Publishing Exchange 2007 Client Access (OWA, Outlook Anywhere, ActiveSync) on ISA 2006

Of late I have had the fortunate experience (or unfortunate in some cases) of publishing Exchange 2007 CAS servers on ISA Server 2006 reverse proxies. This has indeed proved to be interesting & at times trying or troublesome, so I'm gonna try to give a few pointers here to cover quite a bit of what was missed out or not made clear in many of the articles on the same subject which I found before.

First off, let's start at this brilliant article by Rui Silva of MSExchange.org which can be found here. I used this in my first ever Exchange 2007/ISA 2006 publishing procedure & found it covers the publishing procedure quite comprehensively, no matter if you are using a uni- or multi-homed ISA Server.

There are, however, a few basic guidelines & rules which need to be followed that are not covered in Rui's article.

In my opinion, the most important of these is the fact that, if not set up correctly, multiple Subject Alternative Name (SAN) certificates can BREAK, yes BREAK, your ISA Web Publishing Rules. How so? Well, it appears that ISA Server 2006, although SAN aware to some degree, can ONLY use either the Certificate Subject Name or the FIRST SAN entry in a certificate. This means that if you have placed the name of the site you are publishing in the SAN attributes of the certificate & it's NOT at the top of the list, then you're in for some trouble. Well, it's just not gonna work.

More on this can be found on the ISA Server Team Blog.

A colleague, Suraj Masrani, brought the above to my attention after he had been doing some research. Out of sheer luck, the first time I tried to publish Exchange 2007 on ISA I actually matched ALL the certificates to the above rule! Kudos to Suraj!!
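Before you bind a certificate to a web listener, it is worth checking it the way ISA 2006 will see it. The PowerShell below is an added example (not from the original post, nor Microsoft's code): it reads a certificate file, lists the Subject CN and the SAN entries in their on-certificate order, and tells you whether the host you want to publish is the CN or the first SAN entry. The certificate path and host name are placeholders.

```powershell
# Added example, not from the original post: lists the names ISA Server 2006
# will actually match on a certificate (Subject CN or the FIRST SAN entry only)
# and checks the host you intend to publish against them.
# $CertPath and $PublishedHost are placeholders; replace them with your own values.
param(
    [string]$CertPath      = 'C:\certs\webmail.cer',
    [string]$PublishedHost = 'webmail.example.com'
)

function Get-IsaUsableNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Subject CN, pulled out of the distinguished name string
    $cn = $null
    if ($Cert.Subject -match '(?i)CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # Subject Alternative Name extension (OID 2.5.29.17). .NET formats it as
    # one "DNS Name=host" line per entry, in the order they appear in the cert.
    $san = @()
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) {
        $san = @($ext.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    # Only the CN and the first SAN entry count for ISA 2006 rule matching
    $usable = @($cn, $san[0]) | Where-Object { $_ }
    return @{ CN = $cn; SAN = $san; Usable = @($usable) }
}

function Test-IsaCertificateName {
    param($Cert, [string]$HostName)
    $names = Get-IsaUsableNames -Cert $Cert
    foreach ($n in $names.Usable) {
        if ($n -ieq $HostName) { return $true }   # exact, case-insensitive match
    }
    return $false
}

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$names = Get-IsaUsableNames -Cert $cert
"Subject CN    : $($names.CN)"
"SAN entries   : $($names.SAN -join ', ')"
"Usable by ISA : $($names.Usable -join ', ')"
if (Test-IsaCertificateName -Cert $cert -HostName $PublishedHost) {
    "OK: '$PublishedHost' is the CN or the first SAN entry; the publishing rule can use it."
} else {
    "PROBLEM: '$PublishedHost' is further down the SAN list (or missing); reissue with it as CN or first SAN entry."
}
```

Run it once per certificate you plan to bind (the CAS certificate and the one on the ISA listener); wildcard names are not modelled, only exact matches.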

Secondly, in some cases you actually need to patch ISA 2006 to add the Exchange Server 2007 Web Publishing Rules. The patch can be downloaded from this Microsoft web page.

Now a third thing I learnt along the way: do NOT specify a gateway on the Network Connection Properties of your ISA Server; this may well lead to disaster for you. Instead, add persistent static routes via the command line Route Add tool. This is especially important, as I discovered, in a multi-homed environment.

You can do this by typing route add Network Mask Subnet_Mask Gateway_IP -p from the command line for each subnet / VLAN you are running (the -p switch makes the route persistent across reboots). In my case I had to add the following:

route add 172.16.0.0 mask 255.255.0.0 172.16.0.254 -p (for the internal, 172.16.x.x, VLANS)
route add 0.0.0.0 mask 0.0.0.0 83.111.190.254 -p (for all other traffic)

Simply adding the gateway to the network connection TCP/IP properties on each interface caused ISA publishing to stop working regularly & required a reload to bring it back up. Now I suppose to someone who knows ISA quite well, & networking too, this would make sense, but then I profess to be no guru in either.

So with that all done, I followed Rui's article above & successfully managed to publish my Exchange 2007 on ISA 2006.

Now I am stuck on one (potentially two) more fronts:

Potential Problem #1.
I want my internal clients to access Webmail using the same URL internally as they would externally & still make sure they get the same Forms Based Authentication page that they would from outside the LAN.

This is easily solved by setting up a split DNS infrastructure where you add an additional Primary Zone to your internal DNS Servers to make them 'Authoritative' for the public domain (from within the corporate network).

Now all you do is manually create host records for WWW, Webmail, Intranet, Extranet etc. & have them point to the correct private / public IP, so the users are still able to browse their sites & connect to internal sites using the same public URL they would from home.

So where should your internal Webmail host record point to? Well, the ISA server, of course, for if it pointed to the Exchange 2007 CAS then your users would get the basic authentication login prompt as opposed to the pretty FBA one.

The trick is that the ISA Web Listener you created before needs to be configured to listen on both the Internal & External networks for this to work properly.

Potential Problem #2:
I have multiple Exchange 2007 Client Access Servers with multiple ISA 2006 reverse proxies. How can I enforce some form of load balancing / redundancy in this scenario? Manipulating the host record only lets me point a single IP at the published host name, yet DNS round robin MUST point to the ISA servers for internal resolution of the public hostname.

In my scenario above, the workaround I used was to deploy DNS on the ISA servers, make that local DNS authoritative for the public domain (internally ONLY) & create the necessary Host (A) records for DNS round robin to work. DNS forwarders for the private domain & all other domains were added to the DNS on ISA, & finally each ISA pointed to itself & its peer for DNS resolution.

This meant that ISA was able to resolve the public webmail URL (hostname) to either one of the internal CAS servers, while the corporate clients, using internal DNS, would resolve the same URL (hostname) to either of the ISA servers.

Any clients accessing Webmail / CAS services from the public Internet would be directed to my public IPs by the relevant authoritative public DNS servers, which also had redundant DNS records registered for round robin, so availability & redundancy requirements were met without the complications of using load balancing with Exchange 2007.
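To make the two internal DNS views concrete, here is an added example (not from the original post) that builds them with the Windows DNS command-line tool dnscmd.exe from PowerShell: the ISA-hosted DNS resolves the public webmail name to the CAS servers, while the corporate DNS resolves the same name to the ISA listeners. The zone name, server addresses and the choice of corporate DNS as the catch-all forwarder are placeholders and assumptions, not values from the post.

```powershell
# Added example, not from the original post: builds the two DNS views described
# above with dnscmd.exe. All zone names, host names and addresses are placeholders.
$publicZone    = 'example.com'                   # public domain, hosted internally only
$privateDomain = 'corp.local'                    # internal AD domain (placeholder)
$corpDns       = @('172.16.0.5', '172.16.0.6')   # corporate DNS servers (placeholder)
$isaServers    = @('172.16.0.20', '172.16.0.21') # internal IPs of the two ISA boxes (placeholder)
$casServers    = @('172.16.1.10', '172.16.1.11') # the two Exchange 2007 CAS servers (placeholder)

# Adds a host with one A record per address; the DNS service hands the records
# out in rotating order (round robin), so resolvers are spread across them.
function Add-RoundRobinHost {
    param([string]$Server, [string]$Zone, [string]$Name, [string[]]$Addresses)
    foreach ($ip in $Addresses) {
        dnscmd $Server /RecordAdd $Zone $Name A $ip
    }
}

# --- View 1: DNS on each ISA server, used by ISA itself to reach the CAS farm ---
foreach ($isa in $isaServers) {
    # Authoritative (internally only) for the public domain
    dnscmd $isa /ZoneAdd $publicZone /Primary /file "$publicZone.dns"
    # webmail.<public zone> resolves to either CAS server
    Add-RoundRobinHost -Server $isa -Zone $publicZone -Name 'webmail' -Addresses $casServers
    # Conditional forwarder for the private AD domain; all other names go to
    # corporate DNS (assumption: that is where Internet resolution happens)
    dnscmd $isa /ZoneAdd $privateDomain /Forwarder $corpDns
    dnscmd $isa /ResetForwarders $corpDns
}
# Each ISA's NIC should then list itself first and its peer second as DNS servers.

# --- View 2: corporate DNS, used by LAN clients. Same public name, but it must
# --- land on an ISA listener so users get the FBA page rather than basic auth.
foreach ($dns in $corpDns) {
    dnscmd $dns /ZoneAdd $publicZone /Primary /file "$publicZone.dns"
    Add-RoundRobinHost -Server $dns -Zone $publicZone -Name 'webmail' -Addresses $isaServers
}
```

Add further Add-RoundRobinHost lines for www, intranet, extranet etc. as needed; whichever view a record lives in, it must never point LAN clients straight at a CAS server or the FBA page is lost.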

Next up are some useful tips & tricks learnt when trying to use Nokia Mail for Exchange (M4E) with Exchange 2007, Subject Alternative Name certificates & ISA Server 2006.
