Solved

OWA for external users

Posted on 2014-12-23
Last Modified: 2015-01-14
Hello folks,
I have been tasked to provide OWA access for external users. Currently there is no external email access besides mobile phones through GoodLink tech. Outlook / OWA is accessible only internally, and now there is a requirement to make this available to sales people who are on the road and need to check their mail. I am trying to get the most practical solution which does not require a lot of work. Someone has suggested we need to install an Edge Transport server, but I was wondering if there is some other way. Right now our emails are sent / received through an SMTP relay server. Thanks in advance for your time and suggestions.

Kind regards,
Question by:Antonio02
11 Comments
 
LVL 32

Expert Comment

by:it_saige
How many Exchange servers do you have?

-saige-
LVL 9

Expert Comment

by:Veerappan Sundaram
What version of Exchange server(s) do you have?

There is no easy way to set up OWA securely (very much needed and important).

Basic needs are:
1. Public DNS entry with public IP address to publish your OWA URL (https://owa.companyname.com)
2. You should have one of the below servers in your DMZ
      a. MS Exchange 2010/2013 Edge server.
      b. MS Forefront UAG/TMG server
3. Firewall rules have to be set up for TCP 443/80, 53, 3268/389
4. You need an SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)

Since you wanted to have a simple way (highly not recommended):
In case of Exchange 2010/2013, you should have a CAS array.
  1. You need a public DNS entry with a public IP address to publish your OWA URL
  2. SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)
  3. Create a NAT on your firewall between the public IP and the CAS array IP, allow TCP ports 443/80
  4. Install the public certificate on your CAS servers.
  5. You need to configure the external OWA URL on all CAS servers.

Thanks,
Veera.
LVL 5

Expert Comment

by:arjunvyavahare
Hi,

Simply configure an Internet public IP address for your CAS role (server) and open ports 443, 80, 53, 3268, 389 in the firewall.

Then simply access either the public IP address from the WAN, like https://121.232.211.123/owa, or, if you have DNS published, access OWA using DNS, i.e. https://owa.xyz.com/owa.

I hope this will help you.

Regards,
Arjun
LVL 19

Expert Comment

by:Adam Farage
I'm a little confused by some of the responses here, especially for opening stuff like LDAP (TCP 389) and security.

Here are the steps as a high-level overview; I can dive deep into any of them if you have questions...

1. Add the proper ExternalURL and InternalURL to the OWA and ECP virtual directory (this will be something like mail.company.com/owa and mail.company.com/ecp)
2. Make sure a valid public SSL certificate is applied to the IIS service on the CAS (you can view the SSL certificates by doing Get-ExchangeCertificate | FL). This certificate *must* have the OWA ExternalURL in there or users will get hit with an invalid SSL certificate error when going to OWA.
3. Open TCP 443 on your firewall to allow connections from outside users to be NAT / port forwarded to the CAS or CAS Array (if you have one)
4. Put a DNS A record in public DNS for your OWA namespace (as I stated above, it's usually mail.company.com)
5. Test - it should work


As for security, Microsoft has even said themselves that you do not need a third party reverse proxy (or IIS ARR) unless it's a compliance requirement. This is from Greg Taylor, Principal Program Manager Lead in the Exchange group.

As for the ports that the person above me posted, he isn't talking about TMG / UAG or ISA... so can you explain to me why those ports are required? Exchange will encapsulate the authentication packet over HTTPS, so TCP 389 does not need to be open unless there is a reverse proxy, and the same goes for TCP 3265 (LDAP-S). TCP 80 should NOT be open unless he is doing a URL redirection from HTTP to HTTPS, as the server would need to be open.
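The publishing steps described in this thread (Veera's "simple way" and Adam's list: virtual directory URLs, certificate on IIS, TCP 443 NAT, public A record), as an added Exchange Management Shell example. This is not code from the thread, from Microsoft or from any poster; it assumes Exchange 2010/2013, a Client Access Server named CAS01 (placeholder) and the placeholder namespace mail.company.com that Adam uses. The firewall NAT itself is done on the firewall, not from this shell.

```powershell
# Added example (not from the thread): the publishing steps as Exchange
# Management Shell commands, run on a Client Access Server (Exchange 2010/2013).
# Placeholders: CAS01 is the server name, mail.company.com the public namespace.
$Server    = 'CAS01'
$Namespace = 'mail.company.com'

# Step 1: same URL inside and out, so one certificate name covers both.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"

function Test-NameCovered {
    # True when $Name is listed exactly or matched by a one-label wildcard (*.company.com).
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# Step 2: the certificate bound to IIS must carry the namespace, or users get a
# certificate warning. A self-signed one works for OWA alone but still warns.
$certs = Get-ExchangeCertificate -Server $Server
$good  = $certs | Where-Object {
    Test-NameCovered -Name $Namespace -Domains @($_.CertificateDomains | ForEach-Object { $_.ToString() })
}
if (-not $good) {
    throw "No certificate on $Server covers $Namespace. Request one (New-ExchangeCertificate -GenerateRequest) before publishing."
}
$cert = $good | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert.Services -notmatch 'IIS') {
    # Bind only the IIS service; leave the SMTP/POP/IMAP bindings alone.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS
}
if ($cert.Issuer -eq $cert.Subject) { Write-Warning "$($cert.Thumbprint) is self-signed; external browsers will warn." }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)." }

# Step 3 is done on the firewall: NAT the public IP to the CAS (array) for TCP 443 only.

# Step 4: the public DNS A record. This resolves through whatever DNS the CAS uses,
# so repeat the lookup from an outside machine to confirm the public answer.
$answer = [System.Net.Dns]::GetHostAddresses($Namespace) | Select-Object -ExpandProperty IPAddressToString
"DNS: $Namespace -> $($answer -join ', ')"

# Step 5: record the resulting state for the change ticket.
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Run it once per CAS in the array (or loop over `Get-ClientAccessServer`); the certificate block is the part that usually bites, because `-contains` on the raw `CertificateDomains` collection misses wildcard names, which is why the small `Test-NameCovered` helper is used instead.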
LVL 32

Expert Comment

by:it_saige
Of all of the responses, I agree mostly with Adam.

First, you don't need TMG or an Edge Server.  In a single-server environment, you most likely wouldn't have TMG and definitely would not have an Edge Server.  It is what Microsoft has been doing for years with Small Business Server and now Essentials.

Second, the only port you need to open is 443.  OWA does not need 80, although, for ease of use, having users type in mail.yourdomain.com and then IIS redirecting the request to HTTPS is sometimes very sought after.

The other ports, 53 - Domain Name System (DNS), 389 - Lightweight Directory Access Protocol (LDAP) and 3268 - msft-gc, Microsoft Global Catalog (LDAP service which contains data from Active Directory forests), are definitely not needed.  As a matter of fact, not a single Exchange service requires these ports open.

Third, while it is recommended, it is not necessary to use a commercial public certificate; you can use a self-signed certificate if you are only doing OWA.  If, however, you start using ActiveSync, then you will want to get a commercial public certificate (you can still use ActiveSync with self-signed certificates, but I don't want to be the one to install the self-signed certificate on supported devices).

-saige-
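An added check of the port set that Adam and saige describe (443 required, 80 optional for the redirect, 53/389/3268 not needed) plus the certificate warning Adam mentions, written as plain Windows PowerShell to be run from outside the company network once publishing is done. This is example code, not from the thread; it assumes only .NET on the client and the placeholder namespace mail.company.com.

```powershell
# Added example (not from the thread): external verification of a published OWA name.
# Run from OUTSIDE the corporate network (hotspot, home line) with plain Windows
# PowerShell; no Exchange cmdlets needed. Placeholder namespace: mail.company.com.
$Namespace = 'mail.company.com'

# Every port mentioned in this thread, with what the answers above say about it.
$Policy = @{
    443  = 'required'
    80   = 'optional (HTTP->HTTPS redirect only)'
    53   = 'must be closed'
    389  = 'must be closed'
    3268 = 'must be closed'
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered / no answer
        $client.EndConnect($ar)                                             # throws on refusal
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($port in ($Policy.Keys | Sort-Object)) {
    $open = Test-TcpPort -HostName $Namespace -Port $port
    $verdict = if ($open -and $Policy[$port] -eq 'must be closed') { 'EXPOSED: close on the firewall' }
               elseif (-not $open -and $Policy[$port] -eq 'required') { 'UNREACHABLE: check NAT/firewall' }
               else { 'ok' }
    '{0,5}  open={1,-5}  {2,-38} {3}' -f $port, $open, $Policy[$port], $verdict
}

# What a browser will see on https://mail.company.com/owa: record the certificate
# policy errors instead of aborting the handshake, so the report names the problem.
$script:sslErrors = 'None'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:sslErrors = $errors
    $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($Namespace, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($Namespace)
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
"Subject  : $($cert.Subject)"
"SAN      : $(if ($sanExt) { $sanExt.Format($false) } else { '(none)' })"
"Expires  : $($cert.NotAfter)"
"Policy   : $sslErrors   (None = no certificate warning for users)"
$ssl.Close(); $tcp.Close()
```

A `Policy` value of `RemoteCertificateNameMismatch` means the namespace is missing from the certificate, `RemoteCertificateChainErrors` means a self-signed or private-CA issuer, which is the warning saige accepts for OWA-only use but not for ActiveSync devices. Run it from inside the network as well and compare: the two runs should differ only in the source address, never in which ports answer.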
Author Comment

by:Antonio02
Thank you so much for your responses. I will give these suggestions a try and let you know how it goes. Unfortunately we are currently under a change freeze so it will have to be done after the holidays.

Thanks again.
LVL 19

Expert Comment

by:Adam Farage
No problem. It should be really simple; it gets more complex if you are honestly worried about "attack surface area" (over TCP 443.. *sigh*) and implement a reverse proxy.

Also, completely ignore the "Edge" server comment from the other expert. He was most likely referring to a reverse proxy, which is *not* required, as the EDGE role in Exchange 2007+ is an SMTP role (Exchange's built-in smarthost, which normally goes into the DMZ).
Author Comment

by:Antonio02
Thanks Adam,

I presented this solution to management and they seem to be reluctant about opening the Exchange server to the outside world. They feel we should deploy an Edge server in the DMZ and have the Edge server communicate with the HT servers. Any thoughts on the pros/cons of using the Edge Transport?

I also want to know if there will be any effect on the existing configuration (outgoing / incoming emails from the Internet) if we install an Edge server. I understand new connectors are created when an Edge server is installed.

Thanks so much for your time.
LVL 19

Assisted Solution

by: Adam Farage (earned 400 total points)
Hey Antonio,

I think you are getting this a tad bit mixed up. I will explain both solutions and provide a bit of reference.

So as for the EDGE transport role, that can be deployed internally or externally (e.g. DMZ). This is solely for TCP 25 (SMTP) traffic and does a few different things:

1) if placed into the DMZ (which is what occurs 9/10ths of the time) it will reduce the exposed space of Exchange to the Internet
2) if configured, you can also do simple virus scanning / anti-malware and spam scanning on the device (although it's a little finicky from what I have seen in the past)

Here is a good article on setting this up: http://exchangeserverpro.com/exchange-2010-install-edge-transport-server/

As for your other inquiry, which was opening OWA, there was an excellent blog about this in the past from Principal Program Manager Lead Greg Taylor at Microsoft: http://blogs.technet.com/b/exchange/archive/2013/07/17/life-in-a-post-tmg-world-is-it-as-scary-as-you-think.aspx

Companies (including Microsoft) expose OWA (over TCP 443) all the time without a reverse proxy. If management, though, is still concerned even after reading this article from the Microsoft Exchange Product Group, you have third party options to act as a "reverse proxy" (TMG / ISA / UAG are EOL sooner than later, and I am not 100% sure if you can still buy UAG), or you can use IIS ARR through Server 2012 R2. This would also be deployed in the DMZ.

http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx

The concept in setting it up would be the same for Exchange 2007 / 2013 as it would be for Exchange 2013.
LVL 32

Accepted Solution

by: it_saige (earned 100 total points)
What Adam has stated is spot on.  You have to realize that you are not opening the Exchange server up to the outside world.  All you are doing is providing the outside world access to services provided by the Exchange server.  And, when configured correctly, this access is audited, secured and restricted.

The successes (and failures) of configuring Exchange for public employee access are well documented and tested.

-saige-
Author Closing Comment

by:Antonio02
Thanks, guys, for all your help. Much appreciated!