I have seen many people encounter issues with publishing Symantec Enterprise Vault behind ISA 2006. For our scenario, OWA users go through ISA both internally as well as externally. Why do we do this? Well, when you are publishing OWA 2007 behind ISA 2006, one of the requirements is to go onto your Exchange 2007 Client Access Server (CAS) and disable Forms Based Authentication and enable Basic Authentication instead. This is because ISA 2006 will be using Forms Based Authentication. Switching OWA on Exchange 2007 to use Basic Authentication instead of Forms Based Authentication allows us to avoid being prompted twice for authentication (once by ISA and then once by Exchange). Basic Authentication on the CAS allows ISA to pass the authentication through to Exchange without being prompted a second time.
So why do we point both internal and external users through ISA? That is because we want users to get the same OWA experience both internally and externally. We don’t want internal users pointed directly to Exchange and get a Basic Authentication prompt while external users get Forms Based Authentication when outside the corporate network. By pointing internal and external users directly through ISA, they will get the same experience internally and externally.
As you can see in the following image, in Symantec Enterprise Vault, IIS contains several directories which include a directory called EnterpriseVault:
Properly configure IIS on your Client Access Server (CAS) to host the certificate(s) needed for external and internal access. The certificate recommended for this configuration is a Unified Communications (UC) certificate. You can read more about these different configurations here.
Note: For this article, we will be using a UC certificate that contains 4 Subject Alternative Names (SANs). Our requested certificate’s CN was webmail.shudnow.net. The first SAN name requested was also webmail.shudnow.net. Our request was created using the following EMS command:
New-ExchangeCertificate -DomainName webmail.shudnow.net, autodiscover.shudnow.net, casserver.shudnow.net, casserver -FriendlyName Shudnow -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "c=US, o=Shudnow Inc, CN=webmail.shudnow.net"
1. NetBIOS name of CAS (casserver) - used if there is a need/want to connect to services such as OWA using the NetBIOS name of the CAS while connected to the internal network.
2. FQDN name of CAS (casserver.shudnow.net) - used so we can publish Autodiscover internal URLs to point directly to the CAS. This name is required if your Exchange Server will be hosting the Unified Messaging role and you plan on integrating Unified Messaging into your Office Communications Server 2007 Enterprise Voice environment. If you have an internal PKI, I would recommend leaving this FQDN out of the public certificate and requesting a separate certificate from your internal CA that contains this FQDN, to avoid exposing your server name to the public.
3. Autodiscover.shudnow.net - used so external clients can retrieve external URLs to connect to web distributed services.
4. Intuitivename.shudnow.net - used for services such as Outlook Web Access, Outlook Anywhere, Exchange ActiveSync, and web service distribution (OAB, OOF, and Availability). Common FQDNs used are exchange.domain.com, owa.domain.com, mail.domain.com, webmail.domain.com, etc. This article will use the example FQDN: webmail.shudnow.net.
Note: For purposes of this article, the only name in your certificate that is essential for publishing Symantec Enterprise Vault is #4 (Intuitivename.shudnow.net). But since you are requesting a certificate anyway, I would advise you to create it properly with any other names that are required, which includes #1 through #4.
You will also want to do the following:
- At the minimum, the ISA 2006 Supportability Update is required which is located here. I would recommend using SP1 instead which is located here.
- Create an Exchange Web Listener
ISA 2006 Configuration
You must ensure that you go onto the CAS and export the certificate with its private key and import that into ISA 2006 (Please make sure you have the licenses needed for installing a certificate on multiple servers if required by your certificate vendor). A guide on how to do this is out of the scope of this blog. Once the certificate has been imported on the ISA 2006, ISA configuration can begin. Start by publishing each Exchange 2007 role as needed. For purposes of this article, we will only show how to publish your Enterprise Vault rule and steps needed to configure your OWA publishing rule to get Enterprise Vault to work through OWA.
Enterprise Vault Publishing Rule
For our Enterprise Vault publishing rule, we will go to Servername > Firewall Policy > New > Website Publishing Rule.
Give your Website Publishing Rule a name. Click Next to Continue.
Select Allow. Click Next to Continue.
Since we will be publishing a single Enterprise Vault Server, choose “Publish a single Web site or load balancer.” Click Next to Continue.
If you have installed a certificate for your Enterprise Vault Server, choose “Use SSL to connect to the published Web server or server farm.” If you have not installed a certificate for your Enterprise Vault Server, choose “Use non-secured connections to connect the published Web server or server farm.” We did install a certificate on our Enterprise Vault Server, so we will choose the first option. Click Next to Continue.
Enter the Internal Site name of your Enterprise Vault Server. Then enter the IP Address of your Enterprise Vault Server. Click Next to Continue.
Because the IIS directory name on your Enterprise Vault Server is called EnterpriseVault, you must enter that name in the Path (Optional) field as is displayed in the following screenshot. Click Next to Continue.
Because we will be accessing Enterprise Vault through OWA, we will want to make sure to enter our OWA URL name in the Public Name field. For purposes of this lab, our OWA URL will be webmail.shudnow.net. Click Next to Continue.
You will want to select the Listener you created for your Exchange environment. Click Next to Continue.
Select Basic Authentication. Click Next to Continue.
Leave the setting to All Authenticated Users. Click Next and then Finish.
Once you have finished creating the publishing rule, go into the properties of your Enterprise Vault publishing rule and go to the Paths tab. Ensure your paths display as follows (which they should if you followed the above correctly). Click OK to Finish.
OWA Publishing Rule
Typically, you create your OWA publishing rule using the Firewall Policy, “Exchange Web Client Access publishing Rule.” There is a bug that prevents you from setting up Link Translation rules that are needed to get Enterprise Vault to work. Because of this, make sure you write down all your settings for OWA because we will need to re-create the OWA publishing rule using a regular, “Web Site Publishing Rule.” We will not go through the entire steps of creating the OWA publishing rule, but will rather go through the modification of this rule to ensure Symantec Enterprise Vault works.
So now we have our two publishing rules:
Open your Exchange OWA publishing rule and go to the Link Translation tab and select “Apply link translation to this rule.” Click Next to Continue.
We will now want to make some Link Translation Mappings
These mappings include:
How does this work?
A user connects to OWA using webmail.shudnow.net. They will attempt to access Enterprise Vault. Because they are connected to OWA, you want them using the webmail.shudnow.net name. The link translation mapping rewrites the Enterprise Vault links that OWA returns, so when the user tries to access Enterprise Vault, they use the webmail.shudnow.net name instead. And because ISA has the Enterprise Vault publishing rule (same public name, /EnterpriseVault path), ISA knows how to proxy those requests to the Enterprise Vault server. The reason we created the Public Name as webmail.shudnow.net for the Enterprise Vault rule is that this rule uses the Exchange listener, and the certificate bound to that listener does not contain the entvault.shudnow.net name. It does contain the webmail.shudnow.net name though.
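To make the flow above concrete, here is an added, simplified model of what the two publishing rules and the link translation mapping do to a request and a response. This is example code written for this article, not ISA's own logic or anything from Symantec or Microsoft. It assumes the names from the post (webmail.shudnow.net as public name, entvault.shudnow.net as the Enterprise Vault internal name, casserver.shudnow.net as the CAS), an assumed /owa/ path for the OWA rule, and a constructed HTML fragment standing in for an Enterprise Vault response. It also models the certificate point from the last paragraph: a rule whose public name is not on the listener's certificate cannot be served cleanly, which is why the Enterprise Vault rule must use webmail.shudnow.net.

```python
from urllib.parse import urlsplit

# Constructed model of the configuration described in the post.  The listener
# certificate's names are the four from the post's UC certificate request.
LISTENER_CERT_NAMES = {
    "webmail.shudnow.net", "autodiscover.shudnow.net",
    "casserver.shudnow.net", "casserver",
}

# Publishing rules as (rule name, public name, path prefix, internal site name).
# The /owa/ prefix for the OWA rule is an assumption, not stated in the post.
RULES = [
    ("Enterprise Vault", "webmail.shudnow.net", "/EnterpriseVault/", "entvault.shudnow.net"),
    ("OWA", "webmail.shudnow.net", "/owa/", "casserver.shudnow.net"),
]

# Link translation mappings on the OWA rule: internal name -> public name.
LINK_TRANSLATION = {
    "https://entvault.shudnow.net": "https://webmail.shudnow.net",
    "http://entvault.shudnow.net": "https://webmail.shudnow.net",
}


def listener_accepts(public_name, cert_names=LISTENER_CERT_NAMES):
    """A listener can only serve a public name that its certificate contains."""
    return public_name in cert_names


def route(url, rules=RULES, cert_names=LISTENER_CERT_NAMES):
    """Pick the rule for an inbound request and build the internal URL.

    Returns a (status, detail) pair:
      ("ok", (rule name, internal URL))  request is proxied to the internal site
      ("no-rule", None)                  no rule matches host + path
      ("cert-mismatch", public name)     rule's public name is not on the listener certificate
    """
    parts = urlsplit(url)
    for name, public_name, prefix, internal in rules:
        if parts.hostname == public_name and parts.path.startswith(prefix):
            if not listener_accepts(public_name, cert_names):
                return "cert-mismatch", public_name
            query = f"?{parts.query}" if parts.query else ""
            return "ok", (name, f"https://{internal}{parts.path}{query}")
    return "no-rule", None


def translate_links(body, mappings=LINK_TRANSLATION):
    """Rewrite internal host names in a response body to the public name,
    which is what the link translation mapping on the OWA rule does."""
    for internal, public in mappings.items():
        body = body.replace(internal, public)
    return body


# Constructed sample: an HTML fragment as the Enterprise Vault server might
# return it, carrying an absolute link to its own internal name.
SAMPLE_EV_BODY = (
    '<a href="https://entvault.shudnow.net/EnterpriseVault/search.asp">'
    "Search archive</a>"
)

if __name__ == "__main__":
    print(route("https://webmail.shudnow.net/EnterpriseVault/search.asp?x=1"))
    print(route("https://webmail.shudnow.net/owa/"))
    # The mistake the post warns about: publishing EV under its own name on
    # the Exchange listener, whose certificate does not carry that name.
    wrong = [("Enterprise Vault", "entvault.shudnow.net", "/EnterpriseVault/",
              "entvault.shudnow.net")]
    print(route("https://entvault.shudnow.net/EnterpriseVault/", wrong))
    print(translate_links(SAMPLE_EV_BODY))
```

Real ISA link translation also rewrites redirect (Location) headers and only applies to the content types it is configured for; the model above rewrites the body only, which is enough to show why the browser ends up asking ISA for webmail.shudnow.net/EnterpriseVault/... rather than for the internal name.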