Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 – Preparing the Client Access Server (CAS)

by Richard Hicks [Published on 20 July 2010 / Last Updated on 20 May 2013]

Preparing the CAS in order to publish Exchange OWA with Microsoft TMG 2010.

If you would like to read the next part in this article series please go to Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010 Part 2 – Configuring TMG.

Introduction

Forefront Threat Management Gateway (TMG) 2010 includes support for publishing Microsoft Exchange Outlook Web App (OWA) for Exchange 2010, as well as Outlook Web Access for Exchange 2007, 2003, and 2000. In the first part of this two-part series we will go through the steps required to prepare the CAS server for publishing with TMG. In part two we will focus on actually publishing OWA using TMG.

Preparing the Client Access Server (CAS)

Before we can publish OWA using TMG, we need to make some configuration changes on the Exchange CAS server. With Exchange 2010, Forms Based Authentication (FBA) is now the default authentication method. Since TMG will be presenting its own authentication form to the client and pre-authenticating the user at the edge, we’ll need to configure Exchange OWA to use NTLM authentication instead.

To change the authentication method for OWA, open the Exchange management console and highlight Client Access under the Server Configuration node in the console tree.


Select the Outlook Web App tab, and then right-click OWA (Default Web Site) and choose Properties.


Select the Authentication tab, then choose the option Use one or more standard authentication methods. For demonstration purposes I will choose Basic Authentication (password is sent in clear text). Since this communication is protected using SSL encryption, clear text passwords will not be visible on the network.


Select the Exchange Control Panel tab and then right-click ECP (Default Web Site) and choose Properties.


Select the Authentication tab, then choose the option Use one or more standard authentication methods and select Basic Authentication (password is sent in clear text).


Once complete, open an elevated command prompt and execute the iisreset /noforce command.
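
The same change can be made and verified from the Exchange Management Shell. This is an added example, not part of the original article; it assumes the default virtual directory names shown above, follows the Basic authentication choice used in the walkthrough, and stops unless IIS already requires SSL on both paths.

```powershell
# Added example (not from the article). Run elevated in the Exchange Management Shell on the CAS.
# Assumption: default directory names "owa (Default Web Site)" and "ecp (Default Web Site)".
$server = $env:COMPUTERNAME
$owaId  = "$server\owa (Default Web Site)"
$ecpId  = "$server\ecp (Default Web Site)"

# Basic authentication is only acceptable over SSL: stop unless IIS requires SSL
# on both paths (appcmd prints the <access sslFlags="..." /> element for the path).
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
foreach ($path in 'Default Web Site/owa', 'Default Web Site/ecp') {
    $xml = & $appcmd list config $path '-section:system.webServer/security/access'
    if (($xml -join ' ') -notmatch 'sslFlags="[^"]*\bSsl\b') {
        throw "Require SSL is not enabled on '$path'; not enabling Basic authentication."
    }
}

# Turn off forms-based authentication and enable Basic on both directories.
# OWA and ECP are changed together so their authentication methods stay in step.
Set-OwaVirtualDirectory -Identity $owaId -FormsAuthentication $false -BasicAuthentication $true -ErrorAction Stop
Set-EcpVirtualDirectory -Identity $ecpId -FormsAuthentication $false -BasicAuthentication $true -ErrorAction Stop

# Read the settings back and confirm both directories agree before restarting IIS.
$check = @(Get-OwaVirtualDirectory -Identity $owaId) + @(Get-EcpVirtualDirectory -Identity $ecpId)
foreach ($vd in $check) {
    if ($vd.FormsAuthentication -or -not $vd.BasicAuthentication) {
        throw "Unexpected authentication settings on $($vd.Name)"
    }
}

# Same restart as in the GUI walkthrough.
iisreset /noforce
```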


The last step in preparing the Exchange CAS is to obtain and install an SSL certificate for use by OWA. To do this, open the IIS management console and highlight the root node in the console tree.


In the main window, double-click Server Certificates.


In the Actions pane, click the Create Certificate Request… link.


Complete the request form, making sure the Common Name field includes the Fully Qualified Domain Name (FQDN) of the CAS server.


Note:
In our example we are using split DNS, so the external public-facing FQDN is identical to the internal FQDN. If you are not using split DNS it will be necessary to make separate certificate requests for each FQDN (internal and external).

Select the appropriate Cryptographic Service Provider and Bit Length that meet your requirements. In most cases the defaults will be sufficient.


Specify a location to save the request file and submit the request to a Certificate Authority (CA).


Once the request has been processed by a CA, complete the request by clicking the Complete Certificate Request… link.


Specify the location of the certificate file issued by the CA and enter a descriptive name.


To use this certificate with TMG we’ll need to export the certificate along with its private key. Highlight the new certificate in the main window and, in the Actions pane, click the Export… link.


Specify the location to save the file and enter a strong password.


To assign this new certificate to the OWA web site, highlight the root node in the console tree.


In the Actions pane click the Bindings… link.


Highlight the HTTPS protocol and choose Edit…


Select the new certificate from the dropdown list.
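
Before copying the exported file to the TMG firewall, it is worth confirming that it really contains the private key and that its names cover the FQDN clients will use. The check below is an added example, not from the original article; the file path, FQDN, minimum key size and expiry margin are placeholder assumptions, and the SAN parsing assumes an English-language Windows and an RSA key.

```powershell
# Added example (not from the article). All four values below are assumptions; adjust them.
$PfxPath      = 'C:\Temp\owa-cert.pfx'   # hypothetical path of the exported file
$ExpectedFqdn = 'mail.example.com'       # hypothetical FQDN entered as the Common Name
$MinKeyBits   = 2048                     # assumed policy minimum
$MinDaysLeft  = 30                       # assumed expiry margin

$password = Read-Host -AsSecureString 'PFX password'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password)
$problems = @()

# TMG needs the private key; an export made without it fails this check.
if (-not $cert.HasPrivateKey) { $problems += 'No private key in the file.' }

# Names the certificate is valid for: subject CN plus any DNS entries in the SAN extension.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
}

# Exact match, or a wildcard that covers exactly one leading label.
$matched = $false
$dot = $ExpectedFqdn.IndexOf('.')
foreach ($n in $names) {
    if ($n -eq $ExpectedFqdn) { $matched = $true }
    elseif ($n.StartsWith('*.') -and $dot -gt 0 -and
            $ExpectedFqdn.Substring($dot) -eq $n.Substring(1)) { $matched = $true }
}
if (-not $matched) { $problems += "Names [$($names -join ', ')] do not include $ExpectedFqdn." }

# Key size and validity window.
$bits = $cert.PublicKey.Key.KeySize
if ($bits -lt $MinKeyBits) { $problems += "Key is only $bits bits." }
if ($cert.NotBefore -gt (Get-Date)) { $problems += "Not valid until $($cert.NotBefore)." }
if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) { $problems += "Expires $($cert.NotAfter)." }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "OK: $($cert.Subject), thumbprint $($cert.Thumbprint)" }
```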


Summary

In part one of this two-part series we prepared the Exchange 2010 CAS server for publishing with TMG by changing the default authentication method from Forms Based Authentication to Integrated Windows authentication. We also requested and installed a certificate on the CAS server and exported it along with the private key for use on the TMG firewall later. Be sure to read part two, where we walk through the steps required to publish Exchange Outlook Web App 2010 on Forefront Threat Management Gateway (TMG).


The Author — Richard Hicks


Richard Hicks (MCP, MCSE, MCTS, MCITP:EA, Enterprise Security MVP) is a network and information security expert specializing in Microsoft technologies. As a five-time Microsoft Most Valuable Professional (MVP), he has traveled around the world speaking to network engineers, security administrators, and IT professionals about Microsoft edge security and remote access solutions.
