In this configuration, all of the Exchange servers are within the corporate network and the ISA server acts as the advanced firewall in the perimeter network that is exposed to Internet traffic. This adds a layer of security to your network.
All incoming Internet traffic bound for your Exchange servers, for example Microsoft Office Outlook Web Access (OWA) and remote procedure call (RPC) over HTTP communication from Microsoft Office Outlook 2003 clients, is processed by the ISA server. When the ISA server receives a client request destined for an Exchange server, it terminates the client connection and then proxies the request to the appropriate Exchange server on your internal network. That Exchange server returns the requested data to the ISA server, which sends the information back to the client over the Internet. No client ever connects to an Exchange server directly.
During installation of the ISA server, Microsoft recommends that you enable Secure Sockets Layer (SSL) encryption and designate 443 as the SSL port. This leaves port 443 open as the Web listener that receives Internet traffic. Microsoft also recommends that you configure Basic authentication for Exchange ActiveSync and require all clients to negotiate an SSL connection before they can reach the Exchange ActiveSync virtual directories; Basic authentication sends the user name and password in a trivially reversible encoding, so it is only acceptable inside an SSL session. If you follow these recommendations, the traffic that flows into and out of port 443 is better protected.
When configured in Web-publishing mode, ISA Server 2006 will provide protocol filtering and hygiene, denial of service (DoS) and distributed denial of service (DDoS) protection, and pre-authentication.
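To verify that a published listener actually behaves as recommended above (TLS on port 443, a Basic challenge issued by ISA before anything reaches the ActiveSync directory, and nothing served in the clear), the following added example, written for this page and not part of Microsoft's documentation or ISA Server, sends one unauthenticated GET over HTTPS and one over HTTP and grades the two responses. The host name mail.corp.example and the responses used to exercise the grading logic are assumptions and constructed data; /Microsoft-Server-ActiveSync is the default Exchange ActiveSync virtual directory.

```python
"""Probe an ISA-published Exchange ActiveSync listener and grade the result
against the recommendations above (TLS on 443, Basic challenge only over TLS,
no cleartext access). Added example; host name and sample responses are assumed."""
import http.client
import ssl
import sys

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"  # default Exchange ActiveSync virtual directory


def probe(host, scheme, path=ACTIVESYNC_PATH, timeout=5):
    """Send one unauthenticated GET; return (status, headers) or (None, {}) if no connection."""
    try:
        if scheme == "https":
            ctx = ssl.create_default_context()  # verifies the listener certificate; modern TLS only
            conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None, {}


def assess(scheme, status, headers):
    """Return findings for one response. An empty list means the behaviour matches the recommendations."""
    findings = []
    auth = headers.get("www-authenticate", "").lower()
    if scheme == "http":
        if status is None:
            return findings  # refused/reset: no cleartext listener on 80, as recommended
        if status == 401 and "basic" in auth:
            findings.append("Basic challenge over cleartext HTTP: credentials would be sent unencrypted")
        elif status in (301, 302, 307, 308):
            if not headers.get("location", "").lower().startswith("https://"):
                findings.append("cleartext redirect does not point to https://")
        else:
            findings.append(f"ActiveSync directory reachable over cleartext HTTP (status {status})")
        return findings
    if status is None:
        return ["no TLS connection on 443 (refused, certificate rejected, or protocol too old)"]
    if status != 401:
        findings.append(f"expected a 401 pre-authentication challenge from the listener, got {status}")
    if "basic" not in auth:
        findings.append("no Basic challenge on the HTTPS listener")
    return findings


def check_host(host):
    """Probe both schemes; return {scheme: findings}."""
    return {scheme: assess(scheme, *probe(host, scheme)) for scheme in ("https", "http")}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.corp.example"  # assumed host name
    for scheme, findings in check_host(target).items():
        print(f"{scheme}: {'OK' if not findings else '; '.join(findings)}")
```

Run it as `python check_eas.py mail.corp.example` from outside the perimeter. A 401 with a Basic challenge on HTTPS is the expected sign that ISA is pre-authenticating rather than forwarding anonymous requests to Exchange. Note that ssl.create_default_context() only offers TLS versions current Python considers safe; a listener that still speaks only SSL 3.0 or TLS 1.0 shows up as "no TLS connection", which is itself a finding worth acting on.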
The following illustration shows the recommended Exchange Server 2003 deployment for mobile messaging with ISA Server 2006.
Authentication in ISA Server 2006
Users can be authenticated by using built-in Windows, LDAP, RADIUS, or RSA SecurID authentication. Front-end authentication (client to ISA Server) and back-end authentication (ISA Server to the published server) are configured separately, which provides more flexibility and granularity. Single sign-on is supported for authentication to Web sites. Rules can be applied to users or user groups in any namespace.
For most enterprise installations, ISA Server 2006 with LDAP authentication is recommended. ISA Server 2006 also supports certificate-based authentication with Web publishing. For more information, see Authentication in ISA Server 2006 on the Microsoft TechNet Web site: http://go.microsoft.com/fwlink/?LinkID=87068.
The following table summarizes some of the authentication and publishing features of ISA Server 2006 (feature name, then description):
Support for LDAP authentication
LDAP authentication allows ISA Server to authenticate users against Active Directory without being a member of the domain. See this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=87069
Delegation of Basic authentication
Published Web sites are protected from unauthenticated access by requiring the ISA Server 2006 firewall to authenticate the user before the connection is forwarded to the published Web site. This keeps requests from unauthenticated users, including exploit attempts, from reaching the published Web server.
SecurID authentication for Web Proxy clients
ISA Server 2006 can authenticate remote connections by using RSA SecurID two-factor authentication. This provides a high level of assurance, because a user must both know something (the PIN) and have something (the token) to gain access to the published Web server.
RADIUS authentication
With ISA Server 2006, you can authenticate users in Active Directory and other authentication databases by using RADIUS to query them. Web publishing rules can also use RADIUS to authenticate remote access connections.
Session management
ISA Server 2006 includes improved control of cookie-based sessions to provide better security.
Certificate management
ISA Server 2006 simplifies certificate management and reduces the total cost of ownership associated with using certificates when publishing Web sites. You can use multiple certificates per Web listener and different certificates per array member.
LDAP Authentication with ISA Server 2006
ISA Server 2006 supports Lightweight Directory Access Protocol (LDAP) authentication. LDAP authentication is similar to Active Directory® directory service authentication, except that the ISA Server computer does not have to be a member of the domain: ISA Server connects to a configured LDAP server over the LDAP protocol and binds with the user's credentials to validate them. Every Windows domain controller is also an LDAP server by default, with no additional configuration changes required. By using LDAP authentication, you get the following benefits:
A server running ISA Server 2006 Standard Edition, or ISA Server 2006 Enterprise Edition array members, can run in workgroup mode. When ISA Server is installed in a perimeter network, you no longer need to open all of the ports required for domain membership; the LDAP port to the domain controller (TCP 389, or TCP 636 for LDAP over SSL) is enough.
Authentication of users in a domain that has no trust relationship with the ISA Server computer's own domain.
Instructions for configuring ISA Server for LDAP authentication are included in this document in Step 5: Install and Configure ISA Server 2006 or Other Firewall. For more information about configuring ISA Server for LDAP authentication, see "Secure Application Publishing" at the Microsoft TechNet Web site.
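What "connects to a configured LDAP server over the LDAP protocol to authenticate the user" means on the wire is a simple bind: one LDAPv3 BindRequest carrying the user name and password, answered by a BindResponse whose resultCode says whether the domain controller accepted them. The following added example, written for this page and not ISA Server's own code, builds and parses those two messages with plain BER encoding and performs the bind over LDAP over SSL. The user name, password, host name and the sample failed-bind response (including the Active Directory style diagnostic text) are constructed for illustration. Because a simple bind sends the password as-is, the ISA-to-DC hop should use TCP 636 rather than plain 389; the example defaults to that.

```python
"""Build and parse the LDAPv3 messages behind a simple bind, which is what a
workgroup-mode ISA Server sends to the domain controller to validate a user's
credentials. Added example, not ISA Server's code; DN, password, host and the
sample response bytes are constructed for illustration."""
import socket
import ssl


def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n):
    """Minimal two's-complement encoding for a non-negative INTEGER/ENUMERATED value."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_request(message_id, name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }."""
    op = tlv(0x60,
             tlv(0x02, ber_int(3))              # version INTEGER 3
             + tlv(0x04, name.encode())         # name: a DN, or on AD a userPrincipalName
             + tlv(0x80, password.encode()))    # authentication: simple [0] OCTET STRING, sent as-is
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + op)


def read_tlv(buf, pos):
    """Decode one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        pos += 2 + count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    tag_op, op, _ = read_tlv(msg, pos)
    if tag != 0x02 or tag_op != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)                # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)       # matchedDN
    _, diag, _ = read_tlv(op, pos)                # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired: the DC requires signing and rejects simple binds on plain 389; use LDAPS",
    49: "invalidCredentials (on AD, 'data 52e' in the diagnostic means a bad password)",
}


def ldap_simple_bind(host, name, password, port=636, timeout=5):
    """Perform the bind over LDAPS so the password in the simple bind is not sent in the clear."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, name, password))
        return parse_bind_response(tls.recv(4096))  # a BindResponse fits in one read


# Constructed sample: what a DC answers to a failed bind (AD-style diagnostic text, values invented)
SAMPLE_INVALID = tlv(0x30, tlv(0x02, ber_int(1)) + tlv(0x61,
    tlv(0x0A, ber_int(49)) + tlv(0x04, b"")
    + tlv(0x04, b"80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v2580")))

if __name__ == "__main__":
    mid, code, diag = parse_bind_response(SAMPLE_INVALID)
    print(mid, code, RESULT_CODES.get(code, "other"), diag)
```

Two practical consequences follow from the message format. First, the password travels inside the simple bind exactly as typed, so the only thing protecting it between the perimeter and the domain controller is the SSL session; a firewall rule that only allows TCP 636 from the ISA host to the DCs enforces that. Second, a domain controller configured to require LDAP signing answers a simple bind on plain TCP 389 with resultCode 8 rather than 49, so that error during ISA setup means the transport is wrong, not the credentials.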