
Friday, August 20, 2010

Publish Exchange in UAG

Outlook Web Access

In the Forefront UAG management console, right-click HTTPS Connections and select New Trunk.

Click Next on the first page of the Create Trunk Wizard.
Select Portal Trunk as the trunk type and check the box stating that you will be publishing Exchange applications via the portal. The wording of this check box suggests that a portal will be used to access Exchange. However, configuring Forefront UAG with this wizard results in an Outlook Web App user accessing Outlook Web App directly, without first logging in to a portal.

Enter a name for your trunk. You cannot use spaces or any non-alphanumeric characters. Enter the public host name of the portal, mail.fabrikam.com in our example, and make sure that the IP address the trunk will listen to requests on is correct, that is, the external network interface of Forefront UAG.



Click Next, and on Step 3 – Authentication, click Add and select the authentication server entry that you created earlier.



On Step 4 – Certificate, make sure the certificate that you installed earlier is selected, and then click Next.



On Step 5 – Endpoint Security, if you have already deployed Network Access Protection (NAP) policies on your network, you may select them here; otherwise leave the default of Use Forefront UAG access policies, and then click Next. Be aware that endpoint security policies apply only to Web browser clients and not to clients such as Outlook Anywhere or Exchange ActiveSync.
On Step 6 – Endpoint Policies, leave the defaults for now, and then click Next.
On Step 7 – Select Exchange Services, select Exchange Server 2010, and check the box next to Outlook Web Access only. It's recommended that you do not select all the check boxes to publish all the Exchange services at once. The load-balancing method configured when publishing a farm in this manner is not optimal for Exchange. Therefore, it's recommended that you publish Outlook Web App first and return to the wizard for Outlook Anywhere and Exchange ActiveSync afterwards.
On Step 8 – Configure Application, enter an application name (Exchange 2010 OWA in our example).
On Step 9 – Select Endpoint Policies, leave the default options, and then click Next.
On Step 10 – Deploying an Application, click Configure a farm of application servers, and then click Next.
On Step 11 – Load-Balanced Web Servers, enter the FQDNs of the Client Access servers you will be publishing, and then change the Balance requests by setting by clicking Cookie-based affinity. (When you run the wizard for Outlook Anywhere and Exchange ActiveSync, click IP-based affinity.) In the Paths field, review the list and remove any paths you do not require.
On Step 12 – Configure Connectivity Verifiers, select Establish a TCP connection. The default selection sends an HTTP/HTTPS GET request to the Client Access server to check whether IIS is responding. The issue when publishing Exchange is that IIS on the Client Access server won't respond to HTTP requests, and the FQDN of the Client Access server itself is not usually in the SSL certificate installed on the Client Access server, so an HTTPS request to the server FQDN, which Forefront UAG would try, fails as well. For these reasons, the simplest option is to tell Forefront UAG to establish a TCP connection to port 443 on the Client Access server; a successful connection is sufficient to tell Forefront UAG that IIS is up and responding to requests.
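The following PowerShell script is an added example and is not part of the original post: it reproduces UAG's TCP verifier against each Client Access server and then reads the certificate IIS presents on port 443, which shows whether the server FQDN is in the certificate and therefore why the HTTPS GET verifier fails. The server FQDNs are assumed values.

```powershell
# Added example, not from the original post: replicate UAG's "Establish a TCP
# connection" verifier against each Client Access server and read the
# certificate IIS presents on 443, which shows why the HTTPS GET verifier
# (sent to the server FQDN) fails when that FQDN is not in the certificate.
$ClientAccessServers = @('RED-CAS-1.fabrikam.com', 'RED-CAS-2.fabrikam.com')  # assumed FQDNs

function Test-CasTcpPort {
    param([string]$Server, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch { return $false }
    finally { $client.Close() }
}

function Get-CasCertificateNames {
    param([string]$Server, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate here: the goal is to read its names, not to trust it
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        return New-Object PSObject -Property @{ Subject = $cert.Subject; SubjectAlternativeName = $san }
    } finally { $client.Close() }
}

foreach ($cas in $ClientAccessServers) {
    if (-not (Test-CasTcpPort -Server $cas)) {
        Write-Warning "$cas : TCP 443 failed; UAG's TCP verifier would mark this server down"
        continue
    }
    $names = Get-CasCertificateNames -Server $cas
    $fqdnInCert = ($names.Subject -like "*CN=$cas*") -or ($names.SubjectAlternativeName -like "*$cas*")
    Write-Output "$cas : TCP 443 OK; certificate subject '$($names.Subject)'; FQDN present in certificate: $fqdnInCert"
    if (-not $fqdnInCert) {
        Write-Output "$cas : an HTTPS GET to this FQDN would fail name validation, so keep the TCP verifier"
    }
}
```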

Click Next, and on Step 13 – Authentication, click Add to add the authorization servers that you previously configured to the list. The lower option buttons determine how Forefront UAG will authenticate to the Client Access server. The default, 401 request, means Forefront UAG will use Basic authentication to the Client Access server; therefore the Client Access server must have Basic enabled on the /owa virtual directory. If you click HTML form, you can leave FBA enabled on the Client Access server. This capability is unique to Forefront UAG and enables both internal and external Outlook Web App users to access Outlook Web App using forms-based authentication.

On Step 14 – Portal Link, the default settings will create icons in the portal for Outlook Web App access, if a portal is used. Also, if the lower check box is selected, the portal will open Outlook Web App in a new window when it is accessed. Click Next.

On Step 15 – Exchange Application Authorization, you can leave the default, which enables all authenticated users to access Exchange. This only means that they can try to access Outlook Web App. Any Outlook Web App policies you created in Exchange still apply, including OWAEnabled set to false. Or, you can restrict who can access Outlook Web App at Forefront UAG by selecting from a list of groups or even restrict access down to the user level by adding individual users to this list.

Click Finish on the final page of the wizard to return to the management console.

Click the Save icon to save the configuration. Click the Activate icon to back up the existing configuration and activate this new configuration.

If you chose 401 request on Step 13, use the Exchange Management Console (EMC) to open the properties of the owa and ecp virtual directories on each Client Access server being published, set the authentication to Basic, and then run iisreset on each Client Access server you have changed.


ActiveSync and RPC over HTTP


Open the Forefront UAG management console, and navigate to the properties of the trunk you previously created.

In the Applications section of the page, click Add to open the Welcome to the Add Application Wizard dialog box, and then click Next. In the Web list, click Microsoft Exchange Server (all versions).

On Step 2 – Select Exchange Services, in the Exchange versions list, click Microsoft Exchange Server 2010, and then select the Outlook Anywhere (RPC over HTTP) and Exchange ActiveSync check boxes. If you view the configuration later and decide you want more control over individual settings for Outlook Anywhere and Exchange ActiveSync, you can run this wizard once for each protocol. We keep them together in this walkthrough because, most of the time, when Outlook Anywhere and Exchange ActiveSync use the same authentication scheme, the settings for both are compatible.

On Step 3 – Configure Application, enter a descriptive name for the application.

On Step 4 – Select Endpoint Policies, leave the defaults for now, and then click Next.

On Step 5 – Deploying an Application, select Configure a farm of application servers.

On Step 6 – Load-Balanced Web Servers, enter the FQDNs of the servers in the Client Access server array you are publishing.

On Step 7 – Configure Connectivity Verifiers, click Establish a TCP connection for the reasons described earlier.

On Step 8 – Authentication, select the Authorization source you have previously configured.

Accept the warning message, which effectively states that Outlook Anywhere and Exchange ActiveSync clients cannot use forms-based authentication or the portal and so will use Basic or NTLM authentication.

On Step 9 – Outlook Anywhere, notice that the default Public Host Name values have been completed. Click Use Basic authentication to change the default Outlook Anywhere Authentication option for both services so that Forefront UAG can delegate credentials to the Client Access server correctly.

On the Authorization page of the wizard, either leave the default of allowing all users to connect or click to restrict the service to specific groups or users. Again, as with Outlook Web App, any options set within Exchange by using the Set-CASMailbox cmdlet will still apply.

Click Finish on the wizard completion page.

Viewing the management console, you will now see the additional application entries the wizard has created. Autodiscover and EWS have been put into rules separate from Outlook Anywhere and EAS.

When you have activated the configuration, the next step is to configure Exchange to correctly allow Basic authentication to be used against the different virtual directories required for Outlook Anywhere and Exchange ActiveSync.

Enable Outlook Anywhere on each published Client Access server, clicking Basic authentication as the client authentication method. After all changes are made and iisreset has been run, event ID 3006 is logged, showing that the appropriate registry keys have been set.

If this is the first time Outlook Anywhere has been enabled, several more steps are required to ensure users outside Forefront UAG can fully use Outlook. Also, one more step is required so that Exchange ActiveSync can use the Autodiscover service. You should run these on each server in the Active Directory site you are publishing, replacing the server host name as appropriate.

Set the external URL for the offline address book (OAB) virtual directory. It is assumed that the OAB is already enabled for Web-publishing. If it's not, see Configure Offline Address Book Distribution Properties.

Set-OABVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/OAB

Set the external URL for the Exchange Web Services (EWS) virtual directory to https://mail.fabrikam.com/EWS/Exchange.asmx.

Set-WebServicesVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/EWS/Exchange.asmx

Set the external URL for the Exchange ActiveSync virtual directory to allow the Autodiscover service to provide devices with the correct value.

Set-ActiveSyncVirtualDirectory RED-CAS-1\* -ExternalUrl https://mail.fabrikam.com/Microsoft-Server-ActiveSync

Set the authentication property for the OAB and EWS virtual directories to include Basic as an option if you are using Basic authentication.

Set-OabVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true

Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true
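The following Exchange Management Shell script is an added example and is not part of the original post: it applies the per-server settings from this section (the owa/ecp Basic setting from Step 13, Outlook Anywhere, and the external URLs above) to every published Client Access server in one pass and reads them back. The server names are assumed, the virtual directories are assumed to be on the Default Web Site, and switching forms-based authentication off on owa/ecp is this example's reading of the 401 request option.

```powershell
# Added example, not from the original post: apply this section's per-server
# Exchange 2010 settings to every published Client Access server in one pass,
# then read them back. Run in the Exchange Management Shell. Server names are
# assumed; virtual directories are assumed to live on the Default Web Site.
$PublishedCas = @('RED-CAS-1', 'RED-CAS-2')   # assumed server names
$PublicHost   = 'mail.fabrikam.com'

foreach ($cas in $PublishedCas) {
    # Wizard Step 13 "401 request": UAG delegates Basic credentials to /owa and /ecp,
    # so those directories use Basic and forms-based authentication is switched off (assumption)
    Set-OwaVirtualDirectory -Identity "$cas\*" -BasicAuthentication $true -FormsAuthentication $false
    Set-EcpVirtualDirectory -Identity "$cas\*" -BasicAuthentication $true -FormsAuthentication $false

    # Outlook Anywhere with Basic client authentication; SSL offloading is off because
    # UAG re-encrypts to port 443 on the Client Access server
    if (Get-OutlookAnywhere -Server $cas -ErrorAction SilentlyContinue) {
        Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $PublicHost -ClientAuthenticationMethod Basic
    } else {
        Enable-OutlookAnywhere -Server $cas -ExternalHostname $PublicHost -ClientAuthenticationMethod Basic -SSLOffloading $false
    }

    # External URLs that Autodiscover hands to Outlook and ActiveSync clients,
    # plus Basic on OAB and EWS so the delegated credentials are accepted there too
    Set-OabVirtualDirectory         -Identity "$cas\*" -ExternalUrl "https://$PublicHost/OAB" -BasicAuthentication $true
    Set-WebServicesVirtualDirectory -Identity "$cas\*" -ExternalUrl "https://$PublicHost/EWS/Exchange.asmx" -BasicAuthentication $true
    Set-ActiveSyncVirtualDirectory  -Identity "$cas\*" -ExternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"
    # As the post notes, run iisreset on each changed server afterwards
}

# Read back what clients will receive, so a mistyped URL is caught before testing from outside
foreach ($cas in $PublishedCas) {
    Get-OwaVirtualDirectory -Server $cas         | Select-Object Server, BasicAuthentication, FormsAuthentication
    Get-OutlookAnywhere -Server $cas             | Select-Object Server, ExternalHostname, ClientAuthenticationMethod
    Get-OabVirtualDirectory -Server $cas         | Select-Object Server, ExternalUrl, BasicAuthentication
    Get-WebServicesVirtualDirectory -Server $cas | Select-Object Server, ExternalUrl, BasicAuthentication
    Get-ActiveSyncVirtualDirectory -Server $cas  | Select-Object Server, ExternalUrl
}
```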

At this point you should test the configuration to make sure it works as expected. From an Outlook 2007 or Outlook 2010 client on the external network, first make sure that an A record for autodiscover.fabrikam.com exists in DNS, then make sure that Outlook Anywhere is enabled on the Client Access server in the site you are publishing and that all relevant URLs are correct, and then try to create a new Outlook profile. It's very important to ensure that the Autodiscover service works correctly for an Outlook client, because the Autodiscover service provides Outlook with the location of the different Web services it requires for normal operation, such as Out of Office settings and offline address book downloads.

If Outlook Anywhere works, try to connect by using a mobile device, either with the Autodiscover service configuring the profile or manually, by entering the server name (mail.fabrikam.com in this example).
