Blog du Tristank

Migrating to . And still so terrific that 3 of 4 readers rated it "soporific"

ISA 2004: Configuring RADIUS (IAS) Authentication for OWA/Web Publishing

Note: This is a mildly edited dump of my OneNote page on getting RADIUS authentication configured for a standard HTTP connection through ISA Server 2004, with Basic Delegation enabled (so that you authenticate once for ISA’s rules, and the same credentials are passed to the back end server). It assumes you’re starting with an ABSOLUTELY PRISTINE ISA 2004 installation, with no other rules, and that all the basics are correct. For a quick diatribe on why you might want to do this, see Why ISA RADIUS Auth is Cool.

At some point, I’m sure there’ll be some prescriptive guidance available on how to configure this end-to-end. In the meantime, feel free to try out my quick’n’dirty procedure.

If you’re considering doing this on the Internet, you’ll need to make sure you get certificates and configure the listener for SSL *only* (i.e., disallow unencrypted HTTP), and it’s a good idea to similarly encrypt traffic inside the network too (though it’s up to you). The steps below are to get a proof-of-concept server working with a minimum of fuss.


1. If using AD for IAS/RADIUS auth, ensure users have the option of using Remote Access Policy to grant/deny access on the Dial-In tab of user properties in ADUC. This requires an AD Native Mode domain (Win2K or above).
2. Get OWA installed, configured and working, and ready to accept both Integrated and Basic credentials.

ISA Setup

3. Install ISA Server 2004 on dual-homed Windows 2003 Server (if using Edge firewall layout). When using RADIUS authentication, the server does not have to be a domain member to authenticate users.
4. Configure the internal adapter to use AD DNS (or don’t… as long as the names you use internally for publishing are resolvable)
5. Open Firewall Policy, right-click and choose New -> Mail Server Pub Rule (Mail Publishing Wizard Follows)
6. Wiz: I’m calling mine “Mail Server Rule”.
7. Wiz: Pick “Web Client Access”
8. Wiz: OWA and OMA, with high bit characters enabled
9. Wiz: Standard Connections Only  (for now, we’ll come back to this)
10. Wiz: Server Name is TK2K3AD (the internal name of the IIS Server you’re publishing, or IP is fine for now)
11. Wiz: Accept Requests for Any domain name (while testing)
12. Wiz: -> Pick Listener -> New Web Listener (Listener Wizard follows)
13. ListWiz: IP Addresses: ticked External only. Reduces possibility of binding conflicts.
14. ListWiz: HTTP only for now (SSL won’t be available without a Cert – if you have a Server Authentication certificate and associated private key available, by all means feel free to use it!)
15. ListWiz: Edit Listener properties once created, go Preferences, Authentication, untick all except RADIUS
16. ListWiz: hit Radius Servers button, and specify IP address and port details of IAS/RADIUS server you want to authenticate against, shared secret, etc. This is the easy part, just make sure it’s right!
17. Wiz: User Sets – Remove All Users, hit Add…, then New to bring up the New User Sets dialog
18. UserWiz Name: Tristan’s RADIUS Group, Next.
19. UserWiz Users: Add, RADIUS…, All Users in Namespace, OK, Finish
20. UserWiz: Add Tristan’s RADIUS Group, close
21. Wiz: Next in User Sets dialog, Next, Finish.

22. — (Now we’re back at the Firewall Policy area)
23. Double click the rule to get Properties
24. Users Tab: Forward Basic Credentials ticked (RADIUS auth means client talks to ISA in basic, so basic delegation is workable. Do not test this across an insecure network, we’re in plaintext mode here!), OK.

25. — (Now we’re ready to hit Apply…)

RADIUS Server Config

0. (Note) You need ISA’s IP defined as a RADIUS Client in the IAS MMC, with the same parameters you used when configuring the ISA Server RADIUS details (same shared secret etc).
1. Create a Windows group containing the users you want to allow access to: “OWA-OMA Allowed Users”.
2. Put users in that group. Set each user’s Dial-In tab to “Control Access through Remote Access Policy”. If this option isn’t available, you probably don’t have a native mode domain. You need one.
3. R-click, choose Create a new Remote Access Policy
4. Choose Custom, call the policy ISA OWA Access
5. Add, Windows-Groups, Add, type the windows group you want to use for authentication, OK, OK
6. Add, NAS-IP-Address, type the IP of the ISA Server (it’s a RADIUS client, remember), OK
7. Next, Grant Access, Next
8. Click Edit Profile. On the Authentication tab, untick all except Unencrypted (eg, tick only Unencrypted PAP), OK
9. Click No if it asks about displaying help for authentication methods, unless you’re curious.
10. Next, Finish

And we’re done. It should be the top policy in the list for the time being, at least while we’re testing it.

Post Setup Notes

If this all works, great, go back and get the appropriate Server Authentication certificates and upgrade the security to SSL. If not, you can at least take some easy-to-read network traces to work out what’s going wrong and where.
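What the ISA-to-IAS leg looks like in one of those traces, as an added example (not part of the original post): a RADIUS Access-Request carrying User-Name, the PAP User-Password and NAS-IP-Address, built and decoded per RFC 2865. The user name, password, NAS IP, shared secret and request authenticator are constructed sample values, and the function names are this example's own.

```python
import hashlib
import socket
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_xor(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password: hide=True encodes, hide=False decodes."""
    data = data.ljust(-(-max(len(data), 1) // 16) * 16, b"\x00")  # pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = _xor(block, hashlib.md5(secret + prev).digest())
        prev = res if hide else block  # the chain always runs on hidden blocks
        out += res
    return out if hide else out.rstrip(b"\x00")

def build_access_request(user, password, nas_ip, secret, authenticator, ident=1):
    """Access-Request (code 1): User-Name(1), User-Password(2), NAS-IP-Address(4)."""
    attrs = b""
    for typ, val in ((1, user), (2, pap_xor(password, secret, authenticator, True)),
                     (4, socket.inet_aton(nas_ip))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Decode what a trace shows; only the password depends on the shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, out = packet[4:20], 20, {}
    while pos + 2 <= length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        val = packet[pos + 2:pos + alen]
        if typ == 1:
            out["User-Name"] = val.decode()
        elif typ == 2:
            out["User-Password"] = pap_xor(val, secret, authenticator, False)
        elif typ == 4:
            out["NAS-IP-Address"] = socket.inet_ntoa(val)
        pos += alen
    return out

# Constructed sample values; a real client uses a random 16-byte authenticator.
SECRET, AUTH = b"constructed-secret", bytes(range(16))
PKT = build_access_request(b"alice", b"Constructed-Passw0rd!", "192.0.2.10", SECRET, AUTH)
```

Parsing PKT with a secret other than SECRET still returns User-Name and NAS-IP-Address, since both travel in the clear, but the password decodes to garbage. That is what the RADIUS server sees when the secret typed into ISA differs from the one on its RADIUS client entry, so valid credentials get rejected.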

If IE Hardening is enabled, you might need to add the site to the Trusted Sites zone to be able to test it locally. Otherwise, on the ISA console, make sure IE is set to NOT use any proxy or autodetection in Tools/Internet Options->Connections->LAN Settings. That’s ALL unticked. To test, type the following in the address bar: http://(external IP Address)/exchange/

You should be prompted for credentials (remember if you’re not using SSL, you’re sending these in next-to-plaintext, so please don’t send the Domain Admin credentials across an unsecured network!), and when you provide them, it should work.

Now, complexify!