alika
02-22-2011, 01:34 PM
Publishing Exchange Outlook Web App (OWA) with Microsoft Forefront Threat Management Gateway (TMG) 2010: Part 1 – Preparing the Client Access Server (CAS)
Introduction
Forefront Threat Management Gateway (TMG) 2010 includes support for publishing Microsoft Exchange Outlook Web App (OWA) for Exchange 2010, as well as Outlook Web Access for Exchange 2007, 2003, and 2000. In the first part of this two-part series we will go through the steps required to prepare the CAS server for publishing with TMG. In part two we will focus on actually publishing OWA using TMG.
Preparing the Client Access Server (CAS)
Before we can publish OWA using TMG, we need to make some configuration changes on the Exchange CAS server. With Exchange 2010, Forms Based Authentication (FBA) is now the default authentication method. Since TMG will be presenting its own authentication form to the client and pre-authenticating the user at the edge, we’ll need to configure Exchange OWA to use NTLM authentication instead.
To change the authentication method for OWA, open the Exchange management console and highlight Client Access under the Server Configuration node in the console tree.
http://www.isaserver.org/img/upl/image0021279289747380.jpg
Figure 1
Select the Outlook Web App tab, and then right-click OWA (Default Web Site) and choose Properties.
http://www.isaserver.org/img/upl/image0041279289747412.jpg
Figure 2
Select the Authentication tab, then choose the option to Use one or more standard authentication methods. For demonstration purposes I will choose Basic Authentication (password is sent in clear text). Since this communication is protected using SSL encryption, clear text passwords will not be visible on the network.
http://www.isaserver.org/img/upl/image0061279289747412.jpg
Figure 3
Select the Exchange Control Panel tab and then right-click the ECP (Default Web Site) and choose Properties.
http://www.isaserver.org/img/upl/image0081279289747427.jpg
Figure 4
Select the Authentication tab, then choose the option to Use one or more standard authentication methods and select Basic Authentication (password is sent in clear text).
http://www.isaserver.org/img/upl/image0101279289787474.jpg
Figure 5
Once complete, open an elevated command prompt and execute the iisreset /noforce command.
http://www.isaserver.org/img/upl/image0121279289787537.jpg
Figure 6
The last step in preparing the Exchange CAS is to obtain and install an SSL certificate for use by OWA. To do this, open the IIS management console and highlight the root node in the console tree.
http://www.isaserver.org/img/upl/image0141279289787584.jpg
Figure 7
In the main window, double-click Server Certificates.
http://www.isaserver.org/img/upl/image0161279289787630.jpg
Figure 8
In the Actions pane, click the Create Certificate Request… link.
http://www.isaserver.org/img/upl/image0181279289835959.jpg
Figure 9
Complete the request form, making sure the Common Name field includes the Fully Qualified Domain Name (FQDN) of the CAS server.
http://www.isaserver.org/img/upl/image0201279289835990.jpg
Figure 10
Note:
In our example we are using split DNS, so the external public-facing FQDN is identical to the internal FQDN. If you are not using split DNS it will be necessary to make separate certificate requests for each FQDN (internal and external).
Select the appropriate Cryptographic Service Provider and Bit Length that meet your requirements. In most cases the defaults will be sufficient.
http://www.isaserver.org/img/upl/image0221279289835990.jpg
Figure 11
Specify a location to save the request file and submit the request to a Certificate Authority (CA).
http://www.isaserver.org/img/upl/image0241279289835990.jpg
Figure 12
Once the request has been processed by a CA, complete the request by clicking the Complete Certificate Request… link.
http://www.isaserver.org/img/upl/image0261279289878974.jpg
Figure 13
Specify the location of the certificate file issued by the CA and enter a descriptive name.
http://www.isaserver.org/img/upl/image0281279289878974.jpg
Figure 14
To use this certificate with TMG we’ll need to export the certificate along with its private key. Highlight the new certificate in the main window and, in the Actions pane, click the Export… link.
http://www.isaserver.org/img/upl/image0301279289879005.jpg
Figure 15
Specify the location to save the file and enter a strong password.
http://www.isaserver.org/img/upl/image0321279289879005.jpg
Figure 16
To assign this new certificate to the OWA web site, highlight the root node in the console tree.
http://www.isaserver.org/img/upl/image0141279289940209.jpg
Figure 17
In the Actions pane click the Bindings… link.
http://www.isaserver.org/img/upl/image0341279289940224.jpg
Figure 18
Highlight the HTTPS protocol and choose Edit…
http://www.isaserver.org/img/upl/image0361279289940224.jpg
Figure 19
Select the new certificate from the dropdown list.
http://www.isaserver.org/img/upl/image0381279289940224.jpg
Figure 20
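The OWA and ECP authentication steps above can also be applied and checked from the Exchange Management Shell. The following is an added example, not part of the original article; the server name CAS01 is a placeholder, and it assumes the default virtual directories under Default Web Site and the IIS WebAdministration module.

```powershell
# Added example (not from the original article). Run in the Exchange
# Management Shell on the CAS. 'CAS01' is a placeholder server name.
$CasServer = 'CAS01'

# Turn off forms-based authentication and enable Basic on OWA and ECP,
# matching the console steps (TMG shows the logon form at the edge).
Get-OwaVirtualDirectory -Server $CasServer |
    Set-OwaVirtualDirectory -FormsAuthentication $false -BasicAuthentication $true
Get-EcpVirtualDirectory -Server $CasServer |
    Set-EcpVirtualDirectory -FormsAuthentication $false -BasicAuthentication $true

# Restart IIS so the change takes effect.
iisreset /noforce

# Check 1: both virtual directories report the intended methods.
$vdirs = @(Get-OwaVirtualDirectory -Server $CasServer) +
         @(Get-EcpVirtualDirectory -Server $CasServer)
$vdirs | Format-Table Name, FormsAuthentication, BasicAuthentication -AutoSize
$wrongAuth = @($vdirs | Where-Object {
    $_.FormsAuthentication -or -not $_.BasicAuthentication })

# Check 2: Basic sends the password unencrypted, so each application must
# require SSL. Paths assume the default 'Default Web Site' (assumption).
Import-Module WebAdministration
$noSsl = @(foreach ($app in 'Default Web Site/owa', 'Default Web Site/ecp') {
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $app -Filter 'system.webServer/security/access' -Name 'sslFlags'
    if ("$flags" -notmatch '\bSsl\b') { $app }
})

if ($wrongAuth.Count -or $noSsl.Count) {
    $wrongAuth | ForEach-Object { Write-Warning "Unexpected auth on $($_.Name)" }
    $noSsl     | ForEach-Object { Write-Warning "SSL not required on $_" }
} else {
    Write-Host 'OWA and ECP: forms off, Basic on, SSL required.'
}
```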
