Designing and Implementing Mobility in Exchange Server 2010 : Securing Access to ActiveSync Using Internet Security and Acceleration (ISA) Server 2006

2/23/2011 9:02:39 AM
Allowing your information workers to have access to a technology like ActiveSync can do wonders for productivity, but can also potentially expose your organization to threats from the outside. Just like Outlook Web App or Outlook Anywhere, ActiveSync requires a web connection to be available to a CAS. Because ActiveSync is meant to be used when out of the office, the web traffic must go over the Internet and must be accessible without requiring a specific virtual private network (VPN) client to be utilized.

This creates somewhat of a dilemma: the HTTP endpoint that ActiveSync exposes on the CAS is reachable by anyone on the Internet and can be probed or attacked directly, potentially exposing your organization to unnecessary risk. Fortunately, Microsoft Exchange Server 2010 can be readily secured against these types of attack with an application-layer inspection product such as Microsoft's Internet Security and Acceleration (ISA) Server 2006.

Note that ISA Server 2006 does not include native understanding of Exchange Server 2010, but rules created for Exchange Server 2007 ActiveSync apply to Exchange Server 2010 as well, because the ActiveSync virtual directory (Microsoft-Server-ActiveSync) and its authentication behavior are the same. The successor product, Forefront Threat Management Gateway (TMG) 2010, includes Exchange Server 2010-aware publishing wizards, and it is recommended to use TMG in place of ISA Server 2006 where possible.

Understanding How ISA Server 2006 Can Protect ActiveSync

ISA Server 2006 is an application-layer aware firewall that can inspect HTTP requests for exploits and malware before they reach the CAS. It can reside inline to the ActiveSync traffic (as a traditional firewall), or as a dedicated reverse proxy that sits in the demilitarized zone (DMZ) of a packet-filter firewall.

In the reverse proxy scenario, the client believes it is talking directly to the CAS, but the request is in fact terminated at the ISA server, which authenticates the user and inspects the request before forwarding it. Unauthenticated or malformed requests never reach the CAS, which is the main security benefit: the Exchange server is never exposed directly to anonymous Internet traffic. Either this scenario or the inline firewall scenario with ISA Server 2006 is a highly useful way to secure the ActiveSync traffic.

Creating an ActiveSync Securing Rule in ISA Server 2006

This section of the article briefly explains how to create a web publishing rule with ISA Server 2006 for ActiveSync.

To create the rule in the ISA Server console, perform the following steps:

Open the ISA Management Console and navigate to the Firewall Policy node in the console pane.

On the Tasks tab of the tasks pane, click the Publish Exchange Web Client Access link.

Enter a descriptive name in the welcome dialog box, such as ActiveSync Rule, and click Next.

In the Select Services dialog box, shown in Figure 1, change the Exchange Server version to Exchange Server 2007 (this works for Exchange Server 2010 as well), and then check the Exchange ActiveSync check box. Click Next to continue.

Figure 1. Creating an ActiveSync rule with ISA Server 2006.

In the Publishing Type dialog box, click the Publish a Single Web Site or Load Balancer, and click Next to continue.

In the Server Connection Security dialog box, shown in Figure 2, click the Use SSL to Connect to the Published Web Server or Server Farm option. This configures SSL bridging: ISA terminates the client's SSL session, inspects the request, and then opens a second SSL connection to the CAS, so the traffic is encrypted on both legs but can still be inspected at ISA. Click Next to continue.

Figure 2. Securing the ISA rule with SSL.

For the internal site name, enter the FQDN that clients use to connect to the CAS, as shown in Figure 3. This name should match the name external clients use (for example, mail.companyabc.com), and it must match a name on the certificate installed on the CAS, because ISA validates the certificate when it opens the bridged SSL connection and the rule fails if the names do not match. If internal DNS does not resolve that FQDN to the CAS, add an entry to the hosts file on the ISA server so that it resolves the FQDN to the CAS's internal IP address. Click Next to continue.

Figure 3. Creating an ActiveSync securing rule with ISA.

Under Public Name Details, select This Domain Name and then type in the FQDN of the public name, such as mail.companyabc.com. Click Next to continue.

For Web Listener, either choose an existing listener that can be used for OWA or Outlook Anywhere, or click the New button. This scenario assumes you are creating a new listener. Click the New button.

At the start of the Web Listener Wizard, enter a descriptive name for the listener, such as Exchange HTTP/HTTPS Listener, and click Next to continue.

A prompt appears to choose between SSL and non-SSL. This prompt refers to the traffic between the client and ISA. Choose SSL: the rule uses Basic authentication, which sends the user's credentials base64-encoded rather than encrypted, so a non-SSL listener would expose passwords to anyone on the path. Click Next to continue.

Under Web Listener IP addresses, select the External Network, and leave it at All IP Addresses. Click Next to continue.

Under Listener SSL Certificates, click Select Certificate.

Select the mail.companyabc.com certificate. If the certificate is not on the ISA server, it must be installed (with its private key) into the local computer's Personal certificate store on the ISA server before it can be selected.

Click Next to continue.

For the type of authentication, choose HTTP Authentication and then check the Basic check box, as shown in Figure 4. Leave Windows (Active Directory) selected, and click Next.

Figure 4. Selecting Basic authentication for the ISA ActiveSync rule.

Click Next at the Single Sign on Settings dialog box. SSO is not available with Basic authentication.

Click Finish to end the wizard.

Click Next after the new listener is displayed in the Web Listener dialog box.

Under Authentication Delegation, choose Basic from the drop-list. ActiveSync devices only support Basic authentication, so ISA collects the credentials from the device over SSL and passes them on to the CAS using the same scheme over the bridged SSL connection. For this to work, Basic authentication must be enabled on the Microsoft-Server-ActiveSync virtual directory on the CAS. Click Next to continue.

Under User Sets, leave All Authenticated Users selected. In stricter scenarios, only specific AD groups can be granted access to ActiveSync using this setting, which is a useful way to limit the number of accounts exposed to password guessing at the edge. In this case, the default is fine. Click Next to continue.

Click Finish to end the wizard.

Click Apply in the details pane, and then click OK when you are finished to commit the changes.

The ActiveSync rule will then show up in the details pane, as shown in Figure 5. Further customization of the rule can take place if necessary.

Figure 5. Viewing the ActiveSync rule in ISA Server 2006.
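Once the rule is applied, it is worth confirming from the Internet side that ISA, not the CAS, is answering, that it challenges for Basic authentication only over SSL, and that the listener certificate carries the public name. The following PowerShell script is an added example and is not part of the original article or the ISA product; it assumes the public name mail.companyabc.com used in the steps above, a certificate whose subject CN is that name, and that it is run from a machine outside the ISA server (for example, a laptop on a home connection). It uses only the .NET HttpWebRequest class, so it works on PowerShell 2.0 of the same era.

```powershell
# Added example (not from the original article): post-publishing checks for the
# ISA Server 2006 ActiveSync web publishing rule, run from the Internet side of ISA.
# Assumptions: the public name is mail.companyabc.com (as in the article) and the
# listener certificate's subject CN is that name. No credentials are sent; the
# probe only looks at the challenge ISA returns.

$PublicName = "mail.companyabc.com"
$EasPath    = "/Microsoft-Server-ActiveSync"

function Invoke-EasProbe {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method    = "OPTIONS"      # ActiveSync devices start with OPTIONS, so this is a harmless probe
    $req.UserAgent = "Apple-iPhone/801.293"
    $req.Timeout   = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 is surfaced as an exception, but the HTTP response is still attached.
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }   # no HTTP response at all: refused, timeout or TLS failure
    }
    $certSubject = $null
    if ($req.ServicePoint.Certificate -ne $null) {
        $certSubject = $req.ServicePoint.Certificate.Subject
    }
    New-Object PSObject -Property @{
        Status      = [int]$resp.StatusCode
        Challenge   = $resp.Headers["WWW-Authenticate"]
        Server      = $resp.Headers["Server"]
        CertSubject = $certSubject
    }
}

function Test-EasPublishing {
    $results = @()

    # 1. HTTPS must answer 401 with a Basic challenge: ISA pre-authenticates before the CAS sees anything.
    $https = Invoke-EasProbe "https://$PublicName$EasPath"
    $results += "HTTPS: status $($https.Status), challenge '$($https.Challenge)', server '$($https.Server)'"
    if ($https.Status -ne 401 -or $https.Challenge -notmatch '^Basic ') {
        $results += "FAIL: expected 401 with a Basic challenge from the ISA listener"
    }
    if ($https.Challenge -match 'NTLM|Negotiate') {
        $results += "WARN: listener also offers integrated authentication; the rule was built for Basic over SSL only"
    }

    # 2. The listener certificate must be issued to the public name, or devices refuse to connect.
    #    (Assumes the name is in the subject CN; a SAN-only certificate needs an extension check instead.)
    if ($https.CertSubject -notmatch "CN=$([regex]::Escape($PublicName))") {
        $results += "FAIL: listener certificate subject is '$($https.CertSubject)', expected CN=$PublicName"
    }

    # 3. Plain HTTP must not be reachable: Basic credentials over port 80 would travel in the clear.
    try {
        $http = Invoke-EasProbe "http://$PublicName$EasPath"
        $results += "FAIL: port 80 answered with status $($http.Status); the web listener should be SSL only"
    } catch {
        $results += "OK: plain HTTP refused ($($_.Exception.Message))"
    }
    $results
}

Test-EasPublishing
```

A clean result is a single 401 with a Basic challenge on HTTPS, the expected certificate subject, and a refused connection on port 80. If the HTTPS probe returns a challenge from IIS rather than ISA, or returns 401 on port 80, the public name is still pointing at the CAS or a packet filter is passing port 80 around the listener. To check the other end of the bridged connection, run Get-ActiveSyncVirtualDirectory | Format-List Identity, BasicAuthEnabled in the Exchange Management Shell on the CAS (and Set-ActiveSyncVirtualDirectory -BasicAuthEnabled $true if it is off), then Test-ActiveSyncConnectivity -URL https://mail.companyabc.com/Microsoft-Server-ActiveSync -MailboxCredential (Get-Credential) with a test mailbox to exercise the full path through ISA.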
