Use a Single Listener for Forms-Based and Basic Authentication in ForeFront TMG/ISA

When deploying Microsoft Unified Communications solutions we often deploy ForeFront TMG or ISA Server 2006 to publish the complete set of external services (Outlook Web App, Communicator Web Access, Address Book Download, and Group Expansion). We’re also asked to integrate with existing IIS applications and provide a seamless end user experience using Forms Based Authentication (FBA) and the Single Sign On (SSO) feature in ForeFront TMG. Recently our Unified Communications developers requested the ability to use multiple front-end authentication methods on a single listener, so we investigated our options.

To summarize the existing environment:

ISA Server 2006 Enterprise Edition

Single SSL Listener with FBA enabled

Single-name SSL Certificate (sso.domain.com)

And what we wanted to accomplish:

1. Use a single listener

2. Provide Single Sign On for web clients

3. Provide Custom Unified Communications Application Authentication (Basic over SSL)

It turns out this is possible and fairly simple to accomplish – provided you have access to run a few scripts against the TMG/ISA server and know which “User-Agent headers” are used by your applications and clients. A big thanks to Nik Ramlow for finding this info in the ISA Server SDK and MSDN site (http://technet.microsoft.com/en-us/library/bb794715.aspx). On the site you’ll find 3 scripts.

ListUserAgentMappings.vbs

AddUserAgentMapping.vbs

EditUserAgentMapping.vbs

After saving and running the first script on the ISA Server we see our default User-Agent header/Authentication type mappings:

[image: ListUserAgentMappings.vbs output showing the default User-Agent header/authentication type mappings]

This tells us which authentication method ISA will attempt to use for each User-Agent header (which is typically associated with a browser or application). By default, Internet Explorer’s User-Agent string matches the “*Mozilla*” mapping, and that mapping is associated with the HTML 4.01 forms authentication method. Requirement #2… check! (Full disclosure: this is the default behavior after enabling a Forms Based Listener.)

Now we need to get our application authentication going, and the first thing we need to determine is our application’s User-Agent header. Using the ISA monitoring console we determined the application header to be “Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)” (the .NET Framework web service client, with the runtime version at the end of the string). Now we use script #2 to tell ISA to map that header to Basic authentication (we used “*MS Web Services Client Protocol*” to catch all versions). The full command is

AddUserAgentMapping.vbs "*MS Web Services Client Protocol*" basic

To see how that changed the authentication methods, run ListUserAgentMappings.vbs again (disregard the formatting of the DOS window; the user agent string that was added is longer than the default column width of the script):

[image: ListUserAgentMappings.vbs output after the new “*MS Web Services Client Protocol*” mapping was added at position 11]

Now that the client header and authentication type are added, it’ll just work, right? Not quite. ISA evaluates the mappings in order and uses the first one that matches, and mapping No. 7 (“*Mozilla*”) sits above the new entry and also matches our application’s header, which itself begins with “Mozilla/4.0”. So we need to adjust the order using script 3; each command moves the mapping at the given position up one row, and the four moves below walk the new mapping from position 11 to position 7, ahead of “*Mozilla*”:

EditUserAgentMapping.vbs up 11

EditUserAgentMapping.vbs up 10

EditUserAgentMapping.vbs up 9

EditUserAgentMapping.vbs up 8

Running ListUserAgentMappings.vbs now shows

[image: ListUserAgentMappings.vbs output after reordering, with “*MS Web Services Client Protocol*” ahead of “*Mozilla*”]

Exactly what we need!
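To make the ordering rule above concrete, here is an added example (not part of the original post, and not the ISA Server SDK scripts) that models how the listener walks the User-Agent mapping table: first wildcard match wins, AddUserAgentMapping appends a row at the end, and each “up N” swaps row N with the row above it. The table is constructed: only row 7 (“*Mozilla*” to forms) and the row we add come from the post, the other rows are placeholders so the positions line up, and the wildcard and case handling are an approximation with fnmatch. The IE User-Agent string is also constructed.

```python
from fnmatch import fnmatchcase

# --- Constructed data -------------------------------------------------------
# Stand-in for the table ListUserAgentMappings.vbs prints, in evaluation order.
# Only row 7 ("*Mozilla*" -> forms) and the row added in walk_through() come
# from the post; the placeholder rows are NOT the real ISA/TMG defaults, they
# just keep the positions consistent with the post (new row lands at 11).
CONSTRUCTED_DEFAULTS = [
    ("*Placeholder-Agent-1*", "basic"),
    ("*Placeholder-Agent-2*", "basic"),
    ("*Placeholder-Agent-3*", "basic"),
    ("*Placeholder-Agent-4*", "basic"),
    ("*Placeholder-Agent-5*", "basic"),
    ("*Placeholder-Agent-6*", "basic"),
    ("*Mozilla*", "forms"),  # browsers -> HTML 4.01 forms authentication (FBA)
    ("*Placeholder-Agent-8*", "basic"),
    ("*Placeholder-Agent-9*", "basic"),
    ("*Placeholder-Agent-10*", "basic"),
]

# The .NET web services client string captured in the post, and a constructed
# Internet Explorer string used to check that browsers still get the form.
DOTNET_UA = "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)"
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"


def resolve(mappings, user_agent):
    """First-match evaluation: walk the table top to bottom and return the
    authentication type of the first wildcard pattern that matches.
    Wildcard/case semantics are approximated with fnmatch (assumption)."""
    for pattern, auth in mappings:
        if fnmatchcase(user_agent, pattern):
            return auth
    return None  # no row matched; the post does not say what ISA does then


def add_mapping(mappings, pattern, auth):
    """Model of AddUserAgentMapping.vbs: append a row at the end of the table
    (assumption, consistent with the post where it landed at position 11).
    Returns the new row's 1-based position."""
    mappings.append((pattern, auth))
    return len(mappings)


def move_up(mappings, position):
    """Model of 'EditUserAgentMapping.vbs up N': swap row N (1-based) with row N-1."""
    if position < 2 or position > len(mappings):
        raise ValueError(f"cannot move row {position} up in a {len(mappings)}-row table")
    i = position - 1
    mappings[i - 1], mappings[i] = mappings[i], mappings[i - 1]


def promote_above(mappings, pattern, target_pattern):
    """Move `pattern` up one row at a time until it sits ahead of `target_pattern`.
    Returns the 'up N' arguments issued, in order, so they can be compared with
    what you would type against EditUserAgentMapping.vbs."""
    patterns = [p for p, _ in mappings]
    pos = patterns.index(pattern) + 1
    target = patterns.index(target_pattern) + 1
    commands = []
    while pos > target:
        move_up(mappings, pos)
        commands.append(f"up {pos}")
        pos -= 1
    return commands


def walk_through():
    """Reproduce the post's sequence. Returns (auth before reorder, commands,
    (app auth after reorder, browser auth after reorder))."""
    table = list(CONSTRUCTED_DEFAULTS)
    add_mapping(table, "*MS Web Services Client Protocol*", "basic")
    before = resolve(table, DOTNET_UA)  # still "forms": row 7 matches first
    commands = promote_above(table, "*MS Web Services Client Protocol*", "*Mozilla*")
    after = (resolve(table, DOTNET_UA), resolve(table, IE_UA))
    return before, commands, after


if __name__ == "__main__":
    before, commands, after = walk_through()
    print("application auth before reorder:", before)
    print("EditUserAgentMapping.vbs args   :", commands)
    print("(application, browser) after    :", after)
```

Running it reproduces the post: the application still resolves to forms right after the add, the generated moves are “up 11, up 10, up 9, up 8”, and afterwards the application gets Basic while the IE string still gets the form. The same resolver also shows the limit of the technique: any client that sends a header containing “MS Web Services Client Protocol” is offered Basic over SSL, because the mapping keys on a value the client chooses.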

Finally, we need to test the application and verify in the ISA log that the request was authenticated with Basic rather than redirected to the form:

[image: ISA log trace showing the application’s request authenticated through the listener]

In summary, ForeFront TMG and ISA Server 2006 offer great flexibility in front-end authentication within a simplified and consolidated management interface. Applications like SharePoint, Outlook Web Access, Office Communicator 2007 R2, and even custom applications can share a consolidated listener without loss of functionality. Keep in mind that User-Agent is a header the client chooses, so a mapping only selects which authentication method the listener presents; it does not bypass the credential validation configured on the listener, and any client that sends a matching header can opt into Basic over SSL instead of the form.

Luke
