Enabling Forms-based Authentication for External and Internal OWA 2010 Users in Exchange 2010 published using Forefront TMG 2010 (Part 5)

If you would like to read the other parts in this article series please go to:


In part 4 of this multi-part article, where I walk you through how to enable forms-based authentication for external and internal Outlook Web App 2010 (OWA 2010) users where Exchange 2010 is published using Forefront TMG 2010, we had a looking at the configuration we performed for internal OWA/ECP users. In addition, I described the Forefront TMG 2010 solution deployed in this specific lab environment. Moreover, we imported the Exchange 2010 SAN/UC certificate on the four Forefront TMG 2010 servers. Lastly, I talked about why it usually is a better idea to publish the Exchange 2010 servers rather than the load balancers via Forefront TMG 2010.

In this part 5 which is the last in this multi-part article, we’ll continue where we left of in part 4. We’ll create the Forefront TMG 2010 web publishing rules required to make OWA and ECP accessible from an external network. Then we’ll very that OWA and ECP access works as expected from an external client. 

Creating the Web Farm Pulishing Rule for OWA/ECP

So in order to create the web farm publishing rules, log on to one of the servers in the Forefront TMG 2010 stand-alone array in the primary datacenter, and then launch the Forefront TMG console. Expand the Server nodeand then right-click on “Firewall Policy”. In the context menu select “New” > “Exchange Web Client Publishing Rule” as shown in Figure 1.

Figure 1: Creating a new Exchange Web Client Access Publishing Rule

Give the new web publishing rule a meaningful name such as Exchange 2010 OWA/ECP (Web Farm) and then click “Next” (Figure 2).

Figure 2: Naming the New Exchange Publishing Rule

On the “Select Services” page, select “Exchange Server 2010” in the drop-down box and then check “Outlook Web Access”. Now click “Next”.

Figure 3: Selecting Exchange version and web client mail services

On the “Publishing Type” page, select “Publish a server farm of load balanced Web servers” and click “Next”.

Figure 4: Selecting publishing type

On the “Server Connection Security” page, select “Use SSL to connect to the published Web server or server farm” and click “Next”.

Figure 5: Selecting Server Connection Security

On the “Internal Publishing Details” page, type the internal FQDN in the “Internal site name” box and then click “Next”. In this lab environment, we use split-DNS so the internal FQDN is identical to the external which is “mail.exchangeonline.dk”.

Figure 6: Entering the Internal FQDN

On the “Specify Server Farm” page, we need to create a new Exchange server farm. So click “New”.

Figure 7: Cicking New to create a new Exchange server farm

On the “Welcome to the New Server Farm Wizard” page, enter a meaningful name for the new Exchange Server farm (such as Exchange 2010 CAS Farm).

Figure 8: Enter name for the new Exchange Server farm

On the “Servers” page, we need to add the Exchange servers that should be part of the Exchange Server Web farm (Figure 9). To do so click “Add”.

Figure 9: Adding Exchange Servers to the Exchange CAS Farm

The Exchange 2010 CAS Farm in the primary datacenter should consist of “EX01” and “EX03” so we’ll add those.

Figure 10: adding EX03 to the Exchange CAS Farm

When both Exchange servers has been added click “Next”.

Figure 11: Exchange servers in primary datacenter added to the Exchange CAS Farm

On the “Server Farm Connectivity Monitoring” page, select the defaults (which should be “Send an HTTP/HTTPS GET request”), and then click “Next”.

Figure 12: Selecting Server Farm Connectivity Monitoring method

On the “Completing the New Server Farm Wizard” page, click “Finish” to exit the wizard.

Figure 13: Completing the New Server Farm Wizard

You will now be presented with the dialog box shown in Figure 14. Click “Yes”.

Figure 14: Enabling HTTP Connectivity Verification

We’re now back in the “New Exchange Publishing Rule Wizard”. Make sure the new Exchange server farm is selected and click “Next”.

Figure 15: Specifying the Exchange server farm to use with the Exchange Publishing Rule Wizard

On the “Public Name Details” page, make sure “This domain name (type below) is selected in the “Accept requests for” drop-down menu. Then enter the FQDN used by external clients to access OWA/ECP (in this case “mail.exchangeonline.dk”).

Figure 16: Entering the external FQDN on the Public Name Details page

Now we need to create a new web listener to be user with the Exchange Web farm publishing rule. Click “New”.

Figure 17: Clicking New in order to create new Web listener

Enter a meaningful name for the new Web Listener then click “Next”.

Figure 18: Entering a name for the new Web Listener

On the “Client Connection Security” page, make sure “Require SSL secured connections with clients” is selected and click “Next”.

Figure 19: Specifying the right Client Connection Security method

On the “Web Listener IP Addresses” page, check the extenal network or if you have multiple IP addresses associated with this network, select one of those.

Click “Next”.

Figure 20: Selecting the external network

Now we need to specify the certificate that should be used for the Web Listener. We imported this certificate back in part 4 of this multi-part article.

Click “Select Certificate”.

Figure 21: Listener SSL Certificates

Select the respective certificate and make sure it’s installed on both TMG 2010 servers as shown in the bottom of Figure 22 then click “Select”.

Figure 22: Selecting the respective certificate

Click “Next”.

Figure 23: Respective Certificate Selected

On the “Authentication Settings” page, make sure “HTML For Authentication” is sleected and there’s a bullet in “Windows (Active Directory)”. If the TMG servers are not domain-joined, you should select “LDAP (Active Directory).
Click “Next”.

Figure 24: Selecting the proper Authentication Settings

Since we want to enable single sign on for all published Exchange services and web servers using this web listener, check “enable SSO for Web sites published with this Web listener” then enter the domain name in the “SSO domain name” textbox.

Click “Next”.

Figure 25: Enabling SSO for all Exchange services and Web sites using the Web Listener

Click “Finish”.

Figure 26: Completing the New Web Listener Wizard

Back on the “Select Web Listener” page, click “Next”.

Figure 27: Back Select on Web Listener page

Select “Basic authentication” and click “Next”.

The authentication delegation you select here depends on the configuration on the OWA and ECP vdirs on the published Web Site and what authentication method you want to offer to your external OWA and ECP clients.

Figure 28: Selecting the Authentication Delegation method

Click “Next” on the “User Sets” page.

Figure 29: Applying rule to request from all users using this Web Listener

Click “Finish” to complete the “Exchange Publishing Rule wizard”.

Figure 30: Completing the New Exchange Publishing Rule Wizard

With the new Web Publishing rule created, open the property page for this new rule and click the “Paths” tab. Remove “/Public/*” and “/Exchange/*” and then click “Apply”.

Figure 31: Paths tab for the new Web Publishing Rule

Now click on the “Test Rule” button to verify that the new Web Publishing rule works as expected.

Figure 32: Testing the Web Publishing Rule works as expected

Things look good.

Now repeat the above steps on one of the servers in the Forefront TMG 2010 stand-alone array located in the failover datacenter. Here you should just use the “Failover.exchangeonline.dk” FQDN instead of “Mail.exchangeonline.dk”.

If you’re doing the load balancing using a TMG 2010 web farm publishing rule and your environment is running in Hyper-V, you need to enable MAC Spoofing on the TMG 2010 virtual machines. Otherwise the load balancing won’t work.

Verifying We Can Access OWA and ECP from an External Client

Now let’s try to logon to OWA from an external client. We should be presented with the OWA 2010 FBA Logon page and we will also be able to see that this is the FBA page from Forefront TMG 2010 as it will say “Connected to Microsoft Exchange Secured by Microsoft Forefront Threat Management Gateway” unlike the OWA 2010 FBA logon page on an Exchange 2010 CAS server which just says “Connected to Microsoft Exchange”.

Figure 33: Opening OWA FBA Logon Page from External Client

Let’s enter a username and password to see if we can logon to a mailbox using OWA. This too works as expected.

Figure 34: Accessing OWA 2010 through Forefront TMG 2010

Let’s also see if we can open the ECP. To do so, click “Options” > “See All Options” as shown in Figure 35.

Figure 35: Accessing ECP through Forefront TMG 2010

And there we go accessing the ECP was also a success.

Figure 36: Accessing ECP through Forefront TMG 2010

This concludes this multi-part article. Hope you learned something new along the way.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top