Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010 Part 2 – Configuring TMG

by [Published on 4 Aug. 2010 / Last Updated on 20 May 2013]

Forefront Threat Management Gateway (TMG) 2010 includes support for publishing Microsoft Exchange Outlook Web App (OWA) for Exchange 2010, as well as Outlook Web Access for Exchange 2007, 2003, and 2000. In the first part of this two-part series we looked at how to prepare the CAS server for publishing. In the second part we will walk through the steps required to publish Exchange OWA 2010 using TMG.

If you would like to read the first part of this article series please go to Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 – Preparing the Client Access Server (CAS).

Introduction

Forefront Threat Management Gateway (TMG) 2010 includes support for publishing Microsoft Exchange Outlook Web App (OWA) for Exchange 2010, as well as Outlook Web Access for Exchange 2007, 2003, and 2000. In this second part of the article series we will walk through the steps required to publish Exchange OWA 2010 using TMG.

Importing the Certificate

Before we can publish OWA, we first need to import the SSL certificate for the site on the TMG firewall. To accomplish this, click Start / Run and then type mmc.exe. From the drop down menu choose File / Add/Remove Snap-in. Select Certificates, then click Add >.


Figure 1

Select the Computer Account option.


Figure 2

Select the option to manage the Local computer.


Figure 3

In the console tree, expand the Certificates node. Expand the Personal folder, then right-click the Certificates folder and choose Import…


Figure 4

Enter the location of the certificate file you exported previously.


Figure 5

Enter the password and optionally mark the private key exportable.


Figure 6

Accept the default option to Place all certificates in the following store.


Figure 7

Creating the OWA Publishing Rule

In the TMG management console, right-click the Firewall Policy node in the console tree and choose New, then Exchange Web Client Access Publishing Rule…

Figure 8

Give the publishing rule a descriptive name.


Figure 9

Select Exchange Server 2010 from the drop down list, and then select the option to publish Outlook Web Access.


Figure 10

For demonstration purposes we are publishing a single CAS server, so we’ll choose the option to Publish a single web site or load balancer.


Figure 11

Select the option to Use SSL to connect to the published web server or server farm.


Figure 12

Enter the name of the internal web site.


Figure 13

Select the option to accept requests for a specific domain, and then enter the public name of the web site.


Figure 14

Create a web listener for the site by selecting New…, and then enter a descriptive name for the listener.


Figure 15

Select the option to Require SSL secure connection with clients.


Figure 16

Select the network to listen for incoming web requests.


Figure 17

Choose Select Certificate… and select the certificate you imported previously.


Figure 18

Select the option to use HTML Form Authentication and Windows (Active Directory) to validate credentials.


Figure 19

If required, enable SSO.


Figure 20

The authentication method used by TMG must match the authentication method configured on the web site. Since we enabled basic authentication on the web site, we’ll choose Basic Authentication here.


Figure 21

If you wish to grant access to OWA only to specific users and/or groups, add them here. Otherwise accept the default All Authenticated Users group.


Figure 22

To confirm operation, click the Test Rule button.


Figure 23

TMG will test the rule and report the success or failure accordingly.


Figure 24

Summary

After preparing the Exchange Client Access Server (CAS) in part one of this series, in part two we configured Forefront Threat Management Gateway (TMG) to securely publish Exchange Outlook Web App 2010. We imported the SSL certificate and walked through the Exchange Web Client Access Publishing Rule wizard, and used the diagnostic features in TMG to make certain the publishing rule was configured correctly.

If you would like to be notified of when Richard Hicks releases the next part in this article series please sign up to our ISAserver.org Real Time Article Update newsletter.

If you would like to read the first part of this article series please go to Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 – Preparing the Client Access Server (CAS).

The Author — Richard Hicks

Richard Hicks avatar

Richard Hicks (MCP, MCSE, MCTS, MCITP:EA, Enterprise Security MVP) is a network and information security expert specializing in Microsoft technologies. As a five-time Microsoft Most Valuable Professional (MVP), he has traveled around the world speaking to network engineers, security administrators, and IT professionals about Microsoft edge security and remote access solutions.

Latest Contributions

Advertisement

Featured Links