Here is one conflicting information goes around the Internet. ISA 2004 cannot publish all four Exchange features (OWA, OMA, ActiveSync and RPC/HTTP) in one single listener. I have searched the Microsoft site (technet) and ISAServer.org. Here is the links for related ISA 2004 and Exchange publishing.
None of the above links describes how to run all 4 features published in one single listener on same External network card. The problem I am talking about is this….
-OWA needs to be setup with Forms Based Athentication on ISA 2004 server (more secure design)
– Rest of the items (OMA, ActiveSync and RPC/HTTP) requires Basic Authentication (over SSL). Outlook 2003 or mobile devices will not handle the Form Based Authentication, so it needs to be on Basic authentication.
So, all the Microsoft and other documents leads to create two different listeners (one with FBA and one with Basic authentication). Two listener cannot listen on same IP address and same port (443). Two different listener means two different IP addresses. And it also means two different domain names (owa.xxx.com and rpc.xxx.com). It complicates more like we have to buy two different digital certifications from provides (VeriSign) unless you choose to run Certificate Services in home.
Then, I found this article and may shed light for the solution: http://www.isaserver.org/tutorials/2004pubowamobile.html.
After I reading the above link, I realized this is not going to work for me. We bought a SSL certificate from legitimate provider and we don’t run certificate services at my company and we don’t plan to setup. For some small business and other companies, it may do some magic.
I was frustrated and about to gave up. I fiddled around and found something in the middle. All four features (OWA, OMA,ActiveSync and RPC/HTTP) are working on a single listener. Here is my setup. See the drawing and I will explain it below.
Here is the steps:
– Create a Listener called FBA_443_Listener with above settings in the drawing. Note this listener has only FBA selected. Don’t forget to set the default domain (your AD domain). If the users are from different domain in the forest, they have to type "domainusername" format.
– Create a Firewall Rule with Mail Server Publishing Wizard. Name it "OWA Publishing Rule". Select only OWA during the wizard. Setup the rule with above settings as it is in the drawing. When asked, select FBA_443_Listener. You need to enter path after finish creating the rule.
– Create a second firewall rule with Web Server Publishing Wizard and name it "RPC/HTTP,OMA and ActiveSync Publishing Rule". (Note the bold letters, this has to be created using web server publishing wizard and NOT using mail server publishing wizard). When asked, provide the path name as /rpc/* with your OWA domain name (mail.xxx.com). Make sure the settings are correct with above drawing. You need to add all the paths manually after creating the rule.
Voila! It worked. I am no geek on ISA server side, but here the explanation. The magic here is you create the rule for RPC, OMA and ActiveSync using WEB SERVER PUBLISHING WIZARD. I still don’t get it that how Outlook and my Mobile handles Form based authentication with above setup. But some how it handles it.
One possibility is Microsoft made Outlook and WM5 to manage the FBA through the latest patches. OR ISA 2004 with SP2 handles the NON Browser calls with Basic Authentication. So, don’t forget to patch your servers and clients.
Here is the result:
– Outlook Web Access link is provided with FBA logon page
– OMA provided with Basic Authentication page
– ActiveSync works and NO errors
– RPC/HTTP is provided with logon window in Outlook 2003 and it works without errors
This above setup works and I can do all four Exchange features beautifully. With all that above, I am running ISA 2004 in single network configuration. The listener is set to listen on local network.
Hope it helps someone desperately looking for the information.