Configuration of ISA 2006 for OWA (Exchange 2007 / 2003 mixed

environment)

Summary
This article walks through the various steps required to publish OWA for users whose mailboxes
reside in a mixed Exchange Organization consisting of both Exchange 2003 and Exchange 2007
using ISA 2006.
The following steps are described:

 Pre-requisites
 Create listener / web publishing rule
 Configure HTTP to HTTPS redirection
 Configure redirection (from a "/" path to "/exchange" path)

Pre-requisites
a) Authentication option on CAS
Make sure that the CAS server does not have Forms Based Authentication option selected. This is
not supported if ISA is to use FBA. The CAS server could use Basic / Integrated Authentication as
shown below based on the requirements. This scenario makes use of Basic Authentication:

b) SSL Certificate
An appropriate SSL certificate is already installed on the CAS server and the same certificate is
also imported into the computer certificate store on the ISA server.
Exchange 2007 server is by default installed with a self signed SSL certificate. If this is being used,
this certificate also needs to be added to the trusted store on ISA and the client workstation
where users will initiate requests for OWA.
c) ISA Hot-fix
Even though the hot-fix listed in the link below is not for this particular configuration but I would
recommend installing this any way’s as there might be a need for the redirection using link path
translation.
http://support.microsoft.com/kb/925403/

Configure listener / Web client access publishing rule

On the ISA Administration Console, highlight firewall policy node / right click and select New /
Exchange web client access publishing rule wizard as shown below

Type in a name for the rule. Example OWA

Select Exchange 2007 and Outlook Web Access. Note that when you select Exchange 2007 you can
select only one web client mail service. Each client requires a separate rule.

Select to publish a single web site

Select the option to use "Use SSL ..."

Type the internal site name for the Exchange 2007 Client Access Server (CAS). In this example the
CAS is being referenced as "webmail.domain1.local" even though its FQDN is "domain1-
w2k3.domain1.local". This is done by using a hosts file on the ISA server. Alternately check the
option to "Use a computer name or IP address.."
This configuration is useful to publish the same name for both internal and external interfaces so
users on both sides of the network can use a similar name to access OWA. Of course this implies
that this configuration will need to use some sort of Split DNS infrastructure to access the same
name from two different networks.
Type in the publicly accessible name for the OWA site.

The next screen will prompt you to select a listener. Click on New to create a listener at this
stage.

Type in appropriate name for the listener as shown below.

Select "Require SSL.."

In this example, the listener is configured to listen on both networks for the same OWA site name.

Select an appropriate SSL certificate. It is assumed that the SSL certificate was already imported
into the computer store on the ISA server as per the pre-requisites.
Select HTML Form Authentication (Same as FBA).

Check "Enable SSO.." if desired. This is useful as it allows for SSO if there are other applications
published.
This completes the listener configuration and you are returned to the web publishing rule wizard.

Select the "Authentication Delegation" method. In this case Basic Authentication is selected. There
are some pros and cons of selecting other delegation methods.

Note - Some of the documentation and articles on web suggest leaving the default of "All
Authenticated Users" user set for a web publishing rule but that has not worked for me. I use the
"Require all users to Authenticate" option on the listener as the warning dialog box suggests
below.
When you click on Finish the following dialog box is displayed warning you to choose the
appropriate method on the CAS server.
This completes creation of the web rule and the listener. Do not forget to click on "Apply" to apply
the configuration.

Configure HTTP to HTTPS redirection

To redirect http://webmail.domain1.local/exchange to httpS://webmail.domain1.local/exchange
automatically, modify the listener configuration as shown below:
Open the properties of the listener just created and select the "Connections" tab and check the
options as shown below:
Enable HTTP connection on port: 80
Redirect all traffic from HTTP to HTTPS

Make sure to apply the configuration.

Configure redirection (from a "/" path to "/exchange"

path)
To redirect http://webmail.domain1.local to https://webmail.domain1.local/exchange
automatically, a new deny web publishing rule can be created as shown below:
Open the ISA Administration Console / Highlight the firewall policy node and follow the
configuration as shown below:
Note the rule is being configured for "Deny". This is because we are denying all requests for any
path other than the ones defined in the earlier OWA rule and redirecting requests to the exchange
virtual directory.
We use the same listener which was created earlier for OWA.

Note - here the delegation methods needs to be the same as whatever was selected for the earlier
rule.
This completes the rule creation. There are a few more steps required for redirections as shown
below:
Open the properties of the rule just created. In this case "Redirect" and select the "Action" tab.
Select "Redirect HTTP..." and type in the appropriate URL.
Note that we have used /exchange instead of owa. This is done to enable access to users whose
mailbox could be on Exchange 2003 mailbox server. If owa virtual directory is used, users cannot
be redirected to an Exchange 2003 mailbox server. Only the exchange virtual directory will
automatically redirect to the appropriate mailbox server based on where the mailbox resides.
(Exchange 2003 or Exchange 2007).

Select the "Application Settings: tab and check the option "Use Customized HTML..." and type in
"Exchange" as shown below (without quotes.

Also make sure that the redirect rule is above the OWA rule created earlier. This is required for
successful redirection.

Make sure you apply the configuration.

This completes the configuration for ISA.
Hopefully OWA works like a charm. If it does not then check the pre-requisites again to make sure
appropriate options are used.
Happy OWAing !!