Designing and Implementing Mobility in Exchange Server 2010 : Securing Access to ActiveSync Using Internet Security and Acceleration (ISA) Server 2006

Allowing your information workers to have access to a technology like ActiveSync can do wonders for productivity, but can also potentially expose your organization to threats from the outside. Just like Outlook Web App or Outlook Anywhere, ActiveSync requires a web connection to be available to a CAS. Because ActiveSync is meant to be used when out of the office, the web traffic must go over the Internet and must be accessible without requiring a specific virtual private network (VPN) client to be utilized.

This creates somewhat of a dilemma, as the HTTP used by ActiveSync can be subject to attack, potentially exposing your organization to unnecessary risk. Fortunately, however, Microsoft Exchange Server 2010 can be readily secured against these types of attack with the use of an application-layer inspection product such as the Internet Security and Acceleration (ISA) Server 2006 product available from Microsoft.

Note that ISA Server 2006 does not include native understanding of Exchange Server 2010, but rules can be created for Exchange Server 2007 ActiveSync that apply to Exchange Server 2010 as well. When the new version of ISA server is released, currently named Forefront Edge Threat Management Gateway (TMG), it is recommended to use this Exchange Server 2010-aware version to replace ISA Server 2006.

Understanding How ISA Server 2006 Can Protect ActiveSync

ISA Server 2006 is an application-layer aware firewall that can filter HTTP traffic for exploits and scumware. It can reside inline to the ActiveSync traffic (as a traditional firewall), or as a dedicated reverse proxy system that sits in the demilitarized zone (DMZ) of a packet-filter firewall.

In this scenario, the client believes it is directly accessing the CAS, but it is instead being secretly authenticated and scanned at the ISA server itself. Using this scenario or the inline firewall scenario with ISA Server 2006 is a highly useful way to secure the ActiveSync traffic.

Creating an ActiveSync Securing Rule in ISA Server 2006

This section of the article briefly explains how to create a web publishing rule with ISA Server 2006 for ActiveSync.

To create the rule in the ISA Server console, perform the following steps:

1.	Open the ISA Management Console and navigate to the Firewall Policy node in the console pane.
2.	On the Tasks tab of the tasks pane, click the Publish Exchange Web Client Access link.
3.	Enter a descriptive name in the welcome dialog box, such as ActiveSync Rule, and click Next.
4.	In the Select Services dialog box, shown in Figure 1, change the Exchange Server version to Exchange Server 2007 (this works for Exchange Server 2010 as well), and then check the Exchange ActiveSync check box. Click Next to continue. Figure 1. Creating an ActiveSync rule with ISA Server 2006.
5.	In the Publishing Type dialog box, click the Publish a Single Web Site or Load Balancer, and click Next to continue.
6.	In the Server Connection Security dialog box, shown in Figure 2, click the Use SSL to Connect to the Published Web Server or Server Farm option. This creates an end-to-end SSL connection. Click Next to continue. Figure 2. Securing the ISA rule with SSL.
7.	For the internal site name, enter the FQDN that clients use to connect to the CAS, as shown in Figure 3. In this case, the name should match what the external clients use, as problems can be encountered when using SSL if the names do not match. If internal DNS does not forward that FQDN to the CAS, you might need to fool the ISA server by using a hosts file to make it resolve the FQDN to the CAS. Click Next to continue. Figure 3. Creating an ActiveSync securing rule with ISA.
8.	Under Public Name Details, enter "This domain name" and then type in the FQDN of the public name, such as mail.companyabc.com. Click Next to continue.
9.	For Web Listener, either choose an existing listener that can be used for OWA or Outlook Anywhere, or click the New button. This scenario assumes you are creating a new listener. Click the New button.
10.	At the start of the Web Listener Wizard, enter a descriptive name for the listener, such as Exchange HTTP/HTTPS Listener, and click Next to continue.
11.	A prompt appears to choose between SSL and non-SSL. This prompt refers to the traffic between the client and ISA, which should always be SSL whenever possible. Click Next to continue.
12.	Under Web Listener IP addresses, select the External Network, and leave it at All IP Addresses. Click Next to continue.
13.	Under Listener SSL Certificates, click Select Certificate.
14.	Select the mail.companyabc.com certificate. If the certificate is not on the ISA server, it must be installed into the Certificates store of the ISA server.
15.	Click Next to continue.
16.	For the type of authentication, choose HTTP Authentication and then check the Basic check box, as shown in Figure 4. Leave Windows (Active Directory) selected, and click Next. Figure 4. Selecting Basic authentication for the ISA ActiveSync rule.
17.	Click Next at the Single Sign on Settings dialog box. SSO is not available with Basic authentication.
18.	Click Finish to end the wizard.
19.	Click Next after the new listener is displayed in the Web Listener dialog box.
20.	Under Authentication Delegation, choose Basic from the drop-down list. Basic is used as the secured transport mechanism chosen. Click Next to continue.
21.	Under User Sets, leave All Authenticated Users selected. In stricter scenarios, only specific AD groups can be granted rights to OWA using this setting. In this case, the default is fine. Click Next to continue.
22.	Click Finish to end the wizard.
23.	Click Apply in the details pane, and then click OK when you are finished to commit the changes.

The ActiveSync Policy will then show up in the details pane, as shown in Figure 5. Further customization of the rule can take place if necessary.

Figure 5. Viewing the ActiveSync rule in ISA Server 2006.