Exchange Server 2007 SP1 on ISA Server 2006 architecture

Hi there, I would like to share my experience of setting up Exchange Server 2007 alongside the existing servers below:

  • ISA Server 2006 SP1
  • Edge Transport Server – Exchange Server 2007 SP1
  • Hub Transport, Mailbox, and Client Access Server – Exchange Server 2007 SP1
  • Active Directory
  • DNS Server

The resulting layout looks like the diagrams below:

Figure 1: Exchange 2007 & ISA Server 2006

Figure 2: DNS flow


Figure 1 and Figure 2 show which ports must be allowed so that email can be received and sent.

On my setup:

  • ISA Server is a member of the domain (domain-joined).
  • Edge Server is NOT a domain member. On Windows Server 2003 I used ADAM as its LDAP directory, which is why in Figure 1 I open ports 50636 and 50389 for secure LDAP (LDAPS).
  • DNS server integrated with Active Directory.
  • Public DNS is hosted by the domain hosting provider, for example for creating the MX records and resolving the domain.
  • Publishing a firewall policy – SMTP port 25 between the DMZ and Internal networks should be allowed; in the figure this is between the Hub Transport server (netoverme-exc) and the Edge server (netoverme-edge). The same port must also be allowed from the Edge server to the External network for outbound mail (by creating a firewall access rule), and from External to the Edge server for inbound TCP 25 SMTP traffic (done by publishing the SMTP server).
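As an added illustration (not part of the original post), here is a small Python model of the firewall policy described above. The host names come from the post; the network assignments, the EdgeSync direction (Hub to Edge) and the placeholder internet-mx host are my assumptions. It checks that each mail flow is allowed only along the intended path and that a remote mail server cannot reach the Hub directly.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # ISA network: "Internal", "DMZ" or "External"
    dst: str
    ports: frozenset      # TCP ports the rule allows

# Which ISA network each host in Figure 1 sits on (assumed from the post;
# "internet-mx" is a constructed placeholder for a remote mail server).
NETWORK_OF = {
    "netoverme-exc": "Internal",   # Hub Transport / CAS / Mailbox, domain member
    "netoverme-edge": "DMZ",       # Edge Transport, not domain-joined
    "internet-mx": "External",
}

# The policy as the post describes it: SMTP both ways between Hub and Edge,
# EdgeSync LDAPS from Hub to Edge (50389/50636; direction is my assumption),
# SMTP out from Edge, and the SMTP publishing rule that lets External reach
# the Edge on port 25. Everything else falls to ISA's default deny.
POLICY = [
    Rule("Hub->Edge SMTP", "Internal", "DMZ", frozenset({25})),
    Rule("Edge->Hub SMTP", "DMZ", "Internal", frozenset({25})),
    Rule("Hub->Edge EdgeSync LDAPS", "Internal", "DMZ", frozenset({50389, 50636})),
    Rule("Edge->Internet SMTP", "DMZ", "External", frozenset({25})),
    Rule("Publish SMTP on Edge", "External", "DMZ", frozenset({25})),
]

def match_rule(policy, src_host, dst_host, port):
    """Name of the first rule allowing src_host -> dst_host:port, else None (default deny)."""
    src_net, dst_net = NETWORK_OF[src_host], NETWORK_OF[dst_host]
    for rule in policy:
        if rule.src == src_net and rule.dst == dst_net and port in rule.ports:
            return rule.name
    return None

def check_mail_flows(policy=POLICY):
    """Evaluate the flows worth verifying once the rules are in place. Flows a
    remote MTA must never have (straight to the Hub, EdgeSync from the DMZ) -> None."""
    flows = {
        "inbound internet->edge:25": ("internet-mx", "netoverme-edge", 25),
        "inbound edge->hub:25": ("netoverme-edge", "netoverme-exc", 25),
        "outbound hub->edge:25": ("netoverme-exc", "netoverme-edge", 25),
        "outbound edge->internet:25": ("netoverme-edge", "internet-mx", 25),
        "edgesync hub->edge:50636": ("netoverme-exc", "netoverme-edge", 50636),
        "bypass internet->hub:25": ("internet-mx", "netoverme-exc", 25),
        "reverse edgesync edge->hub:50636": ("netoverme-edge", "netoverme-exc", 50636),
    }
    return {label: match_rule(policy, *flow) for label, flow in flows.items()}
```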

Enabling VPN Client

ISA Server 2004 and 2006 both provide VPN (Virtual Private Network) connections. I love using the VPN when I want to connect remotely to my LAN at home; of course, you need Internet access first. In ISA Server, enabling the VPN client is simple and easy.

Before a client can connect through VPN, you have to enable VPN on the ISA Server. You also configure the ISA firewall's VPN settings, such as how many clients are allowed to connect. If the server is in a domain, consider which AD group is permitted to connect, and configure the DHCP address pool.

I will continue this topic later.

Using Enterprise Policy in ISA Server 2006

I would like to continue the previous topic, “Installing Configuration Storage Server”. Once you have installed the Configuration Storage Server, there is an enterprise array, and you can create an enterprise policy for the internal network.

How to Create Enterprise Policy?

1. Right-click the Enterprise tree.

2. Choose New and then Create Enterprise Policy.

3. In the New Enterprise Policy wizard, type a name for the policy. Click Next.

4. Then click Finish.

Create an Access Rule in the Enterprise Policy

1. Right-click the enterprise policy you created.

2. Name the rule, for example “Allow all outbound protocol”. Click Next.

3. Choose Allow.

4. On the protocol page, click All outbound protocols. (This is for practice only.)

5. On the access rule sources page, click Add and, under Network Sets, select All Protected Networks.

6. On the destinations page, under Enterprise Networks, click External.

7. On the user sets page, click Next and then Finish.

How can I use this Enterprise Policy in my ISA Array?

This enterprise policy can then be used by your ISA Server arrays.

You must have the array first and then change the policy setting on the array.

1. Right-click the array that has been created.

2. Click Properties.

3. On Policy Settings, select the enterprise policy you created.

Once the array is set to use the enterprise policy, the access rules in that policy apply to the ISA array.

In the example below there are two policies. You can also create firewall policy directly in the array. Notice that the enterprise policy only allows you to create an “Access Rule”, whereas when you go to the ISA array's firewall policy, multiple publishing rules are provided as well.

Installing Configuration Storage Server

Back to ISA Server 2006: I would like to show some configuration focusing on the Configuration Storage Server (CSS) and ISA Server 2006.

As you all know, you can install the ISA server and the Configuration Storage Server on the same machine. This section is different: I implement ISA Server 2006 Enterprise Edition, which means the configuration storage and firewall services are installed on separate servers.

The figure above shows this simple network; its components are described below:

NETOVERME-ISA – ISA Server 2006 is installed here, but not the Configuration Storage Server. It has two network interfaces, one for the private network and one for the public network. The private network is set to /24, whereas the public network is set to

NETOVERME-DC – the domain controller for the Netoverme organization. A DNS server is also installed on this server. Its IP address is

NETOVERME-CSS – the Configuration Storage Server, where the ISA server array configuration is stored. The CSS server is closely tied to the ISA server, Netoverme-ISA.

What have I done to the organization?

As you can see, the CSS server is completely separate from the ISA server (Netoverme-ISA). First, I installed and configured Active Directory and the domain (on Netoverme-DC); second, I created the Netoverme-CSS server and joined it to the domain. On Netoverme-CSS I installed ONLY the Configuration Storage Server.

Before proceeding with ISA Server 2006 on the Netoverme-ISA server, I created an account, EntAdmin, to administer the CSS. I assigned EntAdmin the ISA Server Enterprise Administrator role so that it can perform tasks such as creating arrays, creating rules, and so on.

On Netoverme-CSS you can create the array for Netoverme-ISA now, or create it later while installing the ISA server on Netoverme-ISA.

After finishing the configuration of the CSS server (Netoverme-CSS), you can proceed with the ISA server installation on Netoverme-ISA. The server can be joined to the domain or left in a workgroup; in this case I joined it to the domain and then started the ISA Server installation. On Netoverme-ISA you install only the ISA Server component and ISA Server Management.

In the next step the setup asks for the FQDN of the Configuration Storage Server; type the hostname of the CSS server, netoverme-CSS, and click Next. You will then be asked which array to use. A Configuration Storage Server can hold multiple arrays. In this case the CSS has not created any array yet, so during the installation you can choose to create one. The array is important because it is where you create the access rules that allow or deny traffic.

Finally, credentials are requested for communicating with the CSS server. In my case I used EntAdmin, the user assigned the ISA Server Enterprise Administrator role on the CSS server; I entered entadmin as the credential and completed the installation.

The good thing about running the Configuration Storage Server on a separate server is that you can back up and restore the whole configuration from that server whenever your front-end ISA server crashes. You can also disconnect and reconnect the enterprise network from the ISA server.

Organizing Array Levels in TMG 2010 / ISA Server 2006

Previously, I assigned roles to users to manage the ISA Server / TMG server. In an ISA Server environment you need to know the defined roles. At the array level there are three array administrator roles:

  • ISA Server Array Monitoring Auditor – Users and groups assigned this role can monitor the ISA Server and network connectivity, but have limited ability to configure its functionality.
  • ISA Server Array Auditor – Users and groups assigned this role can perform all monitoring tasks, such as alerts, log configuration, and all the other monitoring functionality that is available.
  • ISA Server Administrator – This role can perform any ISA Server task, including rule configuration, network templates and so on.


It is important to give users the least administrative rights that match their skills and duties. Good security here matters all the more when the ISA Server is deployed using the edge or tri-homed (3-Leg) network template.


Overview of Publishing OWA 2003 in ISA Server 2006 SP1

Publishing OWA 2003 in ISA Server 2006 SP1 is simple and straightforward. But what does a beginner need in order to publish OWA 2003? The one thing we must do is import the Outlook Web Access certificate into the ISA server. The most common mistake is to renew the OWA certificate; in fact, we don't need to renew it. All that is needed is to export the current certificate to a .pfx file. How do you do that?

On the Exchange Server:

  • Go to your front-end Exchange server, or your single Exchange server where OWA forms-based authentication (FBA) is set up.
  • Open Internet Information Services and right-click the Exchange default website.
  • Click Properties and go to Directory Security.
  • Click the Server Certificate button, then click Next to start the wizard.
  • Choose “Export the current certificate to a .pfx file”. Click Next.
  • Enter the path and filename you want to save to, for example C:\owacertificate.pfx.
  • Set and confirm the password, then click Next until you reach Finish.

After that, import owacertificate.pfx into your ISA Server. Remember to import the certificate into the “Personal” store. Otherwise, when you try to publish the Exchange Client Access rule, the ISA server will not see your certificate. Please make sure the certificate is imported into the Personal folder.

Then create your OWA publishing rule. For the rule to work, your internal DNS server plays a role as well as your public DNS. For example, if the public domain is “”, you need to resolve that domain to a certain IP address, and your internal DNS must also resolve the FQDN correctly so that it points to the correct internal server, in accordance with your OWA publishing rule. Have a read on Split DNS; it should solve your problems.

See you next time on a similar topic.

Test Rule Available in ISA Server 2006 SP1

Hi all,

I would like to attach an image of my Exchange Client Access Publishing Rule. When you create an Exchange Client Access publishing rule for clients to access OWA or use RPC, ISA Server 2006 Service Pack 1 provides a Test Rule button to check whether the rule we created is valid and can reach its destination. The Test Rule button is not available in the original ISA Server 2006 release; it only appears in Service Pack 1.