Hotfix released that supports publishing Microsoft Exchange Server 2007 with ISA Server 2006

Today a hotfix was released to support publishing of Exchange Server 2007 with ISA Server 2006: http://support.microsoft.com/kb/925403. ISA Server 2006 supported publishing of pre-release versions of Exchange Server 2007; with this hotfix, ISA Server supports publishing the released version of Exchange Server 2007.

Notes:

  • The Attachment Blocking feature has been removed when publishing Exchange 2007. To block OWA attachments, we recommend that you configure attachment blocking in Exchange 2007.

  • This software update also updates the ISA 2006 MMC snap-in.

  • When publishing Exchange 2007, you need to run the New Exchange Publishing Rule wizard for each access method separately. You can use the same Web listener for each rule. However, you can only publish one access method at a time when you select Exchange Server 2007 as the Exchange version in the New Exchange Publishing Rule wizard.

How to publish Exchange 2007 OWA with Basic and Negotiate Authentication Delegation

If Basic is selected for authentication delegation, the following Exchange 2007 features will not function as expected:

· Outlook Web Access 2007 Web Part. Outlook Web Access 2007 Web Part requires Integrated Windows authentication configured on the /owa/* directory.

· Proxying between Exchange Client Access servers in different Active Directory sites. This requires the configuration of Integrated Windows authentication on the Exchange Client Access servers. For more information about proxying Exchange Client Access servers, see the Exchange Server 2007 product documentation.

If Negotiate is selected for Authentication delegation, the following will not work:

· Access to mailboxes residing on Exchange 2003, through legacy folders, such as /public/*, /exchange/*, and /Exchweb/*. Access to these mailboxes via this method requires Basic authentication.

· Clients that access the user's mailbox through the legacy folders, such as Microsoft Entourage 2004 for Mac and custom written applications using WebDAV extensions. This requires Basic authentication.

To take advantage of the new Exchange 2007 features that require Negotiate authentication delegation and still provide access to the legacy folders that require Basic authentication delegation, two publishing rules are required.

The following procedures enable you to properly publish Outlook Web Access with different authentication delegation methods for the /OWA/* and the legacy directories and configure Integrated Windows authentication on the Exchange 2007 Client Access server.

To configure Integrated Authentication on the OWA directory on the Exchange Client Access Server.

1. Start the Exchange Management Console.

2. In the Exchange Management Console, expand Server Configuration, and then click Client Access.

3. Select your Client Access server, such as cas01, and then select owa (Default Web Site) on the Outlook Web Access page.

4. In the action pane, click Properties under owa (Default Web Site).

5. Select the Authentication page, and select Integrated Windows authentication. You will now have both Basic and Integrated Windows authentication selected.

6. Click OK.

You now need to publish Outlook Web Access for both Basic and Negotiate authentication delegation.

Note: After you have configured Basic and Negotiate authentication delegation for Outlook Web Access, you can clear the Basic authentication (password is sent in clear text) option from the Authentication page for the /OWA folder.
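
The Client Access server procedure above, and the optional step in the note, can also be carried out from the Exchange Management Shell. This is an added example, not part of the original post: the function name Set-OwaIntegratedAuth and its -DisableBasic switch are hypothetical, and cas01 is the sample server name from step 3.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on an Exchange 2007 server. Set-OwaIntegratedAuth is a hypothetical helper.
function Set-OwaIntegratedAuth {
    param(
        [string]$Server = 'cas01',   # sample Client Access server name from step 3
        [switch]$DisableBasic        # the optional step from the note above
    )

    $identity = "$Server\owa (Default Web Site)"
    $fields   = 'Name', 'BasicAuthentication', 'WindowsAuthentication', 'FormsAuthentication'

    # Record the starting state so the change can be reviewed or reverted.
    Write-Host "Before:"
    Get-OwaVirtualDirectory -Identity $identity | Format-List $fields

    # Steps 1-6: add Integrated Windows authentication; Basic is left untouched.
    Set-OwaVirtualDirectory -Identity $identity -WindowsAuthentication $true

    if ($DisableBasic) {
        # Clear Basic only once Integrated Windows authentication is confirmed on;
        # otherwise /owa would be left with neither method enabled.
        $current = Get-OwaVirtualDirectory -Identity $identity
        if (-not $current.WindowsAuthentication) {
            Write-Warning "Integrated Windows authentication is not enabled; leaving Basic on."
            return
        }
        Set-OwaVirtualDirectory -Identity $identity -BasicAuthentication $false
    }

    Write-Host "After:"
    Get-OwaVirtualDirectory -Identity $identity | Format-List $fields
}

# Procedure as written: Basic and Integrated Windows authentication both enabled.
Set-OwaIntegratedAuth -Server 'cas01'

# Later, after both ISA publishing rules are applied and tested:
# Set-OwaIntegratedAuth -Server 'cas01' -DisableBasic
```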

To configure both Basic and Negotiate authentication delegation when publishing OWA.

1. Publish Outlook Web Access for Exchange 2007. For Exchange Publishing rule name, type Exchange 2007 OWA Basic, and on the Authentication Delegation page, select Basic Authentication.

2. Right-click the rule you just created and click Copy.

3. Right-click the rule you just created again and click Paste. This will paste the rule above the selected rule. The pasted rule name will be Exchange 2007 OWA Basic (1).

4. Right-click the pasted rule from Step 3 and click Properties.

5. On the General tab, change the name of the rule to Exchange 2007 OWA Negotiate.

6. Select the Path tab, select the /public/* path, and click Remove. Repeat this step for the /Exchweb/* and /Exchange/* paths. The only listed path should be /OWA/*.

7. Select the Authentication Delegation tab and select Negotiate (Kerberos/NTLM).

8. Click OK.

9. Right-click the rule named Exchange 2007 OWA Basic and click Properties.

10. Select the Path tab, select the /OWA/* path, and click Remove.

11. Click OK.

12. Click the Apply button in the details pane to save the changes and update the configuration.

13. Configure Integrated Windows authentication on the /OWA/ folder on the Client Access server. For details, see the procedure To configure Integrated Authentication on the OWA directory on the Exchange Client Access Server.

ISA Server will now use Negotiate as the authentication delegation method for the /OWA/* path and Basic as the authentication delegation method for the /public/*, /Exchange/*, and /Exchweb/* folders.

Gershon Levitz, ISA Server UE Team