Logo
programming4us
programming4us
programming4us
programming4us
 Home
programming4us
 XP
programming4us
 Windows Vista
programming4us
 Windows 7
programming4us
 Windows Azure
programming4us
 Windows Server
programming4us
 Windows Phone
 
Windows Server

Exchange Server 2007 : Securing Access to ActiveSync Using Internet Security and Acceleration (ISA) Server 2006

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
11/4/2011 9:17:08 AM
Allowing your information workers access to a technology like ActiveSync can do wonders for productivity, but can also potentially expose your organization to threats from the outside. Just like Outlook Web Access or Outlook Anywhere, ActiveSync requires a web connection to be available to a CAS. Because ActiveSync is meant to be used when out of the office, the web traffic must go over the Internet and must be accessible without requiring a specific virtual private network (VPN) client to be utilized.

This creates somewhat of a dilemma, as the HTTP used by ActiveSync can be subject to attack, potentially exposing your organization to unnecessary risk. Fortunately, however, Microsoft Exchange Server 2007 can be readily secured against these types of attack with the use of an Application-layer inspection product such as the Internet Security and Acceleration (ISA) Server 2006 product available from Microsoft.

Understanding How ISA Server 2006 Can Protect ActiveSync

ISA Server 2006 is an Application-layer aware firewall that can filter HTTP traffic for exploits and scumware. It can reside inline to the ActiveSync traffic (as a traditional firewall), or as a dedicated reverse proxy system that sits in the demilitarized zone (DMZ) of a packet-filter firewall, similar to the scenario shown in Figure 1.

Figure 1. Understanding ISA securing concepts for ActiveSync.

In this scenario, the client believes it is directly accessing the CAS, but it is instead being secretly authenticated and scanned at the ISA server itself. Using this scenario or the inline firewall scenario with ISA Server 2006 is a highly useful way to secure the ActiveSync traffic.

Creating an ActiveSync Securing Rule in ISA Server 2006

To create the rule in the ISA Server console, perform the following steps:

1.
Open the ISA Management Console and navigate to the Firewall Policy node in the console pane.

2.
On the Tasks tab of the tasks pane, click the Publish Exchange Web Client Access link.

3.
Enter a descriptive name in the welcome dialog box, such as “ActiveSync Rule,” and click Next.

4.
In the Select Services dialog box, shown in Figure 2, change the Exchange version to Exchange Server 2007, and then check the Exchange ActiveSync check box. Click Next to continue.
Figure 2. Creating an ActiveSync rule with ISA Server 2006.


5.
In the Publishing Type dialog box, click the Publish a Single Web Site or Load Balancer, and click Next to continue.

6.
In the Server Connection Security dialog box, shown in Figure 3, click the Use SSL to Connect to the Published Web Server or Server Farm option. This creates an end-to-end SSL connection. Click Next to continue.
Figure 3. Securing the ISA rule with SSL.


7.
For the internal site name, enter the FQDN that clients use to connect to the CAS, as shown in Figure 4. In this case, the name should match what the external clients use, as problems can be encountered when using SSL if the names do not match. If internal DNS does not forward that FQDN to the CAS, you might need to fool the ISA server by using a hosts file to make it resolve the FQDN to the CAS. Click Next to continue.
Figure 4. Creating an ActiveSync securing rule with ISA.


8.
Under Public Name Details, enter “This domain name,” and then type in the FQDN of the public name, such as mail.companyabc.com. Click Next to continue.

9.
For Web Listener, either choose an existing listener that can be used for OWA or Outlook Anywhere, or click the New button. This scenario assumes you are creating a new listener. Click the New button.

10.
At the start of the Web Listener Wizard, enter a descriptive name for the listener, such as Exchange HTTP/HTTPS Listener, and click Next to continue.

11.
A prompt appears to choose between SSL and non-SSL. This prompt refers to the traffic between the client and ISA, which should always be SSL whenever possible. Click Next to continue.

12.
Under Web Listener IP addresses, select the External Network, and leave it at All IP Addresses. Click Next to continue.

13.
Under Listener SSL Certificates, click Select Certificate.

14.
Select the mail.companyabc.com certificate. If the certificate is not on the ISA server, it must be installed into the Certificates store of the ISA server.

15.
Click Next to continue.

16.
For the type of authentication, choose HTTP Authentication and then check the Basic check box, as shown in Figure 5. Leave Windows (Active Directory) selected, and click Next.
Figure 5. Selecting Basic authentication for the ISA ActiveSync rule.


17.
Click Next at the Single Sign on Settings dialog box. SSO is not available with Basic authentication.

18.
Click Finish to end the wizard.

19.
Click Next after the new listener is displayed in the Web Listener dialog box.

20.
Under Authentication Delegation, choose Basic from the drop-down list. Basic is used as the secured transport mechanism chosen. Click Next to continue.

21.
Under User Sets, leave All Authenticated Users selected. In stricter scenarios, only specific AD groups can be granted rights to OWA using this setting. In this case, the default is fine. Click Next to continue.

22.
Click Finish to end the wizard.

23.
Click Apply in the details pane, and then click OK when you are finished to commit the changes.

The ActiveSync Policy will then show up in the details pane, as shown in Figure 6. Further customization of the rule can take place if necessary.

Figure 6. Viewing the ActiveSync rule in ISA Server 2006.
Other -----------------
- Exchange Server 2007 : Working with ActiveSync Policies
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 3)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 2)
- Microsoft Lync Server 2010 Edge : Reverse Proxy Configuration (part 1) - Create Web Listener
- InfoPath Designer 2010 : Create an InfoPath 2010 Add-In & Create a Custom Task Pane
- InfoPath Designer 2010 : Access Your Form Within a Visual Studio Workflow
- Microsoft SQL Server 2008 R2 : Query Plan Caching (part 2) - Monitoring the Plan Cache
- Microsoft SQL Server 2008 R2 : Query Plan Caching (part 1) - Query Plan Reuse & Query Plan Aging
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Posting general journals
- Microsoft Dynamics AX 2009 : Processing Business Tasks - Creating new general journals
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
 Windows Vista
programming4us
 Windows 7
programming4us
 Windows Azure
programming4us
 Windows Server