Comments on Me, Myself and ISA Blog (MSFirewall.org.uk): Publishing Exchange 2007 Services with ISA Server ...

Hi Eric, Yep, http auth combined with basic auth ...

2010-08-28T01:07:15.670+01:00

Hi Eric,

Yep, http auth combined with basic auth delegation should be fine for mobile devices.

Cheers

JJ

Can autodiscover for ActiveSync be accomplished wi...

2010-08-25T04:59:42.369+01:00

Can autodiscover for ActiveSync be accomplished without using KCD, for example, if the ISA servers are not in a domain? All I care about is autodiscover for ActiveSync.

Hi Aaron, This looks resolved now ;) http://foru...

2010-05-17T14:45:16.045+01:00

Hi Aaron,

This looks resolved now ;)

http://forums.isaserver.org/m_2002100926/mpage_1/key_/tm.htm#2002100926

Cheers

JJ

I did all of this; and I still get the login promp...

2010-05-14T19:18:10.146+01:00

I did all of this; and I still get the login prompt... what's the first place I should check?

'Set-OutlookProvider' do I need to do anything with that command? my EXPR is set to NULL currently... help.

Hi Mike, Wow, how many questions! ;) Please find...

2010-03-09T20:44:24.562Z

Hi Mike,

Wow, how many questions! ;)

Please find answers below:

1. I have only used this approach for Exchange 2007, so not sure about Exchange 2003. I don't think Exchange 2003 supported NTLM authentication for Outlook Anywhere, but I could be wrong here.

2. I can confirm 100% that a non-domain member *can* connect to Exchange using Outlook

Hi Jason, I have multiple questions (all related ...

2010-02-26T19:31:56.206Z

Hi Jason,

I have multiple questions (all related to the goal of securing the corporate data by ensuring we connect via trusted client machines, bear with me...)

1. First of all does this work with Exchange 2003? I have not been able to get confirmation on KCD working with Exchange 2003 with Outlook 2007 RPC/HTTPS

2. Secondly, I'm a little confused about the

>> Paul Yep, that is workable, but I prefer to us...

2010-01-21T16:34:33.113Z

>> Paul

Yep, that is workable, but I prefer to use internal PKI for internal certs and public PKI for ISA certs.

This is more manageable, felxible and cost effective in the long term...

Cheers

JJ

Nope, you can listen on two different public names...

2010-01-21T16:32:30.343Z

Nope, you can listen on two different public names with different certs, but send them to the same destination server name; the differing paths will be used as appropriate...

thank you for this information. quick question. if...

2010-01-21T16:29:19.417Z

thank you for this information. quick question. if i'm using a two certificates, one for owa and activesync and one for autodiscover and outlook anywhere. on the exchange server, don't i have to set up a new website for autodiscover, rpc, ews, and oab? any help would be appreciated.

Hi Jason, Re certificates; any thoughts on using o...

2010-01-04T14:22:42.335Z

Hi Jason,
Re certificates; any thoughts on using one public CA UC Certificate, for both Exchange and ISA.

The UC certificate would be
email.msfirewall.org.uk with a SAN of autodiscover.msfirewall.org.uk

If I use this this certificate on the email ISA rule, its obviously valid. If I use it for the Autodiscover rule, I believe the only consequence is the SSL setting

>>VileTasteOfDeath That is true for user objects,...

2009-12-04T23:33:37.610Z

>>VileTasteOfDeath

That is true for user objects, but for KCD to work the ISA Server computer object(s) and the published server computer object(s) MUST exist in the same domain.

Check "The Limitations: Windows Requirements Item 2" in the article URL you provided...

Cheers

JJ

According to this article: http://technet.microsof...

2009-12-04T14:26:14.724Z

According to this article: http://technet.microsoft.com/en-us/library/cc752953.aspx
You can now use KCD to authenticate users cross-forest/domain with the appropriate trusts in place. You would need to be @ISA 2006 SP1 as it has a couple necessary hotfixes.

>> Vladislav You sure about that? I have quite a...

2009-09-28T08:59:33.899+01:00

>> Vladislav

You sure about that?

I have quite a few deployments where I am publishing Exchange 2007 64bit with ISA Server 2006 SP1 and then have SAN certs...are you talking about a specific problem?

"This configuration will negate likely problems wi...

2009-09-27T15:04:15.562+01:00

"This configuration will negate likely problems with ISA Server 2006 pre-SP1 from reading multiple SAN entries as discussed here."

According to my research ISA Server 2006 SP1 doesn't resolve the problem if you are using 64-bit Exchange 2007.

Strange, there is no "multiple SAN" problem on non-production 32-bit Exchange 2007 SP1.

Vladislav

Hi Jason, Just re transparent authentication with...

2009-08-14T15:58:13.310+01:00

Hi Jason,

Just re transparent authentication with non-domain joined clients.

IE (and FF via config file) can send the credentials of the logged on user transparently if the site is in the Intranet security zone. There is no need for access to the KDC as NTLM is acceptable: http://support.microsoft.com/Default.aspx?id=258063

Of course, for non-domain joined clients

>> Chris Thanks! I think this has been one of my ...

2009-05-05T09:23:00.000+01:00

>> Chris

Thanks! I think this has been one of my more popular posts ;)

Due to the way Exchange 2007 works, it is better to use ISA web server farm publishing (WSFP) than NLB fro CAS roles. You can still enable NLB for non-web service like POP3/IMAP, but WSFP is the best choice for web protocols needed for OWA, OA, EAS etc. You then use NLB VIPs for non-web services and

This is an excellent article, Jason! I don't know ...

2009-05-05T02:53:00.000+01:00

This is an excellent article, Jason! I don't know how I would have implemented transparent authentication without your article. I do have one question... I would like to implement redundant servers, using Network Load Balancing (NLB), that host the CAS/HUB roles to provide service high availability to my users. Is there any way to do Kerberos Constrained Delegation against multiple CAS servers

>> AbdulHmmm...I'm not too sure, have you actually...

2008-12-17T09:04:00.000Z

>> Abdul

Hmmm...I'm not too sure, have you actually tested this? Due to the use of KCD, I am pretty sure the machine would have to be a member of the domain in order to provide correct authentication. Not something I have tried though to be honest! ;)

I think even if you are connecting from a non-doma...

2008-12-16T11:26:00.000Z

I think even if you are connecting from a non-domain joined client, you should be able to achieve transparent authentication by adding the CAS and Mailbox server netbios and fqdn and saving the credentials for each of them in the local password store (start--->run-->control userpasswords2)

A very good and informative article. Keep up the good work!

>> TimHey, Tim - yep, non-domain joined machines w...

2008-11-14T14:51:00.000Z

>> Tim

Hey, Tim - yep, non-domain joined machines will receive an authentication prompt as there will be no transparent authentication using cached credentials. I have tested this and all works fine if you enter valid credentials in the authentication pop-up for a non-domain joined machine.

Cheers

JJ

What happens with Outlook clients on machines that...

2008-11-14T00:31:00.000Z

What happens with Outlook clients on machines that are not in the domain? Do they simply get prompted for authentication, or do they not work at all?

Pingback: http://forums.isaserver.org/m_2002055762...

2008-09-26T12:10:00.000+01:00

Pingback: http://forums.isaserver.org/m_2002055762/mpage_2/key_/tm.htm#2002074426

>>HenningThanks for the detailed feedback!I tend t...

2008-08-02T00:27:00.000+01:00

>>Henning

Thanks for the detailed feedback!

I tend to enable HTTP to HTTPS redirection for most applications that require SSL. I would agree that in this particular case it is not strictly necessary as there is no real user interaction.

I did consider including inforamtion on wildcard certificate, but wanted to keep things simple for the first entry. I may do a

Hello Jason,Thanks for a great article. I’ve spent...

2008-07-31T12:36:00.000+01:00

Hello Jason,
Thanks for a great article. I’ve spent weeks migrating from exchange 2003 to 2007 and at the same time also migrating from win 2003 to win 2008 including new forests and sanitizing name spaces for several customers. Reading your article summarizes the very elegant way of doing the NTLM to KCD authentication for Oulook anywhere users through ISA server. During my struggle for

>>artyomThese additional steps are only necessary ...

2008-07-31T10:39:00.000+01:00

>>artyom

These additional steps are only necessary if you plan to use certificate based authentication (as is required for ActiveSync).

Some of these additional steps are required for OWA Document Access so keep tuned to see when similar additional delegation configuration is needed!