Deploying a Mobile Messaging Solution with Windows Mobile 5.0-based Devices
Step 5: Install and Configure ISA Server 2006 or Other Firewall
Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Exchange Server 2003 are designed to work closely together in your network to provide a secure messaging environment.
This section discusses steps for deployment of Exchange Server 2003 SP2 mobile messaging in the recommended ISA Server 2006 environment. You can use this information to determine what to do if you are deploying another firewall.
This document does not cover the upcoming release of Exchange Server 2007. Because there are significant changes to Exchange 2007 from Exchange 2003, Exchange 2007 is discussed in a separate document.
During this part of the process, you will:
Install ISA Server 2006
Install a server certificate on the ISA Server
Update Public DNS
Create the Exchange ActiveSync publishing rule using Web publishing, with a Web listener on port 443 (HTTPS).
Configure ISA Server with your LDAP server set
Set the idle session timeout on all firewalls and proxy servers in the path to 1800 seconds (30 minutes).
Direct push holds an HTTPS request open between the device and the server until new mail arrives or the heartbeat interval expires. If a firewall drops the idle session sooner than that, the device must reconnect more often, which shortens battery life; a longer idle timeout lets the device use a longer heartbeat, which improves direct push performance and battery life.
Test OWA and Exchange ActiveSync.
Refer to Network Architecture Alternatives and Best Practices for Deploying a Mobile Messaging Solution for background about network architecture and SSL setup.
Install ISA Server 2006
It is recommended that you deploy ISA Server 2006 in a perimeter network in workgroup mode, that is, without joining the firewall computer to your internal Active Directory domain.
To install ISA Server 2006
1. Install and configure Microsoft Windows Server 2003 on the firewall computer.
2. Use Microsoft Update to install all critical security updates and service packs for Windows Server 2003.
3. Place the computer in the perimeter network and leave it in a workgroup; do not join it to the internal domain.
4. Install ISA Server 2006.
5. Export the OWA SSL certificate from the Exchange front-end OWA server to a file, as described in the next section.
Install a Server Certificate on the ISA Server Computer
To enable a secure connection between the client computer and the ISA Server computer, you need to install a server certificate on the ISA Server computer. This certificate should be issued by a public Certificate Authority (CA) because it will be accessed by users on the Internet. If a private CA is used, its root CA certificate must be installed on every client that will open a secure (HTTPS) connection to the ISA Server computer, including each Windows Mobile device.
In most cases, the ISA Server computer does not have IIS installed, and it does not need it. The following procedures therefore request and install the certificate on a computer that does have IIS installed (typically the Exchange front-end server), export the certificate with its private key to a file, and then import that file on the ISA Server computer.
In this section, you will
Request and install a server certificate from a public CA
Export the server certificate to a file
Import the server certificate on the ISA Server computer
Request and Install a Server Certificate From a Public CA
Perform the following procedure to request and install a server certificate on a computer with IIS installed.
To request and install a server certificate from a public CA
1. In IIS, create a new Web site, pointing the Web site to a new empty directory.
6. Enter a path for the Web site on the Web Site Home Directory page. For example, enter c:\temp.
7. Accept the default settings on the Web Site Access Permissions page and click Next.
8. Click Finish to complete the Web Site Creation Wizard.
By default, the new Web site is stopped. You should leave this Web site in the stopped state. There is no reason to start this Web site.
For more information about creating a new Web site, see IIS product documentation.
9. Follow the steps provided by the public CA to create and install a server certificate using the Web site you created in Step 1.
The important field in the certificate is the common name (CN), which must be the FQDN that users on the Internet will use to connect to the Exchange Outlook Web Access site, for example mail.contoso.com. If the name in the certificate does not match the name users type, browsers show a certificate name mismatch warning and Exchange ActiveSync devices reject the connection.
Make sure the private key is marked exportable when you request the certificate; otherwise you will not be able to export the certificate to a .pfx file and move it to the ISA Server computer.
After the certificate is installed on the Web site that you just created, you will export the certificate to a file. You will then copy this file and import it to the ISA Server computer.
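The same request can be generated without a placeholder IIS Web site by using certreq.exe, which ships with Windows Server 2003. The following PowerShell script is an added example and is not part of the original document or of the ISA Server product; the working directory, file names and the O and C subject fields are assumptions. It shows the two properties the procedure above stresses: the CN set to the public FQDN and the private key marked exportable.

```powershell
# Added example: request a server certificate for the public FQDN with certreq.exe
# instead of the IIS Web Server Certificate Wizard. Paths and the O/C subject fields
# are assumptions; only the CN matters for the published name.
param(
    [string]$Fqdn    = 'mail.contoso.com',   # name users will type on the Internet
    [string]$WorkDir = 'C:\certificates'     # assumed working directory
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir 'mail_isa.inf'
$csrPath = Join-Path $WorkDir 'mail_isa.csr'

# certreq policy file. Exportable = TRUE is what later allows the certificate and its
# private key to be exported to a .pfx; MachineKeySet = TRUE puts the key in the
# computer store (Local Computer\Personal) rather than in the user profile.
@"
[NewRequest]
Subject = "CN=$Fqdn, O=Contoso, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the key pair and the PKCS#10 request; the .csr is what you submit to the public CA.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

Write-Host "Submit $csrPath to the public CA. When the issued certificate arrives (for example $WorkDir\mail_isa.cer), bind it to the pending key with:"
Write-Host "  certreq.exe -accept $WorkDir\mail_isa.cer"
```

After certreq -accept, the certificate and its key sit in the Local Computer Personal store of the requesting computer. Export it to a .pfx from the Certificates MMC snap-in, or bind it to a Web site and use the IIS wizard as described in the next procedure; either way the export succeeds only because the key was marked exportable in the request.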
Perform the following procedure to export the server certificate that you just installed.
To export the server certificate to a .pfx file
1. In IIS Manager, expand the local computer, and then expand the Web Sites folder.
2. Right-click the Web site on which the certificate is installed (the Web site you created in the previous procedure or, if you are reusing the Exchange front-end OWA certificate, the front-end Web site, by default the Default Web Site), and click Properties.
3. On the Directory Security tab, under Secure communications, click Server Certificate to start the Web Server Certificate Wizard.
4. Click Next on the Welcome page.
5. Select Export the current certificate to a .pfx file on the Modify the Current Certificate Assignment page.
6. Type the path and file name on the Export Certificate page. For example, type c:\certificates\mail_isa.pfx, and then click Next.
7. Enter a password for the .pfx file. This password will be requested when the .pfx file is imported. Use a strong password, because the .pfx file contains the private key and anyone who obtains the file and its password can impersonate your site.
You should transfer the .pfx file to the ISA Server computer in a secure fashion because it contains the private key for the certificate to be installed on the ISA Server computer.
Import the Server Certificate on the ISA Server Computer
Perform the following procedure on the ISA Server computer to import the server certificate to the local computer store.
To import a server certificate on the ISA Server computer
1. Copy the .pfx file created in the previous section to the ISA Server computer in a secure fashion.
2. Click Start, and then click Run. In Open, type MMC, and then click OK.
3. Click File, click Add/Remove Snap-in, and in the Add/Remove Snap-in dialog box, click Add to open the Add Standalone Snap-in dialog box.
4. Select Certificates, click Add, select Computer account, and then click Next.
5. Select Local Computer, and then click Finish. In the Add Standalone Snap-in dialog box, click Close, and in the Add/Remove Snap-in dialog box, click OK.
6. Expand the Certificates node, and right-click the Personal folder.
7. Select All Tasks, and then click Import. This starts the Certificate Import Wizard.
8. On the Welcome page, click Next.
9. On the File to Import page, browse to the file that you created previously and copied to the ISA Server computer, and then click Next.
10. On the Password page, type the password for this file, and then click Next.
The Password page provides the option Mark this key as exportable. Leave this option cleared unless you will need to move the certificate from the ISA Server computer again; a non-exportable key cannot be copied off the firewall through the normal export wizard, which raises the bar for an attacker who gains access to the computer.
11. On the Certificate Store page, verify that Place all certificates in the following store is selected and Certificate Store is set to Personal (the default setting), and then click Next.
12. On the wizard completion page, click Finish.
13. Verify that the server certificate was properly installed. Click Certificates, and double-click the new server certificate. On the General tab, there should be a note that shows you have a private key that corresponds to this certificate. On the Certification Path tab, you should see a hierarchical relationship between your certificate and the CA, and a note that shows This certificate is OK.
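The import and the checks in step 13 can also be done from PowerShell on the ISA Server computer. The following script is an added example and is not part of the original document or of ISA Server; the .pfx path and the expected FQDN are assumptions. It imports the file into the Local Computer Personal store without marking the key exportable, then confirms that a private key is present, that the common name matches the public FQDN, and that a chain to a trusted root can be built.

```powershell
# Added example: import the .pfx on the ISA Server computer and verify it.
# The path and the FQDN are assumptions; adjust them to your environment.
param(
    [string]$PfxPath      = 'C:\certificates\mail_isa.pfx',  # file copied from the front-end server
    [string]$ExpectedFqdn = 'mail.contoso.com'               # must equal the public DNS name
)

$password = Read-Host -AsSecureString -Prompt "Password for $PfxPath"

# MachineKeySet stores the key under the computer, PersistKeySet keeps it after import.
# Omitting the Exportable flag is the same as leaving "Mark this key as exportable" cleared.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password, $flags)

# Place it in Local Computer\Personal, where the ISA Web listener looks for it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Check 1: the private key came with the certificate (General tab note in step 13).
if (-not $cert.HasPrivateKey) { throw "Imported certificate has no private key; re-export the .pfx with the key" }

# Check 2: the CN is the name users will type on the Internet.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ExpectedFqdn) { throw "Certificate CN '$cn' does not match '$ExpectedFqdn'" }

# Check 3: the chain to the CA builds (Certification Path tab, "This certificate is OK").
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Certificate chain does not validate; install the missing intermediate or root CA certificate"
}
Write-Host ("Installed {0} (thumbprint {1}), valid until {2}" -f $cn, $cert.Thumbprint, $cert.NotAfter)
```

A chain failure on a workgroup firewall usually means the public CA's intermediate certificate is missing; install it in the Local Computer Intermediate Certification Authorities store rather than marking the leaf certificate trusted.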
Update Public DNS
Create a new host (A) record in your domain's public DNS servers. Users initiate the connection using the name of the Web site, and this name must match the common name (FQDN) in the certificate installed on the ISA Server computer. For example, if a user browses to https://mail.contoso.com/exchange, the following conditions must be met for the connection to succeed:
The FQDN in the server certificate installed on the ISA Server computer must be mail.contoso.com.
The user must be able to resolve mail.contoso.com to an IP address from the Internet.
The IP address that mail.contoso.com resolves to must be configured on the External network of the ISA Server computer, and the Web listener for the publishing rule must listen on that address.
For ISA Server Enterprise Edition, if you are working with an NLB-enabled array, the IP address should be a virtual IP address configured for the array. For more information about NLB, see ISA Server product Help.
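The three conditions above can be checked with a short script. This is an added example, not part of the original document or of ISA Server; the FQDN is an assumption and the script needs PowerShell 2.0 or later. Run it on the ISA Server computer to compare the resolved address against the addresses bound there (for an NLB array the virtual IP appears among them), and repeat the resolution and connect tests from an Internet-connected client, because an internal resolver may return a different answer than public DNS.

```powershell
# Added example: confirm that the public name, the ISA external address and the
# port 443 listener agree. The FQDN is an assumption.
param([string]$Fqdn = 'mail.contoso.com')

# Condition 2: the name resolves (IPv4 only, which is what the 2003-era listener uses).
$resolved = [System.Net.Dns]::GetHostAddresses($Fqdn) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if (-not $resolved) { throw "$Fqdn does not resolve to an IPv4 address" }

# Condition 3: one of those addresses is bound on this computer. Win32_NetworkAdapterConfiguration
# lists every address on every enabled adapter, including an NLB virtual IP.
$local = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } | Where-Object { $_ }
$match = $resolved | Where-Object { $local -contains $_ }
if (-not $match) {
    Write-Warning ("{0} resolves to {1}, but this computer has {2}" -f $Fqdn, ($resolved -join ','), ($local -join ','))
} else {
    Write-Host ("{0} -> {1} is configured on this computer" -f $Fqdn, ($match -join ','))
}

# Listener test: a TCP connect to 443 shows the Web listener is up and reachable. It does not
# prove the publishing rule is right, so still test /exchange in a browser and sync a device.
foreach ($ip in $resolved) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ip, 443)
        Write-Host "TCP 443 open on $ip"
    } catch {
        Write-Warning "TCP 443 closed on $ip : $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}
```

If the name resolves correctly from the Internet but not from inside the perimeter, that is expected when internal DNS has no record for the public name; only the result from an external client matters for mobile users.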