Microsoft Forefront UAG - Publishing Microsoft Exchange Server 2010 Outlook Web App

by [Published on 14 Aug. 2012 / Last Updated on 20 May 2013]

In this article the author will show you how to publish Microsoft Exchange Server 2010 Outlook Web App using Forefront UAG.

Let's begin

In a previous article published at www.isaserver.org I demonstrated how to create a portal trunk in Forefront UAG to publish internal applications like Microsoft SharePoint. In this article I will demonstrate how to publish Outlook Web App from Microsoft Exchange Server 2010 through Forefront UAG.

To publish a Microsoft Exchange Server 2010 Outlook Web App, start the Microsoft Forefront UAG Management console, then go to the HTTPS portal trunk created in advance and click add in the applications window. The wizard will help you publish different applications through the Forefront UAG portal.

Select Web – Microsoft Exchange Server (all versions) to publish the internal Microsoft Exchange Server 2010 or a Client Access Server (CAS) array of Exchange servers.


Figure 1: Publish OWA with Forefront UAG

Since we want to publish Exchange Server 2010 Outlook Web App select Exchange Server 2010 as the version.


Figure 2: Select the OWA option

Next, we must specify a name for the new application. We will name the application OWA. In Step 3, it is possible to configure endpoint policies for the application. Forefront UAG allows you to create endpoint policies at the port trunk and application levels to control access to both from external clients. If you are unfamiliar with UAG Endpoint policies leave the settings unchanged.


Figure 3: OWA Endpoint policies

Next click configure an application server. In Step 5, enter the FQDN of the internal Microsoft Exchange Server 2010 and the port you would like to use when Forefront UAG should access the internal Exchange Server. If you want to restrict access to a specific path you are able to do this in the UAG configuration wizard. The wizard allows access to all required paths like /OWA, /Exchange, /Public, /Exchweb.


Figure 4: Specify the name of the internal Exchange Server

In Step 7 we can use different authentication mechanisms. Because we want to enable SSO (Single Sign On) for users who access the Forefront UAG portal and use the internal Exchange Server 2010.


Figure 5: Enable SSO

We would like to add a portal and toolbar link, and if you want to open the Exchange Server 2010 application in a new window it is possible by enabling this checkbox.


Figure 6: Portal name and portal option

In Step 9, it is possible to configure the authorization settings to access the application in the portal. If you would like to grant all authenticated users access to the Outlook Web App application, leave the default setting unchanged. If you want to only grant specific users and user groups access to the Outlook Web App application uncheck the checkbox. Then select users and usergroups from the already created repository to grant or deny them access to the Outlook Web App application.


Figure 7: Allow only specific user groups and users access to Outlook Web App

Click Finish.

We must now save the configuration, click the floppy symbol to save the configuration. After that we can activate the configuration so that all changes will be effective after a short period of time. To activate the configuration, click the button on the right side of the floppy symbol.

After the application has been created in the portal we are now able to customize the settings of the Outlook Web App application. I will only give you some high level steps for application customization.

The Web Settings tab allows you to verify URLs used or to allow WebDAV methods to the published server and many more settings.


Figure 8: Forefront UAG web settings

The Web Server Security tab allows you to activate the smuggling protection feature and the maximum size of the POST request. HRS can be used to block requests if the following conditions apply:

  • The method is POST
  • The content-type is not listed in the content-type list
  • The length is greater than the specified maximum length

This option should be enabled only for servers that are vulnerable to HRS attacks. If this option is enabled when it is not required, applications may not behave as expected.


Figure 9: Web Server Security

At the client side

After all settings have been configured, you can now test the connection from an external client by opening the portal website. When you visit the website for the first time a set of ActiveX controls or Java applets depending on the browser version you use will be installed. These components are called the endpoint detection components which interacts with the Forefront UAG Server for applying Endpoint policies and for local interaction between the Forefront UAG Server and the client.

The user must enter the user name and the password.


Figure 10: Logon to the portal

After the user has been authenticated he will get access to the Forefront UAG portal and can now use the published Outlook Web App application.


Figure 11: Access OWA through the portal

Conclusion

In this article we published a Microsoft Exchange Server 2010 Outlook Web App using Microsoft Forefront UAG. As you have seen, publishing a Microsoft Exchange Server 2010 with Forefront UAG provides much more capabilities and customization as to publish an Exchange Server 2010 with Microsoft Forefront TMG.

Related links

The Author — Marc Grote

Marc Grote avatar

Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in TMG/UAG Server, Exchange, System Center, Security for Windows Server 2012 and Windows Server 2012 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004.

Latest Contributions

Featured Links