Securing Exchange Server Using ISA Server 2004 and IPSec

Objectives

At the end of this lab, you will be able to:

Implement certificate authentication on a Microsoft® Outlook® Web Access (OWA) Web site.

Configure Microsoft Internet and Security Acceleration (ISA) Server to secure client connections to Exchange Server.

Configure ISA Server to secure Simple Mail Transfer Protocol (SMTP) messages.

Encrypt communication between network clients by using Internet Protocol Security (IPSec).

Scenario

You are the administrator for Northwind Traders. The company’s internal network contains an Active Directory® domain called NWtraders.msft. The network also consists of an extranet domain called Northwindtraders.msft. All domain controllers run Microsoft Windows Server™ 2003. The network also contains client computers running Microsoft Windows® XP and servers running Windows Server 2003. A portion of the Northwind Traders network infrastructure is illustrated below:

Computers

This lab uses the following computers: LON-DC1, LON-ISA1, and LON-CL1. Before you begin the lab, you must start and log on to these computers.

Estimated time to complete this lab: 75 minutes

Lab Setup

To complete each lab module, you need to review the following:

Virtual PC

This lab makes use of Microsoft Virtual PC 2004, an application that allows you to run multiple virtual computers on one computer. During the lab, you will switch among different windows, each of which contains a separate virtual machine running Windows Server 2003.

Before you start the lab, familiarize yourself with the following basics of Virtual PC:

To switch the focus for your mouse and keyboard to the virtual machine, click inside the virtual machine window.

To remove the focus from a virtual machine, move the mouse pointer outside the virtual machine window.

To issue the CTRL+ALT+DEL keyboard combination inside a virtual machine, use <RIGHT>ALT+DEL instead.

To adjust the size of the virtual machine window, drag the right bottom corner of the window.

To switch to full-screen mode, and to return from full-screen mode, press <RIGHT>ALT+ENTER.

To complete this lab, you need to start the virtual machines and then log on to the computers. In each exercise, you have to start only the virtual machines that are needed.

To log on to a computer in a virtual machine

1. Press <RIGHT>ALT+DEL (instead of CTRL+ALT+DEL) to open the logon dialog box.

2. Type the following information, and then click OK:

• User name: Administrator

• Password: P@ssw0rd

• Domain: NWTRADERS (if applicable)

3. In this lab, you will log on to LON-CL1 using the following information:

• User name: Don

• Password: P@ssw0rd

• Domain: NWTRADERS (if applicable)

Exercise 1 Implementing Certificate Authentication for OWA

In this exercise, you will configure secure authentication for OWA by configuring ISA Server 2004 to authenticate users using digital certificates.

Scenario

Northwind Traders has deployed Exchange Server 2003 and ISA Server 2004. As part of this deployment, you need to provide secure access to the Exchange Server mailboxes for users from the Internet. The first option for enabling this access is to use OWA so users can access their e-mail using a Web browser. However, the corporate security policy states that users should be able to access OWA only from computers with a valid client certificate. To enable this configuration, you will configure ISA Server to require Secure Sockets Layer (SSL) client certificates for all clients connecting to the OWA Web site.

Tasks Detailed steps

Note: This lab uses the following computers: LON-DC1, LON-ISA1, and LON-CL1.

Note: These first steps will be used to obtain a user certificate from the NWtraders certificate authority (CA) and to move the workstation outside the company firewall. Perform the following steps on the LON-CL1 computer.

1. Log on as Don and obtain a digital certificate using the Web enrollment form.

a. Log on as Don with the password of P@ssw0rd.

b. On the desktop, double-click the InternalClient batch file. This batch file changes LON-CL1’s IP address to 10.10.0.10, and configures the host file for internal name resolution.

c. Click Start, and then click Internet.

d. Type http://LON-DC1.nwtraders.msft/certsrv in the Address box, and then press ENTER.

e. In the logon box, log on using a user name of Don and a password of P@ssw0rd.

f. On the Welcome page, click Request a certificate.

g. On the Request a Certificate page, click User Certificate.

h. On the User Certificate - Identifying Information page, click Submit.

i. In the Potential Scripting Violation dialog box, click Yes. Click Yes at any other warnings.

j. On the Certificate Issued page, click Install this certificate.

k. In the Potential Scripting Violation dialog box, click Yes.

l. Close Internet Explorer.

2. Run a script to move LON-CL1 from the internal subnet to an external subnet outside of the firewall.

a. On the desktop, double-click the ExternalClient batch file.

This batch file changes LON-CL1’s IP address to 131.107.0.10, removes the static internal Domain Name System (DNS) entry, and configures a host file for external name resolution. This allows the simulation of an Internet-based host.

Note: Perform the following steps on the LON-DC1 computer.

3. Configure Microsoft Internet Information Services (IIS) to require SSL on the virtual directories used by OWA:

• /Exchange

• /ExchWeb

• /Public

a. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

b. Expand LON-DC1 (local computer), and then expand Web Sites.

c. Expand Default Web Site, right-click Exchange, and then click Properties.

OWA uses the virtual directories /Exchange, /ExchWeb, and /Public.

d. In the Exchange Properties dialog box, on the Directory Security tab, under Secure communications, click View Certificate.

Notice that a certificate is already installed on the Exchange Server. The certificate was issued to LON-DC1.nwtraders.msft.

e. Click OK.

f. Under Secure communications, click Edit. The Secure Communications dialog box opens.

g. Select the check box next to Require secure channel (SSL).

h. Select the check box next to Require 128-bit encryption.

i. Click OK to close the Secure Communications dialog box.

j. Click OK to close the Exchange Properties dialog box.

k. Right-click ExchWeb, and then click Properties.

l. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

m. Select the check box next to Require secure channel (SSL).

n. Select the check box next to Require 128-bit encryption.

o. Click OK to close the Secure Communications dialog box.

p. Click OK to close the ExchWeb Properties dialog box.

q. Right-click Public, and then click Properties.

r. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

s. Select the check box next to Require secure channel (SSL).

t. Select the check box next to Require 128-bit encryption.

u. Click OK to close the Secure Communications dialog box.

v. Click OK to close the Public Properties dialog box.

w. Close Internet Information Services (IIS) Manager.

x. Click Start, point to Administrative Tools, and then click Services.

y. Double-click Microsoft Exchange MTA Stacks. In the Startup type drop-down list, click Automatic. Click Apply.

z. Under Service Status, click Start. After the service starts, click OK. Close the Services console.

Note: Perform the following steps on the LON-ISA1 computer.

4. Create a new URL set. Name: LON-DC1 CA. URL: http://LON-DC1.nwtraders.msft/certsrv/*

a. Click Start, All Programs, Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.

b. In the ISA Server console, in the left pane, expand LON-ISA1, and then select Firewall Policy.

c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click URL Sets, and then click New URL Set.

d. In the New URL Set Rule Element dialog box, in the Name box, type LON-DC1 CA, and then click New.

e. In the new http://NewSiteName box, replace the text by typing http://LON-DC1.nwtraders.msft/certsrv/*, and then press ENTER.

f. Click OK to close the New URL Set Rule Element dialog box.

A new URL set named LON-DC1 CA for the URL http://LON-DC1.nwtraders.msft/certsrv is created.

5. Create a new access rule. Name: Allow HTTP from firewall to LON-DC1 CA. Applies to: HTTP. From network: Local Host. To URL set: LON-DC1 CA.

a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Create New Access Rule.

c. In the New Access Rule Wizard dialog box, in the Access rule name text box, type Allow HTTP from firewall to LON-DC1 CA, and then click Next.

d. On the Rule Action page, select Allow, and then click Next.

e. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.

f. In the Add Protocols dialog box, click Common Protocols, click HTTP, and click Add. Click Close to close the Add Protocols dialog box.

g. On the Protocols page, click Next.

h. On the Access Rule Sources page, click Add.

i. In the Add Network Entities dialog box, click Networks, click Local Host, and click Add. Click Close to close the Add Network Entities dialog box.

j. On the Access Rule Sources page, click Next.

k. On the Access Rule Destinations page, click Add.

l. In the Add Network Entities dialog box, click URL Sets, click LON-DC1 CA, and click Add. Click Close to close the Add Network Entities dialog box.

m. On the Access Rule Destinations page, click Next.

n. On the User Sets page, click Next.

o. On the Completing the New Access Rule Wizard page, click Finish. A new firewall policy rule is created that allows Hypertext Transfer Protocol (HTTP) from the Local Host network (ISA Server) to the certificate request URL on LON-DC1.

p. Click Apply to apply the new rule, and then click OK.

6. Connect to the CA on LON-DC1 to request a certificate. Template: Web Server. Name: mail.nwtraders.msft. Use computer store: Yes.

a. Open Internet Explorer. In the Address box, type http://LON-DC1.nwtraders.msft/certsrv, and then press ENTER.

b. In the Connect to LON-DC1.nwtraders.msft dialog box, complete the following information:

• User name: Administrator

• Password: P@ssw0rd

• Remember my password: disable (default)

c. Click OK. The Northwind Traders CA Certificate Services Web page appears.

d. On the Welcome page, click Request a certificate.

e. On the Request a Certificate page, click advanced certificate request.

f. On the Advanced Certificate Request page, click Create and submit a request to this CA.

g. On the next Advanced Certificate Request page, complete the following information:

• Certificate Template: Web Server

• Name: mail.nwtraders.msft

• Store certificate in the local computer certificate store: enable

• Leave all other settings as default

h. Click Submit.

i. In the Potential Scripting Violation message box, click Yes to confirm that you want to request a certificate now.

j. If a message box appears that warns you it might be possible for others to see the information when you send this to the Internet, click Yes to confirm that you want to continue.

k. On the Certificate Issued page, click Install this certificate.

l. In the next Potential Scripting Violation message box, click Yes to confirm that you want to add the certificate. Internet Explorer reports that the certificate is successfully installed. This certificate will be used to configure SSL connections from the OWA clients to the ISA Server computer.

m. Close Internet Explorer.

7. Refresh the ISA Server console, so that installed certificates are reread.

a. In the ISA Server console, in the left pane, right-click LON-ISA1, and then click Refresh. This step ensures that ISA Server rereads the list of installed certificates on LON-ISA1.

8. Create a new Web listener. Name: SSL. Port: 443. Certificate: mail.nwtraders.msft. Network: External.

a. In the left pane, select Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.

c. In the New Web Listener Definition Wizard dialog box, in the Web listener name text box, type SSL, and then click Next.

d. On the IP Addresses page, select External, and then click Next.

e. On the Port Specification page, complete the following information:

• Enable HTTP: disable

• Enable SSL: enable

• SSL port: 443 (default)

f. Click Select.

g. In the Select Certificate dialog box, select the mail.nwtraders.msft certificate, and then click OK.

h. On the Port Specification page, click Next.

i. On the Completing the New Web Listener Wizard page, click Finish. A new Web listener (using the mail.nwtraders.msft certificate on SSL port 443, on the IP address on the adapter on the External network) with the name SSL is created.

9. Configure the Web listener to accept only client certificates.

a. Double-click the SSL Web listener.

b. Click the Preferences tab.

c. Click the Authentication button.

d. Under Method, select SSL certificate.

e. Under Method, clear Integrated.

f. Click the check box next to Require all users to authenticate, and then click OK. Selecting SSL certificate authentication means that the OWA clients must have a client certificate installed in order to connect to the SSL Web listener. This listener will be used for the OWA publishing rule.

g. Click OK to close the SSL Properties dialog box.

h. At the Microsoft Internet and Acceleration Server 2004 prompt, click Yes.

10. Create an OWA mail server publishing rule. Name: Publish mail (OWA). Web mail server: LON-DC1.nwtraders.msft. Public name: mail.nwtraders.msft. Web listener: OWA SSL.

a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.

b. In the task pane, on the Tasks tab, click Publish a Mail Server.

c. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing Rule name text box, type Publish mail (OWA), and then click Next.

d. On the Select Access Type page, select Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync, and then click Next.

e. On the Select Services page, complete the following information and then click Next:

• Outlook Web Access: enable (is default)

• Outlook Mobile Access: disable (is default)

• Exchange ActiveSync: disable (is default)

• Enable high bit characters used by non-English character sets: enable

f. On the Bridging Mode tab, select Secure connection to clients and mail server, and then click Next.

g. On the Specify the Web Mail Server page, in the Web mail server box, type LON-DC1.nwtraders.msft, and then click Next.

The specified name of the Web mail server must match exactly the name in the Web Server certificate on LON-DC1. Otherwise, Internet Explorer on the client computers fails to connect and displays an error message (500 Internal Server Error - The target principal name is incorrect).

h. On the Public Name Details page, complete the following information:

• Accept requests for: This domain name (type below)

• Public name: mail.nwtraders.msft

i. Click Next. The specified public domain must match exactly the name in the Web Server certificate on LON-ISA1. Otherwise the connecting client computers will display a security alert message. (The name on the security certificate is invalid.)

j. On the Select Web Listener page, in the Web Listener list box, select SSL, and then click Next.

k. On the User Sets page, click Next.

l. On the Completing the New Mail Server Publishing Rule Wizard, click Finish. A new Web publishing rule is created that publishes the three OWA virtual directories on the Web site LON-DC1.nwtraders.msft as mail.nwtraders.msft on the External network.
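The two certificate-name matches that steps g and i depend on, as an added example that is not part of the original lab: a small Python checker that models both hops of the SSL-bridged OWA connection (browser to the ISA listener, ISA to the Web mail server) and reports the error the lab quotes for whichever hop would fail. The data classes, the wildcard rule, and the mistyped configuration are constructed for illustration, not taken from ISA Server.

```python
"""Check the two hostname/certificate matches in an SSL-bridged OWA publishing rule.

Constructed example. Certificate names are modelled as plain strings (the CN or
SAN dNSName values); the failure messages are the ones the lab text quotes.
"""
from dataclasses import dataclass
from typing import List


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Case-insensitive DNS name match. A leading '*' label matches exactly one
    label (the usual browser rule), so '*.nwtraders.msft' matches
    mail.nwtraders.msft but neither nwtraders.msft nor a.b.nwtraders.msft."""
    host = hostname.rstrip(".").lower().split(".")
    name = cert_name.rstrip(".").lower().split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        # Refuse wildcards that would cover a whole top-level domain.
        return len(host) > 2 and host[1:] == name[1:]
    return host == name


@dataclass
class BridgedOwaRule:
    public_name: str                 # Public Name Details page
    listener_cert_names: List[str]   # names in the Web listener certificate (ISA)
    web_mail_server: str             # Specify the Web Mail Server page
    backend_cert_names: List[str]    # names in the Web Server certificate (Exchange)


@dataclass
class HopCheck:
    hop: str
    ok: bool
    message: str


def check_bridged_owa_rule(rule: BridgedOwaRule) -> List[HopCheck]:
    """Return one result per SSL hop, in connection order."""
    results: List[HopCheck] = []

    # Hop 1: the browser validates the ISA listener certificate against the URL host.
    ok1 = any(hostname_matches(rule.public_name, n) for n in rule.listener_cert_names)
    results.append(HopCheck(
        "client -> ISA listener", ok1,
        "OK" if ok1 else "security alert: The name on the security certificate is invalid"))

    # Hop 2: ISA validates the Exchange certificate against the Web mail server name.
    ok2 = any(hostname_matches(rule.web_mail_server, n) for n in rule.backend_cert_names)
    results.append(HopCheck(
        "ISA -> Web mail server", ok2,
        "OK" if ok2 else "500 Internal Server Error - The target principal name is incorrect"))
    return results


def rule_is_valid(rule: BridgedOwaRule) -> bool:
    return all(r.ok for r in check_bridged_owa_rule(rule))


# The lab's configuration: the listener uses the mail.nwtraders.msft certificate and
# the certificate on the Exchange server was issued to LON-DC1.nwtraders.msft.
LAB_RULE = BridgedOwaRule(
    public_name="mail.nwtraders.msft",
    listener_cert_names=["mail.nwtraders.msft"],
    web_mail_server="LON-DC1.nwtraders.msft",
    backend_cert_names=["LON-DC1.nwtraders.msft"],
)

# Constructed misconfiguration: the Web mail server typed as the short NetBIOS name,
# which does not match the FQDN in the Exchange certificate (hop 2 fails).
MISTYPED_RULE = BridgedOwaRule(
    public_name="mail.nwtraders.msft",
    listener_cert_names=["mail.nwtraders.msft"],
    web_mail_server="LON-DC1",
    backend_cert_names=["LON-DC1.nwtraders.msft"],
)

if __name__ == "__main__":
    for label, rule in (("lab", LAB_RULE), ("mistyped", MISTYPED_RULE)):
        for r in check_bridged_owa_rule(rule):
            print(f"[{label}] {r.hop}: {r.message}")
```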

11. Examine the new OWA mail server publishing rule named Publish mail (OWA).

a. In the right pane, right-click Publish mail (OWA), and then click Properties.

b. In the Publish mail (OWA) Properties dialog box, select the To tab. OWA requires that the original host headers (https://mail.nwtraders.msft) be forwarded to the published server (LON-DC1).

c. Select the Traffic tab. The OWA publishing rule allows only Hypertext Transfer Protocol Secure (HTTPS) access, not HTTP access.

d. Select the Paths tab. The OWA publishing rule allows access only to the three virtual directories needed for OWA (/exchange, /exchweb and /public).

e. Select the Listener tab. The certificate name (mail.nwtraders.msft) exactly matches the name on the Public Name tab.

f. Select the Bridging tab. ISA Server redirects incoming requests to the HTTPS (443) port.

g. Click Cancel to close the Publish mail (OWA) Properties dialog box.

12. Apply the new rule.

a. In the right pane, click Apply to apply the new rule, and then click OK. The new Publish mail (OWA) rule is applied.

Note: Perform the following steps on the LON-CL1 computer.

13. Use Internet Explorer to securely connect to https://mail.nwtraders.msft/exchange.

a. Open Internet Explorer. In the Address box, type https://mail.nwtraders.msft/exchange, and then press ENTER.

b. Click OK at the security alert.

c. In the Choose a digital certificate dialog box, click OK. The certificate is used to authenticate on the ISA Server computer. If the client computer did not have a client certificate, then the connection would be denied.

d. In the Connect to mail.nwtraders.msft dialog box, complete the following information:

• User name: Don

• Password: P@ssw0rd

• Remember my password: disable (default)

e. Click OK. This logon is required to log on to the Exchange server. Internet Explorer displays the Outlook Web Access Inbox of the Administrator. The yellow lock icon at the bottom of the screen indicates that the connection uses SSL.

f. Close Internet Explorer.

Exercise 2 Configuring ISA Server to Secure Client Access to Exchange Server

In this exercise, you want to provide remote Outlook clients with the full functionality of Outlook when they connect to the Exchange server. You will configure ISA Server to enable two options for Outlook access. You will first configure ISA Server to publish the Exchange server for Outlook remote procedure call (RPC) clients. Then you will configure Exchange Server and ISA Server to publish the Exchange server for Outlook 2003 clients that can use RPC over HTTPS.

Scenario

In addition to configuring secure OWA access, some users at Northwind Traders also require access to their Exchange Server mailboxes using their Outlook clients. Some users use Outlook 2002, while others use Outlook 2003. You need to enable secure access to the Exchange server for both clients. For the Outlook 2002 clients, you need to enable Outlook RPC Publishing. For the Outlook 2003 clients, you need to implement RPC over HTTPS.

Tasks Detailed steps

Note: Perform the following steps on the LON-ISA1 computer.

1. Create a mail server publishing rule. Name: Publish mail Exchange RPC Server. Protocols: Outlook (RPC). Server: 10.10.0.2.

a. In the ISA Server console, in the left pane, select Firewall Policy.

b. In the right pane, select the first rule to indicate where the new rule will be added to the rule list.

c. In the task pane, on the Tasks tab, click Publish a Mail Server.

d. In the New Mail Server Publishing Rule Wizard dialog box, in the Mail Server Publishing Rule name box, type Publish mail Exchange RPC Server, and then click Next.

e. On the Select Access Type page, select Client access: RPC, IMAP, POP3, SMTP, and then click Next.

f. On the Select Services page, complete the following information:

• Outlook (RPC) - Standard port: enable

• Leave all other check boxes cleared

g. Click Next.

h. On the Select Server page, in the Server IP address text box, type 10.10.0.2, and then click Next.

i. On the IP Addresses page, select External, and then click Next.

j. On the Completing the New Mail Server Publishing Rule Wizard page, click Finish.

2. Examine the new mail server publishing rule named Publish mail Exchange RPC Server.

a. In the left pane, select Firewall Policy.

b. In the right pane, select Publish mail Exchange RPC Server, and then, in the task pane, on the Tasks tab, click Edit Selected Rule.

c. In the Publish mail Exchange RPC Server Properties dialog box, click the Traffic tab. The new mail server publishing rule allows traffic for the Exchange RPC Server protocol. This is a specialized version of the RPC Server protocol. The RPC Filter will only dynamically open ports for RPC requests that are related to Exchange Server.

d. On the Traffic tab, click Properties.

e. In the Exchange RPC Server Properties dialog box, select the Interfaces tab. A service can register itself with the RPC Service, using its Universal Unique Identifier (UUID). Client computers include the UUID in the RPC requests, to indicate which service they want to connect to. The default Exchange RPC Server protocol in ISA Server 2004 supports 17 different RPC UUIDs related to Exchange services. These are all published on a dynamically assigned port, if a connection request is received.

f. Click Cancel to close the Exchange RPC Server Properties dialog box.

g. Click Cancel to close the Publish mail Exchange RPC Server Properties dialog box.

3. Apply the new rule.

a. Click Apply to apply the new rule, and then click OK.

Note: Perform the following steps on the LON-CL1 computer.

4. Start Outlook 2003, and connect to the Exchange server using Outlook RPC.

a. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

b. If a prompt appears that Outlook has detected a new account, click NO to skip importing the account.

c. In the Connect to LON-DC1.nwtraders.msft dialog box, complete the following information:

• User name: Don

• Password: P@ssw0rd

• Remember my password: disable (default)

d. Click OK.

e. Click New.

f. In the new message window, complete the following information:

• To: Don

• Subject: Test mail through RPC

• (Message): Publish Exchange using RPC

g. Click Send. After a few moments click Send/Receive. Ignore any errors. After a few moments Outlook sends the message from the Outbox. It will then appear in the Inbox. This result shows that Outlook successfully connected to the Exchange Server on LON-CL1 by using RPC connections to the ISA Server computer.

h. In the Inbox, select the new message.

i. Close Outlook.

Note: Perform the following steps on the LON-DC1 computer.

5. Install the RPC over HTTP Proxy network service.

a. Click Start, point to Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

c. On the Windows Components page, select the Networking Services component (do not select the check box), and then click Details.

d. In the Networking Services dialog box, select the RPC over HTTP Proxy check box, and then click OK.

e. On the Windows Components page, click Next. If prompted for a file location, type C:\win2k3\i386. Please wait while Setup installs the RPC over HTTP Proxy network service.

f. Click OK at the Microsoft Certificate Services error, if it appears.

g. On the Completing the Windows Components Wizard page, click Finish.

h. Close the Add or Remove Programs window.

6. In the IIS Manager console, examine the RPC Proxy Server extension.

a. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. The IIS Manager console opens.

b. In the IIS Manager console, expand LON-DC1 (local computer), and then in the left pane, select Web Service Extensions. A new Web Service Extension is installed (RPC Proxy Server Extension). The status of the extension is Allowed.

7. Configure the /Rpc virtual directory. Anonymous access: No. Authentication method: Basic authentication only. Require SSL: Yes.

a. In the IIS Manager console, expand Web Sites, expand Default Web Site, and then, in the left pane, select Rpc.

b. Right-click Rpc, and then click Properties.

c. In the Rpc Properties dialog box, on the Directory Security tab, in the Authentication and access control section, click Edit.

d. In the Authentication Methods dialog box, enable Basic authentication.

e. In the IIS Manager warning message box, click Yes to confirm that you want to continue.

f. In the Authentication Methods dialog box, clear the options for Enable anonymous access and Integrated Windows authentication, and then click OK.

g. On the Directory Security tab, in the Secure communications box, click Edit.

h. In the Secure communications box, enable Require secure channel (SSL), and then click OK.

i. Click OK to close the Rpc Properties dialog box.

j. Close the IIS Manager console.

Note: Perform the following steps on the LON-DC1 computer.

8. Configure LON-DC1 as an RPC back-end server.

a. Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.

b. In Exchange System Manager, expand Administrative Groups, expand First Administrative Group, expand the Servers object, right-click LON-DC1, and then click Properties.

c. In the LON-DC1 Properties dialog box, click the RPC-HTTP tab, and then select the option next to RPC-HTTP back-end server.

d. In the Exchange System Manager warning message, click OK.

e. Click OK in the LON-DC1 Properties dialog box.

f. Click OK to configure the required ports automatically.

g. Click OK again at the reboot warning.

h. Close Exchange System Manager.

9. Configure the RPC Proxy network service to communicate with the Exchange server (LON-DC1.nwtraders.msft) on the following ports: 6001, 6002, and 6004. Because this lab has only one Exchange server rather than a separate front-end server and back-end server, you must still edit the registry to configure the Exchange server to use the required ports.

a. Open a Command Prompt window.

b. At the command prompt, type cd c:\tools, and then press ENTER.

c. Type rpccfg.exe /hd. The output of the command displays which ports on which computer the RPC Proxy service is allowed to create an RPC connection to. The default setting is: LON-DC1 100-5000.

d. Type rpccfg.exe /hr LON-DC1. This removes the current port range settings for LON-DC1. The next set of commands adds the required port ranges for both the NetBIOS name and the fully qualified domain name (FQDN) of the (back-end) computer running Exchange Server and the Global Catalog server. The RPC connections to the computer running Exchange Server are made at ports 6001, 6002, and 6004.

e. Type rpccfg.exe /ha LON-DC1 6001-6002 6004.

f. Type rpccfg.exe /ha LON-DC1.Nwtraders.msft 6001-6002 6004.

g. Type rpccfg.exe /hd. Notice that LON-DC1 is now configured to receive RPC connections at the 6001-6002 and 6004 port locations.

10. Restart the computer.

a. In the Command Prompt window, type net stop iisadmin. Type Y.

b. Type net stop msexchangesa. Type Y.

These commands shut down most of the Exchange Server services, which will speed up the restart.

c. Close the Command Prompt window.

d. Click Start and then click Shut Down.

In the next step, ensure that you restart LON-DC1 instead of shutting down LON-DC1.

e. In the Shut Down Windows dialog box, complete the following information: • What do you want the computer to do: Restart

f. Click OK. The LON-DC1 computer restarts. This will take a few minutes. You can continue with steps 12, 13, and 14 until LON-DC1 restarts.

11. Log on to the computer again as follows: User name: Administrator Password: P@ssw0rd Log on to: NWtraders

a. After the restart, at the Welcome to Windows dialog box, press <RIGHT>ALT-DEL (instead of CTRL-ALT-DEL).

b. In the Log On to Windows dialog box, complete the following information: • User name: Administrator • Password: P@ssw0rd • Domain: Nwtraders Then click OK to log on.

Note: Perform the following steps on the LON-ISA1 computer.

Note: In an earlier exercise to configure OWA, you have already requested a Web server certificate named mail.nwtraders.msft and created a Web listener on SSL port 443 that uses that certificate.

12. Configure the SSL Web listener to use Basic authentication.

a. In the ISA Server Management console, click Firewall Policy.

b. In the task pane, on the Toolbox tab, in the Network Objects section, expand Web Listeners.

c. Right-click SSL, and then click Properties.

d. In the SSL Properties dialog box, on the Preferences tab, click Authentication.

e. In the Authentication dialog box, in the Method list, disable SSL Certificate. A warning message box appears because currently no authentication method is selected.

f. In the warning message box, click OK to confirm that (currently) a request that requires authentication will be denied.

g. In the Authentication dialog box, in the Method list, enable Basic. Another warning message box appears, because Basic authentication results in passwords being transmitted over the network without encryption, if SSL is not used.

h. In the warning message box, click Yes to confirm that you want to continue.


i. Clear the check box next to Require all users to authenticate.

j. Click OK to close the Authentication dialog box.

k. Click OK to close the SSL Properties dialog box.

The Web listener is now configured to use Basic authentication.

13. Disable the Publish mail Exchange RPC Server rule.

a. In ISA Server Management, click Firewall Policy.

b. Right-click Publish mail Exchange RPC Server, and then click Disable.

c. Click Apply to apply the change, and then click OK.

You are going to create a new publishing rule that will enable the use of RPC over HTTP to access the Exchange server. By disabling the Exchange RPC rule, you can test the RPC over HTTP rule.

14. Create a secure Web publishing rule. Name: Publish mail (RPC over HTTPS) Web server: LON-DC1.nwtraders.msft/rpc Send host headers: Yes Public name: mail.nwtraders.msft/rpc Web listener: External Web 443 Forward basic authentication: Yes

a. In the right pane, select the first rule to indicate where the new rule will be added to the rule list.

b. In the task pane, on the Tasks tab, click Publish a Secure Web Server. The RPC connection from the Outlook client is inside a secure Web connection (HTTPS) to LON-ISA1.nwtraders.msft/rpc.

c. In the New SSL Web Publishing Rule Wizard dialog box, in the SSL Web publishing rule name text box, type Publish mail (RPC over HTTPS), and then click Next.

d. On the Publishing Mode page, select SSL Bridging, and then click Next.

e. On the Select Rule Action page, select Allow, and then click Next.

f. On the Bridging Mode page, select Secure connection to clients and Web server, and then click Next.

g. On the Define Website to Publish page, complete the following information: • Computer name or IP address: LON-DC1.nwtraders.msft • Forward the original host header: enable • Path: rpc/*

h. Click Next. The published Web site is LON-DC1.nwtraders.msft/rpc.

i. On the Public Name Details page, complete the following information: • Accept requests for: This domain name (type below) • Public name: mail.nwtraders.msft • Path: /rpc/* (default)

j. Click Next. The public name of the Web site is mail.nwtraders.msft/rpc.

k. On the Select Web Listener page, in the Web Listener list box, select SSL, and then click Next.

l. On the User Sets page, click Next.

m. On the Completing the New Web Publishing Rule Wizard page, click Finish. A new secure Web publishing rule is created that publishes the Web site at LON-DC1.nwtraders.msft/rpc as mail.nwtraders.msft/rpc on the External network.


n. In the right pane, right-click Publish mail (RPC over HTTPS), and then click Properties.


o. In the Publish mail (RPC over HTTPS) Properties dialog box, on the Users tab, enable Forward Basic authentication credentials, and then click OK.

In the current configuration, ISA Server allows anonymous connections. However, if the publishing rule or the Web listener is configured to require authentication, the authentication credentials should be forwarded to the RPC Proxy on LON-DC1. This prevents multiple authentication prompts when a user creates a connection.

p. Click Apply to apply the new rule, and then click OK.

Note: Perform the following steps on the LON-CL1 computer.

15. Configure the e-mail account in the current Outlook profile to use RPC over HTTP: URL: mail.nwtraders.msft Use SSL only: Yes Principal name: msstd:mail.nwtraders.msft On fast/slow networks, use HTTP first: Yes Proxy authentication: Basic

a. Click Start, click Control Panel, and then double-click Mail.

b. In the Mail Setup - Outlook dialog box, click E-mail Accounts.

c. In the E-mail Accounts dialog box, select View or change existing e-mail accounts, and then click Next.

d. On the E-mail Accounts page, ensure that Microsoft Exchange Server is selected, and then click Change.

e. On the Exchange Server Settings page, click More Settings.

f. In the Microsoft Exchange Server dialog box, on the Connection tab, enable Connect to my Exchange mailbox using HTTP, and then click Exchange Proxy Settings.

g. In the Exchange Proxy Settings dialog box, complete the following information: • Use this URL (https://): mail.nwtraders.msft • Connect using SSL only: enable (default) • Mutually authenticate the session: enable • Principal name for proxy server: msstd:mail.nwtraders.msft • On fast networks, connect using HTTP first: enable • On slow networks, connect using HTTP first: enable (default) • Proxy authentication setting: Basic Authentication

h. Click OK. The msstd form is Microsoft's standard to refer to RPC principal names. After connecting, Outlook verifies that it is connected to the correct server, by using the msstd principal name. The distinction between a fast network and a slow network is determined by the speed that the network adapter reports. If it reports less than 128 Kbps, it is considered a slow network. If this option is enabled, Outlook attempts to connect by using HTTP (RPC over HTTP) first, and then by using TCP/IP (RPC).

i. Click OK to close the Microsoft Exchange Server dialog box.

j. On the Exchange Server Settings page, click Next.

k. On the E-mail Accounts page, click Finish.

l. Click Close to close the Mail Setup - Outlook dialog box.

m. Close Control Panel.


16. Start Outlook 2003, and then examine the network connections. Use: netstat -ano Use: Connection Status

a. Open a Command Prompt window.

b. At the command prompt, type netstat -ano | find "EST", and then press ENTER.

The output of the command displays zero or more established Transmission Control Protocol/Internet Protocol (TCP/IP) network connections from the LON-CL1 computer before Outlook is started.

c. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Outlook 2003.

d. In the Connecting to LON-DC1.nwtraders.msft dialog box, complete the following information: • User name: nwtraders\Don • Password: P@ssw0rd

e. Click OK. Outlook 2003 starts and displays Don Hall’s Inbox.

f. Switch to the Command Prompt window.

g. At the command prompt, type netstat -ano | find "EST", and then press ENTER.

h. The output of the command now displays multiple established connections from the LON-CL1 computer (131.107.0.10) to the ISA Server computer (131.107.0.1). All the connections use TCP port 443 on the ISA Server computer.

i. Close the Command Prompt window.

j. Press the CTRL key, and then click the Outlook icon in the system tray area.

k. In the context menu of the system tray Outlook icon, click Connection Status. The Exchange Server Connection Status window lists a number of connections from Outlook to LON-DC1.nwtraders.msft. The HTTPS values in the Conn column indicate that RPC over HTTPS connections are used.

l. Click Close to close the Exchange Server Connection Status window.

m. Close Outlook.
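The check in step h (every connection from Outlook to the ISA Server computer is on TCP port 443) is what demonstrates that the disabled Exchange RPC rule from task 13 is not being used. The following Python is an added example, not part of the lab: it parses netstat -ano output in the form Windows prints it and makes that check mechanical, flagging any connection from the Outlook process to the ISA Server address on a port other than 443. The netstat lines and the Outlook process ID are constructed; the addresses are the lab's.

```python
"""Check that Outlook's connections to the ISA Server are all RPC over HTTPS (TCP 443).

Added example, not part of the lab. Parses `netstat -ano` output as Windows prints it.
Sample output and the Outlook PID are constructed; the addresses are the lab's."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ISA_EXTERNAL_IP = "131.107.0.1"  # LON-ISA1's external address, from the lab
OUTLOOK_PID = 1820               # constructed PID for OUTLOOK.EXE on LON-CL1


@dataclass(frozen=True)
class Connection:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    pid: int


def _split_endpoint(endpoint: str) -> tuple[str, int]:
    """'131.107.0.1:443' -> ('131.107.0.1', 443); '[::1]:445' -> ('::1', 445)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_netstat(text: str) -> list[Connection]:
    """Keep TCP rows only: they have five columns. Headers and UDP rows (four columns) are skipped."""
    conns: list[Connection] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        laddr, lport = _split_endpoint(fields[1])
        raddr, rport = _split_endpoint(fields[2])
        conns.append(Connection("TCP", laddr, lport, raddr, rport, fields[3], int(fields[4])))
    return conns


def established(conns: list[Connection], pid: Optional[int] = None) -> list[Connection]:
    """The established connections, optionally only those owned by one process."""
    return [c for c in conns if c.state == "ESTABLISHED" and (pid is None or c.pid == pid)]


def check_rpc_over_https(text: str, isa_ip: str = ISA_EXTERNAL_IP, pid: int = OUTLOOK_PID) -> dict:
    """Summarise the process's established connections to the ISA Server.

    'unexpected' lists remote ports other than 443. Anything there means Outlook
    reached ISA Server by some path other than the published RPC over HTTPS rule,
    which is exactly what disabling the Exchange RPC rule in task 13 should rule out."""
    conns = established(parse_netstat(text), pid)
    to_isa = [c for c in conns if c.remote_addr == isa_ip]
    return {
        "established": len(conns),
        "to_isa": len(to_isa),
        "https": sum(1 for c in to_isa if c.remote_port == 443),
        "unexpected": sorted({c.remote_port for c in to_isa if c.remote_port != 443}),
        "ok": bool(to_isa) and all(c.remote_port == 443 for c in to_isa),
    }


# Constructed `netstat -ano` output (without the find filter, so the parser's
# handling of header, TIME_WAIT, LISTENING and UDP rows is visible).
NETSTAT_AFTER_OUTLOOK = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    131.107.0.10:1042      131.107.0.1:443        ESTABLISHED     1820
  TCP    131.107.0.10:1043      131.107.0.1:443        ESTABLISHED     1820
  TCP    131.107.0.10:1044      131.107.0.1:443        ESTABLISHED     1820
  TCP    131.107.0.10:1045      131.107.0.1:443        TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:445            *:*                                    4
"""

# Same client, but one connection reached ISA Server on TCP 135 (RPC endpoint mapper):
# what you would see if the Exchange RPC rule were still enabled and in use.
NETSTAT_DIRECT_RPC = NETSTAT_AFTER_OUTLOOK + \
    "  TCP    131.107.0.10:1050      131.107.0.1:135        ESTABLISHED     1820\n"

if __name__ == "__main__":
    print(check_rpc_over_https(NETSTAT_AFTER_OUTLOOK))
    print(check_rpc_over_https(NETSTAT_DIRECT_RPC))
```

On a real client, pass the text of netstat -ano and the PID shown for OUTLOOK.EXE in Task Manager; the "ok" key is True only when Outlook has at least one established connection to the ISA Server and all of them are on port 443.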


Exercise 3 Implementing SMTP Message Security

In this exercise, you will configure both the ISA Message Screener and the Exchange Intelligent Message Filter (IMF) in order to increase SMTP message security.

Scenario

Northwind Traders has been receiving a large amount of unsolicited commercial e-mail (UCE), also known as spam. You have decided to use two forms of defense against spam. First, you will configure the ISA Message Screener at the edge of your network. This gateway configuration stops all e-mail that explicitly matches your configuration. Next, you will configure the Exchange IMF, which rates every e-mail message received in the organization to determine whether it is junk e-mail.

Tasks Detailed steps

Note: Perform the following steps on the LON-ISA1 computer. Note that the Message Screener and the Exchange IMF have already been installed on the computers.

1. Configure the SMTP service on LON-ISA1. Because the SMTP Message Screener component is installed on the same server as ISA Server, you must configure the SMTP server to listen only on the internal IP address of the computer running ISA Server. Then you will configure ISA Server to publish that IP address as the SMTP server. You also need to configure the SMTP server to relay messages for the internal domain, nwtraders.msft.

a. Open Internet Information Services (IIS) Manager from the Administrative Tools folder.

b. Expand LON-ISA1(local computer), and then right-click Default SMTP Virtual Server and click Properties.

c. On the General tab, in the IP address list, click 10.10.0.1.

d. On the Access tab, click Relay. In the Relay Restrictions dialog box, ensure that Only the list below is selected, and that Allow all computers which successfully authenticate to relay regardless of the list above is selected. This configuration means that authenticated users can relay through this server, but no one else can. Click OK, and then click OK again to close the Default SMTP Virtual Server Properties.

e. Expand Default SMTP Virtual Server, right-click Domains and point to New, and then click Domain.

f. On the Welcome to the New SMTP Domain Wizard page, accept the default choice of Remote, and then click Next.

g. On the Domain Name page, type nwtraders.msft, and then click Finish.

h. Select Domains, right-click nwtraders.msft, and then click Properties.

i. On the General tab, click Allow incoming mail to be relayed to this domain. Under Route domain, click Forward all mail to smart host, and type [10.10.0.2] (including the brackets). Click OK.

j. Right-click Default SMTP Virtual Server and then click Stop. Right-click Default SMTP Virtual Server again, and click Start.

k. Close Internet Information Services (IIS) Manager.


2. Configure the SMTP firewall policy.

a. Open ISA Server Management. In the console tree, click Firewall Policy.

b. On the Tasks tab, click Publish a Mail Server. The New Mail Server Publishing Rule Wizard starts.

c. Name the policy LON-DC1, and then click Next.

d. In the Select Access Type dialog box, click the radio button next to Client access: RPC, IMAP, POP3, SMTP. Click Next.

Normally, you would create an SMTP Server publishing rule. However, you will be configuring a Microsoft Outlook Express profile for Don Hall to test the message filter, and that profile requires Post Office Protocol 3 (POP3) and SMTP.

e. In the Select Services dialog box, under Standard Ports, select SMTP and POP3. Click Next.

f. In the Select Server dialog box, type 10.10.0.2 and then click Next.

g. In the IP Addresses dialog box, select the check box next to External. Click Next.

h. Click Finish.

3. Configure the Message Screener to delete any e-mail message that contains the word Diploma. You will also configure the Message Screener to delete any e-mail message that has an attachment with a .bat extension.

a. Right-click the LON-DC1 SMTP Server access rule, and click Properties.

b. On the To tab, change the IP address to 10.10.0.1. Click OK.

c. Expand Configuration, and then click Add-ins. On the Application Filters tab, right-click SMTP Filter, and then click Properties.

d. On the Keywords tab, click Add to open the Mail Keyword Rule dialog box. In the Keyword box, type diploma.

e. In the Action list, click Delete message. Click OK.

f. Click the Attachments tab, and then click Add.

g. Click Attachment extension and in the Attachment extension box, type .bat.

h. Accept the default option of deleting the message, and then click OK.

i. Click OK to close the SMTP Filter Properties dialog box.

j. Click Apply to apply the changes, and then click OK when the changes have been applied.

Note: Perform the following steps on the LON-CL1 computer.

4. Test the SMTP message screener configuration.

a. Click Start, point to All Programs, and then click Outlook Express.

b. Create a new e-mail message and send it to [email protected]. Use a subject line of Free Diploma!!!

c. Send a second e-mail message with a subject line of Attachment to [email protected]. Attach the Externalclient.bat file to the e-mail message. (You can find the attachment on the desktop.)

d. Close Outlook Express.


Note: Perform the following steps on the LON-DC1 computer.

5. Verify that the administrator did not receive the e-mail message with the subject line of Free Diploma.

a. Open Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Clear the check box beside Use a proxy server for your LAN. Click OK twice.

b. Type https://LON-DC1.nwtraders.msft/exchange in the Address box, and then press ENTER. Click OK at the Security Alert.

c. In the Connect to LON-DC1.nwtraders.msft dialog box, log on using nwtraders\administrator and a password of P@ssw0rd.

d. Click the Inbox and confirm that the administrator did not receive the e-mail message with the subject line of Free Diploma or the e-mail message with the Externalclient.bat attachment.

e. Close Internet Explorer.

6. Configure the Exchange IMF. To add another layer of defense against spam, you configure the Exchange IMF.

a. Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager. Exchange System Manager opens.

b. Expand Global Settings, right-click Message Delivery, and then click Properties.

c. On the Intelligent Message Filtering tab, configure the Gateway Blocking Configuration rating to 9, and the Store Junk E-mail Configuration to 1.

With the Store Junk E-mail Configuration set to 1, all e-mail is treated as junk mail for the purposes of this exercise.

d. In the When blocking messages list, select Archive.

e. Click OK.

f. In the left pane, expand Administrative Groups, First Administrative Group, Servers, LON-DC1, Protocols, and SMTP, and then click Intelligent Message Filtering.

g. Right-click Intelligent Message Filtering, and then click Properties.

h. In the Virtual Server list, verify that the check box next to Default SMTP Virtual Server is selected. Click OK.

i. Click Start, point to Administrative Tools, and then click Services.

j. Right-click Microsoft Exchange System Attendant and then click Restart. Restart associated services as prompted.

Note: Perform the following steps on the LON-CL1 computer.

7. Test the message security using the Intelligent Message Filtering utility.

a. Click Start, point to All Programs, and then click Outlook Express.

b. Send an e-mail message to [email protected]. Use a subject line of This is not a hoax – junk email.


Note: Perform the following steps on the LON-DC1 computer.

8. Verify that e-mail is routed to the Junk E-mail folder.

a. Open Internet Explorer and type https://LON-DC1.nwtraders.msft/exchange in the Address box. Press ENTER. Click OK at the Security Alert.

b. In the Connect to LON-DC1.nwtraders.msft dialog box, log on using nwtraders\administrator and a password of P@ssw0rd.

c. Click the Junk E-mail folder and confirm that the administrator received an e-mail message with the subject line This is not a hoax – junk email.

You should have an e-mail message in the Junk E-mail folder. Note that the ISA Message Screener is still blocking the specific entries you configured, while the IMF catches any spam that makes it past the Message Screener.

d. Close all windows in LON-ISA1, LON-DC1, and LON-CL1.
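The two layers that this exercise builds, the Message Screener rules from task 3 and the IMF thresholds from task 6, can be modelled end to end so that the behaviour verified in tasks 5 and 8 is explicit. The following Python is an added example, not ISA Server, Exchange or Microsoft code: stage 1 applies the task 3 rules (delete on the keyword "diploma", delete on a .bat attachment) to a raw SMTP message, and stage 2 applies the task 6 thresholds (gateway blocking at SCL 9 with the Archive action, store junk at SCL 1) to whatever stage 1 accepts. Assumptions not on the page: the keyword is matched in the Subject header and the text body (the lab does not say where the Message Screener looks), both IMF thresholds are applied as "greater than or equal to" (check the wording on the Intelligent Message Filtering tab), the IMF's own scoring is not reproduced so the SCL is supplied as a constructed number, and the sample messages and addresses are constructed.

```python
"""Two-stage SMTP defence modelled on Exercise 3 (added example; not ISA Server or Exchange code).

Stage 1 mimics the Message Screener rules from task 3; stage 2 mimics the IMF
thresholds from task 6. ASSUMPTIONS: keyword matching covers Subject plus text body;
both IMF thresholds apply as "greater than or equal to"; the SCL is an input, not computed."""
from __future__ import annotations
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

KEYWORD_RULES = {"diploma": "delete"}   # task 3, steps d and e
EXTENSION_RULES = {".bat": "delete"}    # task 3, steps g and h

GATEWAY_BLOCK_SCL = 9       # task 6, step c: Gateway Blocking Configuration
GATEWAY_ACTION = "archive"  # task 6, step d: When blocking messages -> Archive
STORE_JUNK_SCL = 1          # task 6, step c: Store Junk E-mail Configuration


def screen_message(raw: str) -> tuple[str, list[str]]:
    """Stage 1. Return ("delete" or "accept", reasons) for one raw RFC 2822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: list[str] = []
    body = msg.get_body(preferencelist=("plain", "html"))
    haystack = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    for keyword, action in KEYWORD_RULES.items():
        if keyword in haystack:
            reasons.append(f"keyword {keyword!r}: {action}")
    # The extension rule matches only the declared file name, like the Message Screener
    # rule configured in task 3; the name is lower-cased so .BAT is caught as well.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        for ext, action in EXTENSION_RULES.items():
            if name.endswith(ext):
                reasons.append(f"attachment {name!r}: {action}")
    return ("delete" if reasons else "accept"), reasons


def imf_route(scl: int) -> str:
    """Stage 2. Gateway blocking is evaluated before the store threshold."""
    if scl >= GATEWAY_BLOCK_SCL:
        return GATEWAY_ACTION
    if scl >= STORE_JUNK_SCL:
        return "junk"
    return "inbox"


def deliver(raw: str, scl: int) -> tuple[str, list[str]]:
    """Run both stages in the lab's order: Message Screener at the ISA edge, then IMF on LON-DC1."""
    verdict, reasons = screen_message(raw)
    if verdict == "delete":
        return "deleted-by-screener", reasons
    return imf_route(scl), reasons


def build_sample(subject: str, body: str, attachment_name: Optional[str] = None,
                 attachment: bytes = b"") -> str:
    """Constructed test message; the addresses are placeholders, not the lab's recipients."""
    msg = EmailMessage()
    msg["From"] = "don@example.invalid"
    msg["To"] = "administrator@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    # The three messages the lab sends, with constructed SCL scores for the ones that pass stage 1.
    print(deliver(build_sample("Free Diploma!!!", "Hello"), 0))
    print(deliver(build_sample("Attachment", "See attached.", "Externalclient.bat", b"@echo off\r\n"), 0))
    print(deliver(build_sample("This is not a hoax - junk email", "Act now!"), 5))
```

The first two messages never reach the IMF, which is why task 5 finds neither in the Inbox; the third is accepted by the screener and lands in Junk E-mail because any SCL of 1 or more clears the store threshold, matching what task 8 verifies.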


Exercise 4 Implementing IPSec to Secure Network Traffic

In this exercise, you will secure communication between all computers and the LON-DC1 computer.

Scenario

You want to increase security by configuring all domain controllers to request IPSec security. All client computers will be configured to respond with IPSec when it is requested.

Tasks Detailed steps

Note: Perform the following steps on the LON-DC1 computer.

1. Configure the Domain Controllers OU to request IPSec security.

a. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

b. Expand nwtraders.msft, and then click the Domain Controllers OU.

c. Right-click the Domain Controllers OU, and then click Properties.

d. In the Domain Controllers Properties dialog box, click the Group Policy tab.

e. Click Edit. The Default Domain Controllers Policy opens in the Group Policy Object Editor.

f. In the left pane, expand Computer Configuration, Windows Settings, Security Settings, and then click IP Security Policies on Active Directory (nwtraders.msft).

g. In the right pane, right-click Server (Request Security).

h. Click Assign.

i. Close the Group Policy Object Editor window.

j. In the Domain Controllers Properties dialog box, click OK.

2. Configure the client computers to respond to IPSec requests.

a. Right-click nwtraders.msft, point to New, and then click Organizational Unit.

b. In the Name text box, type Trusted clients. Click OK.

c. Click the Computers container.

d. Select all computer objects in the Computers container.

e. Click the highlighted objects and drag them to the Trusted Clients OU.

All of the computer objects are moved to the Trusted Clients OU.

f. Right-click the Trusted Clients OU, and then click Properties.

g. In the Trusted Clients Properties dialog box, click the Group Policy tab.

h. Click New.

i. Name the policy IPSec Policy.

j. Click Edit. The IPSec Policy opens in the Group Policy Object Editor.


k. In the left pane, expand Computer Configuration, Windows Settings, Security Settings, and then click IP Security Policies on Active Directory (nwtraders.msft).

l. In the right pane, right-click Client (Respond Only).

m. Click Assign.

n. Close the Group Policy Object Editor window.

o. In the Trusted Clients Properties dialog box, click Close.

p. Close Active Directory Users and Computers.

q. Open a Command Prompt window. Type GPUpdate /force.

r. Close the Command Prompt window.

Note: Perform the following steps on the LON-CL1 computer.

3. Verify that you can still connect from an outside client (LON-CL1) to the internal Exchange server.

a. Open Internet Explorer. In the Address box, type https://mail.nwtraders.msft/exchange, and then press ENTER.

b. Click OK at the security alert.

c. In the Connect to mail.nwtraders.msft dialog box, complete the following information: • User name: Don • Password: P@ssw0rd • Remember my password: disable (default)

d. Click OK.

Note: Perform the following steps on the LON-DC1 computer.

4. View IPSec Active Policy details by using the IP Security Monitor.

a. Click Start, click Run, and then type MMC in the Open box. Click OK.

b. On the File menu, click Add/Remove Snap-in.

c. Click Add.

d. In the Add Standalone Snap-in dialog box, scroll down and select IP Security Monitor.

e. Click Add, click Close, and then click OK again to close the Add/remove snap-in dialog box.

f. Expand IP Security Monitor, expand LON-DC1, and then click Active Policy.

g. In the details pane, view the Active Policy information.

h. In the left pane, expand the Quick Mode node and then click Statistics.

i. Click Security Associations.

j. Notice the association between 10.10.0.1 (LON-ISA1) and 10.10.0.2 (LON-DC1).

Note: Perform the following step on all computers.

5. Shut down computers.

a. Shut down all virtual machines without saving the changes.
