Thursday, 12 July 2012 05:56

Publish Exchange 2010 OWA Using Forefront TMG 2010 & Configure OWA Redirection – Part 1


Many of us now publish OWA through Microsoft Forefront Threat Management Gateway (TMG) to ensure maximum protection. In this pair of articles I cover how to do the following:

  • Publish Outlook Web App using TMG 2010
  • Configure OWA redirection (implementing URL simplification for users)
  • How HTTP to HTTP redirection can be achieved using a TMG 2010 rule

My lab consists of:

  • Exchange Server 2010 server (all 3 roles combined) - 1
  • Forefront Threat Management Gateway (TMG) - 1, with a single NIC

When you use TMG with 2 NICs, the publishing rules are created on the External listener.

Publish Exchange 2010 OWA on TMG 2010

Before you start creating the publishing rule in TMG, some authentication changes need to be made on the Exchange Server 2010 machine that will be used as the internal CAS server in the TMG configuration.

Set-OwaVirtualDirectory -Identity "<CASServer>\*" -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
Set-EcpVirtualDirectory -Identity "<CASServer>\*" -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false

Note - It is always recommended to record the existing configuration with the matching "Get-" command before changing the authentication settings, so that you can revert to the previous settings if you encounter an issue while creating the publishing rule. For example, for the OWA virtual directory, run "Get-OwaVirtualDirectory | fl name,*auth*" to get the current authentication settings, and do the same for the other virtual directories. Also, if you have more than one virtual directory of each type, make sure you give the correct identity instead of the "*" wildcard that I used in my lab.
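One way to follow the note above, as an added example that is not part of the original article: the script saves the current OWA and ECP authentication flags to disk, applies the article's settings, and defines a rollback function. The server name CAS01, the backup folder, and the function names Backup-VdirAuth and Restore-VdirAuth are assumptions made for this example.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# 'CAS01' and the backup folder are placeholders; substitute your own values.
$CasServer = 'CAS01'
$BackupDir = 'C:\Temp\VdirAuthBackup'

# The flags the article changes, plus the identity as a plain string for the restore.
$Props = @{Name = 'Identity'; Expression = { $_.Identity.ToString() }},
         'BasicAuthentication', 'WindowsAuthentication', 'FormsAuthentication'

function Backup-VdirAuth {
    param([string]$Server, [string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    Get-OwaVirtualDirectory -Server $Server | Select-Object $Props |
        Export-Clixml (Join-Path $Path 'owa-auth.xml')
    Get-EcpVirtualDirectory -Server $Server | Select-Object $Props |
        Export-Clixml (Join-Path $Path 'ecp-auth.xml')
}

function Restore-VdirAuth {
    param([string]$Path)
    foreach ($v in @(Import-Clixml (Join-Path $Path 'owa-auth.xml'))) {
        Set-OwaVirtualDirectory -Identity $v.Identity `
            -BasicAuthentication $v.BasicAuthentication `
            -WindowsAuthentication $v.WindowsAuthentication `
            -FormsAuthentication $v.FormsAuthentication
    }
    foreach ($v in @(Import-Clixml (Join-Path $Path 'ecp-auth.xml'))) {
        Set-EcpVirtualDirectory -Identity $v.Identity `
            -BasicAuthentication $v.BasicAuthentication `
            -WindowsAuthentication $v.WindowsAuthentication `
            -FormsAuthentication $v.FormsAuthentication
    }
}

# 1. Record the current state before changing anything.
Backup-VdirAuth -Server $CasServer -Path $BackupDir

# 2. Apply the article's settings to every OWA and ECP directory on this server.
Get-OwaVirtualDirectory -Server $CasServer |
    Set-OwaVirtualDirectory -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
Get-EcpVirtualDirectory -Server $CasServer |
    Set-EcpVirtualDirectory -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false

# 3. Confirm the result.
Get-OwaVirtualDirectory -Server $CasServer | Format-List Name, *auth*
Get-EcpVirtualDirectory -Server $CasServer | Format-List Name, *auth*

# To roll back if publishing fails: Restore-VdirAuth -Path $BackupDir
```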

You also need to import the certificate into the TMG server's certificate store. The certificate has to be generated from an Exchange server; I will not cover the details here.

  • Open Forefront TMG and Locate Firewall Policy in the left pane
  • In the action pane on the right side, click on Publish Exchange Web Client Access
  • Name it as Exchange 2010 OWA and click Next
  • For Exchange version, select Exchange Server 2010; under Web client mail services, select Outlook Web Access, then click Next


  • Select the appropriate Publishing Type (I selected the single website or load balancer option) and click Next


  • Select Use SSL on Server Connectivity Security


  • On Internal Site Name, enter the CAS server name to which the TMG should forward the request.


  • On Accept Request for, select “This domain name (type below)” option and then type the external OWA URL as shown below.


  • Now create the listener: click New, type a name (I used OWA FBA, i.e. form-based authentication) and click Next.
  • On Client Connectivity Security, select Require SSL secured connections with clients and click Next
  • On Web Listener IP Address, select Internal (I have only a single NIC on the server), and choose the IP by clicking the Select IP Addresses… button


  • On Listener SSL Certificate, select the installed certificate



  • On Authentication Settings, select HTML Form Authentication and then the Windows (Active Directory) option


You may ignore the SSO settings, because you can configure Basic Authentication on Exchange OWA and the double authentication can be bypassed. Continue the wizard and click Finish. The listener is now created; select it.


  • Set the authentication mechanism to Basic Authentication and click Next
  • On the next page, ensure that the rule applies to “All Authenticated Users”, then continue the wizard and finish it.

You have now finished publishing OWA on TMG. The publishing rule can now be tested as shown below.


All looks fine.

It is now time to create the OWA redirection rules in TMG. Part 2 of this article covers the creation of the OWA redirection rule.

Read - Publish OWA in TMG 2010 and Configure OWA Redirection – Part 2

