Publish Exchange 2013 through Web Application Proxy (WAP)

  • Question

  • Hello,

    We have a single Exchange server (no DAG) all roles installed; currently we forward HTTP/HTTPS and SMTP directly to the server.

    It works fine, but I want to take a few steps to secure it.

    Since I have a Windows Server 2016 WAP deployed in the DMZ (not domain joined), I want to leverage this to publish all the Exchange HTTPS services through it.

    I know that OWA/ECP can be configured to leverage AD FS authentication and can also be published through WAP so that the WAP server performs the AD FS pre-authentication. The other protocols such as ActiveSync need to be published in "pass-through" mode on the WAP.

    What I wanted to do is publish OWA/ECP along with the rest of the Exchange protocols through WAP in a "pass-through" mode only, so no changes required at application end or ADFS end.

    Is this a supported configuration? Can I still leverage virtual directories to block access to admin ECP externally? I read somewhere that if you are using WAP to do ADFS pre-auth, you cannot use Vdirs to prevent admin access to ECP externally.

    I don't currently have a lab environment to play with so this will be changed on live server; so my question is:

    - Can I publish OWA/ECP along with the rest of the directories in a "pass-through" mode only in WAP and is this supported?

    - This should still give us some level of protection in that the WAP is in DMZ and some of the WAP specific features that protect against DoS and account lockouts

    - Can we still leverage virtual directories to protect the administrative EAC?

    - What are you doing to protect SMTP protocol since this cannot be published via WAP; are you running an Exchange Edge Transport role in DMZ?

    My sources:

    https://allaboutcloud.info/disable-external-access-to-exchange-admin-centre-on-a-single-exchange-server-20136

    https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx

    Tuesday, May 2, 2017 10:08 PM
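    The two-part procedure the question describes (publish every Exchange HTTPS endpoint through WAP in pass-through mode, then stop administrators from reaching the EAC through the Internet-facing ECP virtual directory), as an added example. This is not code from the thread or from Microsoft; the namespace mail.contoso.com, the server name EX01 and the certificate thumbprint are assumptions.

```powershell
# Added example (not from the original thread): pass-through publishing of the
# Exchange 2013 client endpoints on WAP, then turning the EAC off on the default
# website's ECP virtual directory.
# Assumed names: mail.contoso.com (one namespace used inside and outside), EX01
# (the Exchange server) and the certificate thumbprint below.

# ---- Part 1: run on the WAP server (Remote Access role, not domain joined) ----
$externalHost = 'mail.contoso.com'
$backendHost  = 'mail.contoso.com'   # WAP resolves this via its hosts file or DMZ DNS
$certThumb    = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed; see Get-ChildItem Cert:\LocalMachine\My

# Client-facing virtual directories. All use pass-through: WAP can only do AD FS
# pre-authentication for browser apps (OWA/ECP); ActiveSync, EWS, OAB, MAPI/HTTP,
# Outlook Anywhere (/rpc) and Autodiscover must be pass-through anyway.
$paths = @('owa', 'ecp', 'Microsoft-Server-ActiveSync', 'EWS', 'OAB',
           'mapi', 'rpc', 'Autodiscover')

foreach ($p in $paths) {
    $name = "Exchange $p"
    if (Get-WebApplicationProxyApplication -Name $name -ErrorAction SilentlyContinue) {
        Write-Host "Already published: $name"
        continue
    }
    Add-WebApplicationProxyApplication `
        -Name $name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$externalHost/$p/" `
        -BackendServerUrl "https://$backendHost/$p/" `
        -ExternalCertificateThumbprint $certThumb
}

# Check: every published application should show PassThrough and the expected URLs.
Get-WebApplicationProxyApplication |
    Where-Object Name -like 'Exchange *' |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize

# ---- Part 2: run in the Exchange Management Shell on EX01 ----
# The EAC and the end-user Options page share /ecp, so /ecp must stay published
# or OWA's Options link breaks. AdminEnabled $false keeps user Options working
# but refuses administrator EAC logons through that virtual directory. On a
# single server this is the only ECP vdir, so the EAC is then blocked on the LAN
# too; the TechNet article the question links creates a second IIS website with
# its own ECP vdir for internal admin use before taking this step. Remote
# PowerShell (the /PowerShell vdir) is not affected.
Set-EcpVirtualDirectory -Identity 'EX01\ecp (Default Web Site)' -AdminEnabled $false

# Check which ECP directories still admit administrators.
Get-EcpVirtualDirectory | Format-Table Identity, AdminEnabled, ExternalUrl -AutoSize
```

    Once the WAP applications exist, the public DNS record for mail.contoso.com is pointed at the WAP's external address and the direct firewall forwards for 80/443 to EX01 are removed; SMTP (25) is outside WAP's scope and still needs its own path, which is the question's last point.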

Answers

  • Hi

    Yes you can do pass-through but then your DNS would point to the WAP. ADFS will give you more security but you do need a cert for that.

    Best to publish OWA through WAP, are you sure you want to access the ECP externally without security?

    Wednesday, May 3, 2017 4:14 AM
    Moderator

All replies

  • I wanted to do pass-through for now, maybe ADFS later, as I am not entirely comfortable with ADFS yet.

    For ECP external access, I was going to look at leveraging virtual directories and making ecp accessible internally only for administrative access by setting AdminEnabled to false on the default web site.

    Part of my lack of understanding is: can I still use vdirs with ADFS in pass-through? I don't see why not, but has anyone actually done this?

    Wednesday, May 3, 2017 4:52 AM
  • Yes you can use pass-through
    Wednesday, June 28, 2017 8:48 AM
    Moderator