How to Use the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit

 

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit is designed to help streamline remote access solutions to Exchange Server services on your internal network when using ISA Server 2000 as your firewall. ISA Server 2000 is uniquely suited to providing secure remote access to all the Exchange 2000 and Exchange 2003 Server services. It is because of the unique level of security and accessibility provided by ISA Server 2000 firewalls to Exchange Server services that we’ve created and compiled the documents in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit.

 

This kit (which is a collection of over 30 documents) provides detailed step by step instructions on how to make all the Exchange 2000/2003 services available to remote clients. All the kit documents focus on providing secure remote access to Exchange Server services. You could use any firewall to provide remote access to Exchange Server service. The advantage of using ISA Server 2000 is that it provides the ideal solution for secure remote access while not compromising security requirements.

 

Important things to consider before using the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents include:

 

• The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit focuses on secure remote access to Exchange Server services
• The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit does not support co-locating the Exchange Server on the firewall
• The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit does not provide detailed instructions on how to configure an Exchange 2000 or Exchange 2003 server

 

All the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents are constructed with the idea of secure remote being foremost. All solutions contained in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents provide detailed step by step instructions on how to provide secure remote access. Non-secure solutions are touched upon during discussions on remote access to Exchange Server services, but detailed step by step instructions are provided for only secure solutions.

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents assume the ISA Server firewall is on a dedicated firewall computer. The goal is secure remote access to Exchange Server services. Adding extraneous services to the ISA Server firewall computer increases the attack surface on the firewall and reduces the overall level of security provided by the firewall. This is especially important when the ISA Server firewall is configured as a bastion host with an external interface directly connected to the Internet.

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit excludes the typical Small Business Server configuration where the Exchange Server is co-located on the ISA Server firewall. Secure remote access to Exchange Server services is the guiding principle behind all the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents. You cannot create an adequately secure Exchange Server deployment on the firewall itself. Please refer to Small Business Server documentation for information on how to configure ISA Server 2000 on the same machine as the Exchange Server.

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit does not provide in depth guidance regarding Exchange Server configuration. The kit does include information regarding how to configure the specific Exchange Server services that are published by the ISA Server firewall, but the kit documents do not contain detailed information regarding options not directly related to the remote access configuration.

 

The documents in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit are all self-sustaining documents that link to other documents in the kit. While there are some links to resources not contained in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit itself, none of these external links are required to achieve a secure remote access solution using ISA Server 2000 and Exchange 2000/2003.

 

 

 

Network Topology for ISA Server 2000 Exchange Server 2000/2003 Deployment Kit Examples

 

All the examples provided in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents are based on a standard network topology:

 

• An internal network where front-end and back-end Exchange Servers and other network services are located. The internal network is defined by all the addresses contained in the ISA Server’s Local Address Table (LAT).
• An external network consisting of all networks not on the LAT. The external network can be the Internet or a DMZ segment between the ISA Server firewall and the Internet gateway
• The absence of a DMZ segment for Exchange related services; no Exchange Server should be placed on an untrusted network segment because all Exchange Servers must belong to the user domain and it is poor security policy to extend the trusted network security zone into an untrusted zone

 

Note that in all circumstances the Exchange Server (and any other servers published by the ISA Server firewall) must be configured as a SecureNAT client. Under no circumstances should the Exchange Server or any other published server be configured as a Firewall client. ISA Server 2000’s publishing mechanism is designed on the assumption that the published server is a SecureNAT client.

 

This can pose a problem for networks containing network IDs other than the network directed connected to the internal interface of the ISA Server firewall. The reason is that if you wish to put a published server on a network segment that is not on the network directly connected to the internal interface, then you will need to adjust the routing infrastructure so that all routers in the path between the ISA Server firewall and the published server forward Internet bound packets to the internal interface of the ISA Server firewall. Not all organizations are interested in making such a change.

 

If you need to create Server Publishing Rules to support an Exchange Server’s remote access solution, then you can use the information contained in Knowledge Base article 311777 How to Enable Translating Client Source Address in Server Publishing. The Registry entries in this article change the nature of how NAT is performed in Server Publishing Rules.

 

Normally, the ISA Server firewall preserves the source IP address on the incoming request when it passes the request to the published server. After applying the Registry changes described in KB article 311777, the remote client’s source IP address will be replaced with the IP address of the internal interface of the ISA Server firewall.

 

This solves the problem of making the published server a SecureNAT client, because you do not need to change the default gateway (route of last resort) setting on the routers between the published servers and the ISA Server firewall. The routers only need to know how to route requests to the network ID on which the internal interface of the ISA Server firewall resides.

 

Keep in mind that the log files on the published server will contain the internal address of the ISA Server firewall after making this change. You will not be able to analyze the log files on the published server to determine what external addresses accessed the published server. If you require that the original IP address of the remote client be contained in the log file of the published Exchange Server service, then you should not employ the Registry changes in KB article 311777 and instead, make the necessary changes to the routers in the path between the internal interface of the ISA Server firewall and the published server.

 

Note:
Web Publishing Rules always forward the IP address of the internal interface of the ISA Server firewall to the published Web site on the internal network. There is no alternative when it comes to Web Publishing Rules because Web Publishing Rules perform reverse proxy, instead of reverse NAT.

 

 

Operating Systems and Network Services

 

All the current ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents are based on the following based configurations:

 

• ISA Server 2000 installed on Windows Server 2003. All current operating system services packs, ISA Server service packs, and all operating system and ISA Server hotfixes are installed.
• Exchange Server 2003 is installed on is installed on Windows Server 2003 and all the current operating system and Exchange service packs and hotfixes are installed
• The Exchange Server service’s clients on the remote network have all the current service packs and hotfixes installed for both the client operating system and their version of Office or Outlook Express

 

It is critical to note that almost all the procedures described in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents can be performed on both Exchange 2000 and Exchange 2003. The only procedure that significantly varies from what can be performed on Exchange 2000 is:

 

• Exchange 2000 does not support RPC over HTTP; only Exchange 2003 allows remote Outlook clients to connect to Exchange via RPC over HTTP

 

All the other procedures are performed in the same way on both Exchange 2000 and Exchange 2003. This includes the following procedures:

 

• SMTP/SMTPS Publishing
• POP3/POP3/ Publishing
• IMAP4/IMAP4S Publishing
• Outlook Web Access Publishing
• Obtaining a Web Site certificate
• Secure Exchange RPC Publishing

 

There are only a couple procedures that vary based on operating system. All the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents were based on Windows Server 2003. If you use Windows 2000, then the following procedures vary from what appears in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents:

 

• DCOM permissions configured when using the SMTP Message Screen on a machine that is not the ISA Server firewall itself. This information can be found on the ISA Server 2000 CD ROM in the Support folder.
• Installing ISA Server 2000. However, installing ISA Server 2000 on Windows 2000 is quite straightforward. Please refer to the ISA Server 2000 for instructions on how to install ISA Server 2000 on Windows 2000.

 

Note:

If you find that there are procedures described in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit that you can not perform on Windows 2000 or Exchange Server 2000, please write to me at tshinder@tacteam.net and let me know. I will either update the current ISA Server 2000 Exchange Server 2000/2003 Deployment Kit article that pertains to your problem, or I will write a new document and insert it into a kit update. The goal of the kit is to provide information so that all the procedures apply to both Exchange 2000 and Exchange 2003.

 

 

 

Tips and Tricks

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents provide detailed, step by step instructions on how to allow secure remote access to Exchange Server services on the internal network. Each step is explained and the context in which you perform each step is made clear. Our goal is to describe detailed procedures required to provide remote access and to give you the reasons why you perform these steps. It will be much easier to troubleshooting problems with your configuration when you understand why you are performing each procedure.

 

You can get the most out of the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documentation by using one or more of the following tips and tricks:

 

• Set up a lab network or using VMware to simulate the scenario covered in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents. Don’t let the first time you attempt the configuration discussed in the documents be the first time you perform the steps
• Read the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document that applies to the configuration you’re interested in all the way through before actually carrying out the procedure. There are screen shots for almost every step, so you don’t have to guess what the configuration interface looks like. This allows you to perform a mental “run through” of the exact procedures you’ll perform in the lab or your actual production systems before you ever touch a machine
• Take notes on procedures you don’t understand or concepts that aren’t clear in the documents. When you’re done with the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document, refer to your notes and post questions on those areas you’re not 100% on yet over at the ISAServer.org Message boards. The message boards that focus on the remote access solutions discussed in the kit are the Server Publishing board and the Web Publishing board. Please feel free to send me a note at tshinder@isaserver.org after you post your question. Include the URL to your question and I’ll answer your question within 24 hours (usually within just a few hours)
• Test your publishing rules using Telnet and an unsecured connection. While I do not recommend that you allow non-secure remote access to the Exchange Server’s services, you can use Telnet to connect to non-secured service to test basic functionality. This allows you to easily determine if a basic network connectivity, publishing or service configuration issue that is causing a problem. Once you confirm that connectivity is intact, then you can troubleshoot security related issues
• Use an enterprise CA unless you have a strong reason for not using one. The enterprise Certificate Server allows you to easily request a certificates for Exchange Server services by using the Web Site Certificate Request Wizard and assign certificates to machines on the internal network domain using autoenrollment and/or the Certificates MMC standalone snap-in
• Create a simple network diagram that includes the IP addressing information for the ISA Server’s interfaces and the Exchange Server’s services. Make this diagram before making the configuration changes. One of the most common reasons for publishing rules to fail is a simple IP addressing issue.

 

All the procedures in the ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents work. The procedures described in these documents have been implemented in production environments and have withstood the test of time in terms of stability and security. If you find that you have problems getting your remote access email solution working using ISA Server 2000 and Exchange Server, then rest assured that you will be able to get it to work. Its almost always a subtle problem related to a typographical error or an overlooked configuration step.

 

 

 

Feedback and Revisions

 

The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents are distributed in both Microsoft Word and Web format. You can download the Word document and make changes to them to fit your custom environment. You are welcome to make changes to the Word documents and send them back to me with your updates, corrections and suggestions. The overarching goal of ISA Server 2000 Exchange Server 2000/2003 Deployment Kit is to provide the information necessary to make it as easy as possible to create a secure remote email access solution to your Exchange Server.

 

Send your suggestions to tshinder@tacteam.net. Any and all input it welcomed and I’ll make the changes to both the Word and HTML online documents.