How to: Publish Exchange 2010 – Outlook Web Access (OWA) – with TMG

Publishing Outlook Web Access (OWA) using Microsoft’s Threat Management Gateway (TMG)

Publishing Outlook Web Access (OWA) is a common step in the enterprise: you want to give users access to their corporate email through a web interface they can reach from anywhere with an Internet connection. Below are some steps and recommendations for making OWA available to your users. We start with some basic pre-requisites and best practices, then prepare the Exchange server, and finish by publishing it through TMG (previously known as ISA Server). Note that if you are using Microsoft's Small Business Server, OWA tends to come pre-configured, so you can skip that step (just make sure it appears as active in the Exchange console and that the configuration meets your needs).


Here are some pre-requisites to keep in mind:

  1. Ideally you want at least two external IPs. You can manage with one for Basic authentication (OA, EWS, EAS), but if you get a second one you can also do forms-based authentication (OWA/ECP).
  2. A multi-name trusted certificate with all applicable names. I would recommend using your own CA to issue certificates, as getting this right can be tricky. Once you have a handle on it, you can move to a third-party CA that is more widely trusted.
  3. TMG can already authenticate against AD (either domain joined or with authentication configured).


Preparing the Exchange server

  1. Configure Exchange 2010 for Basic authentication (not needed for SBS)
    1. Run the following in the Exchange Management Shell on the CAS server that will be published (Basic and Windows authentication on; forms-based authentication off on OWA and ECP so TMG can delegate credentials):
      • Set-OwaVirtualDirectory -Identity <CasServer>* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
      • Set-WebServicesVirtualDirectory -Identity <CasServer>* -WindowsAuthentication $true -BasicAuthentication $true
      • Set-EcpVirtualDirectory -Identity <CasServer>* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
      • Set-OabVirtualDirectory -Identity <CasServer>* -WindowsAuthentication $true -BasicAuthentication $true
      • Set-ActiveSyncVirtualDirectory -Identity <CasServer>* -BasicAuthEnabled $true
  2. Copy the third-party certificate to the TMG server (not needed for SBS)
    1. Click Start –> Run –> type MMC
    2. Click File –> Add/Remove Snap-in –> Certificates –> Add –> Computer account –> Next –> Finish –> OK
    3. Click Personal –> Certificates
    4. Right-click the third-party certificate and click All Tasks –> Export
    5. Click Next –> Yes, export the private key –> Base-64 –> Next –> browse for the file location
    6. Next –> Finish
    7. Copy the certificate file to the TMG server
    8. Click Start –> Run –> type MMC
    9. Click File –> Add/Remove Snap-in –> Certificates –> Add –> Computer account –> Next –> Finish –> OK
    10. Click Personal –> right-click Certificates –> All Tasks –> Import –> Next –> select the file –> Next –> Next –> Finish
  3. Configure OWA Rule on TMG
    1. Open Forefront TMG
    2. Click on Firewall Policy
    3. In the Action pane under Tasks, launch the wizard "Publish Exchange Web Client Access"
    4. Give the rule a name based on your enterprise standards.
    5. Select Exchange 2010 from the drop-down and enable Outlook Web Access
    6. Make the appropriate selections on the next screen; the defaults are acceptable.
    7. The Internal Site Name should be your CAS server FQDN (it needs to be on the certificate of the site hosting Exchange)
    8. The external name is what you use to access OWA (it needs to be on the certificate as well, and on the listener used by TMG)
    9. Select your listener. Remember you can use one with forms or one that delegates authentication, depending on your needs.
    10. You're done!
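Before handing the rule over to users, it is worth confirming that the CAS side actually matches what the TMG rule expects: the Basic/Windows/Forms settings from the Set-*VirtualDirectory commands above, and a certificate on IIS that carries both the Internal Site Name and the external name the wizard asks for. The script below is an added example for the Exchange Management Shell, not part of the original post; $CasServer, $InternalName and $ExternalName are assumed placeholders for your own environment.

```powershell
# Added verification script (not from the original post). Run it in the Exchange
# Management Shell on the CAS server after the Set-*VirtualDirectory commands.
# The three values below are assumed placeholders; replace them with your own.
$CasServer    = "CAS01"                      # assumed: the CAS server being published
$InternalName = "cas01.corp.example.local"   # assumed: Internal Site Name used in the TMG rule
$ExternalName = "mail.example.com"           # assumed: external OWA name on the TMG listener

$findings = @()

# 1. Authentication on the published virtual directories.
#    OWA and ECP need Basic + Windows on and Forms off, otherwise TMG cannot
#    delegate the credentials it collected on the listener to Exchange.
$owaEcp = @(Get-OwaVirtualDirectory -Server $CasServer) + @(Get-EcpVirtualDirectory -Server $CasServer)
foreach ($vdir in $owaEcp) {
    if (-not $vdir.BasicAuthentication)   { $findings += "$($vdir.Identity): BasicAuthentication is off" }
    if (-not $vdir.WindowsAuthentication) { $findings += "$($vdir.Identity): WindowsAuthentication is off" }
    if ($vdir.FormsAuthentication)        { $findings += "$($vdir.Identity): FormsAuthentication is still on" }
}

# EWS and OAB: Basic + Windows on.
$ewsOab = @(Get-WebServicesVirtualDirectory -Server $CasServer) + @(Get-OabVirtualDirectory -Server $CasServer)
foreach ($vdir in $ewsOab) {
    if (-not $vdir.BasicAuthentication)   { $findings += "$($vdir.Identity): BasicAuthentication is off" }
    if (-not $vdir.WindowsAuthentication) { $findings += "$($vdir.Identity): WindowsAuthentication is off" }
}

# ActiveSync exposes the same setting under a different property name.
foreach ($vdir in @(Get-ActiveSyncVirtualDirectory -Server $CasServer)) {
    if (-not $vdir.BasicAuthEnabled) { $findings += "$($vdir.Identity): BasicAuthEnabled is off" }
}

# 2. The certificate bound to IIS must contain both names the TMG rule uses,
#    and should not be close to expiry.
$iisCert = Get-ExchangeCertificate -Server $CasServer |
    Where-Object { $_.Services -match "IIS" } |
    Select-Object -First 1

if (-not $iisCert) {
    $findings += "No certificate is assigned to the IIS service on $CasServer"
} else {
    foreach ($name in @($InternalName, $ExternalName)) {
        if ($iisCert.CertificateDomains -notcontains $name) {
            $findings += "Certificate $($iisCert.Thumbprint) does not contain the name $name"
        }
    }
    if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate $($iisCert.Thumbprint) expires on $($iisCert.NotAfter)"
    }
}

if ($findings.Count -eq 0) {
    "All checks passed for $CasServer"
} else {
    $findings
}
```

Any line it prints points at a setting the TMG wizard will silently trip over later (a forms page returned to TMG's Basic delegation, or a certificate name mismatch on the Internal Site Name). Run it once after the Exchange changes and again after renewing the certificate, since a renewal that drops a SAN name breaks the rule without any change on the TMG side.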