Nice article, as usual. However, I have to ask you about one of the basic assumptions of your article. You have gone to great lengths to explain the process of creating two web listeners (and two certificates) so that you can create two rules - one for OWA with forms based authentication and one for the other Outlook publishing rules (ActiveSync, OMA etc.).
This is from the article:
In addition, you cannot use the same listener for the OWA Web Publishing Rule and the OMA/ActiveSync/RPC-HTTP Web Publishing Rule because the OMA/ActiveSync/RPC-HTTP client software does not know how to deal with the form presented to them and will fail the connection without informing you why it failed.
I have to disagree with this statement. I have set up OWA Web Publishing several times using ISA 2004 and forms based authentication (enabled on ISA, not on Exchange), and in my experience OMA and ActiveSync continue to work perfectly (with just the one web listener). I can't comment on RPC-HTTP as I've never used it.
In my test lab at home I have an ISA 2004 front end with just one web listener with an HTTPS certificate and ISA forms based authentication enabled. OWA works perfectly, and my Windows Mobile 2003 SE phone syncs with ActiveSync perfectly as well. OMA also works.
I've also set up a client with a similar system (although their Exchange system is a front-end/back-end setup) and it also works for them with just the one web listener.
I don't believe I had to do anything special to make this work. I even remember thinking to myself "I wonder if enabling forms based authentication on ISA is going to prevent ActiveSync from working" and I was surprised to find that it didn't.
I am happy to provide details of configuration if you are interested. Also keep in mind that I have never tried to get RPC-HTTP working so it may well be the case that this particular protocol does not work with forms based authentication enabled, but ActiveSync and OMA certainly do (for me anyway!).
Great series of articles about Multiple Security Perimeters with a Multihomed ISA Firewall. Is there a generic thread for all articles in the series or just this one for part 3? Either way, I have a few questions and probably a couple more as I re-read it again.
I currently have a simple ISA 2004 configuration but will be rolling out a multi-homed version for a new forest with 4 or 5 distinct domains and a topology identical to the one you described (so these articles will help me do this). My first questions are in regard to the two web listeners. I was wondering if I need to create two listeners if all my Outlook clients are 2003 and use RPC/HTTP only? If so, can I skip creating a Secure Exchange RPC Server Publishing Rule? I assume that this rule grants inbound access directly to the back-end Exchange Server. Without it, do Outlook 2003 clients use the path to/through the front-end Exchange Server and then to the back-end Exchange Server?
My other question is pretty basic. I assume the front-end Exchange Server in the Authenticated Access DMZ is a domain member since it requires the typical set of intradomain communication protocols. Likewise, I assume the SMTP Relay in the Anonymous Access DMZ is not a domain member. I never set one up this way before and so I'm wondering what membership do servers in this security zone belong to? Is it just a workgroup?
Hi Tom, great article. I'm having trouble getting the certificates that I created on an internal CA to be usable by the SSL listeners. The only one I have available is the machine cert created for the ISA box; any I created by using the method described in Part 3 of this series are visible in the Cert MMC, but not if I go to select a certificate to use with SSL for my listeners. Am I doing something wrong? Thanks