cscc Posted January 27, 2011

Basically, what we're trying to do is publish OWA 2003 and Exchange ActiveSync through our ISA 2004 firewall. Currently, these two things are configured successfully on our front end Exchange server. The problem lies in the fact that on ISA 2004, forms based authentication and other forms of authentication are mutually exclusive on the same listener. Basically, if forms based authentication is enabled on a web listener accepting incoming connections, then no other authentication method can be used at the same time on that IP address.

Currently, we have a rule in the firewall for OWA as follows:

OWA Firewall Rule
Action = Allow
From = Anywhere
To = frontendexchange.Domain.sch.uk, HTTP + HTTPS, tick "notify users to use HTTPS instead"
Listener = IntranetIP
Public Name = intranet.Domain.sch.uk 217.xxx.xx.xx
Users = All users
Paths = /exchange/* /exchweb/* /Microsoft-Server-ActiveSync/* /Public/*
Bridging = Web Server, redirect requests to HTTP port 80

Web Listener (IntranetIP)
Networks = External, Internal
Port (HTTP) = 80
Port (HTTPS) = 443
Certificate = Same as above
Authentication Methods = OWA FBA
Always Authenticate? Yes
Domain = Domain.Sch.Uk

If I want to get Exchange ActiveSync working, I have to edit the firewall rule, remove the above web listener and replace it with one specifically tailored for ActiveSync. This then enables ActiveSync to work, but OWA to fail. The configuration for ActiveSync is as follows:

Exchange ActiveSync Firewall Rule
It is a Mail Server Publishing Rule (will appear as a web rule when completed)
Action = Allow
From = Anywhere
To = frontendexchange.Domain.sch.uk, HTTPS only
Listener = Microsoft ActiveSync Listener
Public Name = intranet.Domain.sch.uk 217.xxx.xx.xx
Users = All users
Paths = /exchange/* /exchweb/* /Microsoft-Server-ActiveSync/* /Public/*
Bridging = Web Server, redirect requests to HTTP port 80

Exchange ActiveSync Listener Rule
Networks = External
Port (HTTP) = Disabled
Port (HTTPS) = 443
Certificate = Same as above
Authentication Methods = Basic
Always Authenticate? No
Domain = Domain.Sch.Uk

I'm aware that I can have the two firewall rules existing at the same time, but haven't bothered because it isn't fully functional at the moment anyway. I have already tried this: ISA Server 2004: Supporting Both Basic and Forms-based Authentication with a Single External IP Address and Web Listener (v1.1). It didn't work as expected. I'm now going to try and do it the official "Microsoft" way, but I'm a bit stuck.

As we're a school, we operate through SWGfL, who control which servers have what published over the internet. We can get most ports/protocols allowed, but it involves having to go through a change request process. The web address intranet.domain.sch.uk currently resolves to 10.x.x.x, which has been assigned to us by SWGfL.

Do I need to move the Exchange ActiveSync configuration onto a different server, obtain a different external IP address, and a different web address (and certificate) for it, or is there another way I can do it by just using our front end Exchange server and its one IP address/web address? If it helps, I believe our front end Exchange server has 2 network cards, one of which isn't in use. Lots of people seem to think I need to bind another external IP address to our firewall, but isn't it going to get a bit confused if I have 2 IP addresses pointing to the same web address?

Any tips and advice would be greatly appreciated. Thanks!
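Added example (not part of cscc's post, and not an ISA or Exchange tool): a small Python check that asks the published listener what it challenges with at the two paths from the rule above, so the listener conflict can be seen from the outside. An ActiveSync client expects a 401 with a Basic challenge on /Microsoft-Server-ActiveSync/, while browser users on /exchange/ should land on the forms logon; treating a redirect or an inline HTML page as forms-based is an assumption of this check, and the hostname passed in is whatever you publish.

```python
import http.client
import ssl

# Published paths taken from the rule in the post; ActiveSync clients start with OPTIONS.
PATHS = {"owa": "/exchange/", "activesync": "/Microsoft-Server-ActiveSync/"}

# What each path must present for its clients to work: ActiveSync needs a Basic
# challenge; OWA users are expected to be sent to the forms-based logon page.
EXPECTED = {"owa": {"forms-redirect", "forms-page"}, "activesync": {"basic"}}

def classify_challenge(status, headers):
    """Map a listener's response (status, lower-cased header dict) to the auth it enforces."""
    if status == 401:
        schemes = {p.strip().split()[0].lower()
                   for p in headers.get("www-authenticate", "").split(",") if p.strip()}
        if "basic" in schemes:
            return "basic"
        if schemes & {"negotiate", "ntlm"}:
            return "integrated"
        return "unknown-401"
    if status in (302, 303, 307):
        return "forms-redirect"  # assumption: FBA answers anonymous requests with a redirect
    if status == 200 and "text/html" in headers.get("content-type", "").lower():
        return "forms-page"      # assumption: the logon form itself is served inline
    return "none"

def https_probe(host, method, path):
    """Send one request to the listener on 443 and return (status, header dict)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=10,
                                       context=ssl.create_default_context())
    conn.request(method, path, headers={"User-Agent": "listener-check"})
    resp = conn.getresponse()
    headers = {}
    for name, value in resp.getheaders():  # merge repeated headers such as WWW-Authenticate
        name = name.lower()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    resp.read()
    conn.close()
    return resp.status, headers

def check_listener(host, probe=https_probe):
    """Return {kind: (observed_auth, ok)} for each published path on one listener."""
    results = {}
    for kind, path in PATHS.items():
        method = "OPTIONS" if kind == "activesync" else "GET"
        observed = classify_challenge(*probe(host, method, path))
        results[kind] = (observed, observed in EXPECTED[kind])
    return results
```

Run `check_listener("intranet.Domain.sch.uk")` from outside the firewall: with the OWA FBA listener in place the ActiveSync entry comes back as not ok, and with the Basic listener the OWA entry does, which is the mutual exclusion described in the post.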