Friday, 25 December 2009

SBS 2003: ISA + IIS

This is for the scenario where you are running SBS and running ISA in front of IIS for HTTP/HTTPS web publishing purposes. This needs to be configured correctly for Exchange ActiveSync and SSL OWA to work correctly.

Certificates
You need to create a self-signed certificate (or purchase a proper SSL cert) for the servers FQDN for external access. (e.g. mail.mginq.com.au)

Install the cert to the various cert stores (Trusted root, etc) on server.
Install the cert onto the HTTPS clients if its self-signed.

If server has multiple interfaces (virtual or real) for LAN and Inet access you need to configure IIS to listen only on the internal LAN iface using the httpcfg command.

Viewing all off the IP addresses that the HTTP API is listening on.
> httpcfg query iplisten

Adding an IP address to the iplisten store.
> httpcfg set iplisten -i 10.0.0.1

Deleting a record from the iplisten store.
> httpcfg delete iplisten -i 10.0.0.1

You also need to add the external FQDN to the hosts file - pointing to internal iface so that when the ISA redirects to SSL connections to the FQDN a loop does not occur.

ISA needs to be configured as follows:
Open the ISA management console
Go to properties of the server.
Go to Incoming Web requests tab
Choose 'Configure listeners individually per IP Address'
Select the listener, or create one that listens on the external iface only.
Configure the listener to 'Use a server certificate to authenticate to web clients'
Select Integrated
Configure TCP port to 80 and SSL to 443 and Enable SSL listeners.
Uncheck 'Ask unauthenticated users for identification'
Under web publishing rules
for all the generated 'Small Business ...' rules

On the 'Destinations' tab - make sure the FQDNs are correct and match the FQDN of the cert.
On the 'Action' tab select 'Redirect the request...' to the FQDN of cert.
Check the 'Send the original host header...'
Make sure the port mappings are correct

On the 'Bridging' tab
Redirect HTTP > HTTP
Redirect SSL > SSL
Check both 'Require secure channel' boxes

After that check configuration for conflicting rules in Accss Policy, etc

IIS setup
Make sure the sites configured for ports 80 and 443 are listening on the internal iface only.
Make sure the sites are using the new certificate.

Thats it!

Restart server at this point or stop and start the following processes:
IIS:
IIS Admin
WWW Publishing
SMTP
MS Exchange Routing Engine
MS Exchange POP3
FTP Publishing
HTTP SSL

ISA:
MS ISA Server Control
MS Web Proxy

No comments:

Post a Comment