Authors:
Ramesh Nerella
B Ajesh

Introduction

When the Outlook Web Access (OWA) server is protected by the Linux Access Gateway, you could face problems if the default rewriter configuration is used. This document outlines a proposed deployment scenario, the steps to configure the Linux Access Gateway, the test setup used for this document, and known issues.

Deployment Scenario

Fig 1: Setup of OWA server accelerated by using LAG

  1. The user requests access to a resource protected by the Access Gateway.
  2. The Access Gateway redirects the user to the Identity Server, which prompts the user for a username and password.
  3. The Identity Server verifies the username and password against an LDAP directory (eDirectory™, Active Directory, or Sun ONE).
  4. The Identity Server returns an authentication success to the browser and the browser forwards the resource request to the Access Gateway.
  5. The Access Gateway verifies that the user is authenticated and retrieves the user’s credentials from the Identity Server.
  6. The Access Gateway uses an Identity Injection policy to insert the basic authentication credentials in the HTTP header of the request and sends it to the Web server.
  7. The Web server grants access and sends the requested page to the user.

Configuring Linux Access Gateway

Host or Domain-based Configuration

To accelerate the OWA server configured with basic/form-based authentication as a Host-based and Domain-based service, configure the following rewriter profile:

  1. Log in to the Administration Console with the administrator credentials.
  2. Select Access Manager > Access Gateways > Edit.
  3. Click the Reverse Proxy that you have configured.
  4. Select the HTML Rewriting tab and create a word profile as follows:
    1. Make sure the default profile is enabled.
    2. Create a new word profile as follows:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter word profile.
      2. Click the newly added word profile.
      3. Add the following values to the Variable or Attribute Name to Search for Is section:
        formvalue
        value

        Fig 2: Word Profile Configuration

      4. Select Rewrite Inbound Query String Data.
      5. Select Rewrite Inbound Post Data.
      6. Select Rewrite Inbound Headers.
      7. Click OK.

        Fig 3: Word Profile Configuration

  5. Ensure that the configured profile is ordered at the top of the list.

Path-Based Configuration

To accelerate the OWA server configured with basic/form-based authentication as a Path-based service, configure the rewriter profile as follows:

  1. Log in to the Administration Console with the administrator credentials.
  2. Select Access Manager > Access Gateways > Edit.
  3. Click the Reverse Proxy that you have configured.
  4. Select the HTML Rewriting tab and create a word profile as follows:
    1. Create a new word profile as follows:
      1. Select New from HTML Rewriter Profile List, and then create a new HTML Rewriter word profile.
      2. Click the newly added word profile.
      3. Add the following content type to the And Document Content-Type Header Is section:
        • text/x-component
        • extension/htc

        Fig 4: Word Profile Configuration

      4. Add the following values to the Variable or Attribute Name to Search for Is section:
        formvalue
        value

        Fig 5: Word Profile Configuration

      5. Add the following search and replace entries to the String to Search for Is section:

        SEARCH STRING    REPLACE STRING
        /exchange        $path/exchange
        /exchweb         $path/exchweb

        Fig 6: Word Profile Configuration

      6. Select Rewrite Inbound Query String Data.
      7. Select Rewrite Inbound Post Data.
      8. Select Rewrite Inbound Headers.
      9. Make sure that Enable Rewrite Actions remains selected.
      10. Click OK.

        Fig 7: Word Profile Configuration

  5. Ensure that the configured profile is ordered at the top of the list.

Configuring a Protected Resource

  1. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.
  2. Either click the name of an existing resource or click New, then specify a display name for the resource.

    Fig 8: Protected Resource Configuration

  3. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.
  4. Select an authentication contract. If you want to enable non-redirected login, select Name/Password – Basic as the authentication contract.
  5. (Optional) If you want to enable non-redirected login, click the Edit Authentication Procedure icon, then click the contract that you have added to specify the following information:
    • Non-Redirected Login: Select the option to enable non-redirected login.
    • Realm: Specify the security realm configured for the IIS server running the Outlook Web Access server.

      To check the security realm configured for the IIS server, open the IIS Administration Console, right-click the Outlook Web Access Server the Access Gateway is protecting, then select Properties. The Directory Security tab contains the Security realm field.

  6. Create a protected resource as follows:
    • In the Protected Resource List, click New, specify a name such as root, then click OK.
    • Specify the following values:
      • Authentication Procedure: Select the contract you created.
      • URL Path: Make sure that /* is selected. If you have configured Outlook Web Access as a path-based service, then click the URL path and add the path name of the service. For example, /owa/*, where owa is the path name.
      • Click OK twice.
  7. Create another protected resource as follows:
    • In the Protected Resource List, click New, specify a unique name, then click OK.
    • Specify the following values:
      • Authentication Procedure: Do not select any authentication procedure as the URL path is a public resource.
      • URL Path: Specify /exchweb/* as the URL path. If you have configured Outlook Web Access as a path-based service, then click the URL path and add the path name of the service. For example, /owa/exchweb/*, where owa is the path name.
      • Click OK twice.
  8. In the Protected Resource List, ensure that the protected resource you created is enabled.
  9. If you want to enable single sign-on, then configure Identity Injection or Form Fill policy, depending on the Outlook Web Access configuration.
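
The following is an added example, not part of the original article or of the product: it models the two protected resources from steps 6 and 7 so that you can list which request paths end up with no authentication procedure. It assumes the most specific URL path wins when several match; the function names and sample paths are constructed for illustration.

```python
import posixpath

def build_resources(path_name=""):
    """Protected resources from steps 6 and 7 as (url_path, contract) pairs.

    path_name is the path-based service prefix such as "/owa" ("" for host-
    or domain-based services). contract None = no authentication procedure.
    """
    return [
        (path_name + "/*", "Name/Password - Basic"),
        (path_name + "/exchweb/*", None),
    ]

def match_resource(url_path, resources):
    """Return the (url_path, contract) pair governing a request path, or None.

    ASSUMPTION: the most specific (longest) matching URL path wins.
    """
    # Resolve dot-segments so the decision uses the path that is served.
    path = posixpath.normpath(url_path)
    if url_path.endswith("/") and path != "/":
        path += "/"
    best = None
    for pattern, contract in resources:
        prefix = pattern[:-1]  # "/exchweb/*" -> "/exchweb/"
        if path.startswith(prefix) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, contract)
    return best

def public_paths(url_paths, resources):
    """Request paths that reach the Web server with no authentication procedure."""
    hits = []
    for p in url_paths:
        m = match_resource(p, resources)
        if m is not None and m[1] is None:
            hits.append(p)
    return hits

# Constructed sample request paths for a path-based service named "owa".
SAMPLE = [
    "/owa/exchange/jdoe/Inbox/",
    "/owa/exchweb/img/logo.gif",
    "/owa/exchweb/bin/auth/owalogon.asp",
    "/owa/public/",
]

if __name__ == "__main__":
    for p in public_paths(SAMPLE, build_resources("/owa")):
        print("no authentication procedure:", p)
```

Every path the function returns is served without an authentication procedure, so review what the Web server exposes under /exchweb before enabling the public resource.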

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: nramesh
Jul 31, 2009
11:15 am