If you are following the network architecture that the Deployment Configurations and Best Practices for Deploying a Mobile Messaging Solution section recommends, install ISA Server 2004 as a stand-alone firewall. Do not install ISA Server 2004 as part of an ISA Server array, because that deployment requires domain membership. The ISA server should not be a member server in your Microsoft Windows forest: if the ISA server is compromised by an attack from the Internet, the attacker can use the server's domain membership to reach domain resources. A stand-alone server also lets you minimize the number of ports that are open to your internal network; member servers require additional open ports for activities such as communicating with domain controllers.
We recommend that you publish both Exchange ActiveSync and OWA on the ISA server. Publishing OWA in addition to Exchange ActiveSync gives you greater troubleshooting capability, because you can test the same listener, certificate, and publishing path from a Web browser rather than only from a mobile device.
To install ISA Server 2004
1. Install and configure Microsoft Windows Server 2003 on the firewall computer.
2. Go to Microsoft Update, and then install all critical security hot fixes and service packs for Windows Server 2003.
3. Remove the server from any domain that it is a member of, and then place it in a workgroup.
4. Install ISA Server 2004.
5. Export the OWA SSL certificate, including its private key, from the Exchange front-end OWA server to a file, so that you can import it into the ISA Server 2004 computer's certificate store later.
Creating the Exchange ActiveSync Publishing Rule Using Web Publishing
Web publishing rules determine how ISA Server 2004 intercepts incoming requests for Hypertext Transfer Protocol (HTTP) objects on an internal Web server, and how ISA Server 2004 responds on behalf of the internal Web server.
During this process, you will be required to provide names for the publishing rule itself, the internal and external Web servers, and the Web Listener. Read through these instructions and determine appropriate names before you begin.
For more information, see Publishing Web Servers Using ISA Server 2004 at this Microsoft Website: http://go.microsoft.com/fwlink/?LinkId=108956.
If you plan to use Certificate Authentication with ISA Server 2004, you must use Server Publishing or tunneling to create your Exchange ActiveSync publishing rule. Skip the following procedure, and follow the instructions in Appendix A: Overview of Deploying Exchange ActiveSync Certificate-Based Authentication.
After you create and name the Web publishing rule, you will create and configure the Web Listener, complete the Web site rule, and update the firewall policy.
To create and name the Exchange ActiveSync Web publishing rule
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then click the Firewall Policy node.
2. Right-click the Firewall Policy node, point to New, and then click Mail Server Publishing Rule.
3. On the Welcome to the New Mail Server Publishing Rule Wizard page, type a name for the rule in the Mail Server Publishing Rule name text box. Click Next.
4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option, and then click Next.
5. On the Select Services page, select the Exchange ActiveSync check box. Confirm that the Enable high bit characters used by non-English character sets check box is selected. (If you expect users to read only English-based character sets, you can clear this check box.) For troubleshooting purposes, we recommend that you also select the Outlook Web Access check box. Click Next. The following illustration shows the Bridging Mode page of the New Mail Server Publishing Rule Wizard.
6. On the Bridging Mode page, click the Secure connection to clients and mail server option, and then click Next.
The Secure connection to clients and mail server option creates a Web publishing rule that uses SSL on both legs of the connection: from the client mobile device to the ISA Server 2004 firewall, and from the firewall to the Exchange Web site. Traffic therefore never moves in the clear on either leg, where an intruder could sniff it and intercept credentials or mailbox data.
7. On the Specify the Web Mail Server page, type the name for the internal Web site in the mail server text box, and then click Next.
The name that you type is the name used for the Exchange Server 2003 Web site on the internal network. The name in the request that the ISA Server 2004 firewall sends to the Exchange server on the internal network should be the same as the name on the certificate that is installed on the Exchange ActiveSync Web site.
8. On the Public Name Details page, click the This domain name (type below) option in the Accept requests for list. In the Public name box, type the name that external users will use to access the Exchange ActiveSync Web site, and then click Next.
All incoming Web requests must be received by a Web Listener. A Web Listener may be used in multiple Web publishing rules.
To Create the Web Listener
1. On the Select Web Listener page, click New. The ISA Server 2004 Web Listener gives you several options:
You can create separate Web Listeners for SSL and non-SSL connections on the same IP address.
Web Listener settings are not global: for each IP address that is bound to the external interface of the ISA Server 2004 firewall, you can configure a Web Listener with its own settings.
2. On the Welcome to the New Web Listener Wizard page, type a name for the Web Listener in the Web listener name text box, and then click Next.
3. On the IP Addresses page, select the External check box, and then click Address.
4. In the External Network Listener IP Selection dialog box, click the Specified IP addresses on the ISA Server computer in the selected network option. In the Available IP Addresses list, click the external IP addresses on the ISA Server 2004 firewall that you want to listen for incoming requests to the OWA Web site, and then click Add. The external IP addresses that you selected now appear in the Selected IP Addresses list. Click OK.
5. On the IP Addresses page, click Next.
6. On the Port Specification page, clear the Enable HTTP check box, select the Enable SSL check box, and leave the SSL port number at 443.
Because this Web Listener accepts only SSL connections, you can later create a second Web Listener that is dedicated to non-SSL connections and has different settings. Leaving HTTP disabled on this listener also ensures that Exchange ActiveSync credentials are never accepted over a clear-text connection.
7. Click Select. In the Select Certificate dialog box, click the Exchange ActiveSync Web site certificate that you imported into the ISA Server 2004 firewall computer's certificate store, click OK, and then click Next.
This certificate appears in the Select Certificate dialog box only after you have installed the Web site certificate in the ISA Server 2004 firewall computer's certificate store, and only if the certificate includes its private key. If the private key was not exported with the certificate, the certificate does not appear in this list.
8. On the Completing the New Web Listener Wizard page, click Finish.
The next procedure is to configure the Web Listener so that no authentication method is configured on the listener itself. Authentication is left to the Exchange Web site, which receives the credentials that the firewall forwards.
To configure the Web Listener
1. On the Select Web Listener page, where the details of the Web Listener now appear, click Edit.
2. In the OWA SSL Listener Properties dialog box, click the Preferences tab. The following illustration shows the OWA SSL Listener Properties dialog box.
3. On the Preferences tab, click Authentication.
4. In the Authentication dialog box, clear the Integrated check box. When the Microsoft Internet Security and Acceleration Server 2004 dialog box warns you that no authentication methods are currently configured, click OK.
Do not select the OWA Forms-Based Authentication check box. Exchange ActiveSync clients authenticate with HTTP Basic authentication over SSL and cannot complete a forms-based logon, so enabling forms-based authentication on this listener would block mobile devices.
5. In the SSL Listener Properties dialog box, click Apply, and then click OK.
6. On the Select Web Listener page, click Next.
7. On the User Sets page, accept the default entry All Users, and then click Next.
Accepting the default All Users entry does not give all users access to the Exchange Web site. Only users who authenticate successfully can access it. With this rule, the Exchange Web site performs the authentication, using the credentials that the ISA Server 2004 firewall forwards to it; the ISA Server 2004 firewall and the Exchange Web site cannot both authenticate the user. Because the firewall performs no authentication of its own, you must allow all users access to the rule. The exception is when users authenticate to the ISA Server 2004 firewall itself by using client certificate authentication, as described in Appendix A.
8. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.
As a final procedure, you configure the rule so that the Exchange Web site receives the mobile device's actual IP address.
To complete the Web site rule and update the firewall policy
1. In the Details pane of the ISA Server Management console, right-click the EAS Web site rule, and then click Properties.
2. In the Web site Properties dialog box, click the To tab, and then click the Requests appear to come from the original client option. With this option, the Exchange Web site receives the actual IP address of the external client mobile device rather than the address of the ISA server, so that Web logging add-ons installed on the OWA Web site can use that address when creating reports. For this to work, the Exchange server must route its replies to Internet addresses back through the ISA Server 2004 firewall (for example, by using it as the default gateway); otherwise the replies never reach the client. The following illustration shows the OWA Web site Properties dialog box.
3. Click Apply, and then click OK.
4. In the Details pane, click Apply to save the changes and update the firewall policy.
5. In the Apply New Configuration dialog box, click OK.
The SSL Web site is now available on the external IP address of the ISA server. You may have to add or change a host (A) record on your externally accessible Domain Name System (DNS) server so that the public name of the SSL Web site resolves to the IP address of the ISA server's external interface. That public name must also match the name in the certificate that the Web Listener presents; otherwise mobile devices reject the connection.
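The following Python script is an added example; it is not part of this guide and not a component of ISA Server 2004. It checks a published Exchange ActiveSync listener from the Internet side against the settings the procedures above call for: no clear-text HTTP on port 80, a trusted certificate whose name matches the public name, and an unauthenticated request answered by the Exchange Web site with an HTTP 401 Basic challenge rather than an Integrated-only challenge or a logon form. The virtual directory path /Microsoft-Server-ActiveSync, the use of an OPTIONS request, and the finding texts are assumptions of this example; the network probe is separated from the evaluation so that the evaluation logic can be exercised on constructed results.

```python
"""Check a published Exchange ActiveSync listener (added example, not from the guide)."""
import http.client
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: the ActiveSync virtual directory uses the Exchange default path.
EAS_PATH = "/Microsoft-Server-ActiveSync"


@dataclass
class ProbeResult:
    http_open: bool            # TCP port 80 accepted a connection
    cert_names: List[str]      # DNS names found in the presented server certificate
    chain_trusted: bool        # certificate chained to a root the probing host trusts
    status: Optional[int]      # HTTP status of the unauthenticated request, None if none
    headers: Dict[str, str]    # response headers with lower-cased names


def cert_dns_names(cert: dict) -> List[str]:
    """Collect subject CN and DNS SAN entries from an ssl.getpeercert() dict."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def name_matches(public_name: str, cert_name: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.contoso.com)."""
    p = public_name.lower().rstrip(".")
    c = cert_name.lower().rstrip(".")
    if c.startswith("*."):
        return "." in p and p.split(".", 1)[1] == c[2:]
    return p == c


def evaluate(public_name: str, r: ProbeResult) -> List[str]:
    """Return one finding per deviation from the expected listener configuration."""
    findings = []
    if r.http_open:
        findings.append("port 80 accepts connections: clear Enable HTTP so the listener is SSL-only")
    if not r.chain_trusted:
        findings.append("certificate chain is not trusted: mobile devices will reject the connection")
    if not any(name_matches(public_name, n) for n in r.cert_names):
        findings.append(f"certificate names {r.cert_names} do not cover public name {public_name}")
    if r.status == 401:
        challenge = r.headers.get("www-authenticate", "")
        if "basic" not in challenge.lower():
            findings.append(f"401 without a Basic challenge (got {challenge!r}): ActiveSync clients need Basic")
    else:
        findings.append(f"unauthenticated request returned {r.status}, expected 401: "
                        "a 200 or 3xx usually means a logon form is served instead of a challenge")
    return findings


def probe(public_name: str, timeout: float = 5.0) -> ProbeResult:
    """Network probe of the published listener; run it from the Internet side of the firewall."""
    try:
        with socket.create_connection((public_name, 80), timeout=timeout):
            http_open = True
    except OSError:
        http_open = False

    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # chain is still verified; names are compared by evaluate()
    chain_trusted, cert_names, status, headers = True, [], None, {}
    try:
        conn = http.client.HTTPSConnection(public_name, 443, timeout=timeout, context=ctx)
        conn.request("OPTIONS", EAS_PATH)     # no credentials: Exchange must issue the challenge
        resp = conn.getresponse()
        cert_names = cert_dns_names(conn.sock.getpeercert())
        status = resp.status
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
    except ssl.SSLCertVerificationError:
        chain_trusted = False
    except (OSError, http.client.HTTPException):
        pass
    return ProbeResult(http_open, cert_names, chain_trusted, status, headers)


if __name__ == "__main__":
    name = sys.argv[1]                       # the public name typed on the Public Name Details page
    for finding in evaluate(name, probe(name)) or ["listener looks correctly published"]:
        print(finding)
```

Run it with the public name of the listener as the only argument, from a host outside the firewall. An empty finding list means the listener answers only on 443, presents a trusted certificate for that name, and lets the Exchange Web site issue the Basic challenge; each finding points back to the wizard page where the corresponding setting is made.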