Integrating ISA Server and Exchange Server
How email works
Mail server
• A mail server is typically a combination of processes running on a server with large storage capacity: a list of users and rules, and the capability to receive, send and store emails and attachments
• Mail server software: MDaemon, Exchange Server 2003, …
Why use Exchange 2003
• Backup and restore
• High availability
• Help migrating from older systems
• Security improvements
• Protection of e-mail
Exchange 2003 Outlook Web Access (OWA)
Exchange 2003 Mobile Capabilities
Diagram: Exchange 2003 servers sit behind an ISA firewall; clients reach them over the Internet or a wireless network: OWA clients (HTTP/HTML); Pocket PC, Smartphone and third-party sync (HTTP/HTML); Outlook Mobile Access for WAP 2.0 and iMode (xHTML, cHTML); Outlook clients (RPC/HTTP)
The goals of an attack
• Steal data
• Blackmail
• Launchpad for attacks on others
• Bragging rights
• Vandalism
• Demonstrate a vulnerability / satisfy curiosity
• Damage company reputation
• Others?
Exchange 2003 and ISA 2006
Securing SMTP Traffic
• SMTP-based attacks:
– Invalid, overly long, or unusual SMTP commands, used to attack the mail server itself or to gather recipient information (for example VRFY/EXPN enumeration)
– Attacks against recipients by including malicious content, such as worms
• ISA Server protects mail servers by:
– Enforcing compliance of SMTP commands with the standards (command syntax and length)
– Blocking disallowed SMTP commands
– Blocking messages with disallowed attachment types, content, recipients or senders
• ISA Server can stop these attacks before they reach your mail servers
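The three kinds of check listed above, as an added example that is not code from the slides or from ISA Server. It is a toy inbound SMTP command filter: the line and path limits are the ones RFC 5321 gives, while the verb lists, the blocked sender domain and the blocked recipient are assumptions constructed for the demo. The sample session is constructed, not captured traffic.

```python
"""Added example (not code from the slides or from ISA Server): a toy
inbound SMTP command filter applying the three checks the slide lists:
standards compliance, disallowed commands, and disallowed senders or
recipients. Limits come from RFC 5321; verb lists and policy lists are
assumptions made for the demo."""
import re

MAX_COMMAND_LINE = 512   # RFC 5321 4.5.3.1.4: command line incl. CRLF
MAX_PATH = 256           # RFC 5321 4.5.3.1.3: forward/reverse path

# Assumption: verbs an inbound gateway is willing to forward to the mail server.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                 "QUIT", "STARTTLS"}
# VRFY/EXPN enumerate recipients; TURN/ETRN let a client pull queued mail.
BLOCKED_VERBS = {"VRFY", "EXPN", "TURN", "ETRN"}
# Assumption: sender/recipient policy lists (constructed for the demo).
BLOCKED_SENDER_DOMAINS = {"spam.example"}
BLOCKED_RECIPIENTS = {"administrator@contoso.example"}

_VERB_RE = re.compile(r"^([A-Za-z]{4,8})(?: (.*))?$")
_PATH_RE = re.compile(r"^(FROM|TO):\s*<([^<>\s]*)>(?:\s.*)?$", re.IGNORECASE)


def check_command(raw: bytes):
    """Classify one command line exactly as received (including CRLF).
    Returns (allowed, reason)."""
    # --- standards compliance -------------------------------------------
    if len(raw) > MAX_COMMAND_LINE:
        return False, "command line exceeds 512 octets"
    if not raw.endswith(b"\r\n"):
        return False, "command not terminated by CRLF"
    body = raw[:-2]
    if any(b >= 0x80 or b < 0x20 for b in body):
        return False, "non-ASCII or control bytes in command"
    m = _VERB_RE.match(body.decode("ascii"))
    if not m:
        return False, "malformed command"
    verb, args = m.group(1).upper(), (m.group(2) or "")
    # --- disallowed commands --------------------------------------------
    if verb in BLOCKED_VERBS:
        return False, f"{verb} is disallowed"
    if verb not in ALLOWED_VERBS:
        return False, f"unknown command {verb}"
    # --- sender / recipient policy ---------------------------------------
    if verb in ("MAIL", "RCPT"):
        pm = _PATH_RE.match(args)
        if not pm:
            return False, f"{verb} argument is not a valid path"
        keyword, path = pm.group(1).upper(), pm.group(2)
        wanted = "FROM" if verb == "MAIL" else "TO"
        if keyword != wanted:
            return False, f"{verb} requires {wanted}:"
        if len(path) > MAX_PATH:
            return False, "path exceeds 256 octets"
        # MAIL FROM:<> (null reverse path) is legal and yields an empty domain.
        if verb == "MAIL" and path.rpartition("@")[2].lower() in BLOCKED_SENDER_DOMAINS:
            return False, "sender domain is blocked"
        if verb == "RCPT" and path.lower() in BLOCKED_RECIPIENTS:
            return False, "recipient is blocked"
    return True, "ok"


# Constructed sample session (not captured traffic).
SAMPLE_SESSION = [
    b"EHLO mail.attacker.example\r\n",
    b"VRFY administrator\r\n",
    b"MAIL FROM:<bounce@spam.example>\r\n",
    b"MAIL FROM:<alice@partner.example>\r\n",
    b"RCPT TO:<bob@contoso.example>\r\n",
    b"RCPT TO:<administrator@contoso.example>\r\n",
    b"RCPT TO:<" + b"A" * 600 + b"@contoso.example>\r\n",
    b"DATA\r\n",
]


def filter_session(lines):
    """Return the (allowed, reason) decision for each line of a session."""
    return [check_command(line) for line in lines]


if __name__ == "__main__":
    for line, (ok, why) in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)):
        print("PASS " if ok else "BLOCK", line[:40], why)
```

The line-length check runs before anything is parsed, which is the point of standards enforcement at the gateway: an oversized or non-ASCII command is dropped by the filter rather than handed to the mail server's parser.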
Exchange 2003 and ISA 2006
• RPC and Firewalls
• Traditional firewall
– Must open every port that RPC might use for incoming traffic
• ISA firewall
– Initial connection
• Only allows valid RPC traffic
• Blocks non-Exchange queries
– Secondary connection
• Only allows the connection to the port used by Exchange
• Enforces encryption
– How it works: the Outlook client first asks the RPC endpoint mapper (TCP 135) where the Exchange services listen; the ISA RPC filter answers only for Exchange interfaces and then opens just the port the endpoint mapper returned, instead of the whole dynamic port range
– Note: this applies to direct RPC (MAPI) publishing; Outlook clients using RPC over HTTP are published through an HTTPS web publishing rule instead
Traditional firewalls can't provide secure RPC access
ISA Server enables secure remote email access using Outlook
OWA and Traditional Firewalls
• Web traffic to OWA is encrypted
– Standard SSL encryption
– Security against eavesdropping and impersonation
• Limitation
– The default OWA implementation does not protect against application layer attacks: a traditional firewall only sees an SSL tunnel, so password guessing and web server attacks travel inside it straight to the Exchange web server
Diagram: Internet, SSL tunnel carrying OWA traffic, password guessing and web server attacks, terminating on the Exchange web server
How ISA Protects OWA
• Authentication
– Unauthorised requests are blocked before they reach Exchange
– Optional forms-based authentication: ISA presents the logon form itself, so the browser never caches credentials as it does with Basic authentication
• Inspection
– Invalid HTTP requests or requests for non-OWA content are blocked
– SSL traffic is decrypted and inspected on ISA before it is re-encrypted to the Exchange server (SSL bridging); this is why the OWA certificate and its private key must be installed on the ISA server
• Confidentiality
– Ensures encryption of traffic over the Internet
– Can prevent the downloading of attachments to the client
Diagram: Internet, SSL tunnel terminating on ISA (authentication, inspection), then a second encrypted hop carrying only OWA traffic to the Exchange server; password guessing and web server attacks are stopped at ISA
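What "authenticate and inspect before Exchange" means in practice, as an added example that is not code from the slides or from ISA Server. It is a minimal edge-proxy policy for decrypted OWA requests: the OWA virtual directories, the method list, the URL length limit, the per-source failed-logon budget and the user store are all assumptions made for the demo (ISA validates against Active Directory; the proxy here checks a constructed dictionary).

```python
"""Added example (not code from the slides or from ISA Server): a minimal
edge-proxy policy showing what "authenticate and inspect before Exchange"
means for OWA requests. The OWA paths, method list, limits, logon budget
and the user store are assumptions made for the demo."""
import collections
import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Assumption: Exchange 2003 OWA virtual directories exposed by the publishing rule.
OWA_PATH_PREFIXES = ("/exchange/", "/exchweb/", "/public/")
# Assumption: subset of the HTTP/WebDAV methods OWA 2003 uses; everything else is dropped.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PROPFIND", "PROPPATCH",
                   "SEARCH", "MOVE", "COPY", "DELETE", "MKCOL", "POLL", "SUBSCRIBE"}
MAX_URL_LENGTH = 2048     # assumption: request-target limit enforced at the edge
MAX_FAILED_LOGONS = 5     # assumption: failed logons a source may make before being cut off
# Constructed user store for the demo (ISA would validate against AD instead).
USERS = {"alice": hashlib.sha256(b"Correct-Horse-9").hexdigest()}


@dataclass
class Request:
    method: str
    target: str                 # request-target as sent, e.g. "/exchange/alice/Inbox/"
    src_ip: str
    cookie: str = ""            # proxy session cookie, if the browser has one
    form: dict = field(default_factory=dict)   # decoded fields of the logon form POST


class OwaProxy:
    def __init__(self):
        self.failed = collections.defaultdict(int)   # src_ip -> failed logons so far
        self.sessions = set()                        # cookies issued by the logon form

    def logon(self, req):
        """Forms-based logon handled by the proxy itself, so the browser never
        caches a Basic-auth header. Returns ('cookie', value) or ('block', reason)."""
        if self.failed[req.src_ip] >= MAX_FAILED_LOGONS:
            return "block", "failed-logon budget exhausted for source"
        expected = USERS.get(req.form.get("username", ""), "")
        presented = hashlib.sha256(req.form.get("password", "").encode()).hexdigest()
        if expected and hmac.compare_digest(expected, presented):
            cookie = secrets.token_hex(16)
            self.sessions.add(cookie)
            return "cookie", cookie
        self.failed[req.src_ip] += 1          # the guess is counted here; Exchange never sees it
        return "block", "bad credentials"

    def inspect(self, req):
        """Decide whether a decrypted request may be re-encrypted and forwarded.
        Returns ('forward', normalised_path) or ('block', reason)."""
        if req.method not in ALLOWED_METHODS:
            return "block", f"method {req.method!r} not allowed"
        if len(req.target) > MAX_URL_LENGTH or not req.target.isascii():
            return "block", "invalid request-target"
        # Decode once, then normalise, so "/exchange/%2e%2e/" cannot escape the OWA tree.
        path = posixpath.normpath(unquote(urlsplit(req.target).path))
        if not any(path == p.rstrip("/") or path.startswith(p) for p in OWA_PATH_PREFIXES):
            return "block", "request for non-OWA content"
        if req.cookie not in self.sessions:
            return "block", "unauthenticated request"
        return "forward", path


def inspect_response(headers):
    """Confidentiality option: refuse to relay attachment downloads to the client."""
    if headers.get("Content-Disposition", "").lower().startswith("attachment"):
        return "block", "attachment download disabled by policy"
    return "forward", "ok"


if __name__ == "__main__":
    proxy = OwaProxy()
    attacker = "203.0.113.5"
    for guess in ("password", "Password1", "letmein", "Welcome1", "Summer2006"):
        print(proxy.logon(Request("POST", "/logon", attacker,
                                  form={"username": "alice", "password": guess})))
    print(proxy.inspect(Request("GET", "/exchange/%2e%2e/scripts/cmd.exe", attacker)))
    kind, cookie = proxy.logon(Request("POST", "/logon", "198.51.100.7",
                                       form={"username": "alice", "password": "Correct-Horse-9"}))
    print(proxy.inspect(Request("PROPFIND", "/exchange/alice/Inbox/", "198.51.100.7", cookie=cookie)))
```

The ordering matters: method, length and path checks run on every request before the session lookup, so a malformed request is dropped whether or not it carries a valid cookie, and the logon budget is enforced on the proxy's own form, which is what keeps password guessing from reaching Exchange at all.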
Publishing Exchange Server with ISA 2006
Enabling SSL support for OWA
Understanding the Need for Third-Party CAs
• You can buy a certificate from a third-party certificate authority such as Verisign, Thawte, or one of many other commercial certificate authorities
• These CAs validate that their customers are really who they say they are, and generate the digital certificates that prove this for digital communications that require encryption, such as SSL
• Remote clients already trust the well-known third-party roots, so nothing has to be distributed to them; a certificate issued by your own CA requires its root certificate to be installed on every client that will use OWA
Installing a Third-Party CA on an OWA Server
Type of CA
• Enterprise root CA: the highest-level certificate authority for an organization; integrated with Active Directory
• Enterprise subordinate CA: subordinate to an existing enterprise root CA, and must receive a certificate from that root CA to work properly
• Stand-alone root CA: similar to an enterprise root CA, in that it provides its own unique identity and can be uniquely configured, but it does not require Active Directory
Create certificate
Exporting and Importing the OWA Certificate to the ISA Server
On OWA server: export the OWA certificate together with its private key (PFX); ISA needs the private key because the web listener terminates the client's SSL session before inspecting it
On ISA server, open MMC console: add the Certificates snap-in for the Computer account and import the PFX into the Personal store of the local computer, where the web listener looks for it
Creating Web Listener
The listener uses the imported OWA certificate; the name in that certificate must match the public host name remote clients type, or browsers will warn about the site
Creating Exchange Publishing Rule
Testing the Solution
In Remote Client