The purpose of this technote is to provide a step by step guide on how to configure Microsoft Forefront Threat Management Gateway 2010 (TMG) to publish Archive Explorer and Search Archives to external users of OWA 2010 and 2007. External users can archive, restore, and retrieve items as long as they can access OWA, because those functions involve only communication between the CAS and the Enterprise Vault server; they are therefore unaffected by TMG. Archive Explorer and Search, however, open a direct connection from the client browser to the Enterprise Vault server, so additional configuration is needed for the Enterprise Vault server to be reachable from outside the network.
Configuring Enterprise Vault integration with Outlook Web Access and TMG requires that the Enterprise Vault web application be published through TMG on an External Web Application URL, covered in section A of this article. It also requires configuring the published External Web Application URL in the Enterprise Vault Desktop Policy, covered in section B. Finally, it requires configuring the CAS so that the OWA Extensions can recognize when to utilize the published External Web Application URL instead of the default internal one, which is covered in section C. The steps are the same for OWA 2007 and 2010.
NOTE: TMG is certified for compatibility with Enterprise Vault 9.0 and later. Earlier versions of Enterprise Vault are certified for compatibility with ISA Server 2006. See the Enterprise Vault Compatibility Guide for details.
This document assumes that the certificate for the public OWA host name is installed on TMG together with its private key (the OWA web listener needs it), and that, if TMG connects to the CAS or the Enterprise Vault server over SSL, TMG trusts the issuing CA of those servers' certificates and the published internal site name matches the certificate subject. It also assumes that the Microsoft standard OWA Publishing Rule is already configured in TMG. The general configuration of authentication delegation and the OWA web listener is beyond the scope of this document.
A. Publishing the Enterprise Vault Web Application through TMG
1. Create a new web site publishing rule using the New Web Publishing Rule Wizard. Name the rule EnterpriseVault or something similar that describes its purpose. Click Next.
2. Set the rule action to Allow and click Next.
3. Select the Publish a single web site or load balancer option and click Next.
4. In most configurations, the Enterprise Vault server listens on HTTP. If this is the case, select Use non-secured connections to connect to the published web server or server farm and click Next. If the Enterprise Vault server is configured for SSL, select Use SSL to connect to the published web server or web server farm instead. Note that with a non-secured connection, any credentials TMG delegates to the Enterprise Vault server (for example with Basic authentication delegation in step 9) travel in clear text on the internal segment between TMG and the Enterprise Vault server; TMG warns about this combination, and using SSL to the published server avoids it.
5. In the Internal site name field, type the host name from Enterprise Vault's default web application URL. This is the host name portion of the URL that internal clients use to access Enterprise Vault. TMG must be able to resolve this name; if it cannot, select the option to use a computer name or IP address to connect to the published server and supply the Enterprise Vault server's address. In environments that have multiple sites, and therefore multiple default web application URLs, create an additional web publishing rule for each.
6. In the Path (optional) field, type /EnterpriseVault/* and click Next.
7. In the Accept requests for: field, choose This domain name (type below). For the public name, type in the external host name that outside users use to access OWA and click Next.
8. On the next screen, select the web listener used for OWA.
9. For authentication delegation:
For scenarios that use TMG pre-authentication on the OWA web listener, select one of "Basic Authentication", "Negotiate (Kerberos/NTLM)", or "Kerberos Constrained Delegation". The method must match what the Enterprise Vault server's IIS accepts and may require additional configuration (for example, Kerberos Constrained Delegation requires the TMG computer account to be trusted for delegation to the Enterprise Vault server's HTTP service); see the TMG documentation for details.
For scenarios without TMG pre-authentication, select "No delegation, but client may authenticate directly" and click Next.
10. On the User Sets screen, keep the default "All Authenticated Users" when the web listener pre-authenticates users. If the listener does not authenticate (the "No delegation, but client may authenticate directly" case), change this to "All Users"; otherwise TMG will reject every request to the rule because no user is authenticated at the listener. Click Next and then Finish.
B. Configuring the Enterprise Vault Desktop Policy
These steps configure the policy to tell the OWA Extensions the URL at which the Enterprise Vault server can be reached from outside the network.
1. Open the Vault Admin Console.
2. Expand Policies > Exchange > Desktop.
3. Choose a policy and open its properties page.
4. Click the Advanced tab.
5. Change the drop-down list to List settings from: OWA
6. Change the External Web Application URL value to the URL published in TMG: https:// followed by the public name entered in step 7 of section A and the /EnterpriseVault path. (For example, if the public OWA name is mail.domain.com, the value is https://mail.domain.com/EnterpriseVault.)
7. Repeat for any other policies whose users access OWA externally.
8. Synchronize the mailboxes of all affected users so that the updated policy settings are written to their mailboxes.
C. Configuring the OWA Extensions on the CAS
The OWA Extensions settings on the CAS can be configured in either of two ways:
1. In IIS Manager, use the Application Settings feature on the /owa virtual directory.
2. Directly edit the OWA web.config file in the Exchange installation directory. The default location is C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa.
More details on using these methods to configure the OWA extensions are available in separate articles for OWA 2010 and OWA 2007.
There are three settings that control when the Enterprise Vault OWA Extensions use the configured External Web Application URL instead of the default internal URL. Their names are given in the OWA 2010 and OWA 2007 articles referenced above; their behaviour is as follows:
The first setting tells the Extensions to use the External Web Application URL when the OWA session is using a specific host name. This is useful if external users access OWA via a different address than internal users. The value for this setting is the external host name of OWA (mail.domain.com in the example above).
The second setting tells the Extensions to use the External Web Application URL when the OWA session originates from a specific IP address. This is useful with TMG, since all external connections to OWA arrive through the TMG server: the IP address of TMG's internal NIC can be set as the value, so the Extensions recognize those connections as external. This only works if the OWA publishing rule is configured so that requests appear to come from the TMG computer (the default on the rule's To tab); if the rule is set to preserve the original client IP address, the CAS sees the external client's address instead and this setting will not match.
While the first two settings establish conditions under which the Extensions use the External Web Application URL, the third setting simply forces the Extensions to use the External Web Application URL all the time. This is useful when the configured External Web Application URL is also resolvable internally, or when there are no internal users of OWA.
Configure one of these settings on the CAS using IIS Manager or by editing the web.config file. The change does not require a restart of IIS to take effect, because ASP.NET reloads the OWA application automatically when web.config changes; note that this reload interrupts existing OWA sessions, and that Exchange service packs and update rollups may replace the OWA web.config, so keep a record of the setting to reapply afterwards.
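The following PowerShell script is an added example, not part of this technote and not Enterprise Vault's or Microsoft's own tooling. It performs method 2 above: it backs up the OWA web.config and then adds or updates one key in its appSettings section, which is the same section IIS Manager's Application Settings feature edits. Because this page does not reproduce the Extensions' setting names, the key name and value are passed as parameters (-Name and -Value are assumed parameter names chosen for this example); take the real names from the OWA 2010 or OWA 2007 article. The default -Path is the Exchange 2010 location quoted above. Run it from an elevated PowerShell prompt on the CAS.

```powershell
# Added example: idempotently set one <appSettings> key in the OWA web.config,
# taking a timestamped backup first. -Name is the Enterprise Vault OWA
# Extensions setting name from the separate EV article (not reproduced here).
param(
    [Parameter(Mandatory = $true)][string]$Name,
    [Parameter(Mandatory = $true)][string]$Value,
    [string]$Path = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config'
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "web.config not found at $Path"
}

# Keep a copy so the change can be reverted (and reapplied after a rollup
# replaces the file).
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$Path.$stamp.bak"
Copy-Item -LiteralPath $Path -Destination $backup

# Load with whitespace preserved so the rest of the file is rewritten as-is.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($Path)

$appSettings = $cfg.SelectSingleNode('/configuration/appSettings')
if ($appSettings -eq $null) {
    # Exchange's web.config normally has this section; create it if absent.
    $appSettings = $cfg.CreateElement('appSettings')
    [void]$cfg.DocumentElement.AppendChild($appSettings)
}

$existing = $appSettings.SelectSingleNode("add[@key='$Name']")
if ($existing -ne $null) {
    Write-Host "Updating $Name from '$($existing.GetAttribute('value'))' to '$Value'"
    $existing.SetAttribute('value', $Value)
} else {
    Write-Host "Adding $Name = '$Value'"
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('key', $Name)
    $add.SetAttribute('value', $Value)
    [void]$appSettings.AppendChild($add)
}

# Saving web.config makes ASP.NET reload the OWA application; no IIS restart
# is needed, but current OWA sessions are interrupted.
$cfg.Save($Path)
Write-Host "Saved $Path (backup: $backup)"
```

Running the script a second time with the same parameters updates the existing key rather than adding a duplicate, which matters because a duplicate appSettings key makes the OWA application fail to start. To set the host-name condition, for example, pass the setting name from the EV article as -Name and the external OWA host name (mail.domain.com in the example above) as -Value.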
After this configuration, the Archive Explorer and Search functions should work properly when invoked via OWA.