
How do I grant users outside the LAN access to OWA?

Our company has users who reside outside the local area network. What's the best way to grant those users access to Outlook Web App?

The Client Access Server role was introduced in Exchange Server 2007 to provide a more scalable and secure way to connect internal and external clients to Exchange mailboxes. Exchange Server 2013 also leverages this server role.

By default the Client Access Server (CAS) role requires a secure connection to Outlook Web App (OWA) even from internal clients. Setup creates a self-signed certificate during installation and assigns the "IIS" services to it; OWA is one of the IIS services that certificate protects. Forms-Based Authentication, the default authentication method for OWA, submits the user's credentials in a web form and therefore depends on that SSL/TLS connection. A certificate from a trusted internal or public certificate authority can replace the self-signed certificate, and for external access it should, because browsers outside the domain will not trust the self-signed one. The same security model applies to external and remote connections; what changes is that the OWA virtual directories on the Internet-facing CAS must be configured with the external URL, and the certificate bound to IIS must cover that external host name.
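The following Exchange Management Shell script is an added example, not code from the original article or from Microsoft. It assumes an Exchange 2013 CAS named CAS01, an external host name of mail.example.com, and that a certificate from a trusted CA covering that name has already been imported with Import-ExchangeCertificate. It replaces the self-signed certificate on the IIS services, sets the external URL on the OWA and ECP virtual directories, and then prints what is actually bound so the result can be checked.

```powershell
# Added example (not from the original article). Assumed names: CAS01, mail.example.com.
$server       = 'CAS01'
$externalFqdn = 'mail.example.com'

# 1. Pick a CA-issued, unexpired certificate whose SAN list includes the external name.
#    (A wildcard cert such as *.example.com would need a -like match instead of -contains.)
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object {
        -not $_.IsSelfSigned -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $externalFqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No trusted certificate for $externalFqdn on $server; import one before publishing OWA."
}

# 2. Bind it to the IIS services. This replaces the self-signed default for OWA, ECP, EWS, etc.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS -Force

# 3. Point the OWA virtual directory at the external name and keep forms-based auth as the only
#    method. ECP is published alongside because OWA's Options page depends on it.
$owa = Get-OwaVirtualDirectory -Server $server | Select-Object -First 1
Set-OwaVirtualDirectory -Identity $owa.Identity `
    -ExternalUrl "https://$externalFqdn/owa" `
    -InternalUrl "https://$externalFqdn/owa" `
    -FormsAuthentication $true `
    -BasicAuthentication $false `
    -DigestAuthentication $false `
    -WindowsAuthentication $false

$ecp = Get-EcpVirtualDirectory -Server $server | Select-Object -First 1
Set-EcpVirtualDirectory -Identity $ecp.Identity `
    -ExternalUrl "https://$externalFqdn/ecp" `
    -InternalUrl "https://$externalFqdn/ecp"

# 4. Verify: the certificate on IIS is CA-issued, unexpired and covers the external name,
#    and OWA accepts credentials only through the forms-based logon page over TLS.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Format-Table Thumbprint, IsSelfSigned, NotAfter, CertificateDomains -AutoSize

Get-OwaVirtualDirectory -Server $server |
    Format-Table Identity, ExternalUrl, FormsAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize
```

Run this on the Internet-facing CAS; the virtual directory changes take effect after the IIS application pools recycle (an `iisreset` forces it). The same external name should also be the one the firewall or load balancer presents to the Internet, otherwise clients will see a name mismatch warning even with a trusted certificate.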

For many years, the best practice was to publish Exchange services to the Internet through a reverse proxy. This was so common that Microsoft's Threat Management Gateway (TMG) was practically an additional Exchange role for publishing services such as OWA. However, as most Exchange administrators know, Microsoft has discontinued TMG and it can no longer be purchased for new deployments.

In the absence of TMG, what's the best choice? That depends on your organization.

If you require that external connections terminate in the DMZ but do not require pre-authentication, you can use IIS Application Request Routing (ARR) as the reverse proxy. If you require pre-authentication, use Web Application Proxy (WAP), the Windows Server 2012 R2 role service that authenticates users against AD FS before forwarding the request to the CAS. When the CAS role is deployed in a highly available array, the hardware load balancer (HLB) that already terminates external connections may also be able to front OWA, though most load balancers filter and terminate traffic rather than pre-authenticate it; check what yours actually provides before treating it as a security boundary.
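The script below is an added example of the pre-authenticated option, not code from the original article or from Microsoft. It assumes a Windows Server 2012 R2 machine in the DMZ with the Web Application Proxy role service already joined to an AD FS farm (Install-WebApplicationProxy has been run), the public certificate for mail.example.com in that machine's certificate store, an internal CAS reachable as cas01.corp.example.com, and an AD FS relying party trust named "Outlook Web App" already created for OWA. The pass-through form is shown beside it so the difference between the two modes is visible.

```powershell
# Added example (not from the original article). Assumed names: mail.example.com,
# cas01.corp.example.com, relying party trust "Outlook Web App".
$externalHost = 'mail.example.com'
$backendHost  = 'cas01.corp.example.com'

# Find the public certificate for the external name in the WAP machine store.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.DnsNameList.Unicode -contains $externalHost -and $_.NotAfter -gt (Get-Date) } |
          Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw "No certificate for $externalHost in Cert:\LocalMachine\My" }

# Pre-authenticated publishing: WAP redirects the user to AD FS first and only forwards requests
# that carry a valid AD FS token, so anonymous Internet traffic never reaches the CAS.
Add-WebApplicationProxyApplication -Name 'OWA' `
    -ExternalUrl "https://$externalHost/owa/" `
    -BackendServerUrl "https://$backendHost/owa/" `
    -ExternalCertificateThumbprint $thumb `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Outlook Web App'

# OWA's Options page lives under /ecp, so publish it with the same policy.
Add-WebApplicationProxyApplication -Name 'ECP' `
    -ExternalUrl "https://$externalHost/ecp/" `
    -BackendServerUrl "https://$backendHost/ecp/" `
    -ExternalCertificateThumbprint $thumb `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Outlook Web App'

# Pass-through variant (no pre-authentication). WAP still terminates TLS in the DMZ, but every
# request, authenticated or not, is forwarded and the CAS's forms-based logon page does the work.
# This is the equivalent of the ARR option and is shown here only for comparison.
# Add-WebApplicationProxyApplication -Name 'OWA-passthrough' `
#     -ExternalUrl "https://$externalHost/owa/" `
#     -BackendServerUrl "https://$backendHost/owa/" `
#     -ExternalCertificateThumbprint $thumb `
#     -ExternalPreauthentication PassThrough

# Verify what is published and in which mode.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication -AutoSize
```

With AD FS pre-authentication the CAS side must also accept the AD FS token: Exchange 2013 SP1 supports this natively (the OWA and ECP virtual directories are switched to AD FS authentication with `Set-OwaVirtualDirectory -AdfsAuthentication $true` and the matching ECP cmdlet), while earlier builds need Kerberos constrained delegation from WAP to the CAS instead. In either mode the firewall should allow only TCP 443 from WAP to the CAS, so the proxy is the only path in from the Internet.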

You may be wondering whether it is reckless to allow a connection from the Internet straight through your firewall or HLB to the CAS role. Not necessarily. Greg Taylor, principal program manager on the Exchange team, gives excellent insight on this topic in his blog post about life in a post-TMG world. Microsoft has invested significantly in making Exchange more securely coded and in reducing the attack surface it exposes. Applying product updates promptly, allowing only the HTTPS port the CAS needs through the firewall, and monitoring rigorously can be far more effective than a black-box perimeter option.

About the author: 
Richard Luckett is a consultant and instructor specializing in messaging and unified communications. He's been a certified professional with Microsoft since 1996 and has 20 years of experience in the public and private sectors. He's a Microsoft Certified Trainer with more than 15 years of training experience with the Microsoft product line and received the Exchange MVP award in 2006, 2007 and 2008. He's also an expert in deploying and integrating Exchange Server and Lync Server. He leads the Microsoft training and consulting practice at LITSG.

This was last published in December 2014
