ISA 2006 Enables FBA and ActiveSync-RPC/HTTP on the Same Web Listener
As you know, the best way to secure your Exchange Server organization is to put an ISA firewall in front of it. Unlike traditional hardware firewalls, the ISA firewall is purpose-designed to protect Exchange Servers and services. Remote access to OWA, OMA, Exchange ActiveSync, and RPC/HTTP is critical for any business running Microsoft Exchange Servers. Only the ISA firewall contains the application-layer intelligence to provide the security you require for your Exchange remote access plans.
A challenge ISA 2004 firewall admins experienced was that if you enabled FBA (Forms-based authentication) on a Web listener for OWA access, you could not use that same Web listener for remote access to OMA, ActiveSync and RPC/HTTP. The reason is that those services required a second certificate, and that second certificate had to be bound to a second Web listener, listening on an IP address different from the one used by the OWA/FBA-enabled Web listener.
For details on why each certificate must be bound to a different IP address and Web listener, check out this post on the ISA firewall team blog at https://blogs.technet.com/isablog/archive/2006/04/...9.aspx
ISA 2006 solves this problem by reading the User-Agent HTTP header before making an authentication decision. This enables you to use the same Web listener and IP address for both OWA/FBA-enabled connections and connections from OMA/ActiveSync/RPC-HTTP clients.
For example, suppose you configured a Web Publishing Rule that allows connections to all of the Exchange Server Web services, including OWA, OMA, ActiveSync and RPC/HTTP, and you have Forms-based authentication enabled on the Web listener for this rule. When an OWA client (IE6 or above, or an alternative Web browser with a reduced user experience) connects to the ISA firewall to reach the OWA site, the ISA firewall presents the user with the logon form and all is good. However, when non-OWA connections reach the ISA firewall, the ISA firewall inspects the User-Agent header in these requests, recognizes that these clients do not “understand” the form, and reverts to Basic authentication (which all of these clients do understand). Basic authentication only encodes the credentials (base64), it does not encrypt them, so it is safe in this configuration because the credentials travel inside the SSL tunnel.
If you have only a single IP address and want to publish all of these services, then the ISA 2006 firewall upgrade is for you!
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP — ISA Firewalls
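As an added example, not code from this post or from ISA Server itself, here is a small Python model of the decision the article describes: the listener reads the User-Agent, serves the logon form to browsers, falls back to a Basic challenge for sync and RPC clients, and refuses to issue a Basic challenge at all unless the connection is TLS. The virtual directory paths, the User-Agent fragments and the /logon form URL are assumptions, not values taken from the post.

```python
"""Model of a Web listener that picks Forms-based or Basic auth per request.

Added illustration; it is not ISA code. Paths, User-Agent fragments and the
logon-form location are assumptions marked below.
"""
import base64
from dataclasses import dataclass, field

# Exchange 2003 virtual directories used by non-browser clients (assumed defaults).
NON_BROWSER_PATHS = ("/microsoft-server-activesync", "/rpc/rpcproxy.dll", "/oma")

# User-Agent fragments of non-browser Exchange clients. Illustrative assumptions:
# log what your own devices send and tune this list accordingly.
NON_BROWSER_AGENTS = ("msrpc", "msft-ppc", "msft-sphone", "roadsync")

LOGON_FORM = "/logon"  # placeholder for the listener's form URL


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def is_browser(user_agent: str) -> bool:
    """A browser is anything that identifies as Mozilla and not as a known sync/RPC client."""
    ua = (user_agent or "").lower()
    if any(tag in ua for tag in NON_BROWSER_AGENTS):
        return False
    return "mozilla" in ua


def wants_form(path: str, user_agent: str) -> bool:
    """Serve the logon form only to browsers on non-sync paths; everyone else gets Basic.

    Defaulting unknown agents to Basic means a client that cannot render the form
    still receives a challenge it understands.
    """
    if path.lower().startswith(NON_BROWSER_PATHS):
        return False
    return is_browser(user_agent)


def parse_basic(authorization: str):
    """Decode 'Authorization: Basic <base64>' into (user, password), or None.

    The value is only base64-encoded, not encrypted, which is why challenge()
    never offers Basic on a cleartext connection.
    """
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def challenge(path: str, headers: dict, is_tls: bool, realm: str = "exchange") -> Response:
    """Decide how the listener answers a request that has not yet authenticated.

    `headers` is a plain dict keyed by canonical header name (constructed input,
    not the output of a real HTTP parser).
    """
    if not is_tls:
        # Refuse rather than challenge: neither the form POST nor Basic may go in cleartext.
        return Response(403, {"X-Reason": "TLS required"})
    if wants_form(path, headers.get("User-Agent", "")):
        return Response(302, {"Location": f"{LOGON_FORM}?url={path}"})
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    # Verifying the credentials against the directory is out of scope for this model.
    return Response(200, {"X-Authenticated-User": creds[0]})


if __name__ == "__main__":
    # Constructed sample requests, one per client type.
    samples = [
        ("/exchange/", {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}, True),
        ("/Microsoft-Server-ActiveSync", {"User-Agent": "MSFT-PPC/5.1"}, True),
        ("/rpc/rpcproxy.dll", {"User-Agent": "MSRPC"}, True),
        ("/exchange/", {"User-Agent": "Mozilla/4.0"}, False),
    ]
    for sample_path, sample_headers, tls in samples:
        r = challenge(sample_path, sample_headers, tls)
        print(sample_path, sample_headers["User-Agent"], "->", r.status, r.headers)
```

One design choice differs from what the post implies: this model defaults any agent that does not look like a browser to Basic, rather than defaulting to the form and reverting only for recognized clients. That direction is safer for a device that cannot render the form, since it still gets a challenge it can answer. The post describes ISA's logic only as reading the User-Agent, so the exact rules the product applies are not known from it.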

Rune Flo Says:
May 10th, 2006 at 7:43 am
Hi Tom,
Very interesting article, this one. I’ve just installed ISA Server 2006 beta [Edge firewall] at a small startup company. Works like a charm so far. But I struggle to use the same Web listener and IP address for both OWA/FBA-enabled connections and connections from ActiveSync/RPC-HTTP clients. The Exchange Publishing rule complains about:
“You cannot require forms-based authentication when publishing an Exchange Active Sync (EAS) server”. I’ve checked “Use Basic authentication for non-browser based client requests” on the Web SSL Listener. Have you succeeded in getting this working? Or is my problem just “beta not finished yet”?
Regards,
Rune Flo.
tad braun Says:
May 12th, 2006 at 12:22 am
I would love to hear back from someone who has this new listener capability working…any caveats?
Alan Schmarr Says:
September 16th, 2006 at 6:46 pm
Hi,
I’ve got this working no problem.
Regards
Alan
James Willmott Says:
October 13th, 2006 at 11:55 am
For me, this now all works using one listener, FBA with Delegation set to Basic Auth and Users set to “All Authenticated Users”, with the exception of RPC over HTTPS…
RPC over HTTPS will only work if I use a separate rule and allow Integrated Authentication and set Users to “All Users”, which is not what I want to do…
I suspect the Exchange server may be at fault…
Igor Videc Says:
January 18th, 2007 at 10:23 am
Works fine for us except for one thing: Windows Mobile clients can sync without problems, but clients using Sony Ericsson P990i phones cannot sync any more.
The sync software in those phones is licensed ActiveSync (RoadSync).
Reading this, could the cause be that ISA doesn’t detect the Sony phone as a ‘non-understanding’ client, offers FBA to it, and the sync fails?
Thomas Shinder Says:
January 18th, 2007 at 11:20 am
It would be interesting to know what client type that phone sends when connecting to the server.
Tom
Raz Says:
January 26th, 2007 at 2:37 am
It works for me too, both OMA, OWA and RPC/HTTP with FBA. However, I found that Nokia and BlackBerry phones work fine (I did not try ActiveSync yet). However, OMA with an Ericsson 3G phone keeps returning an error (a very cryptic error on the phone, that the connection is not successful). There is not even a login request. I will try with a separate IP to see if it resolves it.
Heino Skov Says:
June 29th, 2007 at 2:02 am
Regarding the Sony Ericsson phones, it’s a problem with the ISA Server 2006 understanding that it’s a Sony Ericsson phone, and the ISA Server 2006 doesn’t turn off Forms Based Authentication.
You need to call Microsoft for a fix for this issue.
David B Says:
July 23rd, 2007 at 2:06 pm
OMA and OWA are working for me; however, ActiveSync will not work. “The security certificate on the server is not valid”. This is a VeriSign cert that is working in all browsers, including the OMA version on the phone.
fadi Says:
July 26th, 2007 at 3:09 am
Dear,
I have a PAP2, and my network is behind an ISA Firewall 2000, but it can’t connect to the login server.
Please help me with this problem.
Sam Says:
August 31st, 2007 at 6:20 pm
We have the same “The security certificate on the server is not valid” problem that others are seeing, and like them, no solution found yet.
Tom Shinder Says:
September 1st, 2007 at 9:12 am
Most likely reason is that the private key is not included.
Leeburley Says:
November 21st, 2007 at 3:20 pm
I have just upgraded based on this feature. This is still not working for me. I have a listener set up for FBA and OWA works fine. My BlackBerry devices still get denied. I have a rule configured as Basic and this works if I move it up the list. This of course changes OWA to Basic. I am only using the BlackBerry Internet Service, not BES, so in theory I thought they would hit my OWA FBA rule and then revert to Basic. Any ideas, people? I have got a workaround in that I can publish FBA from Exchange, but I didn’t need an upgrade to do that.
Scott Says:
March 5th, 2008 at 6:28 pm
I’m slightly confused as to where to enable this feature. Neither Tom’s article nor any of the comments say anything about WHERE to enable it. I’ve scoured every property page in both the Web publishing rule as well as the Web listener. Everybody is just assuming it’s obvious. So what am I missing?
tshinder Says:
March 5th, 2008 at 6:30 pm
You don’t have to enable it, it just works.