Recently (July 2007), a deployment lab guide for Microsoft® Communicator Web Access 2007 was published on Microsoft Download Center. That white paper will guide you through the configuration of ISA Server 2006 and Microsoft Office Communicator Web Access 2007 (I will refer to CWA 2007 in this post) to allow single sign on authentication. The scenario described in the document uses LDAP to access the Active Directory® and validate user credentials. After that, the user will be automatically signed in to CWA 2007.
However, the entry page that ISA Server 2006 publishes externally is the ISA Server 2006 page, which uses forms-based authentication. This means that we don’t have the Microsoft Communicator Web Access 2007 interface published. Some customers might want to offer their users a single-interface experience to access CWA 2007 through Internet and Intranet.
This post will explain the steps to achieve this goal on the Microsoft Communicator Web Access 2007 side as well as on the ISA Server 2006 side.
2. Configuring Office Communicator Web Access 2007 for External Access
The first step to configure CWA 2007 for external access is to create a new virtual Web server that will listen to the requests from the ISA Server 2006. To do this, follow the steps below:
1. On the Office Communicator Web Access Manager Console, right-click the server, and then click Create a Virtual Web Server. In the wizard, click Next.
2. On the Select Virtual Server Type page, select the option External, and then click Next.
3. Leave Use Built-in Authentication selected, and then click Next.
4. Since the virtual server type is external, verify that Forms-based authentication is selected, and then click Next.
5. On the connection type, select HTTPS, select the certificate that was issued for this server, and then click Next.
6. On the Select IP Address and Port Settings window, type the port number that the ISA Server will be listening to for external CWA requests. This port needs to match with the Bridging tab on the ISA Server Web Publishing rule. Click Next.
7. Type a description for this site.
8. Leave the default option selected to start the virtual server after finishing the wizard, and then click Next.
9. Review the options that you selected (this is the time to make any changes, if you wish), and then click Next.
10. The Virtual Server will be created, and a log will be available to review the result. After reviewing the results, click Finish.
After creating, you can review the main points highlighted in the figure below:
As you can see, the Windows® authentication option appears with the red mark. This is normal, as mentioned on the step by step, due the type of virtual server that we just created. It is important to mention that the Office Communicator Web Access server should be dedicated to this role. For instance, we should not have the SharePoint® portal server installed on the same box. This is actually a supportability recommendation from the OCS Support Team.
3. Configuring the ISA Server 2006 Web publishing rule
Now that CWA 2007 is ready to access, we need to create the Web publishing rule on the ISA Server. To be able to do that, it is important that we have a certificate installed on the ISA Server 2006 that will be used for the external access. The certificate FQDN needs to match the public name that the Web listener will have. In this scenario, the name will be cwa.alpineskihouse.com. Follow the steps below to create the Web publishing rule:
1. Right-click Firewall Policy, select the option New, and then click Web Site Publishing Rule.
2. Type the name of the rule, and then click Next.
3. On the Select Rule Action window, select the option Allow, and then click Next.
4. On the Publishing Type window, select the option to Publish a single Web Site or load balancer, and then click Next.
5. On the Server Connection Security window, select the option Use SSL to connect to the published web server or server farm, and then click Next.
6. On the Internal Publishing Details page, in the Internal site name box, type the name of the internal site. Select the Use a computer name or IP address to connect to the published server check box, and then, in the Computer name or IP address box, type the server name.
If you do not know the name of the server, click Browse to navigate to its location.
7. On the Internal Publishing Details window, in the Path (optional) box, type /*, and then click Next.
8. On the Public Name Details window, from the Accept requests for dropdown list, select This domain name (type below), and then, in the Public name box, type the public name that matches the certificate that was issued for this URL. Click Next.
9. On the Select Web Listener window, click New, type the name for this Web listener, and then click Next.
10. On the Client Connection Security window, select the option Require SSL secured connection with clients, and then click Next.
11. Click to highlight the External interface, and then click in Select IP Address.
12. In the External Network Listener IP Selection dialog box, select the option Specified IP addresses on the ISA Server computer in the selected network. In the Available IP address field, select the IP address, click Add, and then click OK. In the Web Listener IP Addresses window, click Next.
13. On the Listener SSL Certificates window, select Use a single certificate for this Web Listener, and then click Select Certificate. Select the certificate that was installed on this ISA Server 2006 computer, and then click Select.
14. In the Authentication Settings window, select No Authentication. The authentication will be done by the forms-based authentication on the CWA 2007 server.
15. On the Single Sign On Settings window, click Next, and then click Finish.
16. In the Web Publishing Rule wizard, click Next.
17. In the Authentication Delegation window, select the option No delegation, but client may authenticate directly, and then click Next.
18. On the User Set window, verify that the default option (All Users) is selected, click Next, and then click Finish.
19. Right-click the rule, and then click Properties. In the Form on CWA Properties dialog box, in Bridging tab, change the SSL port to 4445, click OK, and then, in the User Set window, click Apply.
Now that we have everything set up, we can access the site from outside. Here is the web page that should come up for this example:
On this page, you need to type in the domain credentials and click Sign In. The following page will appear:
As you can see, dev2 user doesn’t have too many contacts, only dev1. The Communicator Web Access 2007 interface is pretty much the same as the Windows client. From now on, you can set up your environment to have IM through the web.
Security Support Engineer – Microsoft ISA Server Team (
Microsoft Communicator Web Access 2007 reviewed by:
Support Engineer – Microsoft Networking/OCS Team (Charlotte)
Daniel SevesoSupport Escalation Engineer – Microsoft Latam Team (