Publishing Exchange 2013 Outlook Web App with Forefront Threat Management Gateway (TMG) 2010
In a web publishing scenario, the Forefront Threat Management Gateway (TMG) 2010 firewall serves as a reverse proxy for public requests for the internal published application. In this scenario, Forefront TMG provides essential protection for the published resource, such as denial of service (DoS) protection, pre-authentication, multi-factor authentication, protection from application-layer attacks, and much more. One of the more commonly published web applications is Microsoft’s Outlook Web App (OWA). Forefront TMG 2010 supports the (wizard based) publishing of Exchange OWA going all the way back to Exchange 2000. Today it does not support native wizard-based publishing of Exchange 2013 OWA. It can, however, be configured to do so with just a few small changes. If you’re one of those organizations who has not yet moved to Exchange online and is still supporting an on-premises deployment of Exchange 2013, Forefront TMG 2010 can be configured to securely publish Outlook Web App.
Preparing Exchange 2013 for TMG Publishing
In order to support publishing Exchange 2013 OWA with Forefront TMG 2010, there are a few changes that must be made on the Exchange 2013 server. By default, Exchange 2013 OWA is configured to use Forms-based Authentication (FBA), to which Forefront TMG cannot perform authentication delegation to. If left in this state you would receive two authentication prompts, which is not only confusing, it is needless. With Forefront TMG performing authentication of external users on behalf of the Exchange server, it will be necessary to change the default authentication settings in Exchange from FBA to basic authentication. To begin, open the Exchange admin center, highlight servers in the navigation tree, select virtual directories and then double-click owa (Default Web Site). Click authentication in the navigation tree, choose the option to Use one or more standard authentication methods and select Basic authentication. Click Save to continue.
You’ll receive a warning indicating that you need to also change the authentication settings on the ECP virtual directory. To do this, double-click ecp (Default Web Site) and repeat the previous steps. Once complete, close the Exchange admin center, open an elevated command prompt on the mail server, and issue an iisreset /noforce command to commit the changes.
Publishing Exchange 2013 OWA with Forefront TMG
Although there is no native Exchange 2013 OWA web publishing wizard in Forefront TMG 2010 at the time of this writing, we can leverage the existing Exchange 2010 OWA web publishing wizard as a starting point for publishing Exchange 2013 OWA. In the Forefront TMG 2010 management console, right-click Firewall Policy in the navigation tree and choose New and Exchange Web Client Access Publishing Rule.
Give the new web publishing rule a descriptive name and then select Exchange Server 2010 for the Exchange version and choose Outlook Web Access for the Web client mail services.
Next, choose whether you want to publish a single web site or load balancer or a server farm of load balanced web servers. Even if you are publishing a single web server, it can still be useful to select the option to publish a farm of servers. Doing this will allow you to more easily expand capacity in the future, if required. For demonstration purposes I will choose to publish a single web site.
Choose the option to Use SSL to connect to the published web server or server farm. This is the best and recommend configuration for secure web publishing. Be advised that by default, Exchange will use a self-signed certificate for the OWA web site, which will not work with Forefront TMG. Before proceeding you should make sure that you have a valid certificate configured in Exchange that is issued by a certificate authority that is trusted by the TMG firewall.
Provide the Internal site name and optionally select to Use a computer name or IP address to connect to the published server.
Specify the public name to accept requests for. In cases where split DNS is configured, this will be the same name specified earlier. In cases where split DNS is not configured, enter the public hostname that will be used by clients to connect to the published web site.
Click New to create a new web listener for this published web site. Give the new web listener a descriptive name and choose the option to Require SSL secured connections with clients. This is vital to the security of the published Exchange 2013 web site as we’re using basic authentication which is unencrypted.
Select the appropriate TMG networks and IP addresses for this published application. The public name specified earlier should resolve to an IP address assigned to this network.
Assign the correct SSL certificate to the newly created web listener. Make certain that the public name for the published site matches the subject name (or one of the subject alternative names) on the SSL certificate.
Select HTML Form Authentication from the drop-down list and Select how Forefront TMG will validate client credentials.
Optionally select to Enable SSO for web sites published with this web listener and specify an SSO domain.
Select Basic authentication as the authentication delegation method.
By default, the web publishing rule will apply to All authenticated users. Optionally you can specify individual users or groups to access the published web site.
Before you save and apply the changes, double-click the newly created rule and select the Application Settings tab. Change the default value of Published server logoff URL from ?Cmd=logoff to /owa/logoff.owa.
Next, select the Public Name tab, click Add, and enter your autodiscover public hostname.
Finally, select the Paths tab and add /autodiscover/* as an external path, using the Same as published folder option.
Once complete, save and apply the changes, wait for the configuration to synchronize, and then begin testing. One thing you will of course notice is that the logon and logoff pages still resemble the Exchange OWA 2010 look and feel. Forefront TMG’s FBA pages are fully customizable, so if you’re like me and you don’t like the fact that the logon/logoff pages don’t match Exchange 2013’s new look and feel, you can always invest the time and effort in to resolving that if you wish. Details on how to customize FBA pages in Forefront TMG can be found here.
Published SSL Web Site Security
In its default configuration, Forefront TMG 2010 leaves a lot to be desired in terms of its default SSL security posture. To provide the highest level of protection for your Exchange 2013 OWA published web site, please refer to the article Improving SSL Security for Forefront Threat Management Gateway (TMG) 2010 Published Web Sites.
In the absence of native support for publishing Exchange 2013 Outlook Web App in Forefront TMG 2010, it is possible, with a few mall adjustments to the default setting used by Exchange 2010 OWA, to configure Forefront TMG to securely publish Exchange 2013 OWA. By publishing Exchange 2013 OWA with Forefront TMG, we can effectively leverage the added security features provided by the TMG firewall to provide the highest level of protection for our on-premises Exchange 2013 OWA infrastructure.