August 27, 2004

Locking down OWA with ISA 2000

Sorry that I have been so quiet lately. Been immersed in so much work it isn't funny. To top that off, I took some time this week to work on some personal development and do a leadership and skills training workshop which has had me swamped.

In the little free time I do find I have been spending some time getting to understand the relationship with ISA and SBS, and came across a REALLY good set of articles showing how to configure ISA to pre-authenticate connections BEFORE even getting to try any type of interaction with the IIS web server, and OWA. In other words, you can filter out a lot of anonymous attacks by authenticating users before they can actually send tainted data towards OWA. A really good strategy.

The articles are based on having a dedicated ISA server on a standalone box in front of the Exchange server, but of course my limitation of having everything on one box for SBS makes that kind of difficult. Nonetheless, it was still a very insightful set of articles. Well worth reviewing if you are new to this sort of stuff.

The articles are broken down into five distinct components:

  1. Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 Part 1
  2. Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 Part 2: Understanding SSL Bridging and Installing an Enterprise CA
  3. Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 - Part 3: SSL Bridging Drill Down and Requesting a Web Site Certificate
  4. Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 - Part 4: Importing the OWA Web Site Certificate, Binding the Certificate to the Web Listener and Creating the Destination Set
  5. Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 - Part 5: Creating the OWA Web Publishing Rule, Configuring DNS and Installing URLScan 2.5 for ISA Server Firewalls

I would be interested to see if ISA 2004 is any better for this sort of thing. For now I think I better stick with ISA 2000 since it comes with SBS2003.

Anyways, enjoy if you haven't seen these articles yet. Happy Reading!

Posted by SilverStr at August 27, 2004 12:55 AM
Comments

Rule no. 1 in SBSland is to ensure that the documentation you are reading is SBSized. [you already figured out that what you are reading is not]

Rule no. 2 in SBSland is to begin your journey by running the CEICW wizard. Configure email and internet access. Let that "do its thang", then you start messin' with it, tweaking, adjusting, ACLing, wacking off lanman... etc..etc...etc.

Start with the foundations. We are a compromise between business needs and security.

As to going with ISA 2004, it does additional features that will do a nicer job on a DC. That said, let me point to my latest post:

ISA 2004:
http://msmvps.com/bradley/archive/2004/08/26/12438.aspx

Posted by: Susan at August 27, 2004 07:18 AM

Stupid question... what is ISA?

Posted by: Arcterex at August 27, 2004 11:58 PM

Microsoft's Internet Security and Acceleration Server. Think strong firewall that is application aware and can work with proxy, cache and VPN support.

http://www.microsoft.com/isaserver/

Posted by: SilverStr at August 28, 2004 12:10 AM