Recently I have seen a fair number of cases where ISA Administrators were trying to redirect connections made to the root OWA Web site to the /owa folder when publishing Exchange 2007 through ISA Server 2004/2006. In these particular cases they were using a documented trick for Exchange 2003 that involves entering a path on the OWA rule that looks like this /exchange\ . The trick is documented here and works quite well for Exchange 2003. The problem is that people believe it should also work for Exchange 2007. When they try this method they end up with a garbled inbox with a lot of red Xs showing up as shown in Figure 1:
Figure 1 – Problem that appears when using this approach with Exchange 2007.
I was curious about this and quickly discovered that putting the path /owa\ in the publishing rule was causing the issue as shown in Figure 2:
Figure 2 – OWA 2007 Publishing rule
So why would this work for Exchange 2003 but not Exchange 2007? It was time to break out the traces. I set Network Monitor up on the internal NIC of the ISA Server and in order to see what was going on I had to bridge to HTTP from ISA to Exchange. The first trace shows only the HTTP traffic between ISA and the OWA Server when using the /exchange\ path in the rule for Exchange 2003.
Figure 3 – Netmon trace taken from the internal NIC of ISA Server
We can see in Frame 1 that ISA Sends a GET request to /exchange%5c where %5c is the URL Escape character for \. In Frame 2 OWA apparently converts this and sends a 302 redirect to /exchange/ and then it continues on normally at this point.
In the trace for OWA 2007 where /owa\ was used we see the initial part of the conversation is similar but then we never receive a redirect as shown in Figure 4:
Figure 4 – Trace from Exchange Server
To view what was happening on the client I used HTTP Watch. After the initial GET request we receive a bunch of 403 Forbidden errors. There is no redirection sent from Exchange , the style sheet is not returned and this is why the Inbox is garbled, see Figure 5:
Figure 5 – Access forbidden error
So how can we accomplish this redirection?
In ISA 2004 we can accomplish this by making a change to the IIS server that hosts OWA 2007 (usually the Exchange CAS Server). On the Default Web Site right-click on properties and go to the Home Directory tab. Click the radio button for “A redirection to a URL” and enter /owa in the “Redirect to:” box. Also check the “A directory below URL entered”, as shown in Figure 6:
Figure 6 – IIS Default Website on Exchange
Next simply go into your OWA rule on ISA 2004 rule and add / as the internal path as shown in Figure 7:
Figure 7 – Paths tab from the OWA Publishing rule on ISA.
Now when external clients enter https://owa.fabrikam.com and successfully authenticate they will be redirected to https://owa.fabrikam.com/owa
The good news is that ISA Server 2006 makes this even easier to accomplish because it includes a feature on the Action tab that allows for a redirection. ISA Server actually sends a HTTP 302 (Redirect) to the client when the request matches the rule. I found that the easiest way to accomplish this is to copy your existing OWA rule and paste it above the original and call it something like “OWA Redirect”. In the Action tab on the new Redirect rule select Deny and check the box “Redirect HTTP requests to this Web page.” Put in the path to your OWA directory so in my case it would have been https://owa.fabrikam.com/owa as shown in Figure 8:
Figure 8 – ISA Server 2006 redirect option
Now in the same rule go to the Paths tab, remove what is in there, and add only / as the path as shown in Figure 9:
Figure 9 – Paths tab on the redirect publishing rule.
Note: In ISA 2004 your external clients still have to remember to use HTTPS. In ISA 2006 as long as your OWA rule is using a listener that listens for both HTTP and HTTPS they will not have to remember this.
In this article I showed you how a trick that was used to redirect OWA 2003 clients from the root folder to the /exchange folder doesn’t work with OWA 2007 and redirection to the /owa folder. I also showed you how you can still accomplish this in both ISA 2004 and ISA 2006. ISA 2006 has the additional flexibility of a redirect feature and is a compelling reason to upgrade if you are still on ISA 2004. Threat Management Gateway which is the next generation of ISA Server will also include this functionality.
Security Support Engineer – Forefront Edge Team
Microsoft – Charlotte
Technical ReviewerYuri DiogenesSr Security Support Escalation Engineer – Forefront Edge Team
Microsoft – Texas
I can't get OWA publishing rule to redirect on forefront tmg 2010 to owa Exchange 2007.
http to https is working fine set in the listener, but can't get /owa to work. I have tried the deny, redirect with the / in the path but Exchange 2007 doesn't like it.
I know that this post is old by now, but I'm hoping that somebody is still able to answer my question. I have tried the solution shown above to redirect OWA, but when we're since we are using Radius OTP it doesn't work because it has the side effect that the radius authentication attempt first will be accepted by the deny rule and then denied by the accept rule. Is there any other ways to do a redirect of OWA?