Exchange 2016 — Use Web Application Proxy with Outlook on the web (OWA)

In one of my previous articles, I briefly talked about load balancers as a front-end option instead of exposing your Exchange servers to the internet. In this article, I’ll discuss another option you can use: a web application proxy. I’ve used Web Application Proxy (WAP) in Server 2012 R2, Server 2016 and Server 2019 and see it applies to Server 2022. (Disclaimer: I haven’t tested it yet on this version with Exchange 2016 or Exchange 2019).

What is Web Application Proxy (WAP)? It gives you reverse proxy functionality for web applications like Outlook on the web (OWA). A Web Application Proxy works with Active Directory Federation Services (ADFS). I won’t go into detail about configuring Active Directory Federation Services (ADFS) as that is beyond the scope of this discussion. Instead, I’ll talk about placing your Web Application Proxy and provide you with a walkthrough. You can learn more about Active Directory Federation Services (ADFS) by following this link.

Every environment is different. If your environment has a demilitarized zone (DMZ) where servers are located, or has a set of firewalls, please read the section “Plan the location of the network” from this link. This applies to Server 2012 R2 for those still using older versions and should also apply to newer versions for placement.

After DNS, certificates, and Active Directory Federation Services (ADFS) configuration are complete, you are ready to publish your application; in this case, it will be Outlook on the web.

When you open the Web Application Proxy (WAP) console, you can use the “Publish New Application Wizard” to publish OWA. The wizard opens with a welcome screen. Click the Next > button. On the next page, you will have the following two options under Pre-authentication:

  • Active Directory Federation Services (ADFS)
  • Pass-through

With the first option, Active Directory Federation Services (ADFS), you will be redirected to the ADFS login page. Once you have successfully logged in, your request will be forwarded to the backend Exchange server. You will then be able to log in to OWA. I had a customer who wanted to use this option and he told me that ADFS was set up a while ago and should work. In this case, an expired certificate caused problems accessing Exchange. This was resolved once the certificate was renewed.

With option 2, Pass-through, click Next and you will be prompted for the following information:

  • Name (use whatever you want, e.g. “OWA rule”)
  • External URL
  • External certificate
  • Backend server URL

Once you have filled everything out, you can then click on the Next button. On the confirmation page, check that you’re happy with everything, then click Publish. When done, you can now launch a web browser and enter the external URL you specified in the previous step. The Exchange OWA page should appear and it should also use the correct certificate.
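The same pass-through publishing step can be scripted with the Web Application Proxy PowerShell cmdlets. The following is an added example, not part of the original article, and it checks the certificate's validity period first, since an expired certificate was the failure described above. The host name `mail.example.com` and the 30-day warning threshold are assumptions; only the rule name comes from the wizard walkthrough.

```powershell
# Added example: publish OWA through WAP with pass-through pre-authentication.
# Run in an elevated PowerShell session on the WAP server.
# The URLs and the warning threshold are placeholders (assumptions), not values from the article.
$ExternalUrl = 'https://mail.example.com/owa/'   # external URL, trailing slash included
$BackendUrl  = 'https://mail.example.com/owa/'   # backend server URL
$RuleName    = 'OWA rule'
$WarnDays    = 30

$hostName = ([uri]$ExternalUrl).Host
$now      = Get-Date

# Pick a certificate from the machine store that has a private key, is inside its
# validity period and lists the external host name (wildcard names are matched
# loosely with -like, so confirm the result by eye).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter  -gt $now -and
        ($_.DnsNameList.Unicode | Where-Object { $hostName -like $_ })
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate for $hostName in Cert:\LocalMachine\My. Install or renew it before publishing."
}

$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days."
}

# Pass-through: WAP does not pre-authenticate the request; Exchange shows its own logon page.
Add-WebApplicationProxyApplication -Name $RuleName `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $ExternalUrl `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl $BackendUrl

# Show what was published so it can be compared with the wizard's confirmation page.
Get-WebApplicationProxyApplication -Name $RuleName |
    Format-List Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ExternalCertificateThumbprint
```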

This is a high-level overview of using a web proxy with Exchange OWA. WAP can be placed in the internal network or in the DMZ. There has been a lot of discussion about where it should be placed. It depends on your specific business needs.

If the complexity of setting up Active Directory Federation Services (ADFS) and WAP is just too much and you’d rather consider something else, consider a load balancer. Keep in mind that setting one up can also seem complex if you’ve never done it before.

I used both scenarios, configuring Active Directory Federation Services (ADFS) and a Web Application Proxy (WAP). It was a fun exercise that took some time to get the certificates purchased. But in the end the customer was happy with the setup as budgets were tight and load balancers can be expensive depending on the desired modules.

Here are some links to configure an F5 or configure Active Directory Federation Services and Web Application Proxy (WAP):

The penultimate link has lots of information about new features in Windows Server 2016 and Web Application Proxy (WAP).

The last link gives you a step by step guide on how to configure Web Application Proxy on Windows Server 2016.
