How to Publish Outlook Web App with ISA Server 2006

One way to make Exchange Server 2010 Outlook Web App (OWA) available for remote users is to publish it using ISA Server 2006.  There are several parts of this solution that make it work.

This diagram provides an overview of how Outlook Web App is published using ISA Server 2006.  The remote user makes a connection over HTTPS (SSL) to the ISA firewall, which then reverse proxies the traffic over SSL to the Client Access server.  The Client Access server is then responsible for proxying the requests for the user’s mailbox to the appropriate Mailbox server using RPC connections.

Configuring the Exchange 2010 Client Access Server

In this example the /OWA virtual directory on the Client Access server is configured for both Basic and Integrated authentication.  This combination allows internal, domain-joined computers to seamlessly log on to Outlook Web App while also permitting the ISA server to use Basic delegation to authenticate the remote user.

For more details see this article on how to configure Outlook Web App authentication.

The Client Access server /OWA virtual directory has also been configured with the external URL to match the public DNS name.
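The same Client Access server settings can be applied and checked from the Exchange Management Shell. This is an added example, not part of the original article: the server name CAS01 and the public name mail.example.com are placeholders, and applying the same methods to /ecp is an assumption the article does not state.

```powershell
# Added example. Run in the Exchange Management Shell (Exchange 2010).
# Placeholders, not values from the article:
$server     = 'CAS01'              # hypothetical Client Access server name
$publicName = 'mail.example.com'   # replace with your public DNS name

# Desired state described in the article: Basic + Integrated on /owa.
# With these standard methods selected, forms-based authentication is off on
# the CAS itself; the logon form remote users see is rendered by ISA.
$auth = @{
    BasicAuthentication   = $true
    WindowsAuthentication = $true
    FormsAuthentication   = $false
}

Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory @auth -ExternalUrl "https://$publicName/owa"

# Assumption beyond the article: /ecp gets the same methods, because the
# publishing rule later adds the /ecp/* path alongside /owa.
Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory @auth -ExternalUrl "https://$publicName/ecp"

# Read the settings back and warn about anything that differs from $auth.
$dirs = @(Get-OwaVirtualDirectory -Server $server) +
        @(Get-EcpVirtualDirectory -Server $server)
foreach ($d in $dirs) {
    foreach ($k in $auth.Keys) {
        if ($d.$k -ne $auth[$k]) {
            Write-Warning "$($d.Identity): $k is $($d.$k), expected $($auth[$k])"
        }
    }
}
$dirs | Format-Table Name, BasicAuthentication, WindowsAuthentication,
                     FormsAuthentication, ExternalUrl -AutoSize

# Authentication changes take effect after IIS restarts on the CAS.
# Run this on the Client Access server itself.
iisreset /noforce
```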

The Client Access server also needs to be configured with an SSL certificate.  Preferably this SSL certificate is from a public certificate authority but it can also be a private CA, as long as it is one that the ISA server trusts so that ISA considers the certificate to be valid.  You can of course import root certificates to make just about any certificate trusted by ISA but it is less effort and a better overall solution to use a public CA.
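One way to check, before building the rule, whether the Client Access server's certificate is acceptable to the ISA server. This is an added example, not from the original article. It assumes PowerShell is installed on the ISA server and uses .NET's certificate validation as an approximation of what ISA checks when it connects to the Client Access server over SSL. The function name is hypothetical.

```powershell
# Added example. Run on the ISA server so the chain is evaluated against that
# machine's trusted root store. Test-BridgedCertificate is a hypothetical name.
function Test-BridgedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $seen = @{ Errors = $null; Cert = $null }

    # Record what validation found, but let the handshake complete so the
    # certificate can be reported. No credentials or data are sent.
    $record = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $certificate, $chain, $errors)
        $seen.Errors = $errors
        $seen.Cert   = New-Object `
            System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $record)
        $ssl.AuthenticateAsClient($HostName)   # name is checked against $HostName
    }
    finally {
        $tcp.Close()
    }

    # SslPolicyErrors is a flags enum; test the two bits that matter here.
    $flags    = [int]$seen.Errors
    $nameBit  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainBit = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

    New-Object PSObject -Property @{
        Host         = $HostName
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        NotAfter     = $seen.Cert.NotAfter
        NameMatches  = (($flags -band $nameBit)  -eq 0)
        ChainTrusted = (($flags -band $chainBit) -eq 0)
    }
}

# The internal site name used in the article's publishing rule.
Test-BridgedCertificate -HostName 'mail.exchangeserverpro.net' | Format-List
```

If ChainTrusted is False, the issuing CA's root is missing from the ISA server's trusted roots; if NameMatches is False, the certificate does not cover the name being connected to.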

Configuring the ISA Server SSL Certificate

The ISA server needs to be configured with an SSL certificate to accept the secure remote access connections.  Although you can issue the server with its own certificate for this purpose, you could also export the SSL certificate from the Client Access server and import it to the ISA server, provided that the license terms of your issuing CA allow for that.  Digicert is an example of a CA that allows certificates to be installed on multiple servers.

For more details see this article on exporting an SSL certificate from Exchange 2010 (note that it refers to importing it for Exchange 2003 but the steps are the same for importing to an ISA Server 2006 firewall running on Windows Server 2003).

Configuring the ISA Server Publishing Rule for Outlook Web App

In the ISA Server Management console right-click the Firewall Policy and choose New -> Exchange Web Client Access Publishing Rule.

Give the new rule a name and click Next to continue.

Set the Exchange version to Exchange Server 2007 (yes this is correct for Exchange 2010 publishing) and tick the box for Outlook Web Access, then click Next to continue.

In this case a single server is being published. Click Next to continue.

Enter the internal site name for OWA (in this case mail.exchangeserverpro.net), and optionally enter a computer name or IP address for ISA to connect to if the internal site name does not resolve in the internal DNS zone.  Click Next to continue.

Configure the public names that this rule should accept connections for and click Next to continue.

 

Now we need to configure a web listener to accept the remote user connections.  Click on the New button.

Give the new web listener a name and click Next to continue.

Leave the default choice to require SSL and click Next to continue.

Select the External interface for the web listener to listen on.  If your External interface has multiple IP addresses you can configure the web listener to listen on all, some, or just one of those IP addresses.  Click Next to continue.

Click on the Select Certificates button.

A list of valid certificates will appear, which should include the one you imported to the server earlier.  Choose that certificate and click the Select button, then click Next to continue.

Leave the authentication set to HTML Form Authentication and Windows (Active Directory).  Note this assumes your ISA server is joined to the domain, otherwise you can configure LDAP authentication.  Click Next to continue.

Single Sign-On is useful but optional.  Click Next to continue.

Click Finish to complete the new web listener wizard.  If there are no warnings or errors displayed click Next to continue.

Leave the authentication delegation set to Basic Authentication and click Next to continue.

Leave the users set to All Authenticated Users and click Next to continue.

Before you click Finish to create the new rule first click on the Test Rule button to validate the settings you chose.

If the tests are all successful click on Close and then Finish to create the rule.

Before applying the changes to the Firewall Policy double-click the new rule to open its properties.  Select the Paths tab and then click Add.

Add the Exchange Control Panel virtual directory path of /ecp/* and then click OK and OK again.

Now click Apply to commit the changes to the Firewall Policy.

Testing the ISA Server 2006 Publishing Rule for Outlook Web App

Now that the rule has been configured we can test it from outside of the firewall using a web browser.  When the remote user first connects to the Outlook Web App URL they will see the Exchange 2007 style log on form that ISA 2006 renders.

However, after logging in, the Exchange Server 2010 Outlook Web App interface will be available to the remote user.

About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013.

Comments

  1. Dinesh Silva says:

    Excellently Done….! Thanks

  2. Essam Fouad says:

    I don't know how to thank you!!

  3. Hi, I have an issue in this setup where I want internal network and external network to be presented with form authentication… however, when logging in, the user gets two authentication screens, first ISA's then Exchange 2010's. Is there any way to have only a single authentication screen? Thank you

  4. Hi Paul, 1. I too get similar two auth like Jorge. Is there a simple way other than creating a second owa directory? 2. How do I direct my site https://mail.abcde.com to https://mail.abcde.com/owa automatically when they click! Thanks mate.

  5. Sinuhe69 says:

    Dear Paul,
    Publishing Outlook Web App with ISA 2006 is quite straightforward and easier because you can test it directly. But how about publishing Outlook Anywhere (RPC over HTTP)? Here there is also auto-discovery and other nasty bits to consider. We for example already set up and configured Outlook Anywhere access to our CAS servers. However, because they face the internet directly (over a not very stable network link), we want to reduce the attack surface and do load balancing using an ISA server in front. I think it should be easy to achieve, but it is not! In fact, Outlook Web App works fine but not Outlook Anywhere! Looking forward to your tutor on this stuff and thanks in advance.
    BTW, your tutors are great, well written and clearly introduced! Well done.

  6. Henning Svane says:

    Dear Paul,
    I also have a problem with two authentication screens.
    My setup is like this.

    I use Form authentication
    mail.abc-as.dk ISA 2006 Exchange 2010 (mail.abcas.dk)
    As you can see, the domains are not the same for the external and the internal

    The explanation you gave earlier I do not understand. Can you give a little more help? :-)

    Thanks
    Henning
