There are many ways to “authenticate” Outlook Anywhere (OA) and Outlook Web Access/Application to Exchange via Forefront Unified Access Gateway (UAG).  While one size does not fit all, most have been documented by the Exchange product team.  The goal of this document is to outline the 2 methods Greg documented and add yet another.

3 Ways to Authenticate OA to UAG:

The following 3 methods can be used to authenticate OA to UAG:

  1. Publishing Outlook Anywhere using Basic Authentication (at UAG or TMG): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022
  2. Publishing Outlook Anywhere using NTLM Authentication (at UAG or TMG): http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3
  3. Publishing Outlook Anywhere using “pass-through” authentication (at Exchange): This document

Why another authentication method?

Recently I had a customer who wanted to use multiple authentication methods.  UAG only supports one authentication method at a time.  To accomplish this, the customer was considering TMG and using the “No delegation, but client may authenticate directly” feature.  While this is a fine answer, it would require them to deploy additional TMG servers, as Microsoft is pretty clear that publishing web applications via TMG on a UAG server is not supported: http://technet.microsoft.com/en-us/library/ee522953.aspx.

Instead of deploying more infrastructure, we wanted to use the existing UAG deployment and save on cost, complexity and management.

What is pass-through and is it good for me?

One of the great features of TMG and UAG is the ability to “pre-authenticate”.  This allows you to authenticate and verify that the account is real and valid before passing the communication on to the Exchange Servers.  This prevents Denial of Service (DoS) attacks, and with both UAG and TMG we can even protect against malformed packets, malformed URLs and incorrect HTTP verbs (GET, PUT, POST, etc.).

While publishing with “pass-through” does not pre-authenticate, meaning it relies on Exchange to determine whether the account and password are valid, we still get the full protection of the URL, traffic and HTTP verb inspection.

What does this look like?

The following diagram shows the typical network setup.  In this diagram, UAG will terminate and inspect the HTTPS traffic.  Once it verifies that the traffic is accurate, it will pass it to the Exchange Servers and they will perform the authentication step.


Setting up UAG:

Because we are authenticating to Exchange using whatever method it already has set up, I am going to skip the Exchange Server and Outlook setup.

You will also notice that, for simplicity's sake, I have created a new UAG trunk.  This trunk will not require authentication.  Also, while I am showing just Outlook Anywhere, the same process can be followed for Autodiscover.

Step 0. Open the Microsoft Forefront Unified Access Gateway Management console, right-click HTTPS Connections and select “New Trunk”.

Step 1. At Step 1, select Portal Trunk and select Publish Exchange applications via the portal.

Step 2. At Step 2, name the trunk whatever you like, type the public host name you used when configuring Exchange, and select an unused IP address.

Step 3. At Step 3, select an authentication server.  It is only needed for NTLM authentication at UAG, and because we are doing pass-through it will not be used.

Step 4. At Step 4, select a certificate that has the fully qualified domain name, or a certificate that includes the name as an alternative name (Vista SP1 or higher only).

Step 5. At Step 5, leave the endpoint security default, as Outlook Anywhere will not use it.

Step 6. At Step 6, leave the endpoint policies default, as Outlook Anywhere will not use them.

Step 7. At Step 7, select Microsoft Exchange Server 2010 and select “Outlook Anywhere (RPC over HTTP)” only.

Step 8. At Step 8, name the application “Exchange” or any name you desire.

Step 9. At Step 9, leave the endpoint policies default, as Outlook Anywhere will not use them.

Step 10. At Step 10, select Configure an application server.

Step 11. At Step 11, type the full name of the Exchange CAS server.  Be sure this name matches the SSL certificate loaded on the Exchange Server.

Step 12. At Step 12, unselect the single sign-on option, as we will perform pass-through.

Step 13. At Step 13, leave the “no authentication” default for both services.

Step 14. At Step 14, leave “authorize all users” selected.

Step 15. Finish the wizard.

Step 16. Select the advanced properties of the trunk and unselect “Require users to authenticate at session logon”, as we are not pre-authenticating Outlook.

Step 17. Save and activate this configuration.
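Once the configuration is activated, a quick way to confirm that authentication is really being handed to Exchange is to send an anonymous request to the published RPC proxy URL and see who issues the challenge.  The PowerShell below is an added example, not part of the original article or of UAG itself; mail.contoso.com is a placeholder for the public host name entered at Step 2, and the redirect interpretation is a heuristic for a trunk that still requires session logon.

```powershell
# Added verification script; not part of the original article or the UAG product.
# mail.contoso.com is a placeholder for the public host name entered at Step 2.
function Get-OaChallenge {
    param([string]$PublicHost = "mail.contoso.com")

    # Outlook Anywhere talks to the RPC proxy; this is the URL UAG publishes.
    $uri = "https://$PublicHost/rpc/rpcproxy.dll"
    $req = [System.Net.HttpWebRequest]::Create($uri)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false   # keep a UAG logon redirect visible instead of following it
    $req.Timeout = 15000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 surfaces as an exception, but the response object is still attached.
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }

    $schemes = $resp.Headers.GetValues("WWW-Authenticate")
    if (-not $schemes) { $schemes = @() }
    $result = New-Object PSObject -Property @{
        StatusCode      = [int]$resp.StatusCode
        WwwAuthenticate = @($schemes)
        Location        = $resp.Headers["Location"]
    }
    $resp.Close()
    return $result
}

function Test-OaPassThrough {
    param([string]$PublicHost = "mail.contoso.com")
    $r = Get-OaChallenge -PublicHost $PublicHost

    if ($r.StatusCode -eq 401 -and $r.WwwAuthenticate.Count -gt 0) {
        # UAG forwarded the anonymous request and Exchange answered with its own
        # challenge, so the account check is being made by Exchange (pass-through).
        "PASS: Exchange challenged with: $($r.WwwAuthenticate -join ', ')"
    } elseif ($r.StatusCode -eq 301 -or $r.StatusCode -eq 302) {
        # A redirect to a logon page means UAG intercepted the request itself:
        # Step 16 (Require users to authenticate at session logon) is still enabled.
        "FAIL: UAG redirected to $($r.Location); session logon is still required"
    } else {
        "UNEXPECTED: HTTP $($r.StatusCode) without a challenge; review the trunk's application settings"
    }
}

Test-OaPassThrough
```

The schemes listed in a PASS result (Basic, NTLM or Negotiate) also tell you which authentication method Exchange is configured for, since UAG is no longer in the middle of that decision.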

Original Author:

Kevin Saye, Security Specialist – Microsoft


Greg Taylor, Senior Program Manager – Microsoft