Configuring Outlook Web Access with forms-based authentication

Applies To: Forefront Threat Management Gateway (TMG)

To configure Outlook Web Access with forms-based authentication

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the Tasks pane, click the Toolbox tab.

  3. On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.

  4. Complete the New Web Listener Wizard as outlined in the following table.

    Page Field or property Setting or action

    Welcome to the New Web Listener Wizard

    Web listener name

    Type a name for the Web listener. For example, type OWA Forms-Based Listener.

    Client Connection Security

    Select Require SSL secured connections with clients.

    Web Listener IP Addresses

    Listen for incoming Web requests on these networks

    Select the External network. Click Select IP Addresses, and select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the IP address for the Web site, click Add, and then click OK.

    Listener SSL Certificates

    Select Use a single certificate for this Web listener, click Select Certificate, and select a certificate for which the host name that users use to access the published Web site appears in the Issued To field.

    Authentication Settings

    Select how clients will provide credentials to Forefront TMG

    In the drop-down list, select HTML Form Authentication.

    For instructions about using HTTP authentication (the default option) or SSL Client Certificate Authentication, see Configuring access for Outlook Web Access clients.

    Collect additional delegation credentials in the form

    This check box appears only when HTML Form Authentication is selected.

    Select this check box only if you intend to select RADIUS OTP or SecurID.

    Select how Forefront TMG will validate client credentials

    Select one of the available options. In a workgroup deployment, you can use only RADIUS, LDAP (Active Directory), RADIUS OTP, or SecurID.

    Single Sign On Settings

    Enable SSO for Web sites published with this listener

    If you enable single sign on, you must click Add and specify a domain within which single sign on will be applied.

    Completing the New Web Listener Wizard

    Review the settings and click Finish. If a message box appears, click Yes to enable the system policy rule Allow All HTTP Traffic from Forefront TMG to All Networks (for CRL downloads).
    
  5. In the Tasks pane, click the Tasks tab.

  6. On the Tasks tab, click Publish Exchange Web Client Access to open the New Exchange Publishing Rule Wizard.

  7. Complete the New Exchange Publishing Rule Wizard as outlined in the following table.

    Page Field or property Setting or action

    Welcome to the New Exchange Publishing Rule Wizard

    Exchange publishing rule name

    Type a name for the Exchange publishing rule. For example, type OWA Forms-Based.

    Select Services

    Exchange version

    Select the version of Exchange Server that is running on your Exchange servers.

    Web client mail services

    Select Outlook Web Access.

    Publishing Type

    Select Publish a single Web site or load balancer. The other options are beyond the scope of this procedure.

    Server Connection Security

    Select Use SSL to connect the published Web server or Web farm. This option requires that each Exchange front-end server has an SSL server certificate installed for which the host name that Forefront TMG uses to contact that Exchange server appears in the Issued To field.

    Internal Publishing Details

    Internal site name

    Type the host name that Forefront TMG will use in HTTP request messages sent to the published server.

    If the internal site name specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use a computer name or IP address to connect to the published server, and type the resolvable computer name or IP address of the published server.

    Public Name Details

    Accept requests for

    Select This domain name (type below).

    Public name

    Type the public FQDN or IP address that external users will use to access the published Outlook Web Access site.

    Select Web Listener

    Web Listener

    In the drop-down list, select the Web listener that you created in Step 4. You can then click Edit to modify properties of the Web listener selected.

    Authentication Delegation

    Select the method used by Forefront TMG to authenticate to the published Web server

    Select Basic authentication.

    User Sets

    This rule applies to requests from the following user sets

    If you are using Windows credentials validation, do not change the default All Authenticated Users. If you are using RADIUS or LDAP validation, you must use a user set that is configured for the RADIUS or LDAP namespace, respectively.

    Completing the New Exchange Publishing Rule Wizard

    Review the settings and click Finish.

  8. In the details pane, click the Apply button to save and update the configuration, and then click OK.

    Note

    • When publishing over SSL, an SSL server certificate that was issued to the public host name of the published Web site must be installed in the Personal store for the local computer on the Forefront TMG computer. For more information about obtaining and installing SSL server certificates, see Configuring server certificates for secure Web publishing.

    • On the Web Listener IP Addresses page of the New Web Listener Wizard, you can also select Default IP addresses for network adapters on this network. If Network Load Balancing is enabled, this option will automatically select the virtual IP address. Otherwise, the default IP address will be automatically selected for each network adapter.

    • If you require users to present an SSL client certificate, the system policy rule Allow All HTTP Traffic from Forefront TMG to All Networks (for CRL downloads) must be enabled. This system policy rule allows Forefront TMG to receive updated certificate revocation lists for validating the client certificates.

    • Forms-based authentication can be enabled on the Forefront TMG computer or on the Exchange server, but not on both. This procedure refers to forms-based authentication on the Forefront TMG computer, not on the Exchange servers.

    • With forms-based authentication, the user is directed to an HTML form. After the user provides credentials in the form and these credentials are validated, the system issues a cookie containing a ticket. On subsequent requests, the system first checks the cookie to see if the user was already authenticated, and if so, that user does not have to supply credentials again.

    • If you use RADIUS credentials validation, the Forefront TMG computer must be registered as a RADIUS client on the RADIUS server, and the RADIUS system policy rule must be enabled to allow RADIUS traffic from the Forefront TMG computer (Local Host network) to the Internal network. This rule assumes that the RADIUS server is located in the Internal network.

    • If you select RADIUS, LDAP, or RADIUS OTP credentials validation, you must edit the properties of the Web listener that you create to specify the RADIUS or LDAP servers that will be queried for authentication.

    • Users connect with Outlook Web Access by opening a URL that typically has the form https://host_name/exchange. You may need to modify the mappings between the paths specified by users and the internal paths on the Paths tab of your Web publishing rule's properties.

    • With forms-based authentication and Basic authentication, the credentials sent to the Forefront TMG computer can be delegated to the published server.

    • For more information about other settings in Web publishing rules, see Planning for publishing.

    • After you complete this task, see Blocking attachments from reaching Outlook Web Access clients.
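    The ticket-cookie flow and the Basic-authentication delegation described in the notes above, shown as an added illustration that is not Forefront TMG's code and does not reproduce TMG's actual cookie name or ticket format. The gateway validates the form credentials against a pluggable back end (standing in for Windows, RADIUS, or LDAP validation), issues an HMAC-signed, time-limited ticket in a Secure, HttpOnly cookie, sends the user back to the form when the ticket is missing, tampered with, or expired, and forwards accepted requests to the published server with an Authorization: Basic header and the internal site name as the Host header. The cookie name gw_auth, the 900-second lifetime, the user directory, and the internal host name mail.corp.example are constructed for this example; the page does not document how TMG holds the credentials it later delegates, so keeping them in a server-side session table is this example's own design choice.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "gw_auth"   # hypothetical cookie name; not TMG's real one
TICKET_LIFETIME = 900     # seconds a ticket stays valid (assumed value)


class FormsAuthGateway:
    """Minimal forms-based-auth front end for a published Web server (illustration)."""

    def __init__(self, validate, internal_host, key=None, now=time.time):
        self._validate = validate            # callable(user, password) -> bool
        self._internal_host = internal_host  # Host header sent to the published server
        self._key = key or secrets.token_bytes(32)
        self._now = now                      # injectable clock so expiry can be tested
        self._sessions = {}                  # ticket id -> (user, password) kept for delegation

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def login(self, user, password):
        """Handle the form POST. Returns a Set-Cookie value, or None if rejected."""
        if not self._validate(user, password):
            return None
        sid = secrets.token_hex(16)
        expires = int(self._now()) + TICKET_LIFETIME
        payload = f"{sid}:{expires}".encode()
        ticket = base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)
        self._sessions[sid] = (user, password)
        return f"{COOKIE_NAME}={ticket}; Secure; HttpOnly; Path=/"

    def handle(self, cookies):
        """Decide what to do with a request given its cookie dict. Returns
        ("form", None) when the user must (re)authenticate, or
        ("forward", headers) with the headers for the published server."""
        ticket = cookies.get(COOKIE_NAME, "")
        encoded, _, sig = ticket.partition(".")
        try:
            payload = base64.urlsafe_b64decode(encoded)
        except (ValueError, binascii.Error):
            return "form", None
        # Check integrity before trusting anything inside the ticket.
        if not sig or not hmac.compare_digest(sig, self._sign(payload)):
            return "form", None
        sid, _, expires = payload.decode().partition(":")
        if int(expires) < self._now():
            self._sessions.pop(sid, None)    # expired: forget the cached credentials
            return "form", None
        creds = self._sessions.get(sid)
        if creds is None:
            return "form", None              # unknown or logged-out session
        user, password = creds
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        return "forward", {"Host": self._internal_host,
                           "Authorization": "Basic " + basic}


def ticket_from_cookie(set_cookie):
    """Extract the ticket value from a Set-Cookie header produced by login()."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def demo():
    """Walk one user through the flow; returns the outcome of each step."""
    clock = [1_000_000.0]
    directory = {"alice": "s3cret"}          # constructed sample credential store
    gw = FormsAuthGateway(lambda u, p: directory.get(u) == p, "mail.corp.example",
                          key=b"\x01" * 32, now=lambda: clock[0])
    out = {}
    out["no_cookie"] = gw.handle({})[0]                  # first visit: show the form
    out["bad_password"] = gw.login("alice", "wrong")     # rejected: no cookie issued
    ticket = ticket_from_cookie(gw.login("alice", "s3cret"))
    verdict, headers = gw.handle({COOKIE_NAME: ticket})
    out["valid"] = verdict
    out["delegated"] = headers["Authorization"]
    out["host"] = headers["Host"]
    tampered = ("A" if ticket[0] != "A" else "B") + ticket[1:]
    out["tampered"] = gw.handle({COOKIE_NAME: tampered})[0]
    clock[0] += TICKET_LIFETIME + 1                      # advance past the ticket lifetime
    out["expired"] = gw.handle({COOKIE_NAME: ticket})[0]
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:13s} -> {result}")
```

    The point of verifying the HMAC before parsing the payload is that nothing inside the cookie is trusted until the gateway has confirmed it issued it; expiry is enforced by the gateway's own clock, so a client cannot extend a ticket by editing it.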

    Concepts

    Configuring Outlook Web Access publishing