Geeks With Blogs
Cajun MCSE MS technology down on the bayou

Publishing Multiple URLs to Outlook Web Access in ISA 2006 while keeping it hidden they exist on the same server

This week I had a pretty strange request. An organization wanted to host multiple email domains in its Exchange environment while hiding that fact from external mail users and other outside parties. It was acceptable for outsiders to see that the domains belonged to the same organization; it was not acceptable for them to see that the domains were served by the same AD and Exchange servers.


The mail flow portion was pretty simple. I added a new accepted domain in Exchange 2007 and on the spam filter appliance, configured the appliance's LDAP lookup for the new SMTP domain, and changed the primary email address for the affected users. To do that I used an email address policy that assigns the primary SMTP address based on an AD attribute, which means the attribute has to be populated when the user is created, before the policy is applied. I also changed the default email address policy so it no longer applied to these users, and created separate GALs in Exchange so there was no crossover between the two user bases.
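Here is the Exchange 2007 Management Shell equivalent of those mail-flow steps, as an added example rather than the post's own commands. contoso.com (the existing domain), fabrikam.com (the new domain), CustomAttribute1 as the selector attribute and the mailbox name jdoe are all assumptions; the spam appliance's LDAP configuration is vendor specific and not shown.

```powershell
# Added example, not the post's own commands. Assumptions: contoso.com is the
# existing e-mail domain, fabrikam.com the new one, and CustomAttribute1 holds
# the tag that selects the second user base. "jdoe" is a hypothetical mailbox.
$NewDomain = "fabrikam.com"
$Tag       = "fabrikam"

# 1. Accept inbound mail for the new SMTP domain.
New-AcceptedDomain -Name "Fabrikam" -DomainName $NewDomain -DomainType Authoritative

# 2. Address policy keyed on the AD attribute. Policies are applied in priority
#    order and a recipient is stamped by the first one whose filter matches, so
#    Priority 1 keeps tagged users out of the Default Policy's @contoso.com template.
New-EmailAddressPolicy -Name "Fabrikam users" `
    -RecipientFilter "(CustomAttribute1 -eq '$Tag')" `
    -EnabledEmailAddressTemplates "SMTP:%m@$NewDomain" `
    -Priority 1

# 3. Two GALs with complementary filters, so neither user base lists the other.
#    Which GAL a given user actually gets is then governed by the Read permission
#    on each GAL object in AD (not shown here).
New-GlobalAddressList -Name "Fabrikam GAL" -RecipientFilter "(CustomAttribute1 -eq '$Tag')"
New-GlobalAddressList -Name "Contoso GAL"  -RecipientFilter "(CustomAttribute1 -ne '$Tag')"
Update-GlobalAddressList -Identity "Fabrikam GAL"
Update-GlobalAddressList -Identity "Contoso GAL"

# 4. Provisioning: the tag must be present before the policy runs, otherwise the
#    user is stamped with the default @contoso.com address first.
Set-Mailbox -Identity "jdoe" -CustomAttribute1 $Tag -EmailAddressPolicyEnabled $true
Update-EmailAddressPolicy -Identity "Fabrikam users"

# 5. Check: every tagged mailbox must carry a primary address in the new domain,
#    and no untagged mailbox may carry one. Anything listed here is a leak.
$Leaks = Get-Mailbox -ResultSize Unlimited | Where-Object {
    ($_.CustomAttribute1 -eq $Tag) -xor ($_.PrimarySmtpAddress.Domain -eq $NewDomain)
}
if ($Leaks) { $Leaks | Format-Table Name, CustomAttribute1, PrimarySmtpAddress }
```

The final check is worth keeping around as a scheduled job: a mailbox created without the tag silently gets the wrong primary address, which is exactly the kind of cross-domain trace this setup is meant to avoid.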


Publishing the OWA URLs and changing the login process, however, were not quite so easy.


My first step was to get my UC certificate reissued with subject alternative names for the new email domain added. Since it was acceptable to be seen as the same organization, I could keep using one certificate that still listed the original SANs alongside the new ones; bear in mind that anyone connecting to either URL can read the full SAN list off that certificate, so this only works when sharing an organization is not itself a secret. You have to create a new certificate request on your Exchange 2007 server and resubmit it to your CA. Once the certificate is issued, import and enable it on all Exchange servers, then export it with its private key and bring it over to the ISA 2006 server.
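The certificate steps in the Exchange 2007 Management Shell, as an added example and not the post's own commands. The host names mail.contoso.com, mail.fabrikam.com and the two autodiscover names, as well as the file paths, are assumptions; submitting the request to the CA happens outside the shell.

```powershell
# Added example, not the post's own commands. Assumed names: mail.contoso.com is
# the original public FQDN and stays the common name; the SAN list is extended
# with the new domain's names. Paths and the password prompt are illustrative.
$Subject = "CN=mail.contoso.com"
$Sans    = "mail.contoso.com", "autodiscover.contoso.com",
           "mail.fabrikam.com", "autodiscover.fabrikam.com"

# 1. New request. The key must be exportable because the same certificate is
#    later moved to the ISA server and to the other Exchange servers.
New-ExchangeCertificate -GenerateRequest -SubjectName $Subject -DomainName $Sans `
    -PrivateKeyExportable $true -Path C:\certreq\mail-uc.req

# 2. (Submit C:\certreq\mail-uc.req to the CA and save the issued certificate as
#    C:\certreq\mail-uc.cer.) Import it and enable it for OWA (IIS) and SMTP.
$Cert = Import-ExchangeCertificate -Path C:\certreq\mail-uc.cer
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP"

# 3. Check that every name ISA will publish is actually on the issued certificate;
#    a name missing here shows up later as a certificate-name error on the listener.
$Issued  = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$Missing = @($Sans | Where-Object { $Issued.CertificateDomains -notcontains $_ })
if ($Missing.Count -gt 0) {
    throw ("Issued certificate lacks SAN(s): " + [string]::Join(", ", $Missing))
}

# 4. Export with the private key (PFX) for import on ISA 2006 and on the other
#    Exchange servers. Treat this file as a secret and delete it after import.
Export-ExchangeCertificate -Thumbprint $Cert.Thumbprint -BinaryEncoded:$true `
    -Path C:\certreq\mail-uc.pfx -Password (Read-Host "PFX password" -AsSecureString)
```

Step 3 is the check to run before touching ISA: the SAN list on the issued certificate is what every listener and every published name will be validated against, and a CA that quietly dropped a name from the request is easier to catch here than in the ISA logs.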


I created a new OWA publishing rule for the new domain and a redirect rule below it. That did not work straight off: unless the traffic between ISA and the Exchange CAS uses the same FQDN as the common name of the certificate, the CAS will not respond. I got around this by giving the second domain's rule a different internal site name, namely the real public FQDN of the first domain, i.e.:


First Domain Rule: public name = first domain's public FQDN; internal site name = first domain's public FQDN (the certificate's common name).
Second Domain Rule: public name = second domain's public FQDN; internal site name = first domain's public FQDN again.

My ISA server has hosts file entries that resolve both real FQDNs to the internal IP address of the CAS server. Since the rules are configured so that requests appear to come from the ISA server computer, the CAS server has no way of knowing which rule it is responding to and answers the same URL in both cases, while the user sees the public URL of whichever domain they used to get there.


This solved ISA and OWA answering on different public URLs. Next I had to change the login process so that users no longer had to type Domain\Username, since the shared domain name is exactly the evidence that was supposed to stay hidden. The email address was the obvious choice: its suffix differs between the two domains and gives no hint of any crossover.


To accomplish this I first had to add two alternative UPN suffixes in Active Directory, one for each email domain. I then changed the LDAP authentication login expressions in ISA: I removed the domain\* entry and added two entries of the form *@<suffix>, one for each email domain suffix.
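As an added example (not the post's own script), here is how the two alternative UPN suffixes can be registered and each mailbox user's UPN aligned with the primary SMTP address, run from the Exchange 2007 Management Shell so that Get-Mailbox and Set-User are available. The domain names contoso.com and fabrikam.com are assumptions; the ISA user-set expressions themselves are still edited in the ISA console.

```powershell
# Added example, not from the post. Assumptions: contoso.com and fabrikam.com are
# the two e-mail domains; run from the Exchange Management Shell.
$Suffixes = "contoso.com", "fabrikam.com"

# 1. Alternative UPN suffixes are stored in the uPNSuffixes attribute of the
#    Partitions container in the configuration naming context.
$RootDse    = [ADSI]"LDAP://RootDSE"
$ConfigNc   = [string]$RootDse.configurationNamingContext
$Partitions = [ADSI]("LDAP://CN=Partitions," + $ConfigNc)
foreach ($s in $Suffixes) {
    if ($Partitions.uPNSuffixes -notcontains $s) {
        [void]$Partitions.uPNSuffixes.Add($s)
    }
}
$Partitions.SetInfo()

# 2. Make every mailbox user's UPN equal to their primary SMTP address, so the
#    value typed into the OWA form is also a valid logon name for ISA's LDAP check.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.PrimarySmtpAddress.ToString()
    if ($_.UserPrincipalName -ne $upn) {
        Set-User -Identity $_.Identity -UserPrincipalName $upn
    }
}

# 3. Check: once the domain\* expression is gone from the ISA user set, anyone whose
#    UPN suffix is not one of the published domains can no longer log on through OWA.
Get-Mailbox -ResultSize Unlimited | Where-Object {
    $Suffixes -notcontains ("$($_.UserPrincipalName)".Split("@")[1])
} | Format-Table Name, UserPrincipalName
```

Step 3 should come back empty before the domain\* expression is removed; any account it lists (service mailboxes created with the forest's default suffix are the usual suspects) would be locked out of OWA without an obvious error.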


No change was needed on the Exchange CAS, as it was already set to Basic authentication rather than forms-based. This change forced users to log in with only their email address (the newly created UPN) as their username; a user whose UPN suffix is not one of the two email domains no longer matches either expression and is rejected at ISA.


Now the OWA forms-based authentication page in ISA needed to be changed to ask for an email address instead of Domain\username. This is done by editing the strings.txt file located at:

 C:\Program Files\Microsoft ISA Server\CookieAuthTemplates\Exchange\HTML\nls\en

I replaced the Domain\username label with Email address (keeping a backup of the original file) and restarted the Microsoft Firewall service. The result is a login form that asks only for an email address and a password: no domain name appears anywhere on it, so nothing on the page gives away that both URLs are fronting the same directory. No more evidence.

Posted on Friday, November 13, 2009 11:17 PM | MS Exchange 2007

Comments on this post: Publishing Multiple URLs to Outlook Web Access in ISA 2006 while keeping it hidden they exist on the same server


Copyright © Ryan Roussel