Microsoft OWA with ISA Implementation Guide
Transcript of Microsoft OWA with ISA Implementation Guide
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
1/13
Copyright
Copyright 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may bereproduced, transmitted, transcribed, stored in a retrieval system, or translated into anylanguage in any form or by any means without the written permission of CRYPTOCard Corp.
ISA 2006 and OWA 2003 Implementation Guide
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
2/13
ISA 2006 and OWA 2003 Implementation Guide 1
Outlook Web Access (OWA) & Internet Security and Acceleration (ISA)Server 2006 Overview
This documentation presents an overview and necessary steps to configure Internet Securityand Acceleration (ISA) Server 2006. It is to be used in conjunction with Outlook Web Access(OWA) to view e-mail via web browser authenticating against CRYPTO-MAS Server, usingCRYPTOCard tokens.
CRYPTO-MAS works in conjunction with ISA Server 2006 and Outlook Web Access (OWA) toreplace static passwords with strong two-factor authentication that prevents the use of lost,stolen, shared, or easily guessed passwords when establishing a connection to gain access toprotected resources.
With CRYPTO-MAS acting as the authentication server for a enabled resource, anauthenticated connection sequence would be as follows:
1. The administrator configures ISA 2006 Server to use RADIUS Authentication.
2. The incoming authentication request is relayed over to the CRYPTO-MAS Server viaRADIUS.
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
3/13
ISA 2006 and OWA 2003 Implementation Guide 1
3. If the user exists, it then checks the token associated with the user for the expected PIN +One-time password.
4. Once the PIN + One-time password is verified against the users token and it is valid, itwill then send an access accepted.
Prerequisites The following systems must be installed and operational prior to configuring the VPNconcentrator to use CRYPTOCard authentication.
Ensure that the end user can authenticate through Outlook Web Access with a staticpassword before configuring the Outlook Web Access to use CRYPTOCardauthentication.
An initialized CRYPTOCard token assigned to a valid CRYPTOCard user.
The following CRYPTO-MAS server information is also required.
Primary CRYPTO-MAS RADIUS Server Fully QualifiedHostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server FullyQualified Hostname or IP Address ( OPTIONAL ):
CRYPTO-MAS RADIUS Authentication port number:
CRYPTO-MAS RADIUS Accounting port number( OPTIONAL ):
CRYPTO-MAS RADIUS Shared Secret:
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
4/13
ISA 2006 and OWA 2003 Implementation Guide 2
Configuring ISA 2006 Server for Two Factor Authentication via RADIUS
Using the 'Task' Pane, click on'Publish Exchange Web Client Access'
Note: If you do not see the 'Task Pane' along the right hand
side, navigate to the 'View' menu, and select 'Task Pane'. Thiswill allow you too see all the available Firewall Policy Tasks.
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
5/13
ISA 2006 and OWA 2003 Implementation Guide 3
Give your new rule a name suchas Outlook Web Access.
This can be anything you want.
Click Next
Select Exchange Server 2003
Select Outlook Web Access
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
6/13
ISA 2006 and OWA 2003 Implementation Guide 4
Select the Publish a single Website or load balancer radiobutton
Click Next
Select Use non-secured
connections to connect thepublished Web server or serverfarm radio button.
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
7/13
ISA 2006 and OWA 2003 Implementation Guide 5
Specify the address of theexchange server.E.G. Exchange.sparks.com
Note: This must be a valid DNSname
Click Next
Input the address you want yourusers to use, in order to access
their OWA logon page.Note: This has to be a valid DNSname.
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
8/13
ISA 2006 and OWA 2003 Implementation Guide 6
Click on New to start the WebListener creation wizard.
The New Web Listener Wizard nowappears.
Give your Web Listener a nameIn this example, the given name is
OWA
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
9/13
ISA 2006 and OWA 2003 Implementation Guide 7
Select the Require SSL securedconnections with clients radio button
Click Next
Select which networks your newlistener will function on.
In this example, Internal networkhas been chosen.
You will need to specify your ownnetwork to use.
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
10/13
ISA 2006 and OWA 2003 Implementation Guide 8
Click Select Certificate buttonSelect your appropriateCertificate you have loaded ontoyour ISA server.
Note: If you dont have anycertificates loaded, pleaseconsult Microsoft Documentationon loading a Certificate onto yourISA 2006 Server.
Click Next
Ensure you have selected HTMLForm Authentication in the dropdown menu.
Select Collect additionaldelegation credentials in theform
**This check box adds anadditional box at the bottom of the OWA page which allows theuser to enter his static passwordfor OWA **Select RADIUS OTP check box
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
11/13
ISA 2006 and OWA 2003 Implementation Guide 9
Un-check Enable SSO for Websites published with this Weblistener
Click Next
From the drop down menu, select NTLM authentication
Click Next
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
12/13
ISA 2006 and OWA 2003 Implementation Guide 10
In the next following screens youare going to configure theRADIUS server ISA will use.
Click the Add button
Input the Server name of the CRYPTO-MASServer in the form of an IP address.Give this RADIUS Server entry adescription to help you identify it for futureconfiguration changes.
Click the Change button to add the sharedsecret.
Once you have inputted all information,click OK button.
-
8/14/2019 Microsoft OWA with ISA Implementation Guide
13/13
ISA 2006 and OWA 2003 Implementation Guide 11
Select which user groups youwish to have this rule appliedto.In this example the All Users group was selected.
Click Next
The final wizard how nowcompleted, and you are nowcompleted.
To access your new OWA page, navigate to https://address.you.specified.in.wizard/exchange
The OWA logon page provided by ISA looks different than the usual OWA provided byexchange. It should also include a new field at the bottom, which includes the users staticMicrosoft password.
https://address.you.specified.in.wizard/exchangehttps://address.you.specified.in.wizard/exchangehttps://address.you.specified.in.wizard/exchange