Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2008-05-20

This topic describes how to configure firewalls for use with a server that is running Microsoft Exchange Server 2007 that has the Client Access server role installed. You can use software and hardware solutions as a firewall to help secure your messaging environment. We recommend that you use an advanced firewall server such as Microsoft Internet Acceleration and Security (ISA) Server 2006 or Intelligent Application Gateway (IAG) 2007 with Exchange 2007. ISA Server 2006 and IAG 2007 were designed to help secure and enhance the Exchange 2007 client access experience.

Note:
For more information about IAG 2007, see Microsoft Forefront Edge Security and Access.

ISA Server 2006 and Exchange 2007

ISA Server 2006 and Exchange 2007 were developed to coexist and provide an increased level of security for your messaging environment. When you use the New Exchange Publishing Rule Wizard to configure your ISA Server computer to allow client access, you automatically configure ISA Server settings that are required for the new features in both Exchange 2007 and ISA Server 2006 to work correctly.

For more information about how to configure ISA Server 2006 for Exchange 2007, see Configuring ISA Server 2006 for Exchange Client Access.

Earlier Versions of ISA Server and Exchange 2007

When you deploy Exchange 2007, we recommend that you upgrade any earlier versions of ISA Server that you are using. Deploying Exchange 2007 in an environment that has been configured to use an earlier version of ISA Server, such as ISA Server 2004, will require changes to your ISA Server rules that you might have configured for client access.

When you configure ISA Server 2004 or ISA Server 2000, you will have to create new server or Web publishing rules for the new Client Access servers that you want your users to access. Table 1 describes the virtual directories to use as paths for the Web and server publishing rules that you must create for client access to Exchange when you use an earlier version of ISA Server than ISA Server 2006. Make sure that you use only the paths for the client applications that you plan to use. For example, if you do not plan to use Microsoft Exchange ActiveSync, you do not have to publish the Microsoft-Server-ActiveSync virtual directory.

Table 1   Exchange 2007 virtual directories that are used as paths in ISA Server publishing rules

Path Name Description

/owa

This virtual directory is used by the Microsoft Office Outlook Web Access application to access mailboxes on Exchange 2007 computers that have the Mailbox server role installed.

/public

This virtual directory is used by the Outlook Web Access application to access public folders for mailboxes that are located on computers that are running Exchange 2007, Microsoft Exchange Server 2003, or Microsoft Exchange 2000 Server.

/exchweb

This virtual directory is used by the Outlook Web Access application for mailboxes on computers that are running Exchange 2003 or Exchange 2000.

/exchange

This virtual directory is used by Outlook Web Access to access mailboxes on computers that are running Exchange 2003 or Exchange 2000.

/UnifiedMessaging

This virtual directory is used for Unified Message access.

/Microsoft-Server-ActiveSync

This virtual directory is used by the Exchange 2007 ActiveSync application.

/EWS

This virtual directory is used for Exchange Web Services.

/Autodiscover

This virtual directory is used by the Autodiscover service for the Exchange ActiveSync and Outlook clients.

/rpc

This virtual directory is used by the Outlook Anywhere feature in Outlook 2007.

For More Information

For more information about how to configure client access to Exchange, see the following topics: