OWA access from Internet

We are using Exchange 2013 and Exchange 2007 in mixed mode. Exchange will be upgraded to Exchange 2013. We use OWA on our internal network, but now we have been asked to make it available from the Internet so users can connect to email from anywhere. How do I do it? I know Microsoft had TMG/ISA server to use as a reverse proxy, but it is no longer available. I want to configure a reverse proxy in the DMZ so clients can connect to it and authenticate.

Any suggestions or a good configuration document would be nice.

T

August 7th, 2015 12:40pm

Besides the expected "for security reasons" answer, why do you feel the need for a reverse proxy? If you open 443 in your firewall and point it to your Exchange 2013 CAS server, your users will have to authenticate anyway.
August 7th, 2015 12:45pm

Hi,

You can publish Exchange 2013 Web services. Actually, it works pretty similarly to Exchange 2010.
Here's an article about "Configure Reverse Proxy Servers for Outlook Web App": https://support.microsoft.com/en-us/kb/290113

This blog post from the Exchange Team might be of interest to you:  http://blogs.technet.com/b/exchange/archive/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think.aspx

Thanks

August 11th, 2015 9:28pm

Hi Sahil,

It's already there in the post from Allen. Just to highlight, IIS ARR (Application Request Routing) is a supported alternative from Microsoft and works great as a reverse proxy for Exchange.

The articles below should give you the hang of it.

Reverse Proxy with URL Rewrite v2 and Application Request Routing:

http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

4-part article with step-by-step guide:

Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR:

http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

August 12th, 2015 1:10am

Thanks to all of you. I came across an article about using WAP (Windows Application Proxy) in the DMZ and ADFS on the main network. It looks like a complex solution but may be more secure.

https://technet.microsoft.com/en-us/library/dn383650.aspx

What is your view on these two solutions? Is the one suggested in your reply secure? Is IIS ARR supported on Win2012R2?

August 12th, 2015 11:30am

IIS ARR does support 2012 R2 & Exchange 2013. I recently deployed it, but Outlook connectivity fluctuates for legacy mailboxes.
August 12th, 2015 11:42am

Hi Sahil,

There are several options for Exchange 2013. TMG\ISA was discontinued in favor of UAG, which is the actual replacement for TMG. You might go for 3rd-party options and hardware load balancers as well.

IIS ARR is secure, but has fewer features compared to TMG. It is like a cost-effective alternative to UAG for organizations not willing to invest more.

Reverse Proxy for Microsoft Exchange

As a reverse proxy, TMG also implemented features such as session logging, Kerberos authentication, content caching, compression and application layer protection. While ARR offers a way to implement the load balancing component of TMG, it does not offer the depth of features that TMG provided.

WAP is also similar to ARR and might provide a different feature set.

Setting up Windows Application Proxy for Exchange 2013:

http://blogs.technet.com/b/jrosen/archive/2013/12/28/setting-up-windows-application-proxy-for-exchange-2013.aspx

If you get what you are looking for within ARR, go for it; no need to invest in anything else. Make sure you size the server correctly using the TMG sizing guidance to avoid hiccups.

August 13th, 2015 1:36am

Thanks. I followed the documentation and used ARR 3.0. However, it did not create "Rewrite Rules" and I cannot see "Routing Rules" on the server farm.

I am also unable to see URL Rewrite on the IIS server.

Did you install with ARR 3.0? Do you have documentation that you can share? I need some help with the requirements on the external DNS name, certificate requirement etc.

For example, my external DNS may be like: mytest.net

When I test the URL, it will be https://mytest.net/OWA

Is that correct? Is an external certificate needed? If so, shall I just get it for mytest.net (just an example, this will not be the name)?

August 13th, 2015 10:35am

Hi,

Here's an article about ARR and URL rewrite: http://blogs.msdn.com/b/chiranth/archive/2014/07/21/application-request-routing-and-url-rewrite-part-1-server-farms.aspx

Moreover, refer to Configuring ARR with Client Certificate: http://blogs.msdn.com/b/asiatech/archive/2014/01/28/configuring-arr-with-client-certificate.aspx

August 13th, 2015 9:27pm

Hi Sahil,

Q. Did you install with ARR 3.0? Do you have documentation that you can share?

The IIS URL Rewrite 2.0 module is separate and available here:

https://www.microsoft.com/en-in/download/details.aspx?id=7435

http://www.iis.net/downloads/microsoft/url-rewrite

Personally, I had referred to this excellent guide:

Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR:

http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

Q. Is that correct? Is an external certificate needed? If so, shall I just get it for mytest.net (just an example, this will not be the name)?

For testing, a self-signed certificate should be enough. Yes, but for production use and the long term, you need a certificate with the SAN names; the certificate request should be generated from the EAC console only.

Exchange 2013 SSL Certificates CSR Creation Help:

https://www.digicert.com/csr-creation-microsoft-exchange-2013.h

August 16th, 2015 11:55pm

All, I have set up ARR and the other components and am getting the login name and password prompt. However, after typing the login name and password, nothing happens. It just goes back to the same page. Any help?
August 19th, 2015 10:09am

Hi,

Please use ExRCA to test the connection for Exchange server. Also, check the relevant log in IIS or use Failed Request Tracing Rules to Troubleshoot ARR.

By the way, please ensure the configuration of Reverse Proxy for Exchange Server 2013 using IIS ARR:
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

August 19th, 2015 9:43pm

Hi Sahil,

Have you made the correct DNS entry, or are you using the hosts file? Try it from the ARR server.

August 20th, 2015 5:57am

On the ARR server, I have two NICs. I used our internal DNS server for both NICs. DNS traffic is allowed on the firewall. When I try to browse from the ARR server, I get the same result. It just prompts for the login name and password. On my work PC, I tried and it redirects to my internal server. For example, External OWA is https://owa.xyx.com and Internal OWA is: https://xx.domain.com.

Where do I need to configure DNS for owa.xyz.com??? On ARR, when I ping owa.xyz.com, I get a reply and it is the IP of my external NIC.

Thanks to all for your help.

August 20th, 2015 10:35am

Hi Sahil,

Check these.

1. On the external PC, owa.xyz.com should resolve to the ARR server IP.
2. On the ARR server, owa.xyz.com should resolve to the ARR server IP.
3. On the ARR server, CASservername.domain.com should resolve to the CAS server IP.
4. Internal and external URLs for Outlook Anywhere and OWA are updated correctly on the CAS.

When you access https://CASservername.domain.com/owa from the ARR server, is it allowing you to log in?

When you access https://CASservername.domain.com/owa from the CAS server, is it allowing you to log in?

When you access https://CASservername.domain.com/owa from the external PC, is it allowing you to log in?

Are you sure you don't want splitDNS and use different internal and external

August 21st, 2015 3:08am

Thanks for your suggestions. Please find my findings...

1. On External PC owa.xyz.com should resolve to ARR server IP. -- It resolves to the external public IP address.
2. On ARR server owa.xyz.com should resolve to ARR server IP. -- Yes, it does.
3. On ARR server CASservername.domain.com should resolve to CAS server IP. -- Yes, it does.
4. Internal and External URLs for Outlook Anywhere, OWA is updated correctly on CAS. -- I have configured both the internal and external URL the same, i.e. https:\\owa.xyz.com/owa. I had different ones before. As we use Exchange 2013, I have not configured Outlook Anywhere. Do I have to??

When you access https://CASservername.domain.com/owa from ARR server is it allowing you to login. -- No

When you access https://CASservername.domain.com/owa from CAS server is it allowing you to login. -- Yes

Can you access When https://CASservername.domain.com/owa from External PC is it allowing you to login. -- No

Are you sure you don't want splitDNS and use different internal and external URLs. -- I would like to, and I tried, but it did not work for me. On the external PC, I got the main page and after login it redirects to the internal server, hence it fails. I.e., I browse to https://owa.xyz.com and type the login name and password; then, for an Exchange 2007 mailbox, it tries to redirect to https://CASservername.internaldomain.com.

Thanks, and looking forward to your prompt reply.

August 21st, 2015 6:00am

Hi Sahil,

Exchange 2007 will be a redirect; you need to configure Legacy.domain.com in the URLs, and that URL needs to be accessible via ARR, using a separate setup.

The normal URL is not supposed to be redirected. This means you have not set up ARR correctly.

When you access https://CASservername.domain.com/owa from ARR server is it allowing you to login. -- No

This needs to work; this needs to work even when you don't have ARR or IIS installed on the server. Check if the network configuration is correctly set up, firewall exceptions, etc.

Do a telnet to the IP of the CAS server.

Also try https://CASserverIP/owa from the ARR server. If it works, try putting a HOSTS file entry for the CAS server DNS details.

August 21st, 2015 6:12am

Thank you very much for the guidance. I am now getting closer to fixing the issue. It was the ARR server's local Windows Firewall blocking access.

Now I can log in to OWA using both the CAS server address and OWA.XYZ.COM from the ARR server. However, I am still having the same issue from the external PC.

I created an XYZ.COM zone on our internal DNS server and created A records for OWA and autodiscover. I am able to log in on my main network with OWA.XYZ.COM.

What else do I need to do to make it work from the external PC???

Thanks for your valuable time and help.

August 21st, 2015 8:06am

Hi Sahil,

Good to know you have set up ARR correctly; now only the DNS part is pending.

This is how you set up split DNS.

External PC, external DNS server or public DNS server: OWA.XYZ.COM -> points to the external IP towards the ARR external NIC, or directly to the external NIC of the ARR server if you don't have any networking NAT device in between.

Internal DNS -> OWA.XYZ.COM -> Internet NIC of ARR server.

So when users on internal or external DNS access it, it will flow through ARR.

August 21st, 2015 8:47am

Thanks again and sorry to bother you once more.

Public DNS for OWA.XYZ.COM is 212.X.X.X and not the ARR external IP. It is NATed from the firewall to the external NIC of the ARR server. I can resolve OWA.XYZ.COM to the external NIC. I have changed the DNS address on the external NIC to the external NIC, 192.168.X.X.

On internal DNS: I have created an XYZ.COM zone and an A record for OWA. The IP is for the CAS servers. If I change it to the Internet NIC of ARR, OWA on our main network stops working. With the CAS address, it works.

What shall I do ?

August 21st, 2015 10:44am

Hi Sahil,

You had earlier said that you are using NATting on the external NIC to reach it from outside. When you say "If I change to Internet NIC of ARR", what do you mean? Is it the external IP for the ARR server or the public IP for the ARR server? In any case, you need to make sure the NATting is also updated.

The IPs are supposed to be static; once changed, make sure you repeat/recheck the ARR configuration steps, as there are NIC-related settings which might need to be reset.

September 1st, 2015 8:22am

Thanks.

I am referring to DNS. Yes, we are using NATting. Our external public IP is 212.X.X.X, which is NATed to the external NIC of the ARR server (192.X.X.X). DNS on the external NIC is public DNS (194.X.X.X).

On the ARR server's internal NIC, I have used the DNS of our internal DNS server. Our internal DNS has a new zone, XYZ.COM, and the A record for OWA is our CAS server.

With the above settings, I can browse and log in to owa.xyz.com from both the ARR server and an internal PC. Trying the same on an external PC, I get a login page, but when I type the password, it does nothing and prompts for the login/password again. If I type a wrong password, it knows and gives an error that the password is incorrect.

What is wrong with the setup??

September 2nd, 2015 3:14pm

Hi Sahil,

On the ARR server, can you access it using the external NIC?

https://192.X.X.X/owa

#On cmd.exe

Route Print

Check that you have routes available from the ARR server's external NIC to its internal NIC. (Don't exactly recall if this is it.)

DNS on the external NIC need not point to the Internet; it's not looking for anyone outside, but outsiders are looking for inside.

Which NIC has the gateway defined? It should not be on both; only one should ha

September 3rd, 2015 7:33am

I have finally resolved it. It was an issue with the certificate. I imported the certificate from only one CAS server, compared to all three CAS servers, on the ARR server.

I am very grateful to you for all your help and for your valuable time.

Thanks to all.

September 4th, 2015 11:07am
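
An added example, not written by anyone in the thread: a PowerShell check to run on the ARR server that walks the resolution and reachability checks discussed above and then the certificate trust that turned out to be the cause. All host names are placeholders, and it assumes, as the resolution suggests, that the ARR server must trust the certificate presented by every CAS server.

```powershell
# Added example: run on the ARR server. All host names are placeholders.
$PublishedName = 'owa.xyz.com'                                            # external OWA name
$Backends      = 'cas1.domain.com', 'cas2.domain.com', 'cas3.domain.com'  # CAS servers

function Test-CasBackend {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $r = [ordered]@{ Host = $HostName; Address = $null; TcpOpen = $false
                     Subject = $null; Thumbprint = $null; NotAfter = $null
                     ChainTrusted = $false; Detail = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # 1. Name resolution as this server sees it (HOSTS file included).
        $r.Address = [System.Net.Dns]::GetHostAddresses($HostName)[0].IPAddressToString

        # 2. TCP reachability; a local or perimeter firewall block fails here.
        $client.Connect($HostName, $Port)
        $r.TcpOpen = $true

        # 3. TLS handshake. The callback accepts any certificate only so that it
        #    can be inspected below; nothing else is sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject; $r.Thumbprint = $cert.Thumbprint; $r.NotAfter = $cert.NotAfter

        # 4. Does it chain to a root in the LocalMachine stores of this server?
        #    ($true = machine context, so per-user stores are ignored.)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $r.ChainTrusted = $chain.Build($cert)
        $r.Detail = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    catch   { $r.Detail = $_.Exception.Message }
    finally { $client.Close() }
    [pscustomobject]$r
}

# On the ARR server the published name should resolve to the ARR server itself.
[System.Net.Dns]::GetHostAddresses($PublishedName) | ForEach-Object { "$PublishedName -> $_" }

# One row per CAS; every row should show TcpOpen and ChainTrusted as True.
$Backends | ForEach-Object { Test-CasBackend -HostName $_ } |
    Format-Table Host, Address, TcpOpen, ChainTrusted, NotAfter, Detail -AutoSize
```

A row with TcpOpen True but ChainTrusted False and a Detail such as UntrustedRoot points at a certificate that has not been imported on the ARR server for that particular CAS.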

Hi Sahil,

Glad to hear this finally. The certificate is one of the key components; it went completely out of my mind to check that with you.

September 7th, 2015 2:57am

Very helpful. Thanks.
September 7th, 2015 10:47am

This topic is archived. No further replies will be accepted.
