How do I grant users outside the LAN access to OWA?
Our company has users who reside outside the local area network. What's the best way to grant those users access to Outlook Web App?
The Client Access Server role was introduced in Exchange Server 2007 to provide a more scalable and secure way to connect internal and external clients to Exchange mailboxes. Exchange Server 2013 also leverages this server role.
By default, the Client Access Server (CAS) role requires SSL for connections to Outlook Web App (OWA). During installation it creates a self-signed certificate and automatically assigns the "IIS" service to it; OWA is one of the IIS services that certificate protects. Forms-Based Authentication, which depends on the SSL connection, is the default authentication method for OWA. A certificate from a trusted internal or public certificate authority can replace the self-signed certificate. External and remote OWA connections get the same level of security, but you must configure the OWA virtual directories on the Internet-facing CAS.
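The steps described above, as an added Exchange Management Shell example that is not part of the original article: it sets the OWA (and companion ECP) virtual directory URLs on the Internet-facing CAS, binds a CA-issued certificate for the external name to the IIS service, and then verifies that forms-based authentication is still in effect. The server name `EX01` and host name `mail.example.com` are assumed values.

```powershell
# Added example (not from the article). Assumed values: Internet-facing CAS named EX01,
# external host name mail.example.com, and a CA-issued certificate for that name already
# imported on the server.
$server       = "EX01"
$externalHost = "mail.example.com"

# Point both the internal and external OWA URLs at the name on the certificate so that
# remote clients are never redirected to a host name the certificate does not cover.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$externalHost/owa" `
    -ExternalUrl "https://$externalHost/owa"

# OWA's options pages are served by ECP from the same site; keep its URLs consistent.
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -InternalUrl "https://$externalHost/ecp" `
    -ExternalUrl "https://$externalHost/ecp"

# Pick the newest non-self-signed certificate that covers the external name and
# assign the IIS service to it, replacing the self-signed certificate for OWA.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and $_.CertificateDomains -contains $externalHost } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No trusted certificate for $externalHost is installed on $server."
}

Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# Verify the result: the external URL is set and Forms-Based Authentication remains
# the method, so credentials are only ever submitted over the SSL session.
Get-OwaVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl, FormsAuthentication, BasicAuthentication
```

Run this from an Exchange Management Shell session with the Organization Management role. The certificate lookup deliberately excludes self-signed certificates, so the script fails loudly rather than binding IIS to a certificate that external clients would not trust.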
For many years, a best practice was to publish Exchange services to the Internet using a reverse proxy. This was so common that Microsoft's Threat Management Gateway (TMG) was practically an additional Exchange role for publishing Exchange services such as OWA. However, most Exchange administrators are aware that Microsoft is no longer deploying TMG and it isn't possible to purchase the product for new deployments.
In the absence of the TMG, what's the best choice? What you choose will depend on your organization.
If you require external connections to terminate in the DMZ but do not require pre-authentication, you can use Application Request Routing. If you require pre-authentication for connections, use Windows Application Proxy. When deploying a highly available CAS, it may also be possible to use a hardware load balancer (HLB) to protect your external OWA connections.
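The pre-authentication option described above, as an added example that is not from the original article: it publishes OWA through Web Application Proxy so that users must authenticate against AD FS before the proxy forwards anything to the CAS. It assumes the Web Application Proxy role is already installed and joined to an AD FS farm, that a relying-party trust named `Exchange OWA` exists for OWA, and that the external host name `mail.example.com` and the certificate thumbprint are placeholders for your own values.

```powershell
# Added example (not from the article). Assumed values: external name mail.example.com,
# an AD FS relying-party trust named "Exchange OWA", and a placeholder thumbprint for the
# certificate bound to the proxy's external listener.
Import-Module WebApplicationProxy

$externalUrl = "https://mail.example.com/owa/"
$thumbprint  = "<THUMBPRINT-OF-EXTERNAL-CERTIFICATE>"   # placeholder, replace with your own

# Pre-authenticated publishing: the proxy redirects unauthenticated users to AD FS and
# only forwards requests to the CAS after they hold a valid AD FS token. The backend URL
# matches the external URL because the CAS certificate and OWA virtual directory use the
# same host name.
Add-WebApplicationProxyApplication -Name "Exchange OWA" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "Exchange OWA" `
    -ExternalUrl $externalUrl `
    -BackendServerUrl $externalUrl `
    -ExternalCertificateThumbprint $thumbprint

# Confirm the published application and its pre-authentication mode. An application
# listed with ExternalPreauthentication "PassThrough" would be terminating in the DMZ
# without pre-authentication, which is the ARR-style scenario, not this one.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

The same cmdlet with `-ExternalPreauthentication PassThrough` (and no `-ADFSRelyingPartyName`) gives a plain reverse proxy that only terminates the connection in the DMZ; choose between the two based on whether your organization needs credentials validated before traffic reaches the CAS.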
You may be wondering whether it's crazy to allow a direct connection from the Internet, through your firewall or HLB, to the CAS role. Not necessarily. Greg Taylor, principal program manager for the Exchange team, provides some excellent insight on this topic in his blog post about life in a post-TMG world. Microsoft has made a significant investment in Exchange to make sure it's more securely coded to eliminate threats. Applying product updates in a timely fashion and running a rigorous monitoring process could be far more effective than a black-box perimeter option.
About the author:
Richard Luckett is a consultant and instructor specializing in messaging and unified communications. He's been a certified professional with Microsoft since 1996 and has 20 years of experience in the public and private sectors. He's a Microsoft Certified Trainer with more than 15 years of training experience with the Microsoft product line and received the Exchange MVP award in 2006, 2007 and 2008. He's also an expert in deploying and integrating Exchange Server and Lync Server. He leads the Microsoft training and consulting practice at LITSG.