ISA 2006 and OWA 2003 Implementation Guide

Copyright
Copyright © 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language in any form or by any means without the written permission of CRYPTOCard Corp.
Outlook Web Access (OWA) & Internet Security and Acceleration (ISA)
Server 2006 Overview

This documentation presents an overview and necessary steps to configure Internet Security
and Acceleration (ISA) Server 2006. It is to be used in conjunction with Outlook Web Access
(OWA) to view e-mail via web browser authenticating against CRYPTO-MAS Server, using
CRYPTOCard tokens.

CRYPTO-MAS works in conjunction with ISA Server 2006 and Outlook Web Access (OWA) to
replace static passwords with strong two-factor authentication that prevents the use of lost,
stolen, shared, or easily guessed passwords when establishing a connection to gain access to
protected resources.

With CRYPTO-MAS acting as the authentication server for a enabled resource, an

authenticated connection sequence would be as follows:

1. The administrator configures ISA 2006 Server to use RADIUS Authentication.

2. The incoming authentication request is relayed over to the CRYPTO-MAS Server via
RADIUS.

ISA 2006 and OWA 2003 Implementation Guide 1

3. If the user exists, it then checks the token associated with the user for the expected PIN +
One-time password.
4. Once the PIN + One-time password is verified against the user’s token and it is valid, it
will then send an access accepted.

Prerequisites
The following systems must be installed and operational prior to configuring the VPN
concentrator to use CRYPTOCard authentication.

• Ensure that the end user can authenticate through Outlook Web Access with a static
password before configuring the Outlook Web Access to use CRYPTOCard
authentication.

• An initialized CRYPTOCard token assigned to a valid CRYPTOCard user.

The following CRYPTO-MAS server information is also required.

Primary CRYPTO-MAS RADIUS Server Fully Qualified

Hostname or IP Address:
Secondary CRYPTO-MAS RADIUS Server Fully
Qualified Hostname or IP Address (OPTIONAL):
CRYPTO-MAS RADIUS Authentication port number:

CRYPTO-MAS RADIUS Accounting port number

(OPTIONAL):
CRYPTO-MAS RADIUS Shared Secret:

ISA 2006 and OWA 2003 Implementation Guide 1

Configuring ISA 2006 Server for Two Factor Authentication via RADIUS

Using the 'Task' Pane, click on

'Publish Exchange Web Client Access'

Note: If you do not see the 'Task Pane' along the right hand
side, navigate to the 'View' menu, and select 'Task Pane'. This
will allow you too see all the available Firewall Policy Tasks.

ISA 2006 and OWA 2003 Implementation Guide 2

Give your new rule a name such
as Outlook Web Access.

This can be anything you want.

Click Next

Select Exchange Server 2003

Select Outlook Web Access

Click Next

ISA 2006 and OWA 2003 Implementation Guide 3

Select the ‘Publish a single Web
site or load balancer’ radio
button

Click Next

Select ‘Use non-secured

connections to connect the
published Web server or server
farm’ radio button.

Click Next

ISA 2006 and OWA 2003 Implementation Guide 4

Specify the address of the
exchange server.
E.G. Exchange.sparks.com

Note: This must be a valid DNS

name

Click Next

Input the address you want your

users to use, in order to access
their OWA logon page.
Note: This has to be a valid DNS
name.

Click Next

ISA 2006 and OWA 2003 Implementation Guide 5

Click on ‘New’ to start the ‘Web
Listener’ creation wizard.

The New Web Listener Wizard now

appears.

Give your Web Listener a name

In this example, the given name is
‘OWA’

Click Next

ISA 2006 and OWA 2003 Implementation Guide 6

Select the ‘Require SSL secured
connections with clients’ radio button

Click Next

Select which networks your new

listener will function on.

In this example, ‘Internal’ network

has been chosen.

You will need to specify your own

network to use.

Click Next

ISA 2006 and OWA 2003 Implementation Guide 7

Click ‘Select Certificate’ button
Select your appropriate
Certificate you have loaded onto
your ISA server.

Note: If you don’t have any

certificates loaded, please
consult Microsoft Documentation
on loading a Certificate onto your
ISA 2006 Server.

Click Next

Ensure you have selected HTML

Form Authentication in the drop
down menu.

Select ‘Collect additional

delegation credentials in the
form’

**This check box adds an

additional box at the bottom of
the OWA page which allows the
user to enter his static password
for OWA **
Select RADIUS OTP check box

Click Next

ISA 2006 and OWA 2003 Implementation Guide 8

Un-check ‘Enable SSO for Web
sites published with this Web
listener’

Click Next

From the drop down menu, select

‘NTLM authentication’

Click Next

ISA 2006 and OWA 2003 Implementation Guide 9

In the next following screens you
are going to configure the
RADIUS server ISA will use.

Click the ‘Add’ button

Input the Server name of the CRYPTO-MAS

Server in the form of an IP address.
Give this RADIUS Server entry a
description to help you identify it for future
configuration changes.

Click the ‘Change’ button to add the shared

secret.

Once you have inputted all information,

click ‘OK’ button.

ISA 2006 and OWA 2003 Implementation Guide 10

Select which user groups you
wish to have this rule applied
to.
In this example the ‘All Users’
group was selected.

Click Next

The final wizard how now

completed, and you are now
completed.

To access your new OWA page, navigate to https://address.you.specified.in.wizard/exchange

The OWA logon page provided by ISA looks different than the usual OWA provided by
exchange. It should also include a new field at the bottom, which includes the ‘users’ static
Microsoft password.

ISA 2006 and OWA 2003 Implementation Guide 11