In a previous article published at www.isaserver.org I demonstrated how to create a portal trunk in Forefront UAG to publish internal applications like Microsoft SharePoint. In this article I will demonstrate how to publish Outlook Web App from Microsoft Exchange Server 2010 through Forefront UAG.
To publish a Microsoft Exchange Server 2010 Outlook Web App, start the Microsoft Forefront UAG Management console, go to the HTTPS portal trunk created earlier, and click add in the applications window to start the wizard. The wizard will help you to publish different applications in Forefront UAG portal.
Select Web – Microsoft Exchange Server (all versions) to publish the internal Microsoft Exchange Server 2010 or a Client Access Server (CAS) array of Exchange servers.
Figure 1: Publish OA/EAS with Forefront UAG
Since we want to publish Exchange Server 2010 Outlook Anywhere and Exchange Active Sync, select Exchange Server 2010 as the version.
Figure 2: Select the Outlook Anywhere and Exchange Active Sync option
Next, we must specify a name for the new application. We will name the application Exchange. In Step 3 it is possible to configure endpoint policies for the application. Forefront UAG allows you to create endpoint policies at the port trunk level and at the application level to control access to the portal, and the application from external clients. If you are unfamiliar with UAG Endpoint policies leave the settings unchanged.
Figure 3: OA/EAS endpoint policies
Next click configure an application server. In Step 5 enter the FQDN of the internal Microsoft Exchange Server 2010 and the port you would like to use when Forefront UAG should access the internal Exchange Server. If you want to restrict access to a specific path you are able to do this in the UAG configuration wizard. The wizard allows access to all required paths like /Microsoft-Server-ActiveSync and for Outlook Anywhere to the /RPC directory but especially only to the RPCPROXY.DLL.
Figure 4: Specify the name of the internal Exchange Server
In Step 7 we can use different authentication mechanisms. We want to enable SSO (Single Sign On) for users who access the Forefront UAG portal to use the internal Exchange Server 2010.
Because rich clients as Microsoft Outlook and mobile phones which support Exchange Active Sync cannot be authenticated through the portal directly, we must enable basic authentication or NTLM authentication which depends on the configuration of the Exchange Server and the Outlook clients for Outlook Anywhere.
Figure 5: Enable SSO
By default Outlook Anywhere authentication uses basic authentication, but it is possible to change this to Windows authentication with KCD (Kerberos Constrained Delegation) but this requires additional configuration steps in Exchange Server and Active Directory. If you want to enable Autodiscover for Outlook Anywhere you must use an additional public DNS name for Autodiscover, and you must make sure that the certificate on the Forefront UAG Server contains the Autodiscover name as the common name (CN), or the SAN (Subject Alternate Name) must contain the name Autodiscover.
Figure 6: Authentication options for Outlook Anywhere
In Step 9 it is possible to configure the authorization settings to access the application in the portal. If you would like to grant all authenticated users access to Outlook Anywhere or EAS leave the default setting unchanged. If you want to only grant specific users and user groups access to OA and EAS, uncheck the checkbox and select the users and user groups from the previously created repository to grant or deny them access.
Figure 7: Allow all authenticated users access to Outlook Anywhere and Exchange Active Sync
We must now save the configuration to store the changes to the Forefront UAG configuration. Click the floppy symbol to save the configuration. After that we can activate the configuration so that all changes will be effective after a short amount of time. To activate the configuration click the button right to the floppy symbol.
The UAG Exchange application wizard creates three applications:
- Exchange – For Outlook Anywhere and Exchange Active Sync access
- Exchange Autodiscover – For automatic Outlook mailbox configuration
- Exchange EWS – For Exchange Web Services
Figure 8: The UAG application wizard creates different applications in the portal
After the wizard has finished publishing Outlook Anywhere and Exchange Active Sync it is possible to customize the settings created by the wizard.
Forefront UAG uses basic authentication to authenticate against the Exchange Client Access (CAS) Server. The authentication settings must match the settings on the Exchange Server.
Figure 9: Application specific requests for OA and EAS
The Authentication option uses SSO for the published application and sends a 401 request to the Client Access Server.
Figure 10: 401 request for Exchange EWS
Web Server Security
The Web Server Security tab allows you to activate the smuggling protection feature and the maximum size of the POST request. HRS can be used to block requests if the following conditions apply:
- The method is POST
- The content-type is not listed in the content-type list
- The length is greater than the specified maximum length
This option should be enabled only for servers that are vulnerable to HRS attacks. If this option is enabled when it is not required, applications may not behave as expected.
Figure 11: Web Server Security
At client side – Outlook Anywhere
After all settings have been done at the Forefront UAG Server, it is now time to configure the Outlook 2010 clients which should access the Exchange Server 2010 through Forefront UAG with Outlook Anywhere. Configure the e-mail settings in the control panel of the client to use Outlook Anywhere. Enter the public DNS name which points to the Forefront UAG Server and specify Basic Authentication as the authentication method. The authentication settings must match the authentication options in Forefront UAG and Exchange Client Access Server.
Figure 12: Outlook Anywhere configuration in Outlook 2010
Start the Outlook application and right click the Outlook icon in the task pane and from the context menu select the Outlook connection settings option. As you can see in the following screenshot, the Outlook client connects via HTTPS to the internal Exchange Server.
Figure 13: Successful Outlook Anywhere connection
At client side – Exchange Active Sync
Depending on the mobile phone used, the configuration steps for connecting the mobile phone to the Exchange Server are different. As a high level step you must provide the following information:
- Public DNS name which points to the Forefront UAG Server
- Active Directory Domain Name for users which wants to access the UAG Server
- User name and password
- Enable the checkbox that SSL should be used to connect to the Forefront UAG Server
In this article we published Microsoft Exchange Server 2010 Outlook Anywhere and Exchange Active Sync with Microsoft Forefront UAG. As you have seen, publishing a Microsoft Exchange Server 2010 with Forefront UAG provides much more capabilities and customization as to publish an Exchange Server 2010 with Microsoft Forefront TMG.