Integrating ISA Server and Exchange Server

How email works

Mail server

• A mail server is typically a combination of processes running on a server with a large storage capacity, a list of users and rules, and the capability to receive, send and store emails and attachments

• Mail server software: MDaemon, Exchange Server 2003, …

Why use Exchange 2003

• Backup and restore
• High availability
• Help migrating from older systems
• Security improvements
• Protection of e-mail

Exchange 2003 Outlook Web Access (OWA)

Exchange 2003 Mobile Capabilities

[Diagram labels: ISA Firewall; Wireless Network; OWA clients (HTTP/HTML); Pocket PC, Smartphone, third-party sync (HTTP/HTML); Outlook Mobile Access, WAP 2.0, iMode (xHTML, cHTML); Outlook clients (RPC/HTTP); Exchange 2003 Servers]

The goal of attack

• Steal data
• Blackmail
• Launch pad for other attacks
• Bragging rights
• Vandalism
• Demonstrate vulnerability/satisfy curiosity
• Damage company reputation
• Others?

Exchange 2003 and ISA 2006

Securing SMTP Traffic:

• SMTP-based attacks:
– Invalid, overly long, or unusual SMTP commands to attack a mail server or to gather recipient information
– Attacks against recipients by including malicious content, such as worms

• ISA Server protects mail servers by:
– Enforcing compliance of SMTP commands with standards
– Blocking disallowed SMTP commands
– Blocking messages with disallowed attachment types, content, recipient or sender

• ISA Server can stop attacks before they reach your mail servers!!
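The SMTP command checks listed on this slide can be sketched as an application-layer filter. This is an added example, not ISA Server code or configuration; the allowed verbs, the per-command length limits and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed policy (not ISA Server's actual defaults): allowed verbs and the
# maximum length in bytes of the whole command line, excluding CRLF.
POLICY = {
    "HELO": 71, "EHLO": 71, "MAIL": 266, "RCPT": 266,
    "DATA": 6, "RSET": 6, "NOOP": 6, "QUIT": 6,
}
BLOCKED = {"VRFY", "EXPN"}   # verbs that disclose recipient information
RFC5321_MAX_LINE = 510       # 512 octets including CRLF
VERB_RE = re.compile(rb"^([A-Za-z]+)(?: (.*))?$")


def inspect_command(line):
    """Return (allowed, reason) for one SMTP command line without CRLF."""
    if len(line) > RFC5321_MAX_LINE:
        return False, "line exceeds RFC 5321 limit"
    # Simplification: plain 7-bit SMTP only, so control and 8-bit bytes fail.
    if any(b < 0x20 or b > 0x7E for b in line):
        return False, "non-printable or non-ASCII byte"
    m = VERB_RE.match(line)
    if not m:
        return False, "malformed command"
    verb = m.group(1).decode("ascii").upper()
    if verb in BLOCKED:
        return False, f"{verb} is blocked"
    if verb not in POLICY:
        return False, f"{verb} is not an allowed command"
    if len(line) > POLICY[verb]:
        return False, f"{verb} exceeds {POLICY[verb]} bytes"
    arg = (m.group(2) or b"").upper()
    if verb == "MAIL" and not arg.startswith(b"FROM:<"):
        return False, "MAIL without FROM:<path>"
    if verb == "RCPT" and not arg.startswith(b"TO:<"):
        return False, "RCPT without TO:<path>"
    return True, "ok"


# Constructed sample session, one command line per entry.
SAMPLE = [
    b"EHLO client.example.test",
    b"VRFY administrator",
    b"MAIL FROM:<alice@example.test>",
    b"RCPT TO:<" + b"A" * 400 + b"@example.test>",
    b"HELP",
    b"QUIT",
]


def filter_session(lines):
    """Return the filter's reason string for each command line."""
    return [inspect_command(line)[1] for line in lines]
```
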

Exchange 2003 and ISA 2006

• RPC and Firewalls:

• Traditional Firewall
– Open every port that RPC might use for incoming traffic

• ISA Firewall
– Initial connection
  • Only allows valid RPC traffic
  • Blocks non-Exchange queries
– Secondary connection
  • Only allows connection to port used by Exchange
  • Enforces encryption

Traditional firewalls can’t provide secure RPC access

ISA Server enables secure remote email access using Outlook

OWA and Traditional Firewalls

• Web traffic to OWA is encrypted
– Standard SSL encryption
– Security against eavesdropping and impersonation

• Limitation
– Default OWA implementation does not protect against application layer attacks

[Diagram labels: Internet; SSL Tunnel; OWA Traffic; Password Guessing; Web Server Attacks; Exchange Web Server]

How ISA Protects OWA

• Authentication
– Unauthorised requests are blocked before they reach Exchange
– Optional forms-based authentication prevents caching of credentials

• Inspection
– Invalid HTTP requests or requests for non-OWA content are blocked
– Inspection of SSL traffic before it reaches Exchange server

• Confidentiality
– Ensures encryption of traffic over the Internet
– Can prevent the downloading of attachments to client

[Diagram labels: Internet; SSL Tunnel; OWA Traffic; Inspection; Authentication; Password Guessing; Web Server Attacks; Exchange Server]

Publishing Exchange Server with ISA 2006

Enabling SSL support for OWA

Understanding the Need for Third-Party CAs

• You can buy a certificate from a third-party certificate authority such as Verisign, Thawte, or one of many other enterprise certificate authorities

• These authorities validate that their customers are really who they say they are, and generate the digital certificates that validate this for digital communications that require encryption, such as SSL

Installing a Third-Party CA on an OWA Server

Types of CA

• Enterprise root CA: highest-level certificate authority for an organization

• Enterprise subordinate CA: subordinate to an existing enterprise root CA, and must receive a certificate from that root CA to work properly

• Stand-alone root CA: similar to an enterprise CA, in that it provides for its own unique identity and can be uniquely configured

Create certificate

Exporting and Importing the OWA Certificate to the ISA Server

On OWA server

On ISA server, open MMC console

Creating Web Listener

Creating Exchange Publishing Rule

Testing the Solution

In Remote Client