Part 10: Infrastructure essentials Blogcast - OWA goes SSL (nearly)

Continuing the blogcast series on infrastructure essentials.

To move our Outlook Web Access, which is currently available on the Internet over HTTP, to HTTPS, we need a way of configuring the external interface of the ISA server to do "SSL termination". By this, I mean that the SSL channel exists between the client out on the Internet and the ISA server itself. Once at the ISA server, the secure channel is terminated. This means that the ISA server can do its job much better, as it is able to perform inspection on the incoming traffic and block according to content rather than just by URL inspection. Of course, we could re-encrypt traffic to create a secure channel over our LAN, but for now, this is the starting point.

To allow the ISA server to do this SSL termination, it must hold the private key for the certificate being used for the encrypted traffic - only the private key is able to decrypt the incoming traffic. To do this, we use Certificate Services running on our domain controller, and the web service of Certificate Services, to request a certificate for the external site (mail.contoso.com) from the ISA server. There is a trick you need to do to allow this to work, though, as by default one of the system policy rules on the ISA server blocks the traffic. Once the certificate is requested and installed correctly (remembering to install it in the local computer certificate store), we look at how to configure an MMC console to view that certificate and its path to the root certificate store. In the next part, we'll convert our ISA configuration to start using that certificate. Click here to view.
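
One way to confirm the result of the steps above, as an added example that is not part of the original post: a PowerShell check, run on the ISA server, that the mail.contoso.com certificate sits in the local computer store, carries its private key, and chains to a trusted root. It assumes PowerShell is available on that server and deliberately skips revocation checking.

```powershell
# Added example: run on the ISA server in an elevated PowerShell session.
$hostName   = 'mail.contoso.com'      # external site name used in the article
$serverAuth = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU OID

# Open the local computer "Personal" store (not the current user's store).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $certs = @($store.Certificates |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $hostName })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate for $hostName in LocalMachine\My (was it installed in a user store?)"
    }
    foreach ($cert in $certs) {
        # Build the path to the root. Revocation checking is turned off here
        # (assumption: the goal is only to confirm the chain to a trusted root).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $now = Get-Date

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            # Without the private key the ISA server cannot terminate SSL.
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            # True only when an EKU extension explicitly lists Server Authentication.
            ServerAuthEku = [bool]($eku | ForEach-Object { $_.EnhancedKeyUsages } |
                                Where-Object { $_.Value -eq $serverAuth })
            ChainTrusted  = $chainOk
            # Highest certificate the chain builder reached (the root when ChainTrusted is True).
            ChainTop      = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}
finally {
    $store.Close()
}
```

A result with `HasPrivateKey` set to False usually means the certificate was imported without its key or requested on a different machine, and `ChainTrusted` set to False with `UntrustedRoot` in `ChainErrors` means the issuing CA's root is not in the server's trusted root store.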


Series Index:

0. Network configuration and series background.
1. Getting started
2. ISA Server configuration to allow basic web browsing capability
3. ISA Firewall Client basic configuration
4. ISA Firewall Client auto-detection through WPAD configuration
5. Configuring an Exchange mailbox and Outlook profile
6. Fixing 0x8004010F on Outlook send/receive
7. Installing our first Certificate Authority
8. Publishing OWA through ISA using Forms Based Authentication
9. OWA /exchange redirection