Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

When you deploy ISA Server 2006 for Outlook Web App, you use the New Exchange Publishing Rule wizard on the firewall policy tasks. This wizard shows you the specific settings that you must configure to enable access to Exchange.

If you have multiple versions of Exchange in your organization, you must create an Exchange publishing rule for each version that you support.


Here are the basic steps for deploying ISA Server 2006 for Outlook Web App:

Step 1: Create a new Exchange publishing rule

Step 2: Configure additional options

Step 3: Install a server certificate for ISA Server 2006

See the following sections for information about each step.

Step 1: Create a new Exchange publishing rule

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "ISA Server 2006" entry in the Client Access Permissions topic.

During this process, you must provide the following information:

  • Exchange publishing rule name   Provide a friendly name for your publishing rule, such as "Exchange E-mail Access".

  • Supported client access services   On the Select Services page, select the version of Exchange that you're deploying and the client access services that you want to support for your users. By default, when you select Exchange 2010, Outlook Web App is selected.

  • Publishing type   On the Publishing Type page, select an option to use depending on whether you plan to publish a single site or an external load balancer, a Web server farm, or multiple Web sites.

  • Server connection security   This page lets you select whether to use SSL or non-secured connections from the ISA Server computer to Exchange.

  • Internal publishing details   On the Internal Publishing Details page, enter the internal site name of Outlook Web App or select the option to use a computer name or IP address to connect to Exchange.

  • Public name details   The Public name details page lets you select which domains you will accept requests from. You must also provide a public name, for example,

  • Select web listener   The Select web listener page lets you specify the listener for the Exchange server to which you're connecting. A listener is used to specify the authentication type that will be used when the client first contacts the ISA Server computer. The listener contains information about how the ISA Server computer accepts requests from clients, such as the encryption, compression, and authentication that's used on the external connection. You can use this page to create a new listener or edit existing listeners.

  • Authentication delegation   The Authentication delegation page lets you specify the type of authentication mechanism that the Client Access server should expect from ISA Server. Select from the following:

    • No delegation, but client may authenticate directly

    • Basic authentication

    • NTLM authentication

    • Negotiate (Kerberos/NTLM)

    • Kerberos constrained delegation

  • User sets   The User sets page lets you select which users can use this rule to connect to Exchange.

If you have configured the ISA Server computer to authenticate users, you should configure the Outlook Web App virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication on the Outlook Web App virtual directories together with ISA Server 2006 authentication, users are prompted for their sign in information only one time.

If you select forms-based authentication for the ISA Server listener, the user will be prompted to reenter authentication credentials if the Outlook Web App session times out.

However, Integrated Windows authentication disallows access from Outlook Web App to documents on Windows file shares or in Windows SharePoint Services document libraries. If you must access documents from Outlook Web App, you must use Basic authentication on the Outlook Web App virtual directory.

After you complete the wizard, the wizard creates the Exchange publishing rule. The rule you create appears in the Firewall Policy Rules list on the Firewall Policy tab.

After you finish creating your publishing rule, you must wait for the settings to take effect. You can monitor ISA Server 2006 publishing rule progress by using the Monitoring node in the ISA Server 2006 Management console.

Step 2: Configure additional options (optional)

You can configure additional features, such as link translation and HTTP compression, for the new rule that you created in the ISA Server 2006 Management console. Additional settings for link translation and HTTP compression are managed under the General node on the ISA Server 2006 Management console.

  • Configure Link Translation   To configure link translation, you must select the Exchange publishing rule that you created, and then click Edit Selected Rule under Policy Editing Tasks. On the Link Translation tab, you can configure link translation based on the needs of your users.

  • Configure HTTP Compression   The HTTP compression option can be configured in the General node under Configuration in the ISA Server 2006 Management console. Click Define HTTP compression preferences, and then select the options that you want to support for your users.

After you finish configuring these options, the ISA Server configuration for Exchange is complete.

Step 3: Install a server certificate for ISA Server 2006

To enable an encrypted channel by using SSL between the client computer and the ISA Server computer, you must install a server certificate on the ISA Server computer. This certificate should be issued by a public certification authority (CA) because it will be accessed by users on the Internet. If a private CA is used, the root CA certificate from the private CA must be installed on any computer that has to create an encrypted channel (HTTPS) to the ISA Server computer. Otherwise, users will receive a warning that the certificate isn't trusted.

For more information about how to install a server certificate on ISA Server 2006, see Publishing Exchange Server 2007 with ISA Server 2006.

Other Tasks

After you deploy ISA Server, you may also want to Configure Reverse Proxy Servers for Outlook Web App.

For More Information