ISAserver.org Forums: Discussion about article on publishing Exchange 2007
RE: Discussion about article on publishing Exchange 2007 - 24.Oct.2007 3:17:13 AM
Rumple (Posts: 30, Joined: 5.Dec.2004)

I am currently setting up my environment and am anxiously awaiting any documentation you can throw at us...

PS - Tom, you put an extraordinary amount of work into those articles without expectation of compensation. Ever thought of creating it as a single PDF and putting in a PayPal donation link for it?

RE: Discussion about article on publishing Exchange 2007 - 24.Oct.2007 9:51:28 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

Hi Jason,

Looking forward to doing that article series with you. It might be something that we can turn into a book, since there are so many different Exchange 2007 scenarios. I know somebody else in your part of town who would be interested in participating too, I think. Do you know Steven Hope?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: Discussion about article on publishing Exchange 2007 - 24.Oct.2007 10:02:06 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

quote:
ORIGINAL: Rumple
I am currently setting up my environment and am anxiously awaiting any documentation you can throw at us... PS - Tom, you put an extraordinary amount of work into those articles without expectation of compensation. Ever thought of creating it as a single PDF and putting in a PayPal donation link for it?

Hi Rumple,

We get a few dollars from the advertising on this site. But maybe when Jason and I put together the complete Exchange/ISA article series, we'll do the PDF/PayPal thing.

Thanks!!!
Tom

RE: Discussion about article on publishing Exchange 2007 - 24.Oct.2007 10:06:10 AM
Rumple (Posts: 30, Joined: 5.Dec.2004)

I will put in a pre-order....

RE: Discussion about article on publishing Exchange 2007 - 29.Oct.2007 12:52:09 AM
Rumple (Posts: 30, Joined: 5.Dec.2004)

OK... so Microsoft has made a complete, and I mean complete, mess of Exchange 2007 configuration. There are 8 ways to do things and none of them come up with the same result.

Prime example: using Dr. Tom's article, you have to use PowerShell to do the certificate creation, etc., which in the end had me create a non-exportable certificate from my SSL vendor, so I couldn't import this into ISA.

Now I found a Microsoft article on publishing with ISA 2006: http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx#requestisa

"Request and install a server certificate from a public CA
This procedure will create a new Web site on an existing computer with IIS installed. After the Web site has been created, follow the steps provided by the public CA to request and install a server certificate for the new Web site."

I guess this means I could use an Enterprise CA to generate a self-signed certificate for the Exchange server with an expiry many years into the future, add the root into the trusted computer zone on my internal systems, and then put a valid certificate using IIS onto ISA 2006 so all other systems can access without a certificate error... How silly...

RE: Discussion about article on publishing Exchange 2007 - 29.Oct.2007 10:19:39 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

Hi Rumple,

Don't even get me started on the goat rodeo which is Exchange 2007, especially in the area of certificates. I feel your pain.

Tom

RE: Discussion about article on publishing Exchange 2007 - 31.Oct.2007 10:09:49 PM
Rumple (Posts: 30, Joined: 5.Dec.2004)

PS: in Part 4/5 you mention you can't export the key... actually you can:

New-ExchangeCertificate -GenerateRequest -SubjectName "c=ca, l=city, s=province, o=company, CN=webmail.company.com" -DomainName smtp.company.com, autodiscover.company.com, company.com, ex2007cas.hosting.local, ex2007cas -FriendlyName "Microsoft Exchange 2007" -PrivateKeyExportable $True -Path c:\webmail.txt

This lets you then run:

Export-ExchangeCertificate -Thumbprint C6B2E7BC3D1D4F13E5F300EC594F540C67181780 -BinaryEncoded:$true -Path c:\webmail_export.pfx -Password:(Get-Credential).password

Also found another bugger of a point... when using a CA you have to have a unified communications cert or it just don't work.

One quick question on that point though. In my example, it seems that even though we've added in like 6 URLs into that certificate, for basic OWA and Outlook Anywhere we really only need webmail.company.com and ex2007cas.hosting.local. Is this correct? I can't see most companies doing TLS for the most part, and maybe only autodiscover is a nice-to-have. I can get a unified communications cert for $200/yr with 3 domains, or I can get 2 separate domains (one for webmail and one for whatever domain Outlook is expecting) for $60 and just use up another IP...

< Message edited by Rumple -- 1.Nov.2007 12:47:25 AM >

RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 12:58:07 AM
Rumple (Posts: 30, Joined: 5.Dec.2004)

The pest is back... Another comment. In Part 6, when configuring the ISA rules, you state this:

"By the way, this does not solve the problem related to users having to authenticate each time they open Outlook to connect to the RPC/HTTP proxy through the ISA Firewall. The reason for this is that in order to bypass entering credentials, you would have to bypass pre-authentication at the ISA Firewall and allow NTLM credentials directly to the Client Access Server. That would be a foolhardy move and obviates the security provided by the ISA Firewall, as it allows every hacker on the Internet free access to anonymous connections to your RPC/HTTP proxy, and when the zero-day comes that someone exploits the RPC/HTTP proxy, you will be sorry that you did not take my advice."

Now looking at this, it seems they recommend using NTLM: http://technet.microsoft.com/en-us/library/46574adf-65d2-4c30-8a29-341da05b080b.aspx

"Use an advanced firewall server on the perimeter network
We recommend that you use a dedicated firewall server to help enhance the security of the Exchange computer. Microsoft Internet Security and Acceleration (ISA) Server 2006 is an example of a dedicated firewall server product. ISA Server 2006 also lets you use NTLM authentication instead of Basic authentication because ISA Server understands NTLM authentication information. Other firewall servers may know how to use NTLM authentication. To determine whether your firewall server allows for NTLM authentication, see the product documentation for your firewall product."

ALSO:

"Authentication Options for Outlook Anywhere in Exchange 2007 Service Pack 1 (SP1)
By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory is enabled for both Basic authentication and Integrated Windows authentication and cannot be modified. In Exchange 2007 SP1, only one authentication method is enabled at any time on the /rpc virtual directory. By default, this authentication method is the same as the authentication method that you choose when you enable Outlook Anywhere by using either the Enable Outlook Anywhere wizard or the Set-OutlookAnywhere cmdlet. The default authentication method can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication. For more information about authentication and Outlook Anywhere, see How to Enable Outlook Anywhere."

Do these changes alter the setup of the ISA rules?

RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 9:57:16 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

quote:
ORIGINAL: Rumple
PS: in Part 4/5 you mention you can't export the key... actually you can:

New-ExchangeCertificate -GenerateRequest -SubjectName "c=ca, l=city, s=province, o=company, CN=webmail.company.com" -DomainName smtp.company.com, autodiscover.company.com, company.com, ex2007cas.hosting.local, ex2007cas -FriendlyName "Microsoft Exchange 2007" -PrivateKeyExportable $True -Path c:\webmail.txt

This lets you then run:

Export-ExchangeCertificate -Thumbprint C6B2E7BC3D1D4F13E5F300EC594F540C67181780 -BinaryEncoded:$true -Path c:\webmail_export.pfx -Password:(Get-Credential).password

Also found another bugger of a point... when using a CA you have to have a unified communications cert or it just don't work. One quick question on that point though. In my example, it seems that even though we've added in like 6 URLs into that certificate, for basic OWA and Outlook Anywhere we really only need webmail.company.com and ex2007cas.hosting.local. Is this correct? I can't see most companies doing TLS for the most part, and maybe only autodiscover is a nice-to-have. I can get a unified communications cert for $200/yr with 3 domains, or I can get 2 separate domains (one for webmail and one for whatever domain Outlook is expecting) for $60 and just use up another IP...

Hi Rumple,

Good point about the export cert switch. I didn't see that information and used the information I got from Steven Hope. That switch solves a lot of problems!

Not sure what you mean by requiring a "unified communications" certificate. How is that certificate different than what we used, and what doesn't work when you don't have one? I got OWA and RPC/HTTP working without one.

I agree. I don't know why we need so many SANs on the certificate. The documentation for Exchange 2007 doesn't explain this.

I hope all companies will use SSL to SSL bridging! It would be a security nightmare not to do so.

Thanks!
Tom

RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 10:02:16 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

quote:
ORIGINAL: Rumple
The pest is back... Another comment. In Part 6, when configuring the ISA rules, you state this:

"By the way, this does not solve the problem related to users having to authenticate each time they open Outlook to connect to the RPC/HTTP proxy through the ISA Firewall. The reason for this is that in order to bypass entering credentials, you would have to bypass pre-authentication at the ISA Firewall and allow NTLM credentials directly to the Client Access Server. That would be a foolhardy move and obviates the security provided by the ISA Firewall, as it allows every hacker on the Internet free access to anonymous connections to your RPC/HTTP proxy, and when the zero-day comes that someone exploits the RPC/HTTP proxy, you will be sorry that you did not take my advice."

Now looking at this, it seems they recommend using NTLM: http://technet.microsoft.com/en-us/library/46574adf-65d2-4c30-8a29-341da05b080b.aspx

TOM: You can use NTLM at the Web site, but you'll need to configure Kerberos Constrained Delegation to make this work. KCD is somewhat complex, although I've documented how to configure it in a FE/BE configuration on this site. In the future, Jason Jones and I will do an article series on how to make this work. If you don't use KCD, then you must use Basic authentication on the Web site.

quote:
"Use an advanced firewall server on the perimeter network
We recommend that you use a dedicated firewall server to help enhance the security of the Exchange computer. Microsoft Internet Security and Acceleration (ISA) Server 2006 is an example of a dedicated firewall server product. ISA Server 2006 also lets you use NTLM authentication instead of Basic authentication because ISA Server understands NTLM authentication information. Other firewall servers may know how to use NTLM authentication. To determine whether your firewall server allows for NTLM authentication, see the product documentation for your firewall product."

ALSO:

"Authentication Options for Outlook Anywhere in Exchange 2007 Service Pack 1 (SP1)
By default, in the original release (RTM) version of Exchange 2007, the /rpc virtual directory is enabled for both Basic authentication and Integrated Windows authentication and cannot be modified. In Exchange 2007 SP1, only one authentication method is enabled at any time on the /rpc virtual directory. By default, this authentication method is the same as the authentication method that you choose when you enable Outlook Anywhere by using either the Enable Outlook Anywhere wizard or the Set-OutlookAnywhere cmdlet. The default authentication method can be modified by using the Set-OutlookAnywhere cmdlet to be either Integrated Windows authentication or Basic authentication. For more information about authentication and Outlook Anywhere, see How to Enable Outlook Anywhere."

Do these changes alter the setup of the ISA rules?

TOM: If you're not using KCD, then you need to enable Basic only.

HTH,
Tom

RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 2:44:51 PM
Rumple (Posts: 30, Joined: 5.Dec.2004)

The unified communications SSL cert is kind of like the wildcard but not really... call it a multiple-name type of SSL cert. Currently the SSL certs I normally generate only listen on webmail.company.com and ignore all the SANs... When I used that cert everything works but Outlook Anywhere. I get a proxy certificate error...

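A check that goes with the two posts above (the "which names do I actually need" question and the Outlook Anywhere proxy certificate error). This is an added example, not code from the thread or from the article series: it loads a certificate from the computer store by thumbprint, lists the DNS names it really covers (SAN entries, falling back to the subject CN only when there are no DNS SANs, which is how clients behave), tests each name a client or the ISA Firewall will present, and reports whether the private key can be exported to a PFX. The thumbprint and hostnames are the ones used as examples in the thread and are assumptions; the SAN parser keys on the "DNS Name=" label that the .NET formatter emits on English Windows.

```powershell
# Added example (not from the original posts). Assumes PowerShell 2.0 on the CAS or ISA box,
# English Windows, and that the thumbprint and hostnames below are placeholders.

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Multi-line Format() output carries one "DNS Name=host" entry per line
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $matches[1] }
        }
    }
    if ($names.Count -eq 0 -and $Cert.Subject -match 'CN=([^,]+)') {
        # Clients only fall back to the subject CN when the cert carries no DNS SANs at all
        $names += $matches[1].Trim()
    }
    return $names
}

function Test-NameCovered {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard matches exactly one left-most label: *.company.com covers
        # webmail.company.com but not company.com or a.b.company.com
        if ($n.StartsWith('*.') -and
            $HostName.ToLower().EndsWith($n.Substring(1).ToLower()) -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try   { return [bool]$Cert.PrivateKey.CspKeyContainerInfo.Exportable }
    catch { return $false }   # key not readable by this account: treat as not exportable
}

# ---- usage: example thumbprint and the names the thread says matter ----
$thumbprint = 'C6B2E7BC3D1D4F13E5F300EC594F540C67181780'   # placeholder
$required   = 'webmail.company.com',        # what users type for OWA / ActiveSync
              'autodiscover.company.com',   # hard-coded lookup name used by Outlook
              'ex2007cas.hosting.local'     # internal CAS name the ISA rule bridges to

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

$certNames = Get-CertificateDnsNames $cert
"Certificate names     : $($certNames -join ', ')"
"Private key exportable: $(Test-PrivateKeyExportable $cert)"
foreach ($h in $required) {
    $state = if (Test-NameCovered $certNames $h) { 'OK' } else { 'NOT COVERED - expect a certificate name error' }
    "{0,-28} {1}" -f $h, $state
}
```

The third name is the one people forget: with SSL-to-SSL bridging the ISA Firewall validates the certificate presented by the Client Access Server against the internal site name on the rule's To tab, so a vendor certificate that only carries webmail.company.com passes the browser but fails the bridged leg for Outlook Anywhere, which is the symptom reported above. Run the same check against the certificate bound to the ISA web listener with the public names, and against the CAS certificate with the internal name.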
RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 7:56:31 PM
Jason Jones (Posts: 1801, Joined: 30.Jul.2002, From: United Kingdom)

Chaps,

This all seems to be getting a bit complicated and it shouldn't be that hard to get up and running if we go back to basics...

Basically you have two options:
(1) Use a single web listener configured with two public names and two SSL certs.
(2) Use two web listeners, each configured with individual public names and SSL certs.

If you are not bothered about Outlook Anywhere (OA) prompting users for credentials, or you plan to use OA for non-domain-joined clients (home users), then option 1 is fine. If you want a seamless experience for OA which will use cached domain credentials automatically and not prompt the user, then you need to use two web listeners and go for option 2.

To elaborate on the above: as a bare minimum you need two SSL certs and two public names for Exchange 2007 publishing. One will be used for users, e.g. what they type into a browser for OWA or what they type into their SmartPhone for ActiveSync - an example would be email.domain.com. The other public name (or FQDN) will be autodiscover.domain.com, as this is hard-coded into Outlook. If you have lots of IP addresses and can afford more SSL certs, personally I like the idea of using multiple public names like webmail.domain.com, outlook.domain.com, mobile.domain.com etc. to make things much easier for users to remember, and it somehow seems logical for setup.

If you go for option 1, you will then need to configure ISA as follows:
- Create web publishing rules for OWA, OA, ActiveSync etc. using the ISA wizards
- Define the same web listener for each publishing rule
- Configure the rules to use SSL bridging
- Configure the listener to use HTML Forms Authentication
- Configure the listener to use Basic or NTLM delegation (depending upon your Exchange OWA setup)
- Configure the web listener with two public names, email.domain.com and autodiscover.domain.com
- Configure the web listener to use two IP addresses
- Configure the web listener to use two SSL certs, for email.domain.com and autodiscover.domain.com

Continued...
_____________________________
Jason Jones Silversands Ltd http://www.silversands.co.uk View My Blog: http://blog.msfirewall.org.uk/ Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 8:16:01 PM
Jason Jones (Posts: 1801, Joined: 30.Jul.2002, From: United Kingdom)

If you go for option 2, this is a little more complicated and you will then need to configure ISA as follows:
- Create web publishing rules for OWA, OA, ActiveSync etc. using the ISA wizards
- Define the two web listeners; one for OA and one for all the rest
- Configure the rules to use SSL bridging
- Configure the OA listener to use HTTP Authentication using Integrated
- Configure the other listener to use HTML Forms Authentication
- Configure the OA listener to use KCD delegation
- Configure the other listener to use Basic or NTLM delegation (depending upon your Exchange setup)
- Configure the OA listener with the public name of autodiscover.domain.com and matching SSL cert
- Configure the other listener with the public name of email.domain.com and matching SSL cert

For all this to work, you also need to ensure that your Exchange 2007 environment is configured to use the correct external URLs. OWA and ActiveSync need to be configured with email.domain.com FQDNs, whilst OA and the other OA-related elements like EWS, OAB, OOF, UM etc. need to use autodiscover.domain.com. If you used multiple names you can start using these as you define your Exchange external URLs, e.g. OA can use outlook.domain.com, OWA can use webmail.domain.com, EWS can use autodiscover.domain.com, ActiveSync can use mobile.domain.com - you get the idea...

If you are using option 2, then you also need to ensure that OA is configured for NTLM auth within Exchange to allow KCD to work correctly.

There are lots more variations and issues that I have not covered above, but that is the general concept based upon my understanding and current deployments. Hopefully, as Tom says, we can pull this all together in a nice walkthrough article series later in the year...

Hope this helps set the scene for now...

Cheers
JJ

< Message edited by Jason Jones -- 1.Nov.2007 8:25:48 PM >

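The Exchange side of option 2 as described in the two posts above, as an added example that is neither Jason's nor the article's own code: the external URLs are pointed at the two public names the listeners will carry, and Outlook Anywhere is switched to NTLM so that the ISA Firewall's KCD delegation has something to delegate to. The ISA listener and rule settings themselves stay in the ISA console as listed above. Assumptions: a single Client Access Server named EX2007CAS, the email.domain.com and autodiscover.domain.com names from the post, and Exchange 2007 SP1 (on RTM the Outlook Anywhere authentication parameter was called -ExternalAuthenticationMethod instead of -ClientAuthenticationMethod). Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original posts). Placeholders: server name and public names.
$cas      = 'EX2007CAS'
$userName = 'email.domain.com'          # what users type: OWA, ActiveSync
$oaName   = 'autodiscover.domain.com'   # Outlook's hard-coded lookup name; also the OA listener here

# Services behind the "everything else" listener (forms auth on ISA, email.domain.com cert)
Set-OwaVirtualDirectory        -Identity "$cas\owa (Default Web Site)" `
                               -ExternalUrl "https://$userName/owa"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
                               -ExternalUrl "https://$userName/Microsoft-Server-ActiveSync"

# Services Outlook reaches via autodiscover (EWS for OOF/availability, OAB for the address book)
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
                                -ExternalUrl "https://$oaName/EWS/Exchange.asmx"
Set-OABVirtualDirectory         -Identity "$cas\OAB (Default Web Site)" `
                                -ExternalUrl "https://$oaName/OAB"

# Outlook Anywhere: NTLM on the /rpc directory so ISA's KCD delegation works.
# Use -ClientAuthenticationMethod Basic instead if the OA listener is not using KCD.
Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" `
                    -ExternalHostname $oaName `
                    -ClientAuthenticationMethod Ntlm

# Verify: every ExternalUrl host must appear on the matching listener's certificate
Get-OwaVirtualDirectory         -Server $cas | Format-List Identity, ExternalUrl
Get-ActiveSyncVirtualDirectory  -Server $cas | Format-List Identity, ExternalUrl
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, ExternalUrl
Get-OABVirtualDirectory         -Server $cas | Format-List Identity, ExternalUrl
Get-OutlookAnywhere             -Server $cas | Format-List ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods
```

The ExternalHostname for Outlook Anywhere is the name Outlook will put in its RPC proxy settings after autodiscover, so it has to be a public name on the OA listener's certificate; a mismatch there is exactly the "proxy certificate error" reported earlier in this thread. If you use the richer naming Jason mentions (outlook.domain.com, mobile.domain.com, ...), substitute those names per service and add them to the corresponding listener and certificate.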
RE: Discussion about article on publishing Exchange 2007 - 1.Nov.2007 11:41:30 PM
MistHill (Posts: 8, Joined: 1.Nov.2007)

Hi Tom,

As Rumple said about the certificates issue, I found the switch in the MS whitepaper "Managing Client Access in Exchange Server 2007" and followed the article "Creating a Certificate or Certificate Request for TLS" when I first published OWA. But later, when I published MOSS 2007 for SSO reasons, I needed a wildcard certificate. This time I didn't follow the Exchange PowerShell approach, just accessed the CA's web site.

I have an Enterprise Root CA in my lab box; private key export is disabled in the Web Server template by default. So we need to create a new Web Server template by duplicating the original one first, modify the newly created template's properties, and then we can request a certificate with an exportable private key at the CA site.

Thanks,
Mist Hill

RE: Discussion about article on publishing Exchange 2007 - 2.Nov.2007 9:16:47 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

Hi Jason,

Thanks! Very nice overview of the process. Can't wait to get my new computer so that we can start elaborating on these scenarios.

Tom

RE: Discussion about article on publishing Exchange 2007 - 2.Nov.2007 9:19:16 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

quote:
ORIGINAL: MistHill
Hi Tom, As Rumple said about the certificates issue, I found the switch in the MS whitepaper "Managing Client Access in Exchange Server 2007" and followed the article "Creating a Certificate or Certificate Request for TLS" when I first published OWA. But later, when I published MOSS 2007 for SSO reasons, I needed a wildcard certificate. This time I didn't follow the Exchange PowerShell approach, just accessed the CA's web site. I have an Enterprise Root CA in my lab box; private key export is disabled in the Web Server template by default. So we need to create a new Web Server template by duplicating the original one first, modify the newly created template's properties, and then we can request a certificate with an exportable private key at the CA site. Thanks, Mist Hill

Hi Mist,

If you have an enterprise CA, why not use the Certificates MMC?

Thanks!
Tom

RE: Discussion about article on publishing Exchange 2007 - 3.Nov.2007 12:33:16 AM
MistHill (Posts: 8, Joined: 1.Nov.2007)

Hi Tom,

My apologies, I didn't make my situation clear.
1. My ISA Server has not joined the domain currently.
2. The Certificates MMC console doesn't allow me to request a wildcard certificate or to choose a specific certificate template.
3. I left the certificate of my Client Access Server untouched, and just replaced the ISA Server's certificate.

I think that the Web enrollment site is much more convenient and flexible than the Certificates MMC. The command-line tool Certreq.exe supplies more custom control also, but it is difficult for me to use. If I want to export the private key, I have to modify the certificate template - Figure 8 in your article's Part 5 shows that the "Mark keys as exportable" option is grayed out.

Thanks,
Mist Hill

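For the certificate request discussed in the two MistHill posts above, here is the certreq.exe route as an added example (not code from the thread or from the article). It writes the request INF, generates the key pair locally with the key marked exportable, submits the request to an enterprise CA against the WebServer template, installs the issued certificate, and exports it with the private key for the ISA Firewall. Because certreq generates the key from the INF on the requesting machine, Exportable = TRUE is honoured there regardless of the template's own export setting, so no duplicated template is needed for this path. The CA name, template name, hostnames, paths and PFX password are assumptions.

```powershell
# Added example (not from the original posts). Placeholders: CA config string, names, paths.
# Run elevated in PowerShell on the machine that should hold the key.

$inf = @"
[NewRequest]
Subject = "CN=webmail.company.com, O=Company, L=City, S=Province, C=CA"
; key can be exported to a PFX later (needed to move it to the ISA Firewall)
Exportable = TRUE
KeyLength = 2048
; AT_KEYEXCHANGE, required for SSL
KeySpec = 1
; digital signature + key encipherment
KeyUsage = 0xA0
; store under the computer account, not the logged-on user
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; server authentication
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
; enterprise CA template whose subject is supplied in the request
CertificateTemplate = WebServer

[Extensions]
; subjectAltName: every name a client or the ISA Firewall will connect with
2.5.29.17 = "{text}"
_continue_ = "dns=webmail.company.com&"
_continue_ = "dns=autodiscover.company.com&"
_continue_ = "dns=ex2007cas.hosting.local"
"@
Set-Content -Path C:\webmail.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request
certreq.exe -new C:\webmail.inf C:\webmail.req

# 2. Submit to the enterprise CA. From a domain member this is one command; from a
#    non-domain box such as the ISA Firewall, paste C:\webmail.req into the CA web
#    enrollment page as an advanced request instead and save the response as C:\webmail.cer.
certreq.exe -submit -config "ca01.hosting.local\Hosting Enterprise CA" C:\webmail.req C:\webmail.cer

# 3. Install the issued certificate against the pending request (pairs it with the key)
certreq.exe -accept C:\webmail.cer

# 4. Export certificate plus private key for import on the ISA Firewall
certutil.exe -p "PfxPassw0rd" -exportPFX my webmail.company.com C:\webmail.pfx
```

Two things to check before submitting: the Enroll permission on the template for the account or computer making the request, and that the template takes the subject from the request (the WebServer template does), otherwise the CA discards the SAN extension and you are back to a single-name certificate. A wildcard name goes in the same place as the other dns= entries.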
RE: Discussion about article on publishing Exchange 2007 - 3.Nov.2007 12:35:57 PM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

Hi Mist,

I think you're running into a lot of problems because:
1. The ISA Firewall is not joined to the domain -- this is not a good security practice. You should join the ISA Firewall to the domain.
2. The CA is not in the same domain as the ISA Firewall.

Since the ISA Firewall can't fully utilize SANs (that is to say, can't 'consume' the SANs provided by the CAS), there's no reason to use the Web enrollment site.

IMHO,
Tom

RE: Discussion about article on publishing Exchange 2007 - 3.Nov.2007 11:31:45 PM
MistHill (Posts: 8, Joined: 1.Nov.2007)

Hi Tom,

You are right! I am at the lab test stage for the moment. In fact, I am having trouble implementing domain user identity authentication on the ISA firewall while I am still hesitating over the choice between domain and workgroup for security practice reasons. I have to face the fact of missing features or functions if I stay out of the domain. I just found another great article of yours, "Debunking the Myth that the ISA Firewall Should Not be a Domain Member". It's really helpful.

Thanks,
Mist Hill

RE: Discussion about article on publishing Exchange 2007 - 5.Nov.2007 10:54:16 AM
tshinder (Posts: 47010, Joined: 10.Jan.2001, From: Texas)

Hi Mist,

The security advantages of joining the ISA Firewall to the domain far outweigh any speculative disadvantages. One piece of advice: create a dedicated GPO for the ISA Firewall -- sometimes security settings you put in general domain GP will interfere with the ISA Firewall.

HTH,
Tom