Next, if you're setting up SSL bridging option 1, you need to configure the OWA Web-publishing rule's bridging properties to ensure that the SSL tunnel terminates at the ISA Server HTTP proxy and that no new SSL tunnel initiates to the OWA front-end Web server. Select the Bridging tab in the rule's properties dialog box, then select the HTTP requests radio button in the Redirect SSL requests as box.
To make the SSL bridging option 1 setup work with OWA, you must add a setting to the registry on the ISA Server system. (This registry hack works only with ISA Server SP1 and later.) Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters registry subkey. From the Edit menu, select New, DWORD Value; name the value AddFrontEndHttpsHeader; then set it to 1. The Microsoft article "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header" (http://support.microsoft.com/?kbid=307347) provides additional information about this registry setting. To make sure that your ISA Server configuration changes go into effect, stop and restart ISA Server's Web Proxy and Firewall services.
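With the value set, ISA Server adds a Front-End-Https: on header to each request it forwards, so OWA builds https:// links even though it receives plain HTTP; the header name comes from the Microsoft article cited above, not from this page. The following Python check is an added example, not part of the original article: it inspects a forwarded request and an OWA response captured on the internal side, and the host name mail.example.com and all sample data are constructed assumptions.

```python
# Added example: audits traffic captured between ISA Server and the OWA
# front end under SSL bridging option 1. All sample data is constructed.
import re

PUBLIC_HOST = "mail.example.com"  # assumption: the published OWA host name


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def has_front_end_https(raw_request: bytes) -> bool:
    """True if the forwarded request carries Front-End-Https: on."""
    _, headers = parse_request(raw_request)
    return headers.get("front-end-https", "").lower() == "on"


def cleartext_links(body: str, host: str = PUBLIC_HOST):
    """Absolute http:// URLs for the public host found in an OWA response."""
    pattern = re.compile(r"http://" + re.escape(host) + r"[^\s\"'<>]*", re.I)
    return pattern.findall(body)


def audit(raw_request: bytes, response_body: str):
    """Return a list of findings; an empty list means the bridge looks correct."""
    findings = []
    if not has_front_end_https(raw_request):
        findings.append("forwarded request lacks Front-End-Https: on")
    links = cleartext_links(response_body)
    if links:
        findings.append(f"{len(links)} http:// link(s) returned to an HTTPS client")
    return findings


# Constructed captures: before and after the registry value is applied.
REQ_WITHOUT = b"GET /exchange/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
REQ_WITH = (b"GET /exchange/ HTTP/1.1\r\nHost: mail.example.com\r\n"
            b"Front-End-Https: on\r\n\r\n")
BODY_BAD = '<a href="http://mail.example.com/exchange/user/Inbox/">Inbox</a>'
BODY_GOOD = '<a href="https://mail.example.com/exchange/user/Inbox/">Inbox</a>'

if __name__ == "__main__":
    print(audit(REQ_WITHOUT, BODY_BAD))
    print(audit(REQ_WITH, BODY_GOOD))
```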
You can also use the Bridging tab of the OWA Properties dialog box to configure ISA Server for SSL bridging options 2 and 3. To add an SSL tunnel for unsecured HTTP requests (SSL bridging option 2), select the SSL requests (establish a secure channel to the site) radio button in the Redirect HTTP requests as box. To add an SSL tunnel between the HTTP proxy and the OWA front-end Web server (SSL bridging option 3), select the SSL requests (establish a new secure channel to the site) radio button in the Redirect SSL requests as box. Keep in mind that both bridging options require an SSL certificate on the OWA front-end Web server.
The Bridging tab contains two other important SSL-related configuration options. If you want ISA Server to connect to the published Web site only when the user types an HTTPS URL in the browser address bar, select the Require secure channel (SSL) for published site check box (this setting applies only to SSL bridging options 1 and 3). If you want ISA Server to perform strong SSL certificate-based authentication to the OWA front-end Web server, select the Use a certificate to authenticate to the SSL Web server check box and select a certificate (this setting applies only to SSL bridging options 2 and 3). In the latter case, you should install ISA Server's SSL client-side authentication certificate in the W3Proxy service's certificate store on the ISA Server system.
To help facilitate the configuration of SSL bridging in an OWA environment, Microsoft has provided an OWA Publishing Wizard in ISA Server Feature Pack 1, which is available for download at http://www.microsoft.com/downloads/details.aspx?familyid=2f92b02c-ac49-44df-af6c-5be084b345f9&displaylang=en. The new wizard, which Figure 6 shows, is accessible from the ISA Web Publishing Rules container—simply right-click the container, then select New, Publish Outlook Web Access Server. The wizard guides you through the different configuration options and automatically adds the AddFrontEndHttpsHeader registry setting.
Configuring ISA Server for SSL Tunneling
To configure ISA Server for SSL tunneling, you need to use ISA Server's Server Publishing feature. Compared with configuring SSL bridging, setting up SSL tunneling is easy because you don't need to create an SSL certificate for ISA Server.
Start by making sure that ISA Server's SSL listener is disabled. The SSL listener doesn't need to be enabled because it's used only for ISA Server's Web-publishing function. To make sure the SSL listener is disabled, clear the Enable SSL listeners check box on the Incoming Web Requests tab of the ISA Server object's Properties dialog box.
Next, create a server-publishing rule for your OWA front-end Web server. From the ISA Management snap-in, expand the publishing container, then right-click the Server Publishing Rules container. Select New, Rule to open the New Server Publishing Rule Wizard, as Figure 7 shows. Type a name for the rule (e.g., OWA), and click Next. On the Address Mapping page, type the IP address of your OWA front-end Web server in the IP address of internal server box, then type the IP address from which your ISA Server is accessible to the outside world in the External IP address on ISA Server box. On the Protocol Settings page, select the HTTPS Server protocol. On the Client Type page, select Any request. To make sure that your ISA Server configuration changes go into effect, stop and restart ISA Server's Web Proxy and Firewall services.
Don't Forget the SSL Processing Load
Throughout this article, I've discussed how to configure ISA Server to support various SSL tunneling and bridging flavors, but I haven't addressed how SSL processing affects ISA Server performance. These performance considerations are especially important if you're setting up SSL bridging option 1 or 3 in large OWA environments (see Web Table 1 for a more detailed explanation of the different SSL bridging options). In either situation, you might want to evaluate SSL crypto-accelerator cards or dedicated SSL-processing hardware appliances to help offload SSL processing from ISA Server.