Publish Exchange Services with ISA2006

Posted: February 9, 2010 in Exchange Server, ISA

The following procedure provides the steps required to publish Exchange services (OWA/HTTP-RPC/ActiveSync) with ISA2006. The procedure works with all versions of Exchange; you will just see slightly different options depending on which version you choose.

The first thing to do is launch ISA Server Manager and, in the Task Pane on the right-hand side, click Publish Exchange Web Client Access.

Firewall Policy Tasks

You will then see a screen asking you to give your rule a name. I use something like “OWA Publishing Rule”; it makes no difference what you put in here, but a sensible, descriptive name makes the rule easy to identify later.

On the screen pictured below you need to choose which version of Exchange you are using (note that Exchange 2010 is not listed; you need to select Exchange 2007).

Exchange Version

With Exchange 2007/2010 the wizard will not allow you to specify more than one service, so you will need to create a rule for each service. Click Next.

Select Publish a Single Website or Load Balancer (in Exchange 2007/2010 you will use a CAS server to proxy for all your Exchange servers if you have more than one). If you only have the one server, then you will just direct requests to that.

Load Balancer

On the next screen select SSL. It will work if you choose non-secured, but all your login credentials will be sent in plain text.

Load Balancer

On the next screen enter the internal fully qualified domain name of the Exchange server that is running the Client Access role, and the internal IP address, to ensure that the request is completed if name resolution fails.

You will then need to enter the public name that will be used to access your server, for example, this name must match the certificate that is used on both the CAS server and installed on the ISA server.

On the Web Listeners page click New to create a new listener for OWA and give it a name. Again, it really doesn’t matter what this name is; it just needs to be something you can easily identify at a later date. I am going to call mine OWA-Listener. On the next screen specify which network you will be listening on. As part of the ISA setup you will already have an External and an Internal network configured. You will need to select the External network for most applications; however, you may want to add the Internal network as well if users inside your network will also be accessing OWA through the ISA server.

If you have multiple external IP addresses configured on the network card that represents your external network, then clicking the Select IP Addresses button will allow you to choose which IP address your requests will be coming from. This is important: if you have more than one service being published on port 443 going to different servers, then you will need more than one external IP address.

Once that’s done you will need to select the certificate you will use. Again, this must match the certificate that is installed on the Exchange server, and it must be installed in the Computer store on the ISA server, not the User store. Select HTML Form Authentication (we will turn the Exchange FBA off later; otherwise you will end up with 2 login prompts) and uncheck the SSO box on the next screen (unless you are using SSO for other published resources).
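The store and name requirements above can be checked from PowerShell on the ISA server (and repeated on the CAS server) before you pick the certificate in the wizard. This is an added example, not part of the original post; `mail.example.com` is a placeholder for your public name, and the script compares the subject common name exactly, so wildcard and subject-alternative-name certificates are not evaluated.

```powershell
# Added example: confirm a certificate for the public name sits in the
# Computer store (LocalMachine\My), not only in the User store.
# Assumption: 'mail.example.com' is a placeholder for your public name.
$PublicName = 'mail.example.com'
$nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Get-NamedCert {
    param([string]$StorePath, [string]$Name)
    Get-ChildItem $StorePath | Where-Object {
        # GetNameInfo(SimpleName, $false) returns the subject's common name
        $_.GetNameInfo($nameType, $false) -eq $Name
    }
}

$machine = @(Get-NamedCert 'Cert:\LocalMachine\My' $PublicName)
$user    = @(Get-NamedCert 'Cert:\CurrentUser\My'  $PublicName)

if ($machine.Count -eq 0) {
    Write-Warning "No certificate named $PublicName in the Computer store."
    if ($user.Count -gt 0) {
        Write-Warning "A matching certificate exists in the User store only; import it into the Computer store."
    }
}

# For each Computer-store match, show what the listener depends on:
# a private key and a validity period that covers today.
$now = Get-Date
$machine | Select-Object Thumbprint, NotBefore, NotAfter, HasPrivateKey,
    @{ Name = 'ValidNow'; Expression = { $_.NotBefore -le $now -and $_.NotAfter -ge $now } }
```

Comparing the thumbprint reported on the ISA server with the one reported on the CAS server shows whether both machines hold the same certificate.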

You will then return to the Publish wizard. Select the listener you have just created, click Next and accept the defaults on the next 2 screens, and you have finished with your publishing rule. All that’s left to do with ISA is to apply the settings you have just configured.

Disable Exchange FBA

For the publishing rule you have just created to work effectively you need to disable Forms Based Authentication on the Exchange server that the rule is publishing. The reason is that if you don’t disable it, the ISA server will present you with a form for credentials and then so will the Exchange server.

To disable FBA in Exchange 2007 and 2010 you will need to do the following:

Open Exchange Management Console and navigate to Server Configuration > Client Access and select the Outlook Web Access tab (in Exchange 2010 this has been renamed to Outlook Web App). Right click on OWA and select Properties, then check the box for “Use one or more standard authentication methods” and select Integrated Authentication as per the screenshot below. You will then need to run IISRESET from a command line.
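The same change can be made and verified from the Exchange Management Shell on the Client Access server (Exchange 2007/2010). This is an added example, not part of the original post, and it assumes the OWA virtual directory still has its default name, `owa (Default Web Site)`.

```powershell
# Added example: disable Forms Based Authentication on the OWA virtual
# directory and enable Integrated Windows authentication instead.
# Assumption: the virtual directory has the default name below.
$vdirName = 'owa (Default Web Site)'

$vdir = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { $_.Name -eq $vdirName }

if (-not $vdir) {
    throw "OWA virtual directory '$vdirName' not found on $env:COMPUTERNAME."
}

# Record the current settings so the change can be reverted if needed.
$vdir | Format-List Name, FormsAuthentication, WindowsAuthentication, BasicAuthentication

Set-OwaVirtualDirectory -Identity $vdir.Identity `
    -FormsAuthentication $false `
    -WindowsAuthentication $true

# Re-read the object and confirm the settings before restarting IIS.
$after = Get-OwaVirtualDirectory -Identity $vdir.Identity
if ($after.FormsAuthentication -or -not $after.WindowsAuthentication) {
    Write-Warning 'Authentication settings were not applied as expected; IIS was not restarted.'
}
else {
    # The post's final step: restart IIS so the new settings take effect.
    iisreset
}
```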

To disable FBA in Exchange 2003 you need to open Exchange System Manager and navigate to Administrative Groups > First Administrative Group > Servers > Servername > Protocols > HTTP > Right click on Exchange Virtual Server and select properties. Select Settings and uncheck the box that says “Enable Forms Based Authentication”. You will then need to run IISRESET from a command line.

  1. vraj says:

    Hi, great post, just the thing I was looking for, and maybe you can help me further.

    Am I able to email you personally?
