Publishing Exchange Server 2013 Outlook Web App with Forefront UAG
In a previous article published on www.isaserver.org I showed you how to create a portal trunk in Forefront UAG to publish Exchange 2010 applications like Microsoft Outlook Web Access. In this article I will demonstrate how to publish Outlook Web App from Microsoft Exchange Server 2013 through Forefront UAG.
To publish Exchange Server 2013 using the built-in wizards of Forefront UAG you must install Forefront UAG Service Pack 3 or higher.
To publish a Microsoft Exchange Server 2013 Outlook Web App, start the Microsoft Forefront UAG Management console and go to the HTTPS portal trunk created earlier. Then click Add in the Applications pane to start the wizard that helps you publish different applications in the Forefront UAG portal.
Right click the portal trunk and select Web – Microsoft Exchange Server (all versions) to publish the internal Microsoft Exchange Server 2013 Client Access Server (CAS).
Figure 1: Publish OWA with Forefront UAG
Because we want to publish Exchange Server 2013 Outlook Web App, select Exchange Server 2013 as the version.
Figure 2: Select the OWA option
Next, we must specify a name for the new application. We will name the application OutlookWebApp. In Step 3 it is possible to configure endpoint policies for the application. Forefront UAG allows you to create endpoint policies at the portal trunk level and at the application level to control access to the portal and to the application from external clients. If you are unfamiliar with UAG endpoint policies, leave the settings unchanged.
Figure 3: Outlook Web App Endpoint policies
Select the checkbox "Configure an application server". In Step 6 enter the FQDN of the internal Exchange Server 2013 Client Access Server and the port Forefront UAG should use to reach the internal Exchange Server. If you want to restrict access to specific paths, you can do this in the Forefront UAG configuration wizard. By default the wizard allows access to all the usual paths, such as /OWA, /Exchange, /Public and /Exchweb.
As a best practice, remove the paths that are not needed, such as /Exchweb, /iisadmpwd and /Exchange, so that the published surface is limited to what clients actually use.
Figure 4: Specify the name of the internal Exchange Server
In Step 7 we can choose between different authentication mechanisms. Because we want to enable SSO (Single Sign On) for users who access the Forefront UAG portal, enable SSO so that the portal credentials are used for the internal Exchange Server 2013.
Figure 5: Enable SSO
We would like to add a portal and toolbar link; if you want the Exchange Server 2013 OWA application to open in a new window, enable that checkbox as well.
Figure 6: Portal name and portal option
In Step 9 it is possible to configure the authorization settings for access to the application in the portal. If you would like to grant all authenticated users access to the Outlook Web App application, leave the default setting unchanged. If you want to grant only specific users and user groups access to the Outlook Web App application, uncheck the checkbox and select the users and user groups from the previously created repository to grant or deny them access to the Outlook Web App application.
Figure 7: Allow only specific user groups and users access to Outlook Web App
We must now save the configuration to store the changes to the Forefront UAG configuration. Click the floppy symbol to save the configuration. After that we must activate the configuration so that all changes become effective after a short time. To activate the configuration, click the button to the right of the floppy symbol.
After the application has been created in the portal we are able to customize the settings of the Outlook Web App application. I will only give you some high-level steps for application customization.
The Web Settings tab allows you to verify the URLs used, to allow WebDAV methods to the published server, and to change many more settings.
Figure 8: Forefront UAG web settings
The Web Server Security tab allows you to activate the HTTP request smuggling (HRS) protection feature and to set the maximum size of a POST request. HRS protection can be used to block requests when the following conditions apply:
- The method is POST
- The content-type is not listed in the content-type list
- The length is greater than the specified maximum length
This option should be enabled only for servers that are vulnerable to HRS attacks. If this option is enabled when it is not required, applications may not behave as expected.
Figure 9: Web Server Security
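To make the rule above concrete, here is an added example (not Forefront UAG code) that models the HRS check as the page describes it and runs it over a few constructed requests. It assumes the reading that a POST is blocked when its content type is not in the allowed list or its length exceeds the configured maximum, and it additionally rejects a malformed Content-Length, which the page does not mention; the policy values are constructed.

```python
# Added example, not Forefront UAG code: a model of the HRS blocking rule
# described on the page. Assumption: a POST is blocked when its Content-Type
# is not in the allowed list OR its length exceeds the maximum; requests with
# other methods are never blocked by this rule.
from dataclasses import dataclass


@dataclass
class HrsPolicy:
    enabled: bool = True
    max_post_length: int = 2 * 1024 * 1024          # bytes, constructed value
    allowed_content_types: tuple = (                  # constructed allow list
        "application/x-www-form-urlencoded",
        "multipart/form-data",
        "text/xml",
    )


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' or '; boundary=...'."""
    return content_type.split(";", 1)[0].strip().lower()


def hrs_block_reason(policy, method, headers):
    """Return None if the request passes, otherwise a short block reason."""
    if not policy.enabled or method.upper() != "POST":
        return None
    ctype = headers.get("content-type")
    if ctype is None or media_type(ctype) not in policy.allowed_content_types:
        return "content-type not in allowed list"
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        length = -1
    if length < 0:                                   # added edge case
        return "malformed content-length"
    if length > policy.max_post_length:
        return "content-length exceeds maximum"
    return None


# Constructed sample requests (method, lower-cased header dict).
CONSTRUCTED_REQUESTS = [
    ("POST", {"content-type": "application/x-www-form-urlencoded", "content-length": "512"}),
    ("POST", {"content-type": "text/plain", "content-length": "512"}),
    ("POST", {"content-type": "multipart/form-data; boundary=x", "content-length": str(3 * 1024 * 1024)}),
    ("GET", {"content-length": str(3 * 1024 * 1024)}),
]


def evaluate(policy, requests):
    """Apply the policy to each request; None means the request is allowed."""
    return [hrs_block_reason(policy, m, h) for m, h in requests]
```

Running `evaluate(HrsPolicy(), CONSTRUCTED_REQUESTS)` shows why the page warns about enabling the option where it is not needed: the legitimate-looking `text/plain` POST in the sample set is blocked purely because its type is not on the list.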
On the client side
After all settings have been configured you can test the connection from an external client. Open the Forefront UAG portal website. When you visit the website for the first time, a set of ActiveX controls or Java applets, depending on the browser you use, will be installed. These components are the endpoint detection components; they interact with the Forefront UAG server to apply endpoint policies and handle local interaction between the Forefront UAG server and the client.
The user must enter a user name and password to get access to the portal.
Figure 10: Logon to the UAG portal
After the user has been authenticated, they get access to the Forefront UAG portal and can use the published Outlook Web App application.
Figure 11: Access OWA through the portal
The user is now able to use Outlook Web App just as from the internal network.
Figure 12: Outlook Web App application
In this article we published a Microsoft Exchange Server 2013 Outlook Web App with Microsoft Forefront UAG. As you have seen, publishing Microsoft Exchange Server 2013 with Forefront UAG provides many more capabilities and customization options than publishing Exchange Server 2013 with Microsoft Forefront TMG.
- What’s new in Forefront UAG Service Pack 3
- Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010
- Microsoft Forefront UAG – Overview of Microsoft Forefront UAG
- Forefront UAG technical overview