Many Exchange administrators have ISA Server firewalls (aka ISA firewalls) installed in their networks to provide application-level security to Exchange Server 2003 or Exchange Server 2000 services, including OWA, Exchange ActiveSync (EAS), and Outlook Anywhere (formerly known as Remote Procedure Call over HTTP—RPC over HTTP). With the release of Exchange 2007, many Exchange administrators will need to know how to protect their Exchange environments with ISA Server 2006, which is designed to work closely with Exchange 2007.
The topic of configuring various versions of the ISA firewall to protect various versions of Exchange has been discussed countless times in various publications. So, I won’t provide a step-by-step guide because many of the configuration steps are the same or similar to what you’ve used in Exchange 2003 and Exchange 2000.
I spent quite a bit of time searching the Internet for the resources I needed to successfully set up my environment. I’ll provide you with a basic overview of my environment as well as a list of the resources that I used at various stages so that you don’t have to hunt around as I did.
My environment consists of an ISA Server 2006 server sitting behind a Cisco 851 router. The ISA firewall is a member of a Windows Server 2003 domain that all my servers and workstations are a member of. The firewall sits between a protected network and the demilitarized zone (DMZ). My Exchange 2007 server, two Windows 2003 domain controllers (DCs), and client machines (Windows Vista and Windows XP) are behind the ISA firewall. Initially, I had only the DCs and client machines set up, so both Exchange 2007 and ISA Server 2006 were new installs for me.
To prepare for the Exchange 2007 installation, I read the Microsoft article "Exchange Server 2007 Deployments: 10 Tips When Installing". I found this article very helpful. Before you begin any Exchange 2007 deployment, you should review these 10 tips. You should also review the articles posted on the Exchange & Outlook Pro VIP Web site, where many, if not all, of your initial Exchange 2007 questions will be answered. Finally, you should keep TechNet's Exchange 2007 documentation saved as one of your favorite Web pages.
I was completely new to the ISA firewall up until several months ago. So, to prepare for the ISA Server 2006 installation, I read various articles on the ISAserver.org Web site to get up to speed. If you run into trouble, the ISAserver.org forums are an excellent place to converse with peers and resolve any problems you might encounter.
To learn how to configure the ISA firewall to securely publish OWA, EAS, and Outlook Anywhere to the Internet, I found the Microsoft article "Publishing Exchange Server 2007 with ISA Server 2006" a worthwhile read. Even if you're experienced in this area, you'll probably find this article informative.
You’ll likely want to replace the self-signed Secure Sockets Layer (SSL) certificate that Exchange 2007 creates during installation with a certificate that's signed by a trusted Certificate Authority (CA). By doing so, clients that trust the root certificate from your CA will automatically trust any certificates you issue for your Exchange 2007 services. In my case, I didn't have an enterprise CA set up and I wanted to be able to use SSL from machines that wouldn’t have access to the enterprise root certificate, so I elected to go with a third-party CA. To learn how to export a certificate request and import it into Exchange 2007, I read the blog post "Exchange 2007 lessons learned - generating a certificate with a 3rd party CA" on the Microsoft Exchange Team Blog.
Thanks to these resources, I was able to perform a relatively smooth installation of Exchange 2007 and ISA Server 2006. However, I had some trouble initially with understanding how the Autodiscover service would work with my internal clients and when accessing Exchange 2007 remotely through Outlook Anywhere, specifically with downloading the Offline Address Book (OAB) successfully. I educated myself by reading the Exchange 2007 Autodiscover service documentation on Microsoft TechNet. The section that gives an overview of the Autodiscover service is at http://technet.microsoft.com/en-us/library/bb124251.aspx. I also found the "Outlook Automatic Account Configuration" documentation helpful in understanding how Outlook 2007 clients use the Autodiscover service.
You now have a collection of resources to use when setting up ISA Server 2006 with Exchange 2007. I wish I had this list before I began!
Share Your Exchange and Outlook Experiences
Share your Exchange and Outlook discoveries, comments, solutions to problems, and experiences with products. Email your contributions to [email protected] Please include your full name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you’ll get $100.