One way to make Exchange Server 2010 Outlook Web App (OWA) available for remote users is to publish it using ISA Server 2006.  There are several parts of this solution that make it work.

This diagram provides an overview of how Outlook Web App is published using ISA Server 2006.  The remote user makes a connection over HTTPS (SSL) to the ISA firewall, which then reverse proxies the traffic over SSL to the Client Access server.  The Client Access server is then responsible for proxying the requests for the user’s mailbox to the appropriate Mailbox server using RPC connections.

How to Publish Outlook Web App with ISA Server 2006

Configuring the Exchange 2010 Client Access Server

In this example the /OWA virtual directory on the Client Access server is configured for both Basic and Integrated authentication.  This combination allows internal, domain-joined computers to seamlessly log on to Outlook Web App while also permitting the ISA server to use Basic delegation to authenticate the remote user.

How to Publish Outlook Web App with ISA Server 2006

For more details see this article on how to configure Outlook Web App authentication.

The Client Access server /OWA virtual directory has also been configured with the external URL to match the public DNS name.

How to Publish Outlook Web App with ISA Server 2006

The Client Access server also needs to be configured with an SSL certificate.  Preferably this SSL certificate is from a public certificate authority but it can also be a private CA, as long as it is one that the ISA server trusts so that ISA considers the certificate to be valid.  You can of course import root certificates to make just about any certificate trusted by ISA but it is less effort and a better overall solution to use a public CA.

Configuring the ISA Server SSL Certificate

The ISA server needs to be configured with an SSL certificate to accept the secure remote access connections.  Although you can issue the server with its own certificate for this purpose you could also export the SSL certificate from the Client Access server and import it to the ISA server, provided that the license terms your issuing CA allow for that.  Digicert is an example of a CA that allows certificates to be installed on multiple servers.

For more details see this article on exporting an SSL certificate from Exchange 2010 (note that it refers to importing it for Exchange 2003 but the steps are the same for importing to an ISA Server 2006 firewall running on Windows Server 2003).

Configuring the ISA Server Publishing Rule for Outlook Web App

In the ISA Server Management console right-click the Firewall Policy and choose New -> Exchange Web Client Access Publishing Rule.

How to Publish Outlook Web App with ISA Server 2006

Give the new rule a name and click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Set the Exchange version to Exchange Server 2007 (yes this is correct for Exchange 2010 publishing) and tick the box for Outlook Web Access, then click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

In this case a single server is being published. Click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Enter the internal site name for OWA (in this case mail.exchangeserverpro.net), and optionally enter a computer name or IP address for ISA to connect to if the internal site name does not resolve in the internal DNS zone.  Click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Configure the public names that this rule should accept connections for and click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

 

Now we need to configure a web listener to accept the remote user connections.  Click on the New button.

How to Publish Outlook Web App with ISA Server 2006

Give the new web listener a name and click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Leave the default choice to require SSL and click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Select the External interface for the web listener to listen on.  If your External interface has multiple IP addresses you can configure the web listener to listen on all, some, or just one of those IP addresses.  Click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Click on the Select Certificates button.

How to Publish Outlook Web App with ISA Server 2006

A list of valid certificates will appear, which should include the one you imported to the server earlier.  Choose that certificate and click the Select button, then click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Leave the authentication set to HTML Form Authentication and Windows (Active Directory).  Note this assumes your ISA server is joined to the domain, otherwise you can configure LDAP authentication.  Click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Single Sign-On is useful but optional.  Click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Click Finish to complete the new web listener wizard.  If there are no warnings or errors displayed click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Leave the authentication delegation set to Basic Authentication and click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Leave the users set to All Authenticated Users and click Next to continue.

How to Publish Outlook Web App with ISA Server 2006

Before you click Finish to create the new rule first click on the Test Rule button to validate the settings you chose.

How to Publish Outlook Web App with ISA Server 2006

If the tests are all successful click on Close and then Finish to create the rule.

How to Publish Outlook Web App with ISA Server 2006

Before applying the changes to the Firewall Policy double-click the new rule to open its properties.  Select the Paths tab and then click Add.

How to Publish Outlook Web App with ISA Server 2006

Add the Exchange Control Panel virtual directory path of /ecp/* and then click OK and OK again.

How to Publish Outlook Web App with ISA Server 2006

Now click Apply to commit the changes to the Firewall Policy.

How to Publish Outlook Web App with ISA Server 2006

Testing the ISA Server 2006 Publishing Rule for Outlook Web App

Now that the rule has been configured we can test it from outside of the firewall using a web browser.  When the remote user first connects to the Outlook Web App URL they will see the Exchange 2007 style log on form that ISA 2006 renders.

How to Publish Outlook Web App with ISA Server 2006

However after logging in the Exchange Server 2010 Outlook Web App interface will be available to the remote user.

How to Publish Outlook Web App with ISA Server 2006

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Rabia

    Hi,

    after setting up isa server 2006 how to make it a proxy server ?
    and is the ip of the proxy server is the same as the server ip itself ?

    Thanks.

  2. Luis Olias

    Thanks a lot !

    If I place a Edge Transport Server between two ISA Servers, in a DMZ, … Does the public ISA Server have to publish the OWA pointing to the Edge Transport Server or to the internal ISA Server ?

  3. Frank Albert

    Hi Paul,

    Excellent article by you as usual….!!!

    I have want to ask that I have a firewall before my ISA Server 2006 .

    On the firewall I have NATed the public interface with the private IP of my
    ISA Server 2006.

    Do I need to change some settings on my firewall also….???

  4. Matin

    Hi Paul,

    I have a issue i have exchange 2007 and isa 2006 everything was working fine suddenly when i try to login through browser to exchange in internal lan i cannot go through where as when i try it i get the login screen and i can login and browse mails.

    can you give me any solution.

    I hav already created roles in isa for owa and web listener.

    Thanks.

  5. Imran

    Hi Paul,

    I am process of migration rom exchange 2007 to 2010. We had also two exchange servers 2010, main exchange server (exchange server 1) had role (CAS, HT and mailbox) with sp1 and other exchange 2010 (exchange server 2 with no Sp1) who had only mailbox role.
    I will like to remove mailbox (exchange server 2 with no Sp1) exchange server. Yesterday I had unmounted databases at exchange server (exchange server 2 with no Sp1) and stop the exchange services include exchange AD topology service, www publishing service and Net. Tcp port sharing/adapter services. When I had stopped these services I got warning at our main exchange server (exchange server 1 with sp1) (Microsoft exchange mailbox replication and still getting warning until I had started services at (exchange server 2 with no Sp1).
    Here is following warning.
    The Mailbox Replication service was unable to determine the set of active mailbox databases on a mailbox server.
    Mailbox server: mailbox.exchangeserver.com
    Error: MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)
    Diagnostic context:
    ……
    Lid: 10648 dwParam: 0x6D9 Msg: EEInfo: Generating component: 2
    Lid: 14744 dwParam: 0x6D9 Msg: EEInfo: Status: 1753
    Lid: 9624 dwParam: 0x6D9 Msg: EEInfo: Detection location: 501
    Lid: 13720 dwParam: 0x6D9 Msg: EEInfo: Flags: 0
    Lid: 11672 dwParam: 0x6D9 Msg: EEInfo: NumberOfParameters: 4
    Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[0]: Unicode string: ncacn_ip_tcp
    Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[1]: Unicode string: mailbox.exchangeserver.com
    Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[2]: Long val: -1988875570
    Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[3]: Long val: 382312662
    Lid: 24060 StoreEc: 0x80040115
    Lid: 23746
    Lid: 31938 StoreEc: 0x80040115
    Lid: 19650
    Lid: 27842 StoreEc: 0x80040115
    Lid: 20866
    Lid: 29058 StoreEc: 0x80040115

    Next day I had just started all above mentioned services at (exchange server 2 with no Sp1).
    exchange server. At (exchange server 2 with no Sp1) did not initialized the exchange management console because (exchange server 1 ) is installed sp1 of exchange server, but (exchange server 2 with no Sp1) is has no exchange SP1. Its give me following error at exchange management console. (connecting to the remote server failed. Cannot contact to this server because incompatible, current version 14.1.218.15. for more information see information about_remoe_troubleshooting).
    Can you let me know if there is no problem I can uninstall or remove from control panel (exchange server 2 with no Sp1) exchange server from exchange environment (exchange server 2 with no Sp1 has no mailbox at its databases), and will it not effect to main exchange server 2010 sp1 (HT,CAS, mailbox).
    Thanks in advanced.
    Best regards,
    Imran

    1. Avatar photo
      Paul Cunningham

      It’s been a while since I set up an ISA or TMG for Exchange publishing and I don’t even have one in a lab I can check against, sorry.

      From memory I published all of the various paths when setting up TMG.

  6. Carol Ostos

    Hey Paul, got a question regarding OWA Publishing Rule using ISA or TMG

    A user reported issues with webmail and I started doing checks, when testing the OWA rule I was getting the following for 3 paths

    Exchange, Exchweb and public

    Time reported by the Microsoft Forefront TMG Firewall Service: 0.009 seconds
    Testing https://outlookwebmail.company.com:443/Exchange/
    Category: General error
    Error details: An unexpected response was received from the server. HTTP response: 500 Internal Server Error
    Action: Verify that the intended server is published and that virtual directories exist. Ensure that you can browse the published site directly from an internal client computer.

    Note:
    The virtual directories exists but when checking

    Authentication on the virtual directory I get “There was an error while performing this operation” error in line 37 of the web.config file. Error: Configuration section not allowed to be set below application

    HTTP Redirect was not enabled or configured so I enabled it with Redirect requests to this destination /owa

    Now, the rule seems to be fine

    Time reported by the Microsoft Forefront TMG Firewall Service: 0.005 seconds
    HTTP response: 302 Moved Temporarily
    The test successfully completed for this URL.

    I’m not 100% sure about the correct setting for these 3 directories so I wanted to double check with you guys!

    Thanks so much!!!!

  7. imran

    Hi Paul,
    Our comany had two exchange servers ( exchange 2007 and exchange 2010). We would like to use both exchange server work as client access and able to access the OWA with different public IP address (different external URL at OWA virtual directory).
    Is it possible and how ?, we are using TMG firewall.
    Best regards,
    Imran

  8. gentleman

    Great work

  9. Henning Svane

    Dear Paul,
    I have also a problem with two two authentication screens.
    My setup is like this.

    I Use Form authentication
    mail.abc-as.dk ISA 2006 Exchange 2010 (mail.abcas.dk)
    As you can se the domain are not the same for the external and the internal

    The explanation you gave earlyer I do not understand.Can you give a littel more help.:-)

    Thanks
    Henning

  10. Sinuhe69

    Dear Paul,
    Publishing Outlook Web App with ISA 2006 is a quite strait forward and easier because you can test it directly. But how about publishing Outlook Anywhere (RPC over HTTP)? Here is also auto-discovery and other nasty bits to consider. We for example already set-up and configured Outlook Anywhere access to our CAS servers. However because they face the internet directly (over a not very stable network link), we want to reduce the attack surface and do load balancing using an ISA server in front. I think it should be easy to achieve, but it is not! In fact, Outlook Web App works fine but not Outlook Anywhere! Looking forward for your tutor on this stuff and thanks in advance.
    BTW, your tutors are great, well written and clearly introduced! Well done.

  11. Shanawaz

    Hi Paul, 1. I too get similar two auth like Jorge, Is there a simple way other than creating second owa directory ? 2. How do i direct my site https://mail.abcde.com to https://mail.abcde.com/owa automatically when hey click ! Thanks mate.

  12. Jorge E. Sanint

    Hi, I have issue in this setup where I want internal network and external network to be presented with form authentication… however, when logging in user gets two authentication screens, first ISA’s then Exchange 2010’s is there anyway to have only a single authentication screen? Thank you

  13. Essam Fouad

    I don`t know how to thank you!!

  14. Dinesh Silva

    Excellently Done….! Thanks

Leave a Reply