December 26, 2004

SBS 2003 Revisited

OK, it's been some time since my last update on my SBS deployment, and since I am at my wits' end, Susan recommended I blog about what is going on so she can point people at the entry with some recommendations.

Although my blog is riddled with little pieces of what I have gone through, I thought I would take this entry to start over. So without further adieu, here we go...

I have a need for a SBS 2003 machine that is hosting Outlook Web Access (OWA) and Outlook Mobile Access (OMA) for external parties, clients and virtual employees around the Net. The idea is that I can create a virtual office in our DMZ without having to expose critical business resources not needed by these users to the outside. SBS 2003 looks like a perfect solution for this.

To reduce the attack surface of the machine while ensuring strong audit trails, I require that ALL connections coming into these services (actually ALL services except incoming SMTP) be authenticated to Active Directory. My goal is to eliminate the potential compromise from unknown threats that may be exposed by vulnerable code or services along the code execution path between the OWA front end in IIS and the Exchange back end. It also reduces the risk of poorly configured or unknown services that may be running when they shouldn't be. Since the circle of trust for this group of users is quite small, I have a reasonable level of assurance that I can mitigate most risks by simply removing the ability to connect to the server anonymously and do things they shouldn't. By removing the ability for an adversary to even send a connection request to the IIS box without authenticating, I get that assurance level.

I don't want to be forced to put a dedicated ISA box in front of this machine to accomplish this. SBS2003 has ISA2000 built in and I would like to take advantage of this. I have gotten ISA 2000 set up enough to accomplish the required authentication by setting the "Ask unauthenticated users for identification" in the Incoming Web Requests "Connection" section, and I can indeed verify that I am authenticating correctly to Active Directory.

So now that I am an authenticated user against Active Directory I get introduced to the OWA login screen. I don't mind typing in the credentials again here, and do so. (Although in the future it would be nice to have SSO between the FW and OWA)

So I log on, and it simply hangs at https://my.domain.com/exchweb/bin/auth/owaauth.dll with a blank page.

I then hit Refresh (F5) and repost, at which point the OWA interface loads up and all I see in my Inbox is "Loading..."

That is where I am currently stuck. I am not sure WHAT is going on at this point. To head off the obvious recommendations:

* The system has all patches and Service Packs as of Dec 26th, 2004. This was verified with thanks to Shavlik's great software.
* Yes, that includes the gzip patch
* Yes, if I turn off the Incoming Web Requests "authentication" checkbox it works. But the point is... I WANT IT ON.
* Yes, I have the Exchange SP installed.

Anyone have any ideas on what could be the problem? If you have SBS2003 hosting OWA just fine, try turning on the "Ask unauthenticated users for identification" in the Incoming Web Requests "Connection" section and see if you can repro this issue. (You can get there in the ISA Manager by right clicking on the server and selecting Properties)

Would love some help from the SBS MVPs out there. Your recommendations welcomed.

Posted by SilverStr at December 26, 2004 03:57 PM
Comments

I know it's not SBS but I am running ISA 2000 on Windows Server 2003 with OWA on a separate server and I had no problems with that configuration.
Normally I enter my logon credentials and I logon. I checked the box and it now asks me for the credentials twice and then logs in as before.
Did you run the "Publish Secure Mail Server" wizard? MS makes a point of saying you should NOT use server publishing for OWA, you should use the wizard.

Posted by: Peter at December 27, 2004 11:40 AM

Hey Peter,

With SBS, Microsoft has a special publishing wizard to properly integrate all the services in SBS with ISA 2000. So that shouldn't be the problem.

When ISA is on a separate box, I am told this works fine. The problem exists when they are on the same machine, which isn't practical in this application.

Thanks for the suggestion though.

Posted by: SilverStr at December 27, 2004 12:18 PM

Odds are, you have conflicting auth methods in use. You can have user auth without checking the "must auth" checkbox if the web publishing rules themselves use "authenticated users" instead of "all users".

There are some important details missing; most notably the auth methods in use for ISA and OWA.
Q1 - what is the auth method in use at the OWA; Basic, FBA, NTLM?
Q2 - what is the auth method in use at the ISA; Basic, NTLM, FDBA?
Q3 - did you use the CIECW to create the OWA web publishing rule?
Q4 - what does the web proxy log contain for those failing tests?

Posted by: Jim Harrison at December 28, 2004 03:01 PM

Hey Jim,

Sorry that this information was not included:

Q1: OWA uses FBA with "No Compression"

Q2: ISA uses "Integrated" authentication (NTLM)

Q3: Yes I used the CIECW to create the publishing rules

Q4: I will email you the logs as I would rather not have them blasted out on the net.

Posted by: SilverStr at December 28, 2004 04:05 PM