2.8.2 Configuring a Protected Resource for Outlook Web Access

To protect your Outlook Web Access server with Access Gateway, configure the Access Manager features described in the following sections. The instructions assume that you have a functioning Outlook Web Access server and a functioning Access Manager system:

Configuring a Protected Resource for Outlook Web Access

The following instructions assume that you have a basic setup with at least one reverse proxy and proxy service. If you don’t have this basic setup, see Section 2.6.3, Managing Reverse Proxies and Authentication and complete a basic setup before continuing.

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy].

  2. In the Proxy Service List section, click New.

  3. Specify a name for the proxy service, then click OK.

  4. Click the newly added proxy service.

    Specify the following details:

    Proxy Service Name: Specify a display name for the proxy service, which Administration Console uses for its interfaces.

    Published DNS Name: Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as the listening address.

    Multi-Homing Type: Select the multi-homing method that Access Gateway must use to identify this proxy service.

    Web Server IP Address: Specify the IP address of the IIS web server.

    Host Header: Select the Web Server Host Name option.

    Web Server Host Name: Specify the DNS name of the Outlook Web Access server. Access Gateway sends this name in the Host header of the requests it forwards to the web server, so it must be the host name that IIS expects for the Outlook Web Access site.

  5. Click OK.

  6. Continue with Configuring an Authentication Procedure.

Configuring an Authentication Procedure

  1. Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.

  2. Click New, then specify a display name for the resource.

  3. (Optional) Specify a description for the protected resource. You can use it to briefly describe the purpose for protecting this resource.

  4. Select an authentication contract. If you want to enable non-redirected login, select Name/Password - Basic as the authentication contract.

  5. (Optional) If you want to enable non-redirected login, click the Edit Authentication Procedure icon, then click the contract that you have added to specify the following information:

    Non-Redirected Login: Select the option to enable non-redirected login.

    Realm: Specify the security realm configured for the IIS server that runs Outlook Web Access. The value must match the realm exactly, because the browser only sends the Basic credentials for that realm.

    To check the security realm configured on the IIS server, open the IIS Administration Console, right-click the Outlook Web Access site that Access Gateway is protecting, then select Properties. The Directory Security tab contains the Security realm field. The same value is advertised in the WWW-Authenticate: Basic realm="..." header that IIS returns to an unauthenticated request.

  6. Create a protected resource:

    1. In the Protected Resource List, click New, specify a name such as root, then click OK.

    2. Specify the following values:

      Authentication Procedure: Select the contract you created.

      URL Path: Make sure that /* is selected. If you have configured Outlook Web Access as a path-based service, then click the URL path and add the path name of the service. For example, /owa/*, where owa is the path name.

      Click OK twice.

  7. Create a second protected resource:

    1. In the Protected Resource List, click New, specify a unique name, then click OK.

    2. Specify the following values:

      Authentication Procedure: Do not select any authentication procedure because the URL path is a public resource.

      URL Path: Specify /exchweb/* in the URL path. If you have configured Outlook Web Access as a path-based service, click the URL path and add the path name of the service. For example, /owa/exchweb/*, where owa is the path name.

      Click OK twice.

  8. Click OK.

  9. In the Protected Resource List, ensure that the protected resource you created is enabled.

  10. If you want to enable single sign-on, configure an Identity Injection policy or a Form Fill policy, depending on how Outlook Web Access authenticates users (basic authentication or forms-based authentication). For more information, see Configuring Identity Injection and Configuring Form Fill.

  11. Continue with Configuring a Rewriter Profile.
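The two protected resources above only work as intended if the public one is strictly narrower than the authenticated one. The following Python script is an added illustration, not Access Gateway code, that resolves sample request paths against the resource list from this procedure (and its path-based variant) and flags a public resource that is not nested under an authenticated one. It assumes, as the procedure implies, that a URL Path ending in /* covers that directory and everything below it, and that when several protected resources match a request the most specific path wins; the resource names and request paths are constructed for the example.

```python
"""Resolve which protected resource applies to a request path.

Added illustration, not Access Gateway code. Assumptions: a URL Path ending
in /* covers that directory and everything below it, and when several
protected resources match, the most specific (longest) URL Path wins.
"""

# Protected resources as created in the procedure: /* needs the contract,
# /exchweb/* is public (no authentication procedure).
RESOURCES = [
    {"name": "root", "url_path": "/*", "contract": "Name/Password - Basic"},
    {"name": "exchweb", "url_path": "/exchweb/*", "contract": None},
]

# The same pair for a path-based multi-homing service under /owa (assumed prefix).
PATH_BASED_RESOURCES = [
    {"name": "root", "url_path": "/owa/*", "contract": "Name/Password - Basic"},
    {"name": "exchweb", "url_path": "/owa/exchweb/*", "contract": None},
]


def path_matches(url_path, request_path):
    """True if the resource's URL Path covers request_path."""
    if url_path.endswith("/*"):
        prefix = url_path[:-1]                     # "/exchweb/*" -> "/exchweb/"
        return request_path == prefix.rstrip("/") or request_path.startswith(prefix)
    return request_path == url_path


def resolve(resources, request_path):
    """The most specific protected resource covering request_path, or None."""
    candidates = [r for r in resources if path_matches(r["url_path"], request_path)]
    return max(candidates, key=lambda r: len(r["url_path"]), default=None)


def classify(resources, request_path):
    """'authenticated', 'public', or 'unmatched' (no protected resource covers it)."""
    resource = resolve(resources, request_path)
    if resource is None:
        return "unmatched"
    return "public" if resource["contract"] is None else "authenticated"


def audit(resources):
    """Warnings worth fixing before enabling the resources."""
    warnings = []
    authenticated = [r for r in resources if r["contract"] is not None]
    if not authenticated:
        warnings.append("no protected resource requires authentication")
    for r in resources:
        if r["contract"] is None:
            directory = r["url_path"][:-2] or "/"  # "/exchweb/*" -> "/exchweb"
            if not any(path_matches(a["url_path"], directory) for a in authenticated):
                warnings.append(
                    f"public resource {r['name']} ({r['url_path']}) "
                    "is not nested under an authenticated resource")
    return warnings


if __name__ == "__main__":
    # Constructed request paths in the shape OWA clients use.
    for path in ("/", "/exchange/jdoe/Inbox", "/exchweb/img/logo.gif", "/exchwebx/private"):
        print(f"{path:28} {classify(RESOURCES, path)}")
    print("audit:", audit(RESOURCES) or "ok")
```

Note that /exchwebx/private is still authenticated: the public resource covers only the /exchweb/ directory, not every path that happens to start with the same letters. For a path-based service the public resource must carry the path prefix as well, otherwise /exchweb/... is not covered at all.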

Configuring a Rewriter Profile

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > HTML Rewriting.

  2. Click New in the HTML Rewriter Profile List.

  3. Configure a Word profile:

    1. Specify a name for the profile, select Word as the search boundary, then click OK.

    2. Click New in the Variable or Attribute Name to Search for Is section, then specify Variable or Attribute Name.

    3. Click OK.

    4. Select Rewrite Inbound Query String Data.

    5. Select Rewrite Inbound Post Data.

    6. Select Rewrite Inbound Headers.

    7. Ensure that Enable Rewrite Actions remains selected.

  4. (Optional) If you have configured the path-based multi-homing service, do the following:

    1. Add the following content types for the And Document Content-Type Header Is option in the Word profile:

      • text/x-component

      • extension/htc

    2. Configure the following options for Strings to Search for Is:

      • Specify Search as /exchange and Replace With as $path/exchange

      • Specify Search as /exchweb and Replace With as $path/exchweb

  5. Click OK to save your changes to the browser cache. The changes are not applied to the Access Gateway until you update it.

  6. Use the up-arrow button to move your profile to the top of the HTML Rewriter Profile List.

  7. To apply your changes, click the Access Gateways link, then click Update > OK.
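To make the effect of the Word profile concrete, the following Python script is an added illustration, not the Access Gateway rewriter itself: it approximates a Word search boundary with a regular expression, applies the two path-based substitutions from step 4 to a constructed response fragment, and models the inbound options (query string, POST data, headers) as the reverse substitution. The $path value /owa, the content-type list and the sample documents are assumptions made for the example.

```python
"""Simulate the Word-boundary rewriter profile described above.

Added illustration, not the Access Gateway rewriter: "Word" boundaries are
approximated with a regular expression and inbound rewriting is modelled as
the reverse substitution. $path, the content-type list and the sample
documents are constructed for the example.
"""
import re

PATH = "/owa"   # assumed $path: the path-based multi-homing prefix of the proxy service

# Strings to Search for Is, as entered in the profile.
RULES = [
    ("/exchange", "$path/exchange"),
    ("/exchweb", "$path/exchweb"),
]

# Document Content-Type values the profile applies to. The two OWA types are
# the ones the procedure adds; the others are an assumed default list.
CONTENT_TYPES = {"text/html", "text/javascript", "text/x-component", "extension/htc"}


def word_pattern(text):
    """Match text only when no word character is glued to either side of it."""
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(text) + r"(?![A-Za-z0-9_])")


def applies_to(content_type):
    return content_type.split(";")[0].strip().lower() in CONTENT_TYPES


def rewrite_outbound(body, content_type, rules=RULES, path=PATH):
    """Rewrite a web server response so links carry the public $path prefix."""
    if not applies_to(content_type):
        return body
    for search, replace in rules:
        body = word_pattern(search).sub(replace.replace("$path", path), body)
    return body


def rewrite_inbound(data, rules=RULES, path=PATH):
    """Reverse the substitution on query strings, POST data and headers sent
    by the browser, so the web server sees its own paths again."""
    for search, replace in rules:
        data = word_pattern(replace.replace("$path", path)).sub(search, data)
    return data


if __name__ == "__main__":
    # Constructed fragment in the shape of an OWA response (not captured).
    html = '<a href="/exchange/jdoe/Inbox">Inbox</a> <img src="/exchweb/img/logo.gif">'
    print(rewrite_outbound(html, "text/html; charset=utf-8"))
    print(rewrite_outbound(html, "text/plain"))          # content type not listed: untouched
    print(rewrite_inbound("url=/owa/exchweb/img/logo.gif"))
```

The Word boundary is what keeps the profile safe to apply repeatedly: a link that already reads /owa/exchange is not rewritten a second time because the a of owa sits directly before /exchange, and a path such as /exchangeweb is left alone because a word character follows the search string.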

Configuring Identity Injection

You must configure an Identity Injection policy to enable single sign-on with the Outlook Web Access server that has basic authentication configured. This Identity Injection policy must be configured to inject an authentication header. For information about creating this policy, see Section 10.4.3, Configuring an Authentication Header Policy.

Configuring Form Fill

You can configure a Form Fill policy that prepopulates the fields in the Outlook Web Access logon form the first time you log in and then saves the information from the completed form to the config store for subsequent logins. For information about how to create this policy, see Section 10.5, Form Fill Policies.

Enabling the Auto Submit option requires the following entries in addition to the username and password fields. To enable the Auto Submit option:

  1. Click Policies > Policies > <Policy Name>.

  2. In the Edit Policy page, add the following entries under Fill Options:

     Input Field Name   Input Field Type   Input Field Value                                    Data Conversion
     destination        Hidden             String Constant : http://<webserver DNS name>/owa    None
                                           (when the web server is configured for http)
                                           String Constant : https://<webserver DNS name>/owa
                                           (when the web server is configured for https)
     flags              Hidden             String Constant : 0                                  None
     forcedownlevel     Hidden             String Constant : 0                                  None
     isUtf8             Hidden             String Constant : 1                                  None
     trusted            Radio Button       String Constant : 0                                  None

  3. Under the Submit Options section, select Enable JavaScript Handling.

  4. Enter document.cookie="PBack=0; path=/" in Statements to Execute on Submit.

  5. Click OK and apply the changes.
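Auto Submit fails silently when the policy leaves a hidden field unfilled, so it is worth checking the policy against the form it targets before applying it. The following Python script is an added illustration, not Access Manager code: it parses a constructed sample of the Outlook Web Access logon form (in the shape the Fill Options table describes, not captured from a server), compares the form's inputs with the policy's Fill Options, and builds the body Form Fill would submit. The web server DNS name owa.example.com, the credential values and the radio-button labels are assumptions made for the example.

```python
"""Audit a Form Fill policy against the OWA logon form it must auto-submit.

Added illustration, not Access Manager code. The logon form is a constructed
sample in the shape the Fill Options table describes; the policy values stand
in for what the Credential Profile would supply at run time.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

SAMPLE_LOGON_HTML = """
<form action="/owa/auth/owaauth.dll" method="POST" name="logonForm">
  <input type="hidden" name="destination" value="https://owa.example.com/owa">
  <input type="hidden" name="flags" value="0">
  <input type="hidden" name="forcedownlevel" value="0">
  <input type="hidden" name="isUtf8" value="1">
  <input type="radio" name="trusted" value="0" checked> Public computer
  <input type="radio" name="trusted" value="4"> Private computer
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

# Fill Options as entered in the policy: input field name -> (type, value).
# DNS name and credential values are assumed for the example.
POLICY_FILL_OPTIONS = {
    "username": ("Text", "jdoe"),          # Credential Profile: LDAP User Name
    "password": ("Password", "s3cret"),    # Credential Profile: LDAP Password
    "destination": ("Hidden", "https://owa.example.com/owa"),
    "flags": ("Hidden", "0"),
    "forcedownlevel": ("Hidden", "0"),
    "isUtf8": ("Hidden", "1"),
    "trusted": ("Radio Button", "0"),
}

# HTML input type -> Input Field Type name used by the policy editor.
FIELD_TYPE_NAMES = {"hidden": "Hidden", "radio": "Radio Button",
                    "text": "Text", "password": "Password"}


class FormFieldCollector(HTMLParser):
    """Collect every named <input> in the form together with its type."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.fields.setdefault(a["name"], (a.get("type") or "text").lower())


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def missing_fill_options(html, policy):
    """Form inputs the policy never fills. With Auto Submit these are posted
    empty, which is why every hidden field must be listed explicitly."""
    return sorted(name for name in form_fields(html) if name not in policy)


def type_mismatches(html, policy):
    """Inputs whose Input Field Type in the policy differs from the form."""
    return sorted(name for name, html_type in form_fields(html).items()
                  if name in policy and FIELD_TYPE_NAMES.get(html_type) != policy[name][0])


def build_post_body(html, policy):
    """The application/x-www-form-urlencoded body Form Fill would submit."""
    return urlencode({name: policy[name][1] for name in form_fields(html) if name in policy})


if __name__ == "__main__":
    print("missing:", missing_fill_options(SAMPLE_LOGON_HTML, POLICY_FILL_OPTIONS))
    print("type mismatches:", type_mismatches(SAMPLE_LOGON_HTML, POLICY_FILL_OPTIONS))
    print(build_post_body(SAMPLE_LOGON_HTML, POLICY_FILL_OPTIONS))
```

Run it against the real logon page (saved from a browser) instead of the constructed sample to confirm that the field names in the Fill Options table match the form your Outlook Web Access version serves; a single renamed hidden field is enough to break Auto Submit.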