- Think Like A Computer - https://www.think-like-a-computer.com -

BIS, ISA and Exchange 2007 OWA Solution

This guide is for Exchange 2007 with ISA 2006. Go here for the BIS ISA Exchange 2003 solution.

Ok, firstly, this guide assumes you know how to configure and publish secure websites through ISA. If you do not know how to do this then read up on it. Until you are confident you can set up and publish websites through ISA using web listeners there is no point continuing.

This guide also assumes the ISA and Exchange servers are both in the same domain. If they are not there are additional steps you must take (explained at the end of the guide).

The first thing we need to do is enable Forms Based Authentication (from now on called FBA) on the ISA box and disable FBA at the Exchange level (if enabled). There are several guides on the internet about how to publish OWA through ISA using FBA, so find one of them. The reason I say look for other guides is that you will all have different network configurations, and accommodating every scenario would be a chore in itself. What this guide will focus on are the additional tasks needed to get BIS to work with OWA. Here are some guides to enabling FBA on the ISA for OWA:

Publishing Exchange Client Access with ISA 2006
Publishing Exchange 2007 OWA with ISA Server 2006

NOTE: Regardless of what the guides say to do, when you create the OWA ISA rule choose to create an “Exchange Web Client Access Publishing Rule” and go through the wizard selecting Exchange 2007 and Outlook Web Access when prompted. This will make sure the rule is configured as closely as it needs to be for this guide. I will tell you only what needs changing after this.

Make sure OWA now works using FBA on the ISA box before continuing (not with BIS, just normal OWA).

Ok, once you have OWA working using FBA at the ISA box we are now ready to move onto the next stage.
If you followed the guides correctly you should have the following:
•    1 rule in ISA to publish OWA.
•    1 public certificate using your external domain, e.g. OWA.Mydomain.com
•    1 internal cert used for internal client access (usually self signed), e.g. OWA.internaldom.local
Note: it is possible to have 1 cert used for both internal and external domains but this complicates things. I will only be covering the above scenario.
At this point OWA probably is working but your BIS account can’t use it.

On the ISA 2006 box open your web listener for your OWA rule you just created and make sure the following is set:

1.    On the “Certificates” tab make sure your public certificate/s is/are selected here.
2.    On the “Authentication” tab make sure HTML Form Authentication is selected (it should be, or FBA would have failed anyway).
3.    On the same tab make sure Windows (Active Directory) is selected as the Authentication Validation Method (if the ISA box is not in an AD domain, or it is in a separate AD from the Exchange box, see the notes at the end).
4.    Ok and close the web listener properties.
5.    Now edit the OWA rule itself and make sure the following is set:
6.    On the “To” tab make sure it is set as the picture shows.
ISA Exchange OWA Rule

Here owa.internaldomain.local is the internal address that users connect to inside your network. To test that this works, try connecting to it from the ISA box. ISA must be able to connect to this address before continuing; if it can’t, you must resolve that first and type the correct URL in this box.
Make sure the tickbox “Forward the original host header…” is unticked and make sure the requests appear to come from ISA (1st radio button). THESE ARE VERY IMPORTANT.
7.    Click on the “Paths” tab and make sure you have the same settings as in this pic. Note the additional EWS folder I have added. This is important.
ISA 2006 Exchange 2007 Rule

8.    On the “Authentication” tab make sure NTLM Authentication is set.
9.    Ok everything and close the rule properties. Do not click the Test Rule button yet as it may fail at the moment.

On the Exchange server open the Exchange Management Console, check the following:

1.    Select the Client Access node under the Server Configuration node.
2.    Edit the properties of the OWA Web app and check/set the following
OWA listener

where the internal URL is the URL internal clients connect to and the external URL is the URL external users connect on.
3.    On the “Authentication” tab make sure both “Integrated Windows Authentication” and “Basic Authentication” are ticked. Nothing else should be selected.
4.    Ok and close the properties.
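The same Exchange-side settings applied from the Exchange Management Shell instead of the console, as an added example that is not part of the original post. The server name, host names and the `iisreset` step are mine; the URLs are placeholders for your own internal and external names.

```powershell
# Added example (not from the original post): the OWA virtual directory settings from
# the steps above, set with Exchange 2007 cmdlets. "CAS01" and the host names are placeholders.
$cas         = "CAS01"                                  # placeholder Client Access server
$owaVdir     = "$cas\owa (Default Web Site)"
$internalUrl = "https://owa.internaldomain.local/owa"   # what internal clients connect to
$externalUrl = "https://owa.mydomain.com/owa"           # what ISA publishes externally

# Turn off Exchange's own forms-based logon (ISA now provides the form) and leave only
# Integrated Windows and Basic enabled, matching the "Authentication" tab in the console.
Set-OwaVirtualDirectory -Identity $owaVdir `
    -InternalUrl $internalUrl -ExternalUrl $externalUrl `
    -FormsAuthentication $false `
    -WindowsAuthentication $true `
    -BasicAuthentication $true `
    -DigestAuthentication $false

# Authentication changes on the virtual directory only take effect after IIS is restarted.
iisreset /noforce

# Read the settings back and warn about anything that does not match the guide.
$v = Get-OwaVirtualDirectory -Identity $owaVdir
$expected = @{ FormsAuthentication = $false; WindowsAuthentication = $true;
               BasicAuthentication = $true;  DigestAuthentication  = $false }
foreach ($name in $expected.Keys) {
    if ($v.$name -ne $expected[$name]) {
        Write-Warning ("{0} is {1}, expected {2}" -f $name, $v.$name, $expected[$name])
    }
}
$v | Format-List Identity, InternalUrl, ExternalUrl, *Authentication
```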

If all has been done correctly BIS should now work. Test the following before testing BIS; these services must be working before BIS will:

•    Test internal clients can still connect to OWA – They should no longer get FBA; it should log them straight into OWA because of “Windows Integrated Authentication”. Make sure the test is done with your internal name.
•    Test OWA externally on the external URL – This should prompt you with “Forms Based Authentication”. Make sure you can log in ok.
•    The last test is to go back to ISA and open the rule. Now click “Test Rule”, this must work. If any tests come back red look at the error and pay attention to it and fix it. Make sure the tests come back green.
•    Make sure you can connect to the address https://owa.Mydomain.com/ews/exchange.asmx (replace domain and hostname accordingly). Test this on your external domain; the internal domain doesn’t matter. If it works you will get an XML page.
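The first, second and fourth checks above as a script (the “Test Rule” button has no scripted equivalent), added here and not part of the original post. It assumes the host names are replaced with your own, that each certificate is trusted by the machine running it, and that ISA offers Basic authentication to non-browser clients on this listener, which is how BIS reaches EWS; the ISA form path `CookieAuth.dll` and the Exchange form path `/owa/auth/logon.aspx` are used to tell the two kinds of logon page apart.

```powershell
# Added example (not from the original post): the checks above, scripted. Host names are
# placeholders; the certificate on each URL must be trusted by the machine running this.
# Needs PowerShell 2.0 or later (try/catch).
$internalOwa = "https://owa.internaldomain.local/owa"
$externalOwa = "https://owa.mydomain.com/owa"
$externalEws = "https://owa.mydomain.com/ews/exchange.asmx"

# GET a URL and return the status code, the final URL after redirects and the body.
function Get-Page([string]$url, $cred, [string]$agent) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.UserAgent = $agent
    if ($cred -ne $null) { $req.Credentials = $cred }
    try {
        $resp = $req.GetResponse()
        $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
        $out  = @{ Status = [int]$resp.StatusCode; Url = $resp.ResponseUri.AbsoluteUri; Body = $body }
        $resp.Close()
        return $out
    } catch {
        # unwrap PowerShell's method-invocation wrapper to reach the WebException, if any
        $ex = $_.Exception
        while ($ex -isnot [System.Net.WebException] -and $ex.InnerException) { $ex = $ex.InnerException }
        $status = 0
        if ($ex -is [System.Net.WebException] -and $ex.Response) { $status = [int]$ex.Response.StatusCode }
        return @{ Status = $status; Url = $url; Body = $ex.Message }
    }
}

$browser = "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.0)"

# 1. Internal OWA with the current Windows logon: integrated auth, no logon form of any kind.
$r = Get-Page $internalOwa ([System.Net.CredentialCache]::DefaultCredentials) $browser
if ($r.Status -eq 200 -and $r.Url -notmatch "logon\.aspx|CookieAuth\.dll") { "PASS internal OWA" }
else { "FAIL internal OWA: status $($r.Status), landed on $($r.Url)" }

# 2. External OWA anonymously: ISA's form is served by CookieAuth.dll; Exchange's own form is
#    /owa/auth/logon.aspx, which means FBA was not disabled on the OWA virtual directory.
$r = Get-Page $externalOwa $null $browser
if ($r.Url -match "CookieAuth\.dll") { "PASS external OWA: ISA forms-based logon" }
elseif ($r.Url -match "logon\.aspx") { "FAIL external OWA: Exchange FBA still enabled" }
else { "FAIL external OWA: status $($r.Status), landed on $($r.Url)" }

# 3. External EWS with a test mailbox's credentials and a non-browser agent (assumption: ISA
#    offers Basic to non-browser clients, which is how BIS reaches EWS). Expect 200, no form.
$cred = Get-Credential   # DOMAIN\user of a test mailbox
$r = Get-Page $externalEws $cred.GetNetworkCredential() "EWS-check/1.0"
if ($r.Status -eq 200 -and $r.Url -notmatch "logon\.aspx|CookieAuth\.dll") {
    "PASS external EWS; first bytes: " + $r.Body.Substring(0, [Math]::Min(80, $r.Body.Length))
} else { "FAIL external EWS: status $($r.Status), landed on $($r.Url)" }
```

Run it from a workstation that can reach both the internal and the external name; a FAIL on check 2 that mentions logon.aspx means the Exchange-side FBA step above was missed.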

If all of the above works you can now try BIS. This should now work.

I have the troubleshooting guide but it needs cleaning up. I will post this if I get enough of a response for it.