Deploying ISA Server as a firewall for Exchange Server mobile devices


Brien Posey
03.06.2008




Microsoft's Internet Security and Acceleration (ISA) Server 2006 is a firewall solution that augments Exchange 2003 and Exchange 2007. Because ISA Server is an Exchange-aware solution, it can be used as an application-level firewall. It is especially useful for mobile messaging security. This tip discusses deploying ISA Server to authenticate and encrypt ActiveSync synchronization between a mobile device and Exchange 2003 or Exchange 2007.

ISA Server is a software-based application that runs on top of the Windows Server operating system, which has inherent vulnerabilities. Although ISA Server offers the same functionality as most firewall appliances, it can be susceptible to attack if used alone. Therefore, when using ISA Server as a firewall for Exchange mobile messaging, I recommend placing ISA Server behind a firewall appliance, as shown in Figure 1.

Figure 1. ISA Server 2006 should be placed behind a firewall appliance.

In Exchange Server 2003 SP2 and Exchange 2007, ActiveSync maintains synchronization between mobile devices and Exchange mailboxes. When ActiveSync is used, mobile devices establish an HTTP or an HTTPS session with the Client Access Server (CAS). Assuming that HTTPS is being used, the session is established over port 443. The CAS uses a certificate to provide SSL encryption for a session that the mobile device has established.

When an ISA Server is added to the network, mobile devices can no longer communicate directly with the CAS. Instead, ISA Server receives a certificate and the mobile device establishes the HTTPS session with the ISA server, even though it appears to be connected directly to the CAS.

With this type of configuration, communications between the mobile device and ISA Server are SSL-encrypted. However, communications between the ISA server and the Client Access server must also be secured. Therefore, the ISA server uses a Remote Authentication Dial In User Service (RADIUS) server (or an IAS server) to authenticate mobile users.

Once users have been authenticated:

This isn't the only configuration architecture for deploying ISA Server, but I prefer this method for two reasons.
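The following script is an added example, not part of the original tip or of any Microsoft tooling. It checks that a published ActiveSync listener behaves like the deployment described above: the device sees a certificate issued for the public name (ISA's certificate, since SSL is terminated there), ISA itself demands credentials before anything is forwarded to the Client Access server, and no cleartext listener is published. The host name, the `GOOD` observation set and the finding strings are assumptions; `/Microsoft-Server-ActiveSync` is the standard ActiveSync virtual directory.

```python
"""Added example: validate an SSL-bridged, pre-authenticating ActiveSync edge."""
import ssl
import socket
import http.client

EAS_PATH = "/Microsoft-Server-ActiveSync"  # standard ActiveSync virtual directory


def evaluate(obs):
    """Return a list of findings for one set of observations about the edge."""
    findings = []
    # 1. The certificate presented on 443 must cover the public name; with SSL
    #    bridging this is the certificate installed on ISA, not the CAS's.
    if obs["public_name"] not in obs["cert_names"]:
        findings.append("certificate does not match public name")
    # 2. ISA must challenge for credentials itself (401 + WWW-Authenticate) so
    #    that unauthenticated requests never reach the Client Access server.
    if obs["unauth_status"] != 401 or not obs.get("www_authenticate"):
        findings.append("edge does not pre-authenticate ActiveSync requests")
    # 3. Only 443 should be published; an answering port 80 means cleartext.
    if obs["http_open"]:
        findings.append("port 80 answers; ActiveSync could run in cleartext")
    return findings


def probe(host):
    """Collect the same observations from a live listener (network required)."""
    ctx = ssl.create_default_context()  # devices also need a trusted chain
    with socket.create_connection((host, 443), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert = tls.getpeercert()
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names.update(v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName")
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.request("OPTIONS", EAS_PATH)  # unauthenticated ActiveSync discovery
    resp = conn.getresponse()
    try:
        socket.create_connection((host, 80), timeout=3).close()
        http_open = True
    except OSError:
        http_open = False
    return {"public_name": host, "cert_names": names,
            "unauth_status": resp.status,
            "www_authenticate": resp.getheader("WWW-Authenticate"),
            "http_open": http_open}


# Constructed observations for a correctly deployed edge (no network needed).
GOOD = {"public_name": "mail.example.com", "cert_names": {"mail.example.com"},
        "unauth_status": 401, "www_authenticate": "Basic realm=\"mail\"",
        "http_open": False}
```

Run `evaluate(probe("your.public.name"))` against your own listener; an empty list means all three checks passed.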

Despite its benefits, this configuration can be tedious to implement and requires RADIUS or IAS servers. To simplify this, you can make ISA Server a member of a domain instead. This approach doesn't require a RADIUS server. As a domain member, ISA Server can still communicate with Active Directory and use an Active Directory database to authenticate mobile clients.

When ISA Server is a domain member, its location within the network plays an important role in its function. For example, if it is a domain member, but still resides at the network perimeter, you typically would have to create an IPSec tunnel that can be used to provide encrypted communications between the ISA server and the Client Access server.

However, if the ISA server is a domain member and exists within the private network, then it can communicate with the CAS just like other servers on your network. You don't have to create an IPSec tunnel -- although using IPSec encryption is still an option. I don't recommend placing a domain-member ISA Server at the network perimeter, because information about your domain potentially could be exposed.

About the author: Brien M. Posey, MCSE, is a four-time recipient of Microsoft's Most Valuable Professional Award for his work with Windows Server, Internet Information Server (IIS) and Exchange Server. Brien has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit Brien's personal web site at www.brienposey.com.
