Tuesday, April 18, 2006

OWA + FBA + EAS + New Root = Brain Bust

Take Exchange Server 2003, Outlook Web Access (OWA), Forms Based Authentication (FBA), Exchange Active Sync (EAS) {also sometimes called Server Active Sync - SAS} and you have one hell of a configuration nightmare. This is especially the case if you have other applications hanging under the Default Web root in IIS. Publishing this lot securely on the Internet is fraught with complexity, pretty difficult to get right and very easy to break.

When it breaks, it can go two ways. You lock everyone out, or they start getting IIS Integrated Security dialogs instead of the nice FBA stuff. Bit of a pain, but very quickly noticeable. The other way is when someone or something accidentally lessens the security on the various roots and that often goes unnoticed for a long time.

Suddenly you are NATing outside traffic into something you really don't want published on the web. I saw someone do this once - not with Exchange specifically, but just a little bit of wrong configuration and they published their company Intranet, with anonymous access to all and sundry. Hey ho - all that very valuable private IPR was suddenly on view to all. Ran like this for about 2-3 months until someone questioned a lot of public connections to an internal FTP server (also hanging off that same IIS box). Like I said - not so easy to spot.
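The quiet failure mode above (a root accidentally opened up and nobody noticing) is the one worth checking for on a schedule. The following is an added example, not code from the original post: given the response an unauthenticated GET receives from each published root, it classifies whether the request landed on the FBA logon redirect, hit an Integrated or Basic challenge, or got straight through with anonymous access, and flags anything that does not match what each root is supposed to do. The sample responses and hostname are constructed; the logon path `/exchweb/bin/auth/owalogon.asp` is the Exchange 2003 FBA page, and the per-path expectation table is an assumption to be adjusted to your own layout.

```python
import http.client
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Exchange 2003 forms-based logon page; an unauthenticated hit on an FBA root
# should be redirected here (assumed path).
FBA_LOGON_PATH = "/exchweb/bin/auth/owalogon.asp"

# What each published root is expected to do for an anonymous request.
# OWA should bounce to the FBA page; the EAS root normally answers with a
# Basic challenge (over SSL). Anything not listed must not be reachable
# anonymously at all. This table is an assumption for the example.
EXPECTED_BY_PATH = {
    "/exchange/": "fba-ok",
    "/Microsoft-Server-ActiveSync": "basic-prompt",
}


@dataclass
class ProbeResult:
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def probe(url: str, timeout: float = 10.0) -> ProbeResult:
    """One unauthenticated GET; redirects are NOT followed so the
    FBA 302 (or lack of it) is visible in the result."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return ProbeResult(url, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


def classify(result: ProbeResult) -> str:
    """Map one anonymous response to the way the root is behaving."""
    h = {k.lower(): v for k, v in result.headers.items()}
    if result.status in (301, 302) and FBA_LOGON_PATH in h.get("location", "").lower():
        return "fba-ok"
    if result.status == 401:
        challenge = h.get("www-authenticate", "")
        if re.search(r"\b(negotiate|ntlm)\b", challenge, re.I):
            return "integrated-prompt"   # the IIS Integrated dialog instead of FBA
        if re.search(r"\bbasic\b", challenge, re.I):
            return "basic-prompt"
        return "auth-required"
    if result.status == 200:
        return "ANONYMOUS-EXPOSED"        # content served with no credentials at all
    if result.status == 403:
        return "forbidden"
    return "unexpected"


def audit(results, expected_by_path=EXPECTED_BY_PATH):
    """Return (url, verdict) for every root that is not behaving as intended."""
    findings = []
    for r in results:
        u = urlparse(r.url)
        verdict = classify(r)
        if u.scheme != "https":
            findings.append((r.url, "not-https"))   # FBA credentials must never travel in clear
            continue
        want = expected_by_path.get(u.path)
        if want is None:
            # unlisted path: the only acceptable outcomes are ones that need credentials
            if verdict == "ANONYMOUS-EXPOSED":
                findings.append((r.url, verdict))
        elif verdict != want:
            findings.append((r.url, verdict))
    return findings


# Constructed sample responses standing in for live probes of the published IP.
SAMPLE_RESPONSES = [
    ProbeResult("https://mail.example.com/exchange/", 302,
                {"Location": "https://mail.example.com/exchweb/bin/auth/owalogon.asp?url=/exchange/"}),
    ProbeResult("https://mail.example.com/Microsoft-Server-ActiveSync", 401,
                {"WWW-Authenticate": 'Basic realm="mail.example.com"'}),
    ProbeResult("https://mail.example.com/intranet/", 200,
                {"Content-Type": "text/html"}),          # the silent failure: open to all
    ProbeResult("http://mail.example.com/exchange/", 302,
                {"Location": "http://mail.example.com/exchweb/bin/auth/owalogon.asp"}),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES):
        print(f"{verdict:18} {url}")
```

Run it against the externally NATed address, not the internal name, since the whole point is to see what the outside world sees; a cron job that diffs the findings list against the previous run catches the "someone relaxed a root" case long before anyone queries the FTP logs.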

The obvious solution (well, it was to me anyway) was to create a new IIS root plus the relevant Exchange virtual roots and NAT the external traffic into that. We want to use FBA (because quite frankly, using IIS Integrated security for OWA is rather prone to the next person opening up the browser and getting your e-mail) and we want it to work with EAS. Not asking for much!

However, this then takes this relatively complex exercise and turns it into a complete and utter brain bust.

I've been running this sort of configuration in the office for about a year now. EAS works fine (had an XDA, now on an iMate SP5 and neither caused too many problems, over and above the standard raft of problems). However, at the time I didn't get enough time to sort out the FBA, so we use IIS Integrated for the OWA component. The number of people using this is pretty limited and they are all IT people, so they know the issues and log off, clear the cache, etc.

I've been back on trying to get FBA working with this config off and on for about a month now. Today (and tonight) it's been getting an onslaught. It's been a pretty dismal experience - there are rafts of people in the newsgroups trying this and almost getting there, but coming up short.

Tonight however, I now have a new root with a new Exchange virtual root, with FBA published over SSL, NATed through the firewall, on a separate IP Address, with the Internal DNS not answering with the wrong IP addresses!

Now all I need to do is factor in the EAS, do some decent testing and then rip the whole thing out to properly document the build process. In the overall scale of OWA/FBA/EAS, the process looks like it should be relatively painless and surprisingly(?) not configured in quite the way it might be expected.

More to come....
