Thursday, July 29, 2010

Configuring ISA Server 2004 as an Exchange Frontend Server in the DMZ (Part 1)

Ever since ISA Server 2004 became available, opinions have differed on the best design for publishing Exchange Server 2003 services securely on the web. In this drill down we delve a little deeper into the configuration details of making your Exchange Server 2003 publishing as secure as possible with ISA Server 2004, taking into account the recommendations of the Exchange product team.



If you would like to read the next part of this article series please go to Configuring ISA Server 2004 as an Exchange Frontend Server in the DMZ (Part 2).
With former versions of Exchange Server, the best practice was to place an Exchange Server front-end box in the DMZ. This meant that a lot of ports had to be opened on your firewall to allow communication between the front-end server in the DMZ network segment and the back-end servers in your internal network. This was an insecure configuration: if the front-end server were compromised, it would be fairly easy to reach internal network services from it. Therefore a lot of companies did not want to publish anything for security reasons.
With the release of ISA Server 2004 this has changed, because its new features let you publish every Exchange Server 2003 service with the best security available. A few leading security experts suggest using the design covered in Tom Shinder's articles found here:

Defining the Exchange Server Design

If you are planning your Exchange Server 2003 design with a view to publishing Exchange services on the web for your employees, it is very important to make sure that your Exchange Server box has no direct access to the internet. This means you need a DMZ or something similar: you protect your internal network by placing a less trusted network in front of it, the demilitarized zone.
A DMZ does not require two firewalls (a front-end and a back-end one); it can be attached to your current firewall as a third network. The most important thing is to ensure that traffic from outside your network is routed through the DMZ and that no direct connection from outside to inside (or vice versa) is possible.

Exchange vs. ISA Server as Front-end

But what is the reason for using ISA Server 2004 instead of Exchange Server 2003 in the DMZ? The reasons are straightforward:
  1. More security through firewall rules
  2. Secure web server publishing with strong application filters
  3. No need to join it to the domain, because it can act as a RADIUS client
  4. Lower cost than an Exchange Server 2003 license
If you install Exchange Server 2003 as a front-end server in your environment, you have to make sure that enough ports are open for it to contact Active Directory directly and join your Exchange Server Organisation. For more information you could have a look at my article “Implementing Outlook Web Access with Exchange Server 2003” (http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html), which explains the configuration in detail.
ISA Server 2004 can now act as a RADIUS client. This means you can configure it to talk to a RADIUS or IAS server on one of your internal infrastructure servers, so that the infrastructure needs at most two additional ports open towards the internal network to reach Active Directory for authentication purposes.
The Internet Authentication Service (IAS) is Microsoft’s implementation of a RADIUS server, which you probably know from Routing and Remote Access Services or IEEE 802.1X authentication. RADIUS is a standardised, secure way to contact your internal directory service for authentication. When it is used, your employees need to remember only one password for internal and external authentication, since both are checked against Active Directory.
In addition, the application filters on your ISA Server firewall provide a good and easy way to keep attackers and other unwanted traffic away from your internal network.
A third good reason is that a license for ISA Server 2004 Standard Edition costs less than one for Exchange Server 2003 Standard Edition.

Preparing the Exchange Organization

If you want to prepare your network infrastructure for this design, you have to make sure that the following structure works properly.

Figure 1: A good and secure configuration for publishing Exchange Services to the Internet
Here are the steps you have to complete to make things work:
  1. Install and configure Internet Authentication Service (IAS) on one (or, for high availability, more than one) Windows Server 2003 system.
  2. Open the RADIUS ports (in general 1812 and 1813) on your firewall for communication from ISA Server to IAS Server and vice versa.
  3. Make sure that your ISA Server can access your internal servers for DNS.
  4. Install Windows Server 2003 SP1.
  5. Harden your Server System using the Security Configuration Wizard (SCW) to prepare your system for the highest available security settings.
  6. Install ISA Server 2004 SP2 on your new Server.
  7. Place it in the DMZ.
After testing your environment you will be ready to configure your system to publish all Exchange Server 2003 based services. This will be shown in the second part of this article, coming soon.
But why should we still use a front-end server in the LAN segment? The reason is simple: it lets you publish a single URL to all your employees even when you have more than one back-end server.
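The design above has two invariants worth checking mechanically on any firewall rule export: no allow rule joins the outside and inside networks directly, and from the DMZ inwards only the RADIUS ports, DNS and the published front-end are reachable. The following Python is an added example, not from the article or any Microsoft tool; the rule representation, the HTTPS port to the internal front-end and the sample rule set are constructed assumptions.

```python
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Ports the design in this article needs from the ISA Server in the DMZ into the
# internal network: RADIUS to the IAS server (1812/1813) and DNS, as listed in the
# preparation steps, plus HTTPS to the internal front-end (an assumption here).
REQUIRED_DMZ_TO_INTERNAL = {("udp", 1812), ("udp", 1813), ("udp", 53), ("tcp", 53), ("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "any"
    port: int         # 0 means "any port"
    action: str = "allow"


def audit_rules(rules):
    """Return one finding per allow rule that breaks the DMZ design invariants."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if {r.src, r.dst} == {INTERNET, INTERNAL}:
            findings.append(f"{r.name}: direct {r.src}->{r.dst} path bypasses the DMZ")
        elif r.src == DMZ and r.dst == INTERNAL and (r.proto, r.port) not in REQUIRED_DMZ_TO_INTERNAL:
            findings.append(f"{r.name}: {r.proto}/{r.port} DMZ->internal exceeds the RADIUS, DNS and front-end set")
    return findings


# Constructed sample rule set: the rules the design needs, plus two typical mistakes.
SAMPLE_RULES = [
    Rule("owa-in", INTERNET, DMZ, "tcp", 443),
    Rule("radius-auth", DMZ, INTERNAL, "udp", 1812),
    Rule("radius-acct", DMZ, INTERNAL, "udp", 1813),
    Rule("dns", DMZ, INTERNAL, "udp", 53),
    Rule("owa-frontend", DMZ, INTERNAL, "tcp", 443),
    Rule("legacy-owa", INTERNET, INTERNAL, "tcp", 443),       # pre-ISA design, bypasses the DMZ
    Rule("ldap-from-dmz", DMZ, INTERNAL, "tcp", 389),         # only needed if Exchange itself sat in the DMZ
    Rule("block-all", INTERNET, INTERNAL, "any", 0, "deny"),  # deny rules are never findings
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```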

Conclusion

With the combination of Exchange Server 2003 on Windows Server 2003 and ISA Server 2004 you have a good, easy and secure solution for publishing your Exchange Server 2003 services on the internet with a minimum of risk. You can ensure that all your employees (if needed) can reach your messaging and collaboration system from anywhere in the world without barriers.
For security and patching reasons you will need to implement a change management process in your company network so that all your servers (at least those connected to the Internet, directly or indirectly) are kept up to date with all available fixes, patches and service packs. Windows Server Update Services (WSUS) or any other patch management mechanism can help you keep your servers as secure as possible.
To make sure that your configuration is as secure as it can be, you now have the opportunity to test it by attempting to penetrate your own firewall; if you have configured everything according to Microsoft’s recommendations, you should not find any security problems. Lots of companies have successfully configured this and are happy with their new services published to the internet for the well-known roaming users all around the world.
If there are still further questions please do not hesitate to contact me.
