Exchange 2013 URL publishing through WAP

  • Question

  • Hi,

    Just wanted to reconfirm to clarify my doubt that

    If we are publishing Exchange 2013 URL through Web Application Proxy (WAP) then we don't need to have Public IP Natted to Exchange Server or OWA URL pointing to Exchange Server...instead  OWA external URL has to be pointed to Public IP of WAP Server.

    Here Public IP is required only for WAP Server....

    Hope my understanding is right, and I would appreciate it if anyone can confirm or correct me if I am wrong anywhere.


    Regards:Mahesh

    Thursday, August 25, 2016 5:45 PM

Answers

  • Hi All,

    I tested this recently and below are the details

    1. Public IP NAT is not required for Exchange Servers

    2. SSL Certificate to be installed on Exchange Servers where CAS URL is published as a standard process.

    3. Create DNS A record in internal DNS pointing to Exchange Server's CAS URL/Webmail URL

    4. Configure the WAP with Public IP or NAT to Public IP

    5. Create DNS A record in public DNS for CAS URL/Webmail and point to WAP Server Public IP.

      This is the main step, and the security concerns are taken care of at this stage, which is the benefit of a reverse proxy/WAP.

    6. Configure the WAP as Pass-through for the CAS/Webmail URL. Here the External URL will be the Public URL, which points to the A record in Public DNS, and the internal URL will be the internal CAS URL, which points to the A record in internal DNS.

    7. Ensure WAP server is able to reach Exchange CAS/Webmail through internal IP.

    8. Configure/point the Webmail Certificate in WAP which is used for Webmail

    Now any users accessing the webmail from internet will hit the WAP Server and then WAP will redirect the session to CAS URL on internal IP.

    Thanks to all for sharing your views and answers.


    Regards:Mahesh

    Tuesday, September 13, 2016 4:57 PM
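
The checks and the pass-through publishing rule from steps 3 to 8 above, written as an added PowerShell example to run on the WAP server; it is not part of the original post. The host name, DNS servers, IP addresses and application name are constructed placeholders, and the script assumes the same host name is used externally and internally (split DNS).

```powershell
# Added example. Every name and address below is a constructed placeholder.
$HostName    = 'mail.example.com'   # CAS/webmail name (assumed same inside and outside)
$InternalDns = '10.0.0.10'          # internal DNS server
$PublicDns   = '203.0.113.53'       # an external resolver reachable from the WAP
$WapPublicIp = '203.0.113.10'       # public (or NATed) IP of the WAP server
$AppName     = 'Exchange Webmail'   # display name of the published application

function Get-ARecord([string]$Name, [string]$Server) {
    # Return only A-record addresses (a CNAME chain may also be in the answer).
    Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

# Steps 3 and 5: internal record -> Exchange, public record -> WAP only.
$internal = @(Get-ARecord $HostName $InternalDns)
$public   = @(Get-ARecord $HostName $PublicDns)
if ($public -notcontains $WapPublicIp) {
    throw "Public A record for $HostName is '$public', expected $WapPublicIp"
}
if ($internal -contains $WapPublicIp) {
    throw "Internal A record for $HostName points at the WAP, not at Exchange"
}

# Step 7: the WAP must reach Exchange on TCP 443 over the internal address.
foreach ($ip in $internal) {
    if (-not (Test-NetConnection -ComputerName $ip -Port 443).TcpTestSucceeded) {
        throw "WAP cannot reach $ip on TCP 443"
    }
}

# Step 8: pick a valid certificate for the webmail name from the machine store.
# (Exact-name match only; a wildcard certificate needs a different filter.)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                   $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $HostName in LocalMachine\My" }

# Step 6: publish as pass-through. WAP does no pre-authentication here;
# the client authenticates against Exchange itself.
Add-WebApplicationProxyApplication -Name $AppName `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$HostName/" `
    -BackendServerUrl "https://$HostName/" `
    -ExternalCertificateThumbprint $cert.Thumbprint

Get-WebApplicationProxyApplication -Name $AppName |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```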

All replies

  • Hi Mahesh, I am assuming a few things 

    #1 

    Client ---> Firewall <--> ADFS WAP <--firewall--> Exchange OWA 

    #2

    When publishing the OWA in the WAP Publishing Wizard, you choose "Active Directory Federation (AD FS)" under "Preauthentication".

    You will enter the public URL under the "External URL:" option in the publishing settings, which would be something like owa.yourdomain.com, which will (need to) be mapped to a public IP in your domain DNS server. 

    Hope this answers your question 

    Regards 

    Sakthis 

    Friday, August 26, 2016 3:18 AM
  • Hi Sakthis,

    I am not able to find the answer in your revert.

    My query is do we need to have public IP for Exchange OWA? In my understanding we don't need since OWA URL Public IP to be mapped to WAP Server.

    Client connection will hit the OWA URL which will be external URL for WAP and then pass through to Exchange for authentication if WAP is in Pass through mode.

     If WAP is configured with claim based pre authentication then WAP will get the authentication done and provide the access to Exchange.


    Regards:Mahesh

    Friday, August 26, 2016 4:06 AM
  • Hi Mahesh, not sure what you mean by this:

    In my understanding we don't need since OWA URL Public IP to be mapped to WAP Server.

    Does this mean you actually have a NAT for OWA in place? Any network schematic of how WAP and OWA are placed would be helpful to understand more.

    To your question, whether the OWA URL needs Public or not is actually based on your firewall config; say, if the WAP is in your DMZ and the OWA is in your internal, you possibly want to have a NAT done in your firewall.

    I believe we are talking about whether the WAP communication to OWA should be on a private IP or a public IP, and that too is based on your network and DNS layer configuration. 

    Regards 

    Sakthis 

    Friday, August 26, 2016 7:32 AM
  • Any update here?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, September 13, 2016 4:02 PM
  • How do you do step number 6 without having an ADFS Server?
    Thursday, September 26, 2019 2:19 PM
  • Hi,

    In the absence of ADFS servers, your environment should have some other reverse proxy which provides a similar solution.

    Some hardware load balancers and firewalls provide a reverse proxy service which can be used here to publish the Webmail URL.


    Regards:Mahesh

    Thursday, September 26, 2019 2:36 PM