Our remote access setup through ISA 2006 and Exchange 2007 is getting closer. For the uninitiated, there are many steps to complete before an ISA server can be commissioned and an Exchange server secured for web / remote access.
We determined first of all that, once ISA was more or less ready to go, it could be put in parallel with the direct connection through the hardware firewall. (The ISA server is in a back-end configuration, meaning it sits inside a hardware firewall.) With a rule set up to give maximum access through the ISA firewall – for now – we started testing the Web Proxy and installing the ISA Firewall Client.

The most significant issue found to date is a conflict with AB Tutor Control v6’s client application, which had to be uninstalled from a group of PCs that we had hoped to remotely administer with this software. Maybe later on I will try testing it on a non-production machine. My Windows 7 box played up a bit the first time the Firewall Client was installed as well, but a restart fixed this and so far there haven’t been further problems.

As we have one Mac and the occasional non-domain Windows PC on the network, they will have to use the Web Proxy to authenticate once we force user authentication. When I first tried that I realised that people without the Firewall Client installed would be locked out, so at that stage we programmed mass installation of the Firewall Client (FWcli) through a GPO. DHCP was also set to provide the default WPAD URL, having previously been configured for a 4-hour lease time to effect the changeover as quickly as possible. User authentication is essential if you want usernames logged against every access; the main challenge is that the Web Proxy can only work for the protocols that support proxying on the computer in question.
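The post mentions handing out the WPAD URL through DHCP without showing the configuration. The following is an added example (not from the original post) of how that is done on a Windows DHCP server with netsh, followed by the checks I would run on a workstation to confirm the ISA-generated script is actually being picked up. The hostname isa.school.local and the scope 192.168.1.0 are placeholders.

```powershell
# Added example, not the author's configuration. Placeholders: isa.school.local is the
# ISA server's internal name, 192.168.1.0 is the DHCP scope. Run on the DHCP server
# (netsh dhcp is available on Windows Server 2003 and 2008).

# 1. Define DHCP option 252 (WPAD) once per server, if it does not already exist.
netsh dhcp server add optiondef 252 WPAD STRING 0 comment="Web Proxy Auto-Discovery URL"

# 2. Hand the ISA-generated auto-configuration script to every client in the scope.
#    ISA 2006 serves wpad.dat itself when "Publish automatic discovery information"
#    is enabled on the Internal network (port 80 by default).
netsh dhcp server scope 192.168.1.0 set optionvalue 252 STRING "http://isa.school.local:80/wpad.dat"

# 3. Confirm the option is now part of the scope.
netsh dhcp server scope 192.168.1.0 show optionvalue

# --- Client-side checks: run on a domain workstation after the lease has renewed ---
ipconfig /renew | Out-Null

# The script must be retrievable anonymously; if fetching it requires authentication
# the client never discovers the proxy and quietly falls back to a direct connection
# (which the maximum-access rule in place for now would let through unnoticed).
$wc = New-Object System.Net.WebClient
$wc.DownloadString("http://isa.school.local/wpad.dat").Substring(0, 200)

# Which proxy the system settings (WinINet, auto-detect on) would use for an outside URL.
# Expected: the ISA server's address, not the target host itself.
[System.Net.WebRequest]::GetSystemWebProxy().GetProxy("http://www.example.com/")
```

The last two checks matter once authentication is enforced: a machine whose WPAD lookup fails is the one that ends up locked out, and a short lease time only helps if the option is actually being delivered.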
At this time we will leave ISA running as is for a week while some other steps are completed. After purchasing the certificate from GoDaddy.com, I had to install it, which fortunately they provide instructions for. After I changed the IIS server’s HTTPS binding to use the new certificate, Outlook 2007 kept popping up a security warning saying “The name of the security certificate is invalid or does not match the name of the site”. I found a solution here, which involves configuring Exchange to recognise the new certificate. After that, all of the warnings went away.

The next step is to put rules into ISA for the main services/ports that are needed – such as IMAP, IMAPS, SMTPS, POP3S etc. Then a proper rule for web browsing (HTTP/HTTPS) will be put in. The main timing issue is simply waiting to see what problems show up after each step.

You may ask why we need two firewalls. The front firewall (hardware) is free and facilitates our web filtering service. The ISA firewall facilitates easy configuration and publication of Microsoft services such as TSGS and OWA / OA. It also gives us full logging of internet access and the option to add internet quota management software at a later date. Finally, it is two layers of defence against the outside world. I am a bit paranoid about this, but I think it pays off: in a smaller school with limited support resources, we need strong defences to cover for the fact that our primary focus isn’t security. Locking this thing down to the max is a better defence strategy, and it also gives us monitoring capabilities that simple hardware firewalls can’t (although the front firewall has NetFlow, which we are monitoring with a free application, it can’t authenticate users like ISA can).
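The post links to the fix for the Outlook certificate-name warning without reproducing it. What follows is an added example, not the author’s steps and not necessarily what the linked page describes: the Exchange 2007 Management Shell commands that handle this class of warning, which arises because Outlook is handed internal URLs (Autodiscover, EWS, OAB) carrying the server’s internal FQDN, a name a public CA certificate does not cover. EX01 (the Exchange server) and mail.school.example (the name on the certificate) are placeholders.

```powershell
# Added example, not the author's fix. Placeholders: EX01 is the Exchange 2007 server,
# mail.school.example is the subject name on the purchased certificate.
# Run in the Exchange Management Shell as an Exchange administrator.

# 1. Find the new certificate and the names it covers. The warning Outlook shows means
#    one of the URLs it was given does not appear in CertificateDomains.
Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, NotAfter

# 2. Bind the certificate to IIS (OWA, EWS, Autodiscover, Outlook Anywhere) and SMTP (TLS).
#    Paste the thumbprint printed in step 1; the SMTP binding prompts before replacing
#    the self-signed certificate Exchange created at install time.
$thumb = "<THUMBPRINT FROM STEP 1>"
Enable-ExchangeCertificate -Thumbprint $thumb -Services "IIS,SMTP"

# 3. Point the internal URLs Outlook 2007 receives through Autodiscover at a name that is
#    on the certificate. Internal DNS must resolve that name to the Client Access server.
$name = "mail.school.example"
Set-ClientAccessServer -Identity EX01 -AutodiscoverServiceInternalUri "https://$name/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "EX01\EWS (Default Web Site)" -InternalUrl "https://$name/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "EX01\OAB (Default Web Site)" -InternalUrl "https://$name/OAB"

# 4. Verify every URL Outlook will be told about now matches a name in CertificateDomains.
Get-ClientAccessServer EX01 | Format-List AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server EX01 | Format-List InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server EX01 | Format-List InternalUrl, ExternalUrl
```

On the client side, Outlook 2007’s “Test E-mail AutoConfiguration” dialog (Ctrl + right-click on the Outlook tray icon) shows the exact URLs a profile received, which is the quickest way to confirm the warning is gone for the right reason rather than because a user clicked through it.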
So in a way I am glad we missed our planned deployment deadline… because it was unrealistic.