October 18, 2004 12:00 AM

Rev Up Security with ISA Server 2004

This sample back-to-back firewall configuration shows you how
Windows IT Pro
InstantDoc ID #44068

5. Configure the OWA Directories
You need to configure your OWA-specific directories—ExchWeb, Exchange, and Public—to force SSL connections, require a client certificate, and require Basic authentication. Using only Basic authentication provides the greatest level of compatibility and the most transparent access for remote OWA users, but if you plan to support Exchange ActiveSync (as in our example), you'll also need to enable Integrated authentication on the Exchange directory.

In the Internet Information Services (IIS) Manager console's left pane, right-click the ExchWeb directory and select Properties from the context menu. Go to the Directory Security tab. Click Edit in the Authentication and access control section to open the Authentication Methods dialog box. Be sure that the Enable anonymous access check box is cleared. You don't want to entertain the possibility of an unauthenticated connection from remote users to any directory on the OWA server. Select the Basic authentication check box and enter the default domain's NetBIOS name in the Default domain text box. In this example we enter DOMAIN as the NetBIOS name for our default domain. Click OK.

While still on the ExchWeb Properties dialog box's Directory Security tab, click Edit in the Secure Communications section. In the Secure Communications dialog box, which Web Figure 2 shows, select the Require secure channel (SSL) and Require 128-bit encryption check boxes and the Require client certificates option. Click OK to save the secure communications options, then click OK to save the ExchWeb directory's configuration. In the Inheritance Overrides dialog box, click Select All, then click OK.

To connect to the OWA Web site, the ISA firewall must present a client certificate, but that certificate controls only the establishment of the SSL connection between the ISA firewall's internal interface and the front-end Exchange server. The user credentials that the remote user presents control mailbox access. The client certificate requirement doesn't have any influence over user mailbox access; rather, it controls only which device can make a direct connection to the front-end Exchange server. Later, you'll request a client certificate for the ISA firewall's Firewall Service and configure the ISA firewall to present this client certificate to the OWA Web site.

In the Internet Information Services (IIS) Manager console's left pane, right-click the Exchange directory and select Properties. Go directly to the Directory Security tab, open the Secure Communications dialog box as I explained earlier, and select the same check boxes and option that you selected for the ExchWeb directory. Click OK.

While still on the Directory Security tab, click Edit in the Authentication and access control section. This time, select the Integrated Windows authentication and Basic authentication check boxes, then enter the default domain's NetBIOS name in the Default domain text box. Enabling Integrated authentication for the Exchange directory keeps your options open for publishing ActiveSync access. Click OK to save the authentication settings, then click OK to save the Exchange directory's configuration.

Repeat the process for the Public directory, enabling only Basic authentication in the Authentication Methods dialog box.
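
After the three directories are configured, you can confirm the result by reading the IIS 6.0 metabase instead of reopening each dialog box. The following read-only PowerShell audit is an added example, not part of the original article. It assumes that it runs in an administrative session on the front-end Exchange server, that the OWA directories sit under Web site ID 1, and that the default domain is DOMAIN as in the article's example; the variable names are illustrative.

```powershell
# Added example (not from the article): read-only audit of the Step 5 settings.
$SiteId        = 1         # assumption: OWA directories are under Web site ID 1
$DefaultDomain = 'DOMAIN'  # NetBIOS name used in the article's example

# IIS 6.0 metabase bit values for AuthFlags and AccessSSLFlags
$AuthAnonymous = 0x1
$AuthBasic     = 0x2
$AuthNTLM      = 0x4       # Integrated Windows authentication
$AccessSSL            = 0x8
$AccessSSLRequireCert = 0x40
$AccessSSL128         = 0x100
$RequiredSsl = $AccessSSL -bor $AccessSSLRequireCert -bor $AccessSSL128

# Authentication methods the article selects for each directory
$ExpectedAuth = @{
    ExchWeb  = $AuthBasic
    Exchange = ($AuthBasic -bor $AuthNTLM)
    Public   = $AuthBasic
}

foreach ($name in 'ExchWeb', 'Exchange', 'Public') {
    $problems = @()
    try {
        $vdir   = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT/$name"
        $props  = $vdir.psbase.Properties
        $auth   = [int]$props['AuthFlags'].Value
        $ssl    = [int]$props['AccessSSLFlags'].Value
        $domain = [string]$props['DefaultLogonDomain'].Value

        if ($auth -band $AuthAnonymous) { $problems += 'anonymous access is enabled' }
        if ($auth -ne $ExpectedAuth[$name]) {
            $problems += ('AuthFlags is 0x{0:X}, expected 0x{1:X}' -f $auth, $ExpectedAuth[$name])
        }
        if (($ssl -band $RequiredSsl) -ne $RequiredSsl) {
            $problems += ('AccessSSLFlags is 0x{0:X}; SSL, 128-bit, or client certificate not required' -f $ssl)
        }
        if ($domain -ne $DefaultDomain) { $problems += "default domain is '$domain'" }
    } catch {
        $problems += "could not read metabase node: $($_.Exception.Message)"
    }

    if ($problems.Count -eq 0) { "{0,-9} OK" -f $name }
    else { "{0,-9} FAIL: {1}" -f $name, ($problems -join '; ') }
}
```

The script checks only the three top-level directory nodes. Child nodes received the same settings when you clicked Select All in the Inheritance Overrides dialog box.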

Well Begun
Next time, we'll continue through the process with Steps 6 through 13. When we're finished, you'll have an excellent example of how ISA Server 2004 can improve the security of network-facing applications and services such as OWA. (In the meantime, you can learn more about ISA Server 2004 in the Windows IT Pro article "Improving on ISA Server," May 15, 2004, InstantDoc ID 42409.)


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.