How to Configure Reverse Proxy Servers for Outlook Web Access
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-20
You may want to use a reverse proxy server to manage incoming requests to a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed or to servers that provide Outlook Web Access. A reverse proxy server provides the following advantages over a direct connection to a Client Access server:
- Security: The reverse proxy server provides an extra protective layer between the network and external computers. As a security best practice, use a reverse proxy server so that your Client Access server is not directly exposed to the Internet.
- SSL encryption and acceleration: Instead of configuring the Client Access server to provide Secure Sockets Layer (SSL) encryption, you can offload that function to the reverse proxy server. In addition to encrypting data that is sent between the Web browser and the Client Access server, this enables the reverse proxy server to inspect the data packets and apply filters before they reach the Client Access server. If SSL encryption is offloaded to a proxy server, data that is sent between the reverse proxy server and the Client Access server will not be encrypted unless you use SSL bridging.
- SSL bridging: If you must encrypt communication between the reverse proxy server and the Client Access server, you can end the SSL session between the Web browser and the reverse proxy server, and then establish a new SSL session between the reverse proxy server and the Client Access server. This protects the Client Access server from direct access from the Internet, enables the reverse proxy server to filter the data packets before they reach the Client Access server, and encrypts the data along the whole path between the Web browser and the Client Access server. Only the reverse proxy server will require a certificate from a reliable certification authority. The Client Access server can use either a self-signed certificate or a certificate from an enterprise certification authority. If your reverse proxy server is connected to multiple internal servers, this may reduce certificate costs.
- SSL offloading: You can also terminate the SSL connection at the reverse proxy server and continue to the Client Access server with a connection that is not encrypted. This is known as SSL offloading. If you use SSL offloading, the internal URL for Outlook Web Access must be set to use HTTP and the external URL must be set to use HTTPS. You can configure the internal URL and external URL by using the Exchange Management Console or by using the Set-OwaVirtualDirectory cmdlet with the InternalURL parameter and ExternalURL parameter in the Exchange Management Shell.
- Load balancing: A reverse proxy server can distribute the traffic that is destined for a single URL to a group of servers.
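The following Exchange Management Shell example, added here and not part of the original topic, sets the internal and external URLs of the Outlook Web Access virtual directory for the SSL offloading case described above and then checks that the schemes match what offloading requires. The server name CAS01, the public host name mail.contoso.com and the internal host name cas01.contoso.com are assumed values; substitute your own.

```powershell
# Added example (not from the original page): configure the OWA virtual
# directory URLs for SSL offloading at a reverse proxy.
# Assumed values: Client Access server CAS01, public name mail.contoso.com,
# internal name cas01.contoso.com.

$vdir = "CAS01\owa (Default Web Site)"

# With SSL offloading the reverse proxy terminates SSL and forwards plain HTTP,
# so the internal URL uses http://. The external URL is what browsers connect
# to and must stay https://. (With SSL bridging instead, keep https:// on both.)
Set-OwaVirtualDirectory -Identity $vdir `
    -InternalUrl "http://cas01.contoso.com/owa" `
    -ExternalUrl "https://mail.contoso.com/owa"

# Read the setting back. InternalUrl and ExternalUrl are System.Uri objects,
# so the scheme can be checked directly.
$owa = Get-OwaVirtualDirectory -Identity $vdir

if ($owa.ExternalUrl.Scheme -ne "https") {
    Write-Warning "ExternalUrl $($owa.ExternalUrl) is not HTTPS; browser logons would travel in the clear."
}
if ($owa.InternalUrl.Scheme -ne "http") {
    Write-Warning "InternalUrl $($owa.InternalUrl) is not HTTP; SSL offloading expects plain HTTP behind the proxy."
}

$owa | Format-List Identity, InternalUrl, ExternalUrl
```

Because offloading leaves the proxy-to-server hop unencrypted, the two warnings above are the check to run after any URL change: an external URL that drops to HTTP exposes logons on the Internet side, and an internal URL left on HTTPS means the proxy's plain HTTP forwarding will not reach the virtual directory as configured.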
You can use Microsoft Internet Security and Acceleration (ISA) Server as a reverse proxy server.
For more information about how to use ISA Server as a reverse proxy server, see the Microsoft Internet Security and Acceleration Server Web site.
To perform the following procedure on an ISA Server 2006 computer, the account you use must be delegated the ISA Server Enterprise Administrator role. To configure Outlook Web Access on the Exchange Client Access server, the account you use must be delegated the Exchange Server Administrator role and must be a member of the local Administrators group for the target server.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
1. In the ISA Server 2006 console, use the Publish Exchange Web Client Access wizard to publish Outlook Web Access.
2. (Optional) Configure ISA Server to authenticate users when they connect to the Outlook Web Access virtual directories.
For more information about how to configure ISA Server, see Publishing Exchange Server 2007 with ISA Server 2006.
If you have configured the ISA Server computer to authenticate users, we recommend that you configure the Outlook Web Access virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication, users are prompted for their logon information only one time.
Note: Integrated Windows authentication prohibits access to documents on Windows file shares or in Windows SharePoint Services document libraries from Outlook Web Access. If you must access documents from Outlook Web Access, you must use Basic authentication.
For more information about how to use ISA Server 2006 with Exchange 2007, see the following topics:
For more information about Outlook Web Access authentication methods, see the following topics:
For more information about how to use the Set-OwaVirtualDirectory cmdlet and the Exchange Management Console to manage Outlook Web Access virtual directories, see the following topics: