Antonio02 (United States of America) asked:
OWA for external users

Hello folks,
I have been tasked to provide OWA access for external users. Currently there is no external email access besides mobile phones through Goodlink tech. Outlook / OWA is accessible only internally, and now there is a requirement to make this available to sales people who are on the road and need to check their mail. I am trying to get the most practical solution which does not require a lot of work. Someone has suggested we need to install an Edge transport server, but I was wondering if there is some other way. Right now our emails are sent / received through an SMTP relay server. Thanks in advance for your time and suggestions.

Kind regards,
it_saige (United States of America):

How many Exchange servers do you have?

-saige-
What version of Exchange server(s) do you have?

There is no easy way to set up OWA securely (very much needed and important).

Basic Needs are:
1. Public DNS entry with public IP address to publish your OWA URL (https://owa.companyname.com)
2. You should have one of the below servers in your DMZ
      a. MS Exchange 2010/2013 Edge server.
      b. MS Forefront UAG/TMG server
3. Firewall rules have to be set up for TCP 443/80, 53, 3268/389
4. You need an SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)

Since you wanted a simple way (highly not recommended):
In case of Exchange 2010/2013, you should have a CAS array.
  1. You need a public DNS entry with a public IP address to publish your OWA URL
  2. SSL certificate from a publicly trusted CA (VeriSign, GoDaddy, etc.)
  3. Create a NAT on your firewall between the public IP and the CAS array IP, allow TCP port 443/80
  4. Install the public certificate on your CAS servers.
  5. You need to configure the External OWA URL on all CAS servers.

Thanks,
Veera.
Hi,

Simply configure an Internet public IP address for your CAS role (server) and open ports 443, 80, 53, 3268 and 389 in the firewall.

And simply access either the public IP address from the WAN, like https://121.232.211.123/owa, or, if you have DNS published, access OWA using DNS, i.e. https://owa.xyz.com/owa.

I hope this will help you.

Regards,
Arjun
I'm a little confused by some of the responses here, especially for opening stuff like LDAP (TCP 389) and security.

Here are the steps as a high-level overview; I can dive deeper into any of them if you have questions:

1. Add the proper ExternalURL and InternalURL to the OWA and ECP virtual directories (this will be something like mail.company.com/owa and mail.company.com/ecp).
2. Make sure a valid public SSL certificate is applied to the IIS service on the CAS (you can view the SSL certificates by doing Get-ExchangeCertificate | FL). This certificate *must* have the OWA ExternalURL in there or users will get hit with an invalid SSL certificate error when going to OWA.
3. Open TCP 443 on your firewall to allow connections from outside users to be NAT / port forwarded to the CAS or CAS array (if you have one).
4. Put a DNS A record in public DNS for your OWA namespace (as I stated above, it's usually mail.company.com).
5. Test - it should work.


As for security, Microsoft has even said themselves that you do not need a third-party reverse proxy (or IIS ARR) unless it's a compliance requirement. This is from Greg Taylor, Principal Program Manager Lead in the Exchange group.

As for the ports that the person above me posted, he isn't talking about TMG / UAG or ISA... so can you explain to me why those ports are required? Exchange will encapsulate the authentication packet over HTTPS, so TCP 389 does not need to be open unless there is a reverse proxy, and the same goes for TCP 3265 (LDAP-S). TCP 80 should NOT be open unless he is doing a URL redirection from HTTP to HTTPS, as the server would need to be open.
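The steps in the previous reply, written out as Exchange Management Shell commands. This is an added example, not code from the thread or from Microsoft; the server name EX01, the namespace mail.company.com and the helper Test-CertCoversName are placeholders and assumptions, and it expects to run in the Exchange Management Shell on a 2010/2013 CAS.

```powershell
# Added example (not from the thread). Placeholders: EX01, mail.company.com.
$Server    = "EX01"               # assumption: the CAS server to configure
$Namespace = "mail.company.com"   # the OWA namespace published in DNS and on the cert
$OwaUrl    = "https://$Namespace/owa"
$EcpUrl    = "https://$Namespace/ecp"

# Helper (assumed, not an Exchange cmdlet): does a certificate's domain list cover
# the namespace, either exactly or via a wildcard such as *.company.com?
function Test-CertCoversName {
    param($Certificate, [string]$Name)
    $parent = ($Name -split '\.', 2)[1]
    foreach ($d in $Certificate.CertificateDomains) {
        $domain = $d.ToString()
        if ($domain -eq $Name) { return $true }
        if ($domain -eq "*.$parent") { return $true }
    }
    return $false
}

# Step 1: same ExternalUrl/InternalUrl on the OWA and ECP virtual directories.
# Using one namespace inside and outside keeps the certificate requirement to one name.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -ExternalUrl $OwaUrl -InternalUrl $OwaUrl
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -ExternalUrl $EcpUrl -InternalUrl $EcpUrl

# Step 2: pick an unexpired certificate that lists the namespace and bind it to IIS.
# Get-ExchangeCertificate | FL is the manual version of this check.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.NotAfter -gt (Get-Date) -and (Test-CertCoversName -Certificate $_ -Name $Namespace) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate on $Server covers $Namespace; external users would get a certificate error."
}
if ($cert.IsSelfSigned) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; browsers outside the domain will warn."
}
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS

# Steps 3 and 4 (TCP 443 NAT on the firewall, public A record) live outside Exchange.
# Show the end state so it can be compared with what the firewall and DNS publish.
Get-OwaVirtualDirectory -Server $Server | Select-Object Identity, InternalUrl, ExternalUrl
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Select-Object Subject, CertificateDomains, NotAfter, Services
```

With a CAS array, run the Set-*VirtualDirectory and Enable-ExchangeCertificate lines once per CAS with the same namespace and the same certificate, which is what step 5 of the earlier reply asks for.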
Of all of the responses, I agree mostly with Adam.

First, you don't need TMG or an Edge Server.  In a single-server environment, you most likely wouldn't have TMG and definitely would not have an Edge Server.  It is what Microsoft has been doing for years with Small Business Server and now Essentials.

Second, the only port you need to open is 443.  OWA does not need 80, although, for ease of use, having users type in mail.yourdomain.com and then IIS redirects the request to HTTPS is sometimes very sought after.

The other ports, 53 - Domain Name System (DNS), 389 - Lightweight Directory Access Protocol (LDAP) and 3268 - msft-gc, Microsoft Global Catalog (LDAP service which contains data from Active Directory forests), are definitely not needed.  As a matter of fact, not a single Exchange service requires these ports open.

Third, while it is recommended it is not necessary to use a commercial public certificate, you can use a self-signed certificate if you are only doing OWA.  If, however, you start using ActiveSync, then you will want to get a commercial public certificate (you can still use ActiveSync with self-signed certificates, but I don't want to be the one to install the self-signed certificate on supported devices).

-saige-
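A way to confirm from outside the network that the published result looks like what this reply and the one before it describe: the OWA name resolves in public DNS, TCP 443 answers with a certificate that names the namespace, and 80, 389 and 3268 are not reachable. This is an added example, not code from the thread; mail.company.com is a placeholder, the function Test-OwaExposure is an assumed name, and it relies on Resolve-DnsName and Test-NetConnection, which ship with Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example (not from the thread). Run from a machine on the Internet, not
# on the LAN, otherwise the firewall is not what is being tested.
$Namespace = "mail.company.com"   # placeholder OWA namespace

function Test-OwaExposure {
    param([string]$Name)
    $result = [ordered]@{ Name = $Name }

    # Public A record for the namespace (step 4 of the earlier reply)
    $a = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
    $result.DnsResolves = [bool]$a

    # Only 443 should answer; 80 is optional for an HTTP-to-HTTPS redirect,
    # 389 and 3268 should never be reachable from the Internet.
    foreach ($port in 443, 80, 389, 3268) {
        $tnc = Test-NetConnection -ComputerName $Name -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = $tnc.TcpTestSucceeded
    }

    # Pull the served certificate and check it names what users will type.
    if ($result.Tcp443) {
        $client = New-Object System.Net.Sockets.TcpClient($Name, 443)
        try {
            # Accept any chain here: the point is to inspect the names, not to trust it.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($Name)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            $san = $cert.Extensions |
                Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
                ForEach-Object { $_.Format($false) }

            $result.CertSubject = $cert.Subject
            $result.CertExpires = $cert.NotAfter
            $result.CertExpired = $cert.NotAfter -lt (Get-Date)
            $result.CertSelfSigned = ($cert.Subject -eq $cert.Issuer)
            $result.CertMatchesName = ($cert.Subject -like "*CN=$Name*") -or
                                      ([bool]($san -and $san -match [regex]::Escape($Name)))
            $ssl.Dispose()
        } finally {
            $client.Close()
        }
    }
    [pscustomobject]$result
}

$r = Test-OwaExposure -Name $Namespace
$r

if ($r.Tcp389 -or $r.Tcp3268) { Write-Warning "LDAP / Global Catalog is reachable from the Internet; OWA does not need it." }
if ($r.Tcp80)                 { Write-Warning "TCP 80 is open; fine only if IIS redirects it to HTTPS." }
if ($r.Tcp443 -and -not $r.CertMatchesName) { Write-Warning "Certificate does not name $Namespace; users will get a certificate error." }
if ($r.CertSelfSigned)        { Write-Warning "Self-signed certificate; browsers outside the domain will warn, and ActiveSync devices will need it installed." }
```

The name match covers both the subject CN and the Subject Alternative Name extension, since a certificate bought for several Exchange names (or a wildcard) usually carries the OWA name only in the SAN list.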
Antonio02 (asker):

Thank you so much for your responses. I will give these suggestions a try and let you know how it goes. Unfortunately we are currently under a change freeze so it will have to be done after the holidays.

Thanks again.
No problem. It should be really simple; it gets more complex if you are honestly worried about "attack surface area" (over TCP 443.. *sigh*) and implement a reverse proxy.

Also completely ignore the "Edge" server comment from the other expert. He was most likely referring to a reverse proxy, which is *not* required, as the EDGE role in Exchange 2007+ is an SMTP role (Exchange's built-in smarthost, which normally goes into the DMZ).
Thanks Adam,

I presented this solution to management and they seem to be reluctant to open the Exchange server to the outside world. They feel we should deploy an Edge server in the DMZ and have the Edge server communicate with the HT servers. Any thoughts on pros/cons of using the Edge transport?

I also want to know if there will be any effect on the existing configuration (outgoing / incoming emails from the Internet) if we install an Edge server. I understand new connectors are created when an Edge server is installed.

Thanks so much for your time.
SOLUTION by Adam Farage (United States of America): members-only content, not available here.
ASKER CERTIFIED SOLUTION: members-only content, not available here.
Thanks guys for all your help. Much appreciated!