Comments on Me, Myself and ISA Blog (MSFirewall.org.uk): Publishing Exchange 2007 Services with ISA Server ...

Thanks for the useful information, I will use this...

2011-10-31T08:11:54.807Z

Thanks for the useful information, I will use this along with my work.

Thanks Wyvern...used it for that scenario too ;)

2010-11-30T12:26:30.883Z

Thanks Wyvern...used it for that scenario too ;)

Hi Jason, Thank for you info, this works with Exc...

2010-11-30T12:24:28.374Z

Hi Jason,

Thank for you info, this works with Exchange 2010 and TMG, split DNS and 1 certificate with CN=mail.domain.org & SAN=mail.domain.org,domain.org,autodiscover.domain.org

I use two IPs, one for Discover,RPC,CDP - Certificate validation point, and other for OWA & ActiveSync.

Cheers.

Hi Eric, Yep, http auth combined with basic auth ...

2010-08-28T01:07:15.670+01:00

Hi Eric,

Yep, http auth combined with basic auth delegation should be fine for mobile devices.

Cheers

JJ

Can autodiscover for ActiveSync be accomplished wi...

2010-08-25T04:59:42.369+01:00

Can autodiscover for ActiveSync be accomplished without using KCD, for example, if the ISA servers are not in a domain? All I care about is autodiscover for ActiveSync.

Hi Aaron, This looks resolved now ;) http://foru...

2010-05-17T14:45:16.045+01:00

Hi Aaron,

This looks resolved now ;)

http://forums.isaserver.org/m_2002100926/mpage_1/key_/tm.htm#2002100926

Cheers

JJ

I did all of this; and I still get the login promp...

2010-05-14T19:18:10.146+01:00

I did all of this; and I still get the login prompt... what's the first place I should check?

'Set-OutlookProvider' do I need to do anything with that command? my EXPR is set to NULL currently... help.

Hi Mike, Wow, how many questions! ;) Please find...

2010-03-09T20:44:24.562Z

Hi Mike,

Wow, how many questions! ;)

Please find answers below:

1. I have only used this approach for Exchange 2007, so not sure about Exchange 2003. I don't think Exchange 2003 supported NTLM authentication for Outlook Anywhere, but I could be wrong here.

2. I can confirm 100% that a non-domain member *can* connect to Exchange using Outlook

Hi Jason, I have multiple questions (all related ...

2010-02-26T19:31:56.206Z

Hi Jason,

I have multiple questions (all related to the goal of securing the corporate data by ensuring we connect via trusted client machines, bear with me...)

1. First of all does this work with Exchange 2003? I have not been able to get confirmation on KCD working with Exchange 2003 with Outlook 2007 RPC/HTTPS

2. Secondly, I'm a little confused about the

>> Paul Yep, that is workable, but I prefer...

2010-01-21T16:34:33.113Z

>> Paul

Yep, that is workable, but I prefer to use internal PKI for internal certs and public PKI for ISA certs.

This is more manageable, felxible and cost effective in the long term...

Cheers

JJ

Nope, you can listen on two different public names...

2010-01-21T16:32:30.343Z

Nope, you can listen on two different public names with different certs, but send them to the same destination server name; the differing paths will be used as appropriate...

thank you for this information. quick question. if...

2010-01-21T16:29:19.417Z

thank you for this information. quick question. if i'm using a two certificates, one for owa and activesync and one for autodiscover and outlook anywhere. on the exchange server, don't i have to set up a new website for autodiscover, rpc, ews, and oab? any help would be appreciated.

Hi Jason, Re certificates; any thoughts on using o...

2010-01-04T14:22:42.335Z

Hi Jason,
Re certificates; any thoughts on using one public CA UC Certificate, for both Exchange and ISA.

The UC certificate would be
email.msfirewall.org.uk with a SAN of autodiscover.msfirewall.org.uk

If I use this this certificate on the email ISA rule, its obviously valid. If I use it for the Autodiscover rule, I believe the only consequence is the SSL setting

>>VileTasteOfDeath That is true for user ob...

2009-12-04T23:33:37.610Z

>>VileTasteOfDeath

That is true for user objects, but for KCD to work the ISA Server computer object(s) and the published server computer object(s) MUST exist in the same domain.

Check "The Limitations: Windows Requirements Item 2" in the article URL you provided...

Cheers

JJ

According to this article: http://technet.microsof...

2009-12-04T14:26:14.724Z

According to this article: http://technet.microsoft.com/en-us/library/cc752953.aspx
You can now use KCD to authenticate users cross-forest/domain with the appropriate trusts in place. You would need to be @ISA 2006 SP1 as it has a couple necessary hotfixes.

>> Vladislav You sure about that? I have q...

2009-09-28T08:59:33.899+01:00

>> Vladislav

You sure about that?

I have quite a few deployments where I am publishing Exchange 2007 64bit with ISA Server 2006 SP1 and then have SAN certs...are you talking about a specific problem?

"This configuration will negate likely proble...

2009-09-27T15:04:15.562+01:00

"This configuration will negate likely problems with ISA Server 2006 pre-SP1 from reading multiple SAN entries as discussed here."

According to my research ISA Server 2006 SP1 doesn't resolve the problem if you are using 64-bit Exchange 2007.

Strange, there is no "multiple SAN" problem on non-production 32-bit Exchange 2007 SP1.

Vladislav

Hi Jason, Just re transparent authentication with...

2009-08-14T15:58:13.310+01:00

Hi Jason,

Just re transparent authentication with non-domain joined clients.

IE (and FF via config file) can send the credentials of the logged on user transparently if the site is in the Intranet security zone. There is no need for access to the KDC as NTLM is acceptable: http://support.microsoft.com/Default.aspx?id=258063

Of course, for non-domain joined clients

>> Chris Thanks! I think this has been one ...

2009-05-05T09:23:00.000+01:00

>> Chris

Thanks! I think this has been one of my more popular posts ;)

Due to the way Exchange 2007 works, it is better to use ISA web server farm publishing (WSFP) than NLB fro CAS roles. You can still enable NLB for non-web service like POP3/IMAP, but WSFP is the best choice for web protocols needed for OWA, OA, EAS etc. You then use NLB VIPs for non-web services and

This is an excellent article, Jason! I don't know ...

2009-05-05T02:53:00.000+01:00

This is an excellent article, Jason! I don't know how I would have implemented transparent authentication without your article. I do have one question... I would like to implement redundant servers, using Network Load Balancing (NLB), that host the CAS/HUB roles to provide service high availability to my users. Is there any way to do Kerberos Constrained Delegation against multiple CAS servers

>> Abdul

Hmmm...I'm not too sure,...

2008-12-17T09:04:00.000Z

>> Abdul

Hmmm...I'm not too sure, have you actually tested this? Due to the use of KCD, I am pretty sure the machine would have to be a member of the domain in order to provide correct authentication. Not something I have tried though to be honest! ;)

I think even if you are connecting from a non-doma...

2008-12-16T11:26:00.000Z

I think even if you are connecting from a non-domain joined client, you should be able to achieve transparent authentication by adding the CAS and Mailbox server netbios and fqdn and saving the credentials for each of them in the local password store (start--->run-->control userpasswords2)

A very good and informative article. Keep up the good work!

>> Tim

Hey, Tim - yep, non-domain joi...

2008-11-14T14:51:00.000Z

>> Tim

Hey, Tim - yep, non-domain joined machines will receive an authentication prompt as there will be no transparent authentication using cached credentials. I have tested this and all works fine if you enter valid credentials in the authentication pop-up for a non-domain joined machine.

Cheers

JJ

What happens with Outlook clients on machines that...

2008-11-14T00:31:00.000Z

What happens with Outlook clients on machines that are not in the domain? Do they simply get prompted for authentication, or do they not work at all?

Pingback: http://forums.isaserver.org/m_2002055762...

2008-09-26T12:10:00.000+01:00

Pingback: http://forums.isaserver.org/m_2002055762/mpage_2/key_/tm.htm#2002074426

Comments on Me, Myself and ISA Blog (MSFirewall.org.uk): Publishing Exchange 2007 Services with ISA Server ...

Thanks for the useful information, I will use this...

Thanks Wyvern...used it for that scenario too ;)

Hi Jason, Thank for you info, this works with Exc...

Hi Eric, Yep, http auth combined with basic auth ...

Can autodiscover for ActiveSync be accomplished wi...

Hi Aaron, This looks resolved now ;) http://foru...

I did all of this; and I still get the login promp...

Hi Mike, Wow, how many questions! ;) Please find...

Hi Jason, I have multiple questions (all related ...

>> Paul Yep, that is workable, but I prefer...

Nope, you can listen on two different public names...

thank you for this information. quick question. if...

Hi Jason, Re certificates; any thoughts on using o...

>>VileTasteOfDeath That is true for user ob...

According to this article: http://technet.microsof...

>> Vladislav You sure about that? I have q...

"This configuration will negate likely proble...

Hi Jason, Just re transparent authentication with...

>> Chris Thanks! I think this has been one ...

This is an excellent article, Jason! I don't know ...

>> AbdulHmmm...I'm not too sure,...

I think even if you are connecting from a non-doma...

>> TimHey, Tim - yep, non-domain joi...

What happens with Outlook clients on machines that...

Pingback: http://forums.isaserver.org/m_2002055762...

>> Abdul

Hmmm...I'm not too sure,...

>> Tim

Hey, Tim - yep, non-domain joi...