One of the most common requests we see is for assistance setting up a redirect in either ISA 2006 or Forefront TMG 2010. Administrators of ISA/TMG want this so they don't have to tell all of their external clients to preface the URL with https and also to append it with either /exchange or /owa. They want their users to simply type the Fully Qualified Domain Name (FQDN) of their Outlook Web Access application and have it just work.
In my test lab I am publishing Exchange 2007 Outlook Web Access at owa.contoso.com. If I do not have a redirect in place and simply type owa.contoso.com in my browser and hit Enter, I get the error "The page cannot be displayed." This is no good! (Figure 1)
I am assuming you already have the rule created that publishes Outlook Web Access. To create the redirect, go into your ISA or TMG MMC and highlight the rule in your Firewall Policy. Right-click on the rule and choose Copy. Now highlight the rule again, right-click and choose Paste. This creates a new rule with the same name and (1) appended to it. (Figure 2)
Before applying the changes you want to edit a few properties of the rule. Under the General tab rename it to something meaningful; I renamed mine simply OWA Redirect. Next click on the Action tab. Here choose Deny, tick "Redirect HTTP requests to this Web page:", and enter the full path, in this case https://owa.contoso.com/owa. (Figure 3)
Next click on the Listener tab. It is important that your listener is listening on port 80 for the HTTP request. It is also important that the field "Always Authenticate" says No: the listener must not require authentication, because the redirect has to serve anonymous requests before the user ever reaches the logon form. (Figure 4)
Next go to your Paths tab. We will need to make some changes here. The typical rule for Exchange 2007 would be publishing /public/*, /owa/*, /exchweb/*, and /exchange/*. (Figure 5)
We need to remove all of these paths and add only "/" (without the quotes). Do not make the mistake of adding "/*", because that pattern matches everything from the root on down, not just the bare root request the redirect is meant to catch. (Figure 6)
Now click on the Authentication Delegation tab and choose "No delegation, but client may authenticate directly" in the dropdown box. (Figure 7)
Next click on the Users tab, remove All Authenticated Users and replace it with All Users. (Figure 8)
Now click Apply and you will receive a warning (Figure 9). Ignore the warning and say OK.
In the ISA/TMG MMC move your new Redirect rule to just below your OWA publishing rule. Rules are evaluated top-down, so a request for /owa is handled by the publishing rule, while a request for the bare root ("/", which we added on the Paths tab) falls through to the redirect rule.
Now test from an external client by simply typing the FQDN of your OWA rule; you should be redirected automatically and greeted with the Forms Based Authentication logon page presented by ISA/TMG. (Figure 10)
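As an added check (not part of the original post), the following POSIX shell function validates the redirect response an external client receives on port 80: it must be a 301/302 whose Location is the https://<FQDN>/owa URL, with no ":80" carried into the HTTPS target, the symptom one commenter describes below. The hostname owa.contoso.com is the lab name from the post; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original post. check_redirect takes a raw HTTP
# response header block (as captured with `curl -sI http://owa.contoso.com/`)
# and returns 0 only when it is the redirect the rule is supposed to produce.

EXPECTED_HOST="owa.contoso.com"   # assumed lab FQDN; substitute your OWA host

# usage: check_redirect "<raw header text>"
check_redirect() {
    # strip CRs so the status line and header values compare cleanly
    headers=$(printf '%s' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" \
               | awk 'tolower($1)=="location:" {print $2; exit}')

    # the deny rule with "Redirect HTTP requests" must answer with a redirect
    case "$status" in
        301|302|307) ;;
        *) echo "FAIL: expected a redirect status, got '$status'"; return 1 ;;
    esac

    case "$location" in
        "https://$EXPECTED_HOST/owa"|"https://$EXPECTED_HOST/owa/") ;;
        https://"$EXPECTED_HOST":80/*)
            # https with an explicit :80 makes the browser raise an SSL error
            echo "FAIL: :80 leaked into an https Location: $location"; return 1 ;;
        http://*)
            echo "FAIL: redirect target is still plain HTTP: $location"; return 1 ;;
        *)
            echo "FAIL: unexpected Location '$location'"; return 1 ;;
    esac
    echo "OK: $status -> $location"
    return 0
}

# Live check against the port 80 listener (needs network access to the host):
#   check_redirect "$(curl -sI --max-redirs 0 "http://$EXPECTED_HOST/")"
```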
Great post, Keith! I posted something similar a while back. It also includes how to provide HTTP to HTTPS redirection for Forefront UAG.
I would update the recommendation for the authentication. Currently, the article states "Now click on the Authentication Delegation tab and choose "No delegation, but client may authenticate directly" in the dropdown box. (Figure 7)". However, I've run into authentication popups prior to the OWA FBA when ISA is configured to allow clients to authenticate. Since it is a redirect, authentication should not be allowed. Instead, the authentication will be handled AFTER the redirect when users arrive at the OWA FBA. This is assuming no ISA pre-authentication. Of course, YMMV.
I keep on getting this problem when I attempt this. OWA works properly using https://<domain>/owa however when I attempt the normal http://<domain> I get this error both internally and externally:
Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)
A little more information, I have TMG deployed with a single NIC if that makes any difference.
Thanks a lot. We were blocked for 4 days and your solution worked great.
Redirection is working fine for my setup. But when I enabled "user must change password at first logon", it ends with an SSL error. When I enter http:\\webmail.test.com it takes me to https:\\webmail.test.com\owa; after I enter the user name and password of an account set to "password must change", it takes me to https://webmail.test.com:80/owa/auth/expiredpassword.aspx?url=/owa/auth.owa. As you can see, port 80 is getting added automatically and it ends with an SSL error. If I manually remove the 80 from the URL it takes me to the password change screen without any issue.
I believe I'm missing something in my configuration. Any idea?
On the intranet it's working fine; it takes me to the password change screen without any issue. The issue is only over the internet. Thanks in advance.
That's great. It worked with UAG 2010 also.
We also solved this by eliminating the Deny redirect rule and adding the "/" to the OWA rule.
Although I had to find this out after verbose debugging :)
But it makes sense, since the IIS on the Exchange server is handling the OWA redirect. But if UAG does not let the user request go to the IIS with the FQDN of the domain, then there will be no redirect to /owa.