Setting up an OWA Redirect in Forefront TMG 2010 - the Easy Way

One of the most common requests we see is for assistance setting up a redirect in either ISA 2006 or Forefront TMG 2010. Administrators of ISA/TMG want this so they don't have to tell all of their external clients to preface the URL with https and also to append it with either /exchange or /owa. They want their users to simply type in the Fully Qualified Domain Name of their Outlook Web Access application and it just works.

In my test lab I am publishing my Exchange 2007 Outlook Web Access at owa.contoso.com. If I do not have a redirect in place and simply type owa.contoso.com in my browser and hit enter I get the error "The page cannot be displayed." This is no good! (Figure 1)

 

 

 

 

 

 

 

 

 

Figure 1.

I am assuming you already have the rule created that publishes Outlook Web Access. To create the redirect simply go into your ISA or TMG MMC and highlight the rule in your Firewall Policy. Right-click on the rule and choose Copy. Now highlight the rule again, right-click and choose Paste. It will take whatever the rule was called and create a new one appending it with (1). (Figure 2)

Figure 2.

Before applying the changes you want to edit a few properties in the rule. Under the General tab rename it something meaningful. I renamed mine simply OWA Redirect. Next click on the Action tab. Here you will choose Deny and then click the "Redirect HTTP requests to this Web page:" and you will enter the full path, in this case it would be https://owa.contoso.com/owa (Figure 3)

Figure 3.

 Next click on the Listener tab. It is important that your listener is listening on port 80 for the HTTP request. It is also important that the area that says "Always Authenticate" says No. You don't want the Listener to require authentication. (Figure 4)

Figure 4.

Next go to your Paths tab. We will need to make some changes here. The typical rule for Exchange 2007 would be publishing /public/*, /owa/*, /exchweb/*, and /exchange/*. (Figure 5)

Figure 5.

We need to remove all of these paths and add only "/" without the quotes. Do not make the mistake of adding "/*" because that says everything from the root on down. (Figure 6)

Figure 6.

Now click on the Authentication Delegation tab and choose "No delegation, but client may authenticate directly" in the dropdown box. (Figure 7)

Figure 7.

Next click on the Users tab, remove All Authenticated Users and replace it with All Users. (Figure 8)

Figure 8.

Now click Apply and you will receive a warning (Figure 9). Ignore the warning and say OK.

Figure 9.

In the ISA/TMG MMC move your new Redirect rule to just below your OWA publishing rule. It will be evaluated because the request will be to the root directory which was covered when we added "/" to the path.

Now test using an external client by simply typing in the FQDN of your OWA Rule and you should be redirected automatically and greeted with the Forms Based login page present by ISA/TMG. (Figure 10)

Figure 10.

Comments

  • Anonymous
    January 01, 2003
    Well done!

  • Anonymous
    June 15, 2011
    Great post, Keith! I posted something similar a while back. It also includes how to provide HTTP to HTTPS redirection for Forefront UAG. tmgblog.richardhicks.com/.../http-to-https-redirection-options-in-forefront-tmg-and-uag Thanks!

  • Anonymous
    April 21, 2012
    The comment has been removed

  • Anonymous
    October 10, 2012
    I keep on getting this problem when I attempt this. OWA works properly using https://<domain>/owa however when I attempt the normal http://<domain> I get this error both internally and externally: Error Code: 502 Proxy Error. The Uniform Resource Locator (URL) does not use a recognized protocol. Either the protocol is not supported or the request was not typed correctly. Confirm that a valid protocol is in use (for example, HTTP for a Web request). (12006)

  • Anonymous
    October 10, 2012
    A little more information, I have TMG deployed with a single NIC if that makes any difference.

  • Anonymous
    July 09, 2013
    Thanks a lot. We we blocked for 4 days and your solution worked great.

  • Anonymous
    June 11, 2014
    redirection is working fine for my setup. But when i enabled for user must change password in first logon. It’s ending with SSL error. when i entered http:\webmail.test.com it takes me to https:\webmail.test.comowa after entered the user name password which set as password must change it takes me to https://webmail.test.com:80/owa/auth/expiredpassword.aspx?url=/owa/auth.owa which you can see 80 port is getting added automatically and it’s ending with SSL error. If i remove manually 80 from url it’s taking me to password change screen with out any issue. I believe something i’m missing in my configuration. Any idea?
    intranet it’s working fine. it’s takes me to password change screen with out any issue. Only the issue over the internet. thanks in advance

  • Anonymous
    July 16, 2014
    That 's great. It worked with UAG 2010 also

  • Anonymous
    January 07, 2015
    We also solved this by eliminating the Deny redirect rule and added the "/" to the OWA rule.

    Although I had to find this out after verbose debugging :)

    But it make sense since the IIS on Exchange server is handling the OWA redirect. But if UAG does not let the user request go to the IIS with FQDN of the domain then there will be no redirect to /owa.