
  • Securing Exchange Server Using ISA Server 2004 and IPSec

    Objectives

    At the end of this lab, you will be able to:

    Implement certificate authentication on a Microsoft® Outlook® Web Access (OWA) Web site.

    Configure Microsoft Internet Security and Acceleration (ISA) Server to secure client connections to Exchange Server.

    Configure ISA Server to secure Simple Mail Transfer Protocol (SMTP) messages.

    Encrypt communication between network clients by using Internet Protocol Security (IPSec).

    Scenario

    You are the administrator for Northwind Traders. The company’s internal

    network contains an Active Directory® domain called NWtraders.msft. The network also consists of an extranet domain called Northwindtraders.msft. All domain controllers run Microsoft Windows Server™ 2003. The network also contains client computers running Microsoft Windows® XP and servers running Windows Server 2003. A portion of the Northwind Traders network infrastructure is illustrated below:

    Computers

    This lab uses the following computers: LON-DC1, LON-ISA1, and LON-CL1. Before you begin the lab, you must start and log on to these computers.

    Estimated time to complete this lab: 75 minutes


    Lab Setup

    To complete each lab module, you need to review the following:

    Virtual PC

    This lab makes use of Microsoft Virtual PC 2004, an application that allows you to run multiple virtual computers on one computer. During the lab, you will switch among different windows, each of which contains a separate virtual machine running Windows Server 2003.

    Before you start the lab, familiarize yourself with the following basics of Virtual PC:

    To switch the focus for your mouse and keyboard to the virtual machine, click inside the virtual machine window.

    To remove the focus from a virtual machine, move the mouse pointer outside the virtual machine window.

    To issue the CTRL+ALT+DEL keyboard combination inside a virtual machine, use ALT+DEL instead.

    To adjust the size of the virtual machine window, drag the right bottom corner of the window.

    To switch to full-screen mode, and to return from full-screen mode, press ALT+ENTER.

    To complete this lab, you need to start the virtual machines and then log on to the computers. In each exercise, you have to start only the virtual machines that are needed.

    To log on to a computer in a virtual machine

    1. Press ALT+DEL (instead of CTRL+ALT+DEL) to open the logon dialog box.

    2. Type the following information, and then click OK:

    • User name: Administrator

    • Password: [email protected]

    • Domain: NWTRADERS (if applicable)

    3. In this lab, you will log on to LON-CL1 using the following information:

    • User name: Don

    • Password: [email protected]

    • Domain: NWTRADERS (if applicable)


    Exercise 1: Implementing Certificate Authentication for OWA

    In this exercise, you will configure secure authentication for OWA by configuring ISA Server 2004 to authenticate users using digital certificates.

    Scenario

    Northwind Traders has deployed Exchange Server 2003 and ISA Server 2004. As part of this deployment, you need to provide secure access to the Exchange Server mailboxes for users from the Internet. The first option for enabling this access is to use OWA so users can access their e-mail using a Web browser. However, the corporate security policy states that users should be able to access OWA only from computers with a valid client certificate. To enable this configuration, you will configure ISA Server to require Secure Sockets Layer (SSL) client certificates for all clients connecting to the OWA Web site.

    Tasks Detailed steps

    Note: This lab uses the following computers: LON-DC1, LON-ISA1, and LON-CL1.

    Note: These first steps will be used to obtain a user certificate from the NWtraders certificate authority (CA) and to move the workstation outside the company firewall. Perform the following steps on the LON-CL1 computer.

    1. Log on as Don and obtain a digital certificate using the Web enrollment form.

    a. Log on as Don with the password of [email protected]

    b. On the desktop, double-click the InternalClient batch file. This batch file changes LON-CL1’s IP address to 10.10.0.10, and configures the hosts file for internal name resolution.

    c. Click Start, and then click Internet.

    d. Type http://LON-DC1.nwtraders.msft/certsrv in the Address box, and then press ENTER.

    e. In the logon box, log on using a user name of Don and a password of [email protected]

    f. On the Welcome page, click Request a certificate.

    g. On the Request a Certificate page, click User Certificate.

    h. On the User Certificate - Identifying Information page, click Submit.

    i. In the Potential Scripting Violation dialog box, click Yes. Click Yes at any other warnings.

    j. On the Certificate Issued page, click Install this certificate.

    k. In the Potential Scripting Violation dialog box, click Yes.

    l. Close Internet Explorer.


    2. Run a script to move LON-CL1 from the internal subnet to an external subnet outside of the firewall.

    a. On the desktop, double-click the ExternalClient batch file. This batch file changes LON-CL1’s IP address to 131.107.0.10, removes the static internal Domain Name System (DNS) entry, and configures a hosts file for external name resolution. This allows the simulation of an Internet-based host.

    Note: Perform the following steps on the LON-DC1 computer.

    3. Configure Microsoft Internet Information Services (IIS) to require SSL on the virtual directories used by OWA. OWA uses the following virtual directories:

    • /Exchange

    • /ExchWeb

    • /Public

    a. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    b. Expand LON-DC1 (local computer), and then expand Web Sites.

    c. Expand Default Web Site, right-click Exchange, and then click Properties.

    d. In the Exchange Properties dialog box, on the Directory Security tab, under Secure communications, click View Certificate.

    Notice that a certificate is already installed on the Exchange Server. The certificate was issued to LON-DC1.nwtraders.msft.

    e. Click OK.

    f. Under Secure communications, click Edit. The Secure Communications dialog box opens.

    g. Select the check box next to Require secure channel (SSL).

    h. Select the check box next to Require 128-bit encryption.

    i. Click OK to close the Secure Communications dialog box.

    j. Click OK to close the Exchange Properties dialog box.

    k. Right-click ExchWeb, and then click Properties.

    l. In the ExchWeb Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

    m. Select the check box next to Require secure channel (SSL).

    n. Select the check box next to Require 128-bit encryption.

    o. Click OK to close the Secure Communications dialog box.

    p. Click OK to close the ExchWeb Properties dialog box.

    q. Right-click Public, and then click Properties.

    r. In the Public Properties dialog box, on the Directory Security tab, in the Secure communications box, click Edit.

    s. Select the check box next to Require secure channel (SSL).

    t. Select the check box next to Require 128-bit encryption.

    u. Click OK to close the Secure Communications dialog box.

    v. Click OK to close the Public Properties dialog box.

    w. Close Internet Information Services (IIS) Manager.

    x. Click Start, point to Administrative Tools, and then click Services.


    y. Double-click Microsoft Exchange MTA Stacks. In the Startup type drop-down list, click Automatic. Click Apply.

    z. Under Service Status, click Start. After the service starts, click OK. Close the Services console.
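    The console steps above set the "Require secure channel (SSL)" and "Require 128-bit encryption" options one virtual directory at a time, which is easy to get wrong on one of the three. The following PowerShell script is an added verification check, not part of the lab: it reads the IIS 6.0 metabase through the WMI provider and reports whether each OWA virtual directory actually enforces SSL and 128-bit encryption, and which certificate is bound to the Default Web Site. It assumes it is run on LON-DC1 with PowerShell installed, that the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2) is available, and that the Default Web Site is metabase site instance 1 (W3SVC/1); the bit values 8 and 256 are the IIS 6.0 AccessSSLFlags constants for those two options.

```powershell
# Added verification script (not part of the lab): confirm that the OWA virtual
# directories configured in step 3 require SSL and 128-bit encryption, and show
# which server certificate is bound to the Default Web Site.
#
# Assumptions: run on LON-DC1 with PowerShell installed, the IIS 6.0 WMI provider
# (root\MicrosoftIISv2) is available, and the Default Web Site is metabase site
# instance 1 (W3SVC/1).

# IIS 6.0 metabase AccessSSLFlags bit values (MD_ACCESS_SSL, MD_ACCESS_SSL128)
$ACCESS_SSL    = 8     # "Require secure channel (SSL)"
$ACCESS_SSL128 = 256   # "Require 128-bit encryption"

$siteId  = 1
$owaDirs = 'Exchange', 'ExchWeb', 'Public'   # the three OWA virtual directories

function Test-OwaSslEnforcement {
    # Returns $true only when every OWA virtual directory has both bits set.
    $allOk = $true
    foreach ($dir in $owaDirs) {
        $path = "W3SVC/$siteId/ROOT/$dir"
        $vdir = Get-WmiObject -Namespace 'root\MicrosoftIISv2' `
                    -Class IIsWebVirtualDirSetting -Filter "Name = '$path'"
        if ($null -eq $vdir) {
            Write-Warning "$path was not found in the metabase"
            $allOk = $false
            continue
        }
        $flags      = [int]$vdir.AccessSSLFlags
        $requireSsl = ($flags -band $ACCESS_SSL)    -ne 0
        $require128 = ($flags -band $ACCESS_SSL128) -ne 0
        if (-not ($requireSsl -and $require128)) { $allOk = $false }
        '{0,-24} SSL required: {1,-5} 128-bit required: {2}' -f $path, $requireSsl, $require128
    }
    return $allOk
}

function Get-DefaultSiteCertificate {
    # SSLCertHash holds the SHA-1 hash of the bound certificate as a byte array;
    # match it against the thumbprints in the machine's personal store.
    $site = Get-WmiObject -Namespace 'root\MicrosoftIISv2' `
                -Class IIsWebServerSetting -Filter "Name = 'W3SVC/$siteId'"
    if ($null -eq $site -or -not $site.SSLCertHash) {
        Write-Warning 'No server certificate is bound to the Default Web Site'
        return $null
    }
    $thumb = ($site.SSLCertHash | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
}

$ok   = Test-OwaSslEnforcement
$cert = Get-DefaultSiteCertificate
if ($cert) {
    'Bound certificate: {0} (expires {1})' -f $cert.Subject, $cert.NotAfter
}
if ($ok) { 'All OWA virtual directories enforce SSL with 128-bit encryption.' }
else     { 'At least one OWA virtual directory does not enforce SSL; review step 3.' }
```

    In the lab the bound certificate should be the one issued to LON-DC1.nwtraders.msft that step 3d shows in the View Certificate dialog; the expiry date is worth recording, because an expired certificate on the published site breaks the SSL bridge from ISA Server to OWA.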

    Note: Perform the following steps on the LON-ISA1 computer.

    4. Create a new URL set. Name: LON-DC1 CA. URL: http://LON-DC1.nwtraders.msft/certsrv/*

    a. Click Start, All Programs, Microsoft ISA Server, and then click ISA Server Management. The ISA Server console opens.

    b. In the ISA Server console, in the left pane, expand LON-ISA1, and then select Firewall Policy.

    c. In the task pane, on the Toolbox tab, in the Network Objects section, right-click URL Sets, and then click New URL Set.

    d. In the New URL Set Rule Element dialog box, in the Name box, type LON-DC1 CA, and then click New.

    e. In the new http://NewSiteName box, replace the text by typing http://LON-DC1.nwtraders.msft/certsrv/*, and then press ENTER.

    f. Click OK to close the New URL Set Rule Element dialog box.

    A new URL set named LON-DC1 CA for the URL http://LON-DC1.nwtraders.msft/certsrv is created.

    5. Create a new access rule. Name: Allow HTTP from firewall to LON-DC1 CA. Applies to: HTTP. From network: Local Host. To URL set: LON-DC1 CA.

    a. In the right pane, select the first rule to indicate where the new rule is added to the rule list.
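    Steps 4 and 5 together express a least-privilege rule: the firewall itself (Local Host) may reach only the CA's Web enrollment path over HTTP, and nothing else. The PowerShell script below is an added example, not from the lab, that creates the same URL set and access rule through the ISA Server 2004 administration COM object model instead of the console. It assumes it is run locally on LON-ISA1 by an ISA Server administrator; the object and method names (FPC.Root, GetContainingArray, RuleElements.URLSets, ArrayPolicy.PolicyRules.AddAccessRule, the Add(name, includeType) form of the reference collections) and the numeric enumeration values are taken from the ISA Server 2004 SDK as the author of this example understands them, since the lab itself documents only the console steps.

```powershell
# Added example (not from the lab): create the LON-DC1 CA URL set (step 4) and the
# "Allow HTTP from firewall to LON-DC1 CA" access rule (step 5) through the
# ISA Server 2004 administration COM objects.
#
# Assumptions: run locally on LON-ISA1 as an ISA Server administrator; object
# names and the enumeration values below are as documented in the ISA Server
# 2004 SDK to the best of this example's author's knowledge.

$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: allow
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: only listed protocols
$fpcInclude               = 0   # FpcIncludeStatus: include the referenced element

$urlSetName = 'LON-DC1 CA'
$urlPattern = 'http://LON-DC1.nwtraders.msft/certsrv/*'
$ruleName   = 'Allow HTTP from firewall to LON-DC1 CA'

$root     = New-Object -ComObject 'FPC.Root'
$isaArray = $root.GetContainingArray()

# Step 4: a URL set that covers only the CA's Web enrollment path.
$urlSets = $isaArray.RuleElements.URLSets
$urlSet  = $urlSets.Add($urlSetName)
$urlSet.Add($urlPattern)
$urlSets.Save()

# Step 5: allow only HTTP, only from the firewall itself (Local Host), and only
# to the URL set above. A new rule is appended to the end of the ordered policy.
$rule = $isaArray.ArrayPolicy.PolicyRules.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionAllow
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add('HTTP', $fpcInclude)
$rule.SourceSelectionIPs.Networks.Add('Local Host', $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.URLSets.Add($urlSetName, $fpcInclude)
$isaArray.ArrayPolicy.PolicyRules.Save()

"Created URL set '$urlSetName' and access rule '$ruleName'."
```

    Note that the console step 5a chooses where the rule is placed in the list, whereas the script leaves the new rule at the end; ISA Server evaluates access rules from the top down, with the built-in default rule denying everything that no earlier rule allows, so after running the script confirm in the Firewall Policy view that no rule above this one already denies HTTP from Local Host.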
