Publishing Outlook Anywhere with Unified Access Gateway (UAG)


The Microsoft web site provides several articles about Exchange publishing with UAG.

None of the articles describes the full end-to-end configuration. The intension of this post is to cover the UAG, Exchange and Outlook configuration.

Configuring Outlook Anywhere on the Exchange CAS

This section describes how to set up the Exchange CAS for Outlook anywhere.

  1. Open the Exchange Management console.
  2. In the left pane, expand the Server Configuration container and then select Client Access.
  3. In the middle pane, select an Exchange CAS server. Right click it and click Properties.
  4. Click the Outlook Anywhere tab.
  5. Type the External host name for the Exchange CAS, for example and select the client authentication method and click OK.
  6. On the Exchange CAS, open the Internet Information Services (IIS) Manager MMC.
  7. In the left pane, expand the Web Sites and then the Default Web Site container and select RPC.
  8. From the Action menu select Properties.
  9. Select the Directory Security tab and click the Edit button in the Authentication and access control area.
  10. Verify that the Authentication method is set to Basic authentication and click OK.

Installing a SSL server certificate on the Exchange CAS

General step-by-step instructions to create a SSL server certificate is found in the How to create a web server SSL certificate manually blog post.

When you take the sample INF file from the blog post, set the SUBJECT to the name that was configured as the external host name for the CAS server. In this sample configuration, I used “”.

It is important to note that this INF file is prepared for a Windows certification authority (CA) running on Windows Server 2008 or a newer version of Windows Server. A Windows Server 2003 CA does not support the parameters in the Strings and Extensions section.

Signature="$Windows NT$"

Subject = ""  
Exportable = FALSE                  ; Private key is not exportable
KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC


%szOID_SUBJECT_ALT_NAME2% = "{text}"

CertificateTemplate= WebServer

After enrolling for the certificate, assign the certificate on the Exchange CAS with the Default Web Site.

  1. On the Exchange CAS, open the Internet Information Services (IIS) Manager MMC.
  2. In the left pane, expand the Web Sites and select the Default Web Site.
  3. From the Action menu select Properties.
  4. Click the Directory Security tab.
  5. Click the Server Certificate button and assign the newly enrolled certificate with the IIS Certificate Wizard.

Configuring Outlook anywhere on the UAG

UAG offers two ways to set up Outlook anywhere. You can either create a new portal trunk and check the option Publish Exchange application via the portal or you can add Exchange to an existing portal trunk. The following steps are describing how to add the Outlook anywhere configuration is added to a new portal trunk.

  1. On the computer running UAG, open the Microsoft Forefront Unified Access Gateway Management console.
  2. Right click HTTPS Connections in the left pane and click New Trunk from the context menu.
  3. Click Next to confirm the welcome message.
  4. Select the option Portal trunk and select Publish Exchange applications via the portal and click Next.
  5. Type the Trunk name such as OutlookAnywhere and type the public host name for the portal. Note that the portal name is not similar to the published Outlook Anywhere application. I used in this example.
  6. In step 4 add the server used for session authentication and click Next.
  7. Select a certificate that matches the public hostname defined in step #5. Optionally, you can use a wildcard certificate. Click Next to continue.
  8. Select the type of Endpoint Security and click Next.
  9. Select the Endpoint Policies and click Next.
  10. Select the Exchange version. In this example, I used Exchange 2007. For Outlook Anywhere, check Outlook Anywhere (RPC over HTTP) and click Next.
  11. Type the application name such as OutlookAnywhere and click Next.
  12. Configure the Endpoint Security and click Next.
  13. Select Publish a web site and click Next.
  14. In step #12 enter the network name of the

Configuring name resolution for the Outlook internet client computer

When the Outlook client computer is connected to the Internet but has no direct connectivity to the internal Exchange resources, it must be able to resolve the name of the Exchange trunk application. The public name for Exchange is configured in the Web Servers tab of the trunk application. See step #3 above.

For testing purposes you can add the fully qualified name of the Exchange application into the local computer’s %WINDIR%\system32\drivers\etc\hosts file. For production use, the name must be resolvable from Internet DNS.

In this sample configuration, add the following information to the name resolution system:

You may verify the connection from the Internet client computer to the Exchange application with telnet at a command-line. It may be required to install the telnet client explicitly on the client computer since it was removed from the Windows default installation from Windows Vista and on.

telnet 443

Creating the Outlook Profile

On the client computer, you have to create a new Outlook Profile.

  1. Open the Control Panel and then click Mail.
  2. In the Mail control applet, click the Add button to create a new profile.
  3. Type a name for the new profile and click OK.
  4. Select Add a new email account and click Next.
  5. Select Microsoft Exchange Server and click Next.
  6. As Microsoft Exchange Server type the name of the Exchange mailbox server and enter the User Name as illustrated in the following picture. If the Exchange CAS role is running on a different computer than the mailbox server, you must specify the mailbox server name and not the CAS server!
  7. Click the More Settings … button.
  8. If a warning about the unavailability of the Exchange server appears, click OK.
  9. In the Exchange Server settings, click the Connection tab.
  10. Check Connect to my Exchange mailbox using HTTP and then click the Exchange Proxy Settings … button.
  11. In the Connection settings type the public name of the Exchange application which was configured in the Web Servers tab of the trunk application and change the Proxy authentication settings to Basic Authentication and click OK twice.
    Note: The authentication setting must match with the authentication method that was configured in the Exchange CAS Outlook Anywhere properties above.
  12. Back in the eMail Accounts window click Next and then Finish.
  13. Click OK to close the Mail applet.

Configuring NTLM authentication

The previous sections described how to authenticate Outlook Anywhere with Basic Authentication. NTLM/Kerberos authentication provides a more seamless integration because the user is not explicitly prompted for credentials when connecting to the Exchange infrastructure. A Windows client computer will perform an automated logon with the current user credentials to Exchange if the Outlook Anywhere URL is part of the local intranet sites in the Internet Explorer configuration.

NTLM authentication requires configuration in the UAG portal and application properties, in Active Directory, in Exchange and finally in Outlook. The following steps explain the configuration changes in detail.

  1. On the computer running UAG, open the Microsoft Forefront Unified Access Gateway Management console.
  2. Navigate to the portal trunk that is used for Outlook Anywhere publication
  3. In the portal properties, click Configure… in the Trunk Configuration section.
  4. Click on the Authentication tab
  5. Select the radio button Use Integrated Windows Authentication and click OK.
  6. From the list of applications, select the one publishing Outlook Anywhere and click Edit.
  7. Click on the Authentication tab
  8. Select the Use Kerberos Constrained Delegation radio button in the Outlook Anywhere section and click OK. Note: The Service Type http covers HTTP and HTTPS traffic from the Unified Access Gateway to the Exchange CAS server.
  9. Activate the UAG configuration.
  10. On a computer with the Active Directory Users and Computers MMC snap-in installed, navigate to the computer object of the UAG computer in Active directory.
  11. Make sure that the Advanced Features are enabled in the View menu of the snap-in.
  12. Open the computer properties.
  13. Click on the Delegation tab.
  14. Select Trust this computer for delegation to specified services only and select Use any authentication protocol.
  15. Click Add…
  16. In the Add Services dialog, click on Users or Computers…
  17. Type the name of the Exchange CAS computer and click OK.
  18. From the list of available services select the http from the Service Type column and click OK.
  19. Click OK to close the computer properties.
  20. On the computer with the Exchange Management Console installed, open the console.
  21. In the left pane in the Server Configuration container, click on Client Access.
  22. In the middle pane select the Exchange CAS from the list of Exchange Servers.
  23. From the Action menu chose the CAS server and then click Properties.
  24. Select the Outlook Anywhere tab.
  25. Select NTLM authentication and click OK.
  26. On the Exchange CAS computer, open the Internet Information Services (IIS) Manager.
  27. Expand the Web Sites and Default Web Site container in the left pane.
  28. Click on owa.
  29. From the Action menu select Properties.
  30. Click on the Directory Security tab.
  31. Click the Edit button in the Authentication and access control section.
  32. Enable Integrated Windows authentication and clear the Basic authentication. Click OK.
  33. On the Windows client computer, you have to change the proxy authentication settings. To do so, open the Mail applet from the Control Panel.
  34. Click E-mail Accounts and then click Next.
  35. Click Change to modify the Microsoft Exchange Server settings.
  36. On the Exchange Server Settings click More Settings…
  37. Click the Connection tab and then click Exchange Proxy Settings …
  38. In the Proxy authentication settings section, change the authentication method to NTLM Authentication and click OK.
  39. Click Next, then Finish and then Close.

Port requirements

The communication between the network entities is well defined. The following drawing let’s you understand the network traffic flow:

From UAG to the domain controller

From UAG to the Exchange CAS

  • 443 (TCP)

From CAS

  • to UAG 443
  • to DC 88, 445, 123 (NTP), 389, 3268
  • to DNS 53
  • to Exchange Mailbox 6001, 6002, 6004

This entry was posted in Exchange. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s