Slowly but surely, I'm making a dent in the Q&A logs from the Exchange 2007 Webcast series.  Here is the log from Part 15 (Using ISA 2006 to Securely Publish Exchange 2007 Client Access).  Please let me know if you have any questions.

Harold Wong
harold.wong@microsoft.com

Exchange Server 2007 Webcast Series (Part 15 of 24) Questions and Answers Log (03-09-07)


Question: can I stop all exchange services and copy a public folder database from another exchange2007 into our exchange 2007 and restart services? Will it be work? Thanks.

Answer: If the public folder database is from another Exchange 2007 Organization, this will not work.


Question: I download the backgroup jpg hoever it won't have the "Exchange Server 2007" title on it. do you know why? or you have another backgroup with that title?

Answer: You can easily edit the background to add your own title.


Question: should be able to mount a DB on any server in E2K7

Answer: Yes, you can take a database from one Exchange 2007 Mailbox server and mount it on any other Exchange 2007 mailbox server in the same Exchange Organization.


Question: Under ISA Server 2004 the authentication type was configured on the Web Listener. This meant that if you only had one external IP address and wanted to publish not just OWA but also EAS or Outlook RPC over HTTP, you had to set for Basic Authentication. This meant you could not use the additional functionality of Forms-Based Authentication. Can ISA Server 2006 configur the authentication type on the individual published URL now? That would be great!

Answer: Yes, this is indeed possible.


Question: Do you have to use ISA 2006 with Exchange 2007?

Answer: No, you don’t have to use ISA 2006 with Exchange 2007.  We recommend that you do use it for publishing Exchange Client access.  If you don’t use ISA 2006, please use another application firewall product to secure the communications.


Question: is outlook anywhere RPC/HTTP? we use RPC/HTTP so will this work with ISA?

Answer: Yes, Outlook Anywhere is the new name for RPC over HTTP(S).


Question: Can the ISA server be on the Edge server?

Answer: No!  ISA Server is not available in 64 bit so they cannot co-exist in a production environment.


Question: For SMTP flow, ISA is acking as mail-relay or just port forwarding?

Answer: If you are using the Edge Transport server, you wouldn’t push inbound our outbound SMTP through the ISA server unless the ISA Server is also your main Firewall.  If that is the case, you would just pass the traffic from the Edge Transport through to the Hub Transport.


Question: if you have relay servers sitting in a DMZ and then exchange FE and BE servers, where would the ISA server live? in front of the Relay server?

Answer: The FE/BE “roles” do not exist in Exchange 2007.  Instead, you install Edge Transport server(s) in the Perimeter network.  You do not need to place the Edge Transport Server behind the ISA 2006 Server since it was designed to sit in the Perimeter network.


Question: can you load balance the ISA servers? if so what should the hardware be able to do to maintain connection

Answer: You can use ISA 2006 Enterprise Edition to create an Array.


Question: Do you have the doc to setup ActiveSync?

Answer: http://technet.microsoft.com/en-us/library/bb124234.aspx and http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfp_6.mspx (from the device side).  The second one was written for Exchange 2003 SP2, but also applies to Exchange 2007 (for the most part).


Question: why i cannot stop both information store service and system attendant sercices at same time?

Answer: Why do you need to stop both of them at the same time?  You can always create a batch file that stops one and then the other.


Question: DNS 'A' record question -- add it to ident the ISA server?

Answer: The DNS A Record is to define the external (public) name and the IP address for it.  If you are using ISA Server 2006, this will be one of the external IP addresses on the ISA Server that faces the Internet and will host the incoming connections.


Question: is there a guide anywhere to customising the forms based authentication page within exchgange 2007 and / or isa 2006 with corporate branding ?

Answer: Here is an article for Exchange 2003 OWA: http://technet.microsoft.com/en-us/library/720b0cd2-fb9a-4538-ab6f-681353315582.aspx.  For Exchange 2007, look here: http://technet.microsoft.com/en-us/library/bb310750.aspx.


Question: What would be the difference if one uses ISA Pre 2007 (2004/2003/2000) vs. ISA 2007? If ISA 2007 is not out yet what would be the difference once ISA 2007 is released?

Answer: Are you referring to ISA 2006?  We constantly make improvements in our products.  ISA 2006 has a full understanding of Exchange 2007 Client Access publishing and the Wizards have been updated to recognize this.


Question: Does the Edge-Transport server have to sit on a 64-bit Windows OS?

Answer: Yes.


Question: Is there a link to set up the Exchange OWA certificate?

Answer: This article is a great starting point: http://technet.microsoft.com/en-us/library/aa998023.aspx.


Question: Can ISA sit on 64-bit Windows OS? I am wondering if we need two separate servers for Edge and ISA.

Answer: No, ISA is not a 64 bit application and does not install on Windows 2003 64 bit.  You must implement two separate servers.


Question: what if you use mulitple domains, can you register different SSL certs with ISA for exchange access?

Answer: Sure you can.  You would need to have multiple IP addresses though.


Question: What does Acceleration mean in ISA?

Answer: ISA Server also performs caching for web access for your internal users.  This is essentially the “acceleration” portion.


Question: Do I need anti Virus software on ISA server boxes- if so does it need a special version of antivirus to also scan ISA?

Answer: No, you do not need anti-virus on the ISA Server box.


Question: is MSCE: Messaging going to be updated with Exchange 2007?

Answer: Yes, it will.


Question: Can you provide the url to the labcasts? Is the certificate that is put on the ISA server the same as the one that is put on the exchange SErver? Why doesn't Exchange 2007 support Outlook Mobile Acess?

Answer: 1. http://www.microsoft.com/events/series/tnexchangeserver.mspx is the main landing page. The labcast section is here: http://www.microsoft.com/events/series/tnexchangeserver.mspx#ExchangeServer2007GuidedLabcasts. 2. No, these are different certificates. The one I put on the ISA Server is for the public name (mail.contoso.com). In my example, I used an internal certificate server. In reality, I would be using a public certificate on the ISA Server. 3. It is not a secure communication mechanism. I'm not 100% sure why it was removed, but my guess is that there was no good way to secure it and very few customers were using this feature with WAP phones.


Question: How is it possible to put ISA on an Edge Server when there is no ISA x64, or is there?

Answer: That was the point I made. You CAN'T. I did it because I was too lazy to bring up another server. In my demo, I am running the 32 bit demo version of Exchange 2007 so I was "technically" able to do it. In production, you cannot do this. I also disabled my Exchange 2007 services from running on this machine - it already had all the OS components configured so I didn't want to build a brand new Virtual Machine just to install ISA 2006.  -  Harold Wong


Question: Does CAS have built-in or add-on support to interface with SecureID server for 2-factor authentication? Or ISA must be used?

Answer: The 2 factor authentication with RSA SecureID is not built into the Client Access. You don't have to install ISA 2006 to get this integration, but the integration point is built into ISA 2006 since it is the recommended Server product for publishing Exchange Client access. You can integrate RSA SecureID directy without ISA if you would like. Just make sure you secure the connection point between the Internet and you Exchange Server.


Question: We use PKI certificates, how will this affect ISA? Can we use OWA without a username and password?

Answer: If you use Client Certificates, ISA 2006 will support that.


Question: In order to utilize Outlook Anywhere, do you have to have ISA 2006 in place?

Answer: No. From a security perspective, you should have some form of Application Layer firewall that can analyze the traffic while publishing this resource. We just happen to recommend ISA 2006 and have that capability built into ISA 2006.


Question: Do you need a public cert when setting up ActiveSync? I don't see it mentioned in the TechNet docs, but heard about it on other sites/forums. Thanks.

Answer: You REALLY, REALLY, REALLY should. I would go as far as to say "YES"!


Question: Do we need to disable Forms Based authentication on a 2003 server and set authentication to basic (we are still using 2003 for now but would like to use ISA 2006)

Answer: Yes. If you don't then the ISA Server will not be able to respond to the form that Exchange 2003 will present to the ISA Server.


Question: Hi harold, we do have a exchange 203 environment with fe/ba solution, we have to buildings with where are backend servers reside and in each of the buildings we have one of the fe (NLB) servers. Now here comes the trick, In my building I want to move over to 2007. As far as I know the best practice would be to replace the fe nlb for a CAS nlb, could you think of reasons why this could potentially have any risk for people in the other building who still want to stay on 2003 in the backend ?

Answer: The Exchange 2007 Client Access server will "proxy" to Exchange 2003 backend servers just fine.


Question: Yes, we use IPSsec for VPN connections and I do no find a doc about this on the web. I couldn' assit to other Webcast (it's the first time), I undertsand english but I don't speak it well, sorry.

Answer: From an ISA 2006 and IPSec for VPN perspective, that is supported.