locked
owa trhough web app proxy RRS feed

  • Question

  • hi guys,

    please i need your help with the below.

    the customer has exchange server 2016 dag deployed on windwos server 2016.

    he is requesting to publish owa trhough web application proxy without adfs.

    can you help me with that? i have never done it

    best regards

    Thursday, March 12, 2020 1:52 PM

All replies

  • hi andy,

    the blogs posted are on arr not on wap.

    iis is just installed, not the web app proxy role. this is different guys.

    can anyone help with that? can anyone advise if this can work withou adfs too? publishing owa?

    much appreciated

    Friday, March 13, 2020 6:49 AM
  • moreover, does this work with exchange server 2016?

    Friday, March 13, 2020 6:56 AM
  • hi andy,

    the blogs posted are on arr not on wap.

    iis is just installed, not the web app proxy role. this is different guys.

    can anyone help with that? can anyone advise if this can work withou adfs too? publishing owa?

    much appreciated

    WAP requires ADFS unless its configured to simply pass through. In other words, 

    I would use ARR instead myself and follow those articles.

    Friday, March 13, 2020 10:02 AM
  •    

    Hi,

    If you want to deploy WAP without ADFS, please refer to the steps in this link: Publishing Exchange 2013 OWA Through WAP using Pass-through Authentication

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    But it’s recommended to install ADFS for the WAP.

    Regards,

    Vera Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, March 13, 2020 10:15 AM
  • hi vera,

    thank you for replying.

    If you want to deploy WAP without ADFS, please refer to the steps in this link: Publishing Exchange 2013 OWA Through WAP using Pass-through Authentication

    i checked the above, but there is one concern that when you deploy wap, in the post configuration you have to use adfs server. That means i will need to confgiure adfs right??

    another question: on my exchange server, i have a public ca certificate that contains: mail.x.com, autodiscover.x.com.

    will i need new certificates for adfs and wap? or can i use the same one and import it on the servers?

    your response is highly appreciated

    best regards,

    Friday, March 13, 2020 11:35 AM
  • hi andy,

    thank you for the resonse;

    WAP requires ADFS unless its configured to simply pass through. 

    but even in the pass through, in the post configuration of the wap i should choose a adfs server right?

    that means that i need to install adfs server in any case right?

    thank you in advance

    Friday, March 13, 2020 11:36 AM
  • hi andy,

    thank you for the resonse;

    WAP requires ADFS unless its configured to simply pass through. 

    but even in the pass through, in the post configuration of the wap i should choose a adfs server right?

    that means that i need to install adfs server in any case right?

    thank you in advance

    Yes.
    Friday, March 13, 2020 11:55 AM
  • thanks andy

    what about the certificates: on my exchange server, i have a public ca certificate that contains: mail.x.com, autodiscover.x.com.

    is this the same one that i have to import on adfs and wap?

    can you advise on the certificates part

    Friday, March 13, 2020 2:32 PM
  • any updates guys
    Sunday, March 15, 2020 9:16 AM
  • any updates guys

    Yes. You would need to import the client cert ( your public cert that covers mail / autodiscover)

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn383639(v%3Dws.11)

    Sunday, March 15, 2020 11:41 AM
  • Hi,

    Agree with Andy, you can select the public certificate whose subject covers the external URL like the official article referred above.

    Regards,

    Vera Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, March 17, 2020 6:21 AM
  • hi all,

    the is the whole scenario advise please

    dears,
    i have 2 2016 exchange servers configured in dag mode. external urls are not published. users can connect just internally.
    the client recently asked to publish it externally using web app proxy.
    i have seen that this needs an adfs server to be installed and maybe adcs server( not sure)
    for the moment, we are not planning to have our root ca as for the exchange server we are using public certificates from go daddy.
    my question is, as adfs and web app proxy needs certificates when installing and configuring can i use the same one of the exchange server??


    second thing, the customer wants to deploy the wap in his dmz. does the wap needs to have a public ip?
    can you advise on the procesure please
    as i cant seen many details about these kind of deployments



    regards,

    Wednesday, March 18, 2020 10:13 AM
  • hi all,

    the is the whole scenario advise please

    dears,
    i have 2 2016 exchange servers configured in dag mode. external urls are not published. users can connect just internally.
    the client recently asked to publish it externally using web app proxy.
    i have seen that this needs an adfs server to be installed and maybe adcs server( not sure)
    for the moment, we are not planning to have our root ca as for the exchange server we are using public certificates from go daddy.
    my question is, as adfs and web app proxy needs certificates when installing and configuring can i use the same one of the exchange server??


    second thing, the customer wants to deploy the wap in his dmz. does the wap needs to have a public ip?
    can you advise on the procesure please
    as i cant seen many details about these kind of deployments



    regards,

    You may want to ask this in a Windows/WAP/ADFS forum to get answers there since this is not really an Exchange question.
    Wednesday, March 18, 2020 4:37 PM
  • Hi,

    According to your questions:

    1. As we suggested above, you can use the same public certificate if its’ subject covers the external URL.

    2. Yes, the WAP needs to have a Public IP. Here is the article which you can refer to: How to install and configure Web Application Proxy for ADFS.

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Regards,

    Vera Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, March 19, 2020 6:53 AM
  • hi vera,

    . As we suggested above, you can use the same public certificate if its’ subject covers the external URL.: but in the link we see this: 

    "The certificate selected here should be the one that whose subject match the Federation Service name, for example, fs.adatum.dk or *.adatum.dk."

    however, my certfiicate just covers the external url and not the fed service name. can you advise on that please?

    regards,


    Thursday, March 19, 2020 7:17 AM
  • Hi,

    As the article referred, the external url should include the address to externally published federation service. If your cert covers the external URL correctly, it should match the Federation Service name.

    Regards,

    Vera Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, March 19, 2020 9:21 AM
  • vera,

    my federation service name would be: adfs.contoso.com

    any my certificate covers these external urls for exchange: mail.contoso.com and autodiscover.contoso.com.

    this is the scenario. can you advise if this certificate will work or do i have to purhcase a new one??

    thank you in advance

    you are  so helpful

    Thursday, March 19, 2020 10:37 AM
  • vera,

    my federation service name would be: adfs.contoso.com

    any my certificate covers these external urls for exchange: mail.contoso.com and autodiscover.contoso.com.

    this is the scenario. can you advise if this certificate will work or do i have to purhcase a new one??

    thank you in advance

    you are  so helpful

    The existing Exchange Cert should work since you are publishing those URLs.
    Thursday, March 19, 2020 12:25 PM
  • hi vera,

    thnk you for your help.

    one last thing, as wap will be deployed in DMZ and as a workgroup. therfore i will add as host files the dns of the adfs federation name. Does the fedearatin name should match the fqdn of adfs? if no what to put in host files ( federation and fqdn?)

    but concerning the network, wap will have one net adapter with the network of the DMZ. 

    how this network will be connected to the external network( where a record of the public ip mail.domain.com..)

    and how it will be routed to the internal network ( to adfs i suppose)

    i talked to the network team, the ip on the wap will be natted to public ip of the external dns. how the ip will communicate with the internal network? it is done through the firewall, but i mean it will be redirected to the adfs ip from the firewall? or to tje exchange IP?

    can you advise on this part if you have any idea

    best regards,



    • Edited by eg1559 Friday, March 20, 2020 9:50 AM
    Friday, March 20, 2020 6:43 AM
  • hi guys,

    anyone can advise how to route the access from the external to the internal network with wap?

    noting that wap is infront and behind a firewall separating it from the internal network and the external isp.

    will the wap ip should be routed to the exchange server? or to the adfs server? noting that i dont have a load balancer, so the ip will be directed to just one of thes two.

    your help is appreciated as i am stuck with this configuration

    regards

    Thursday, March 26, 2020 9:18 AM
  • Hi eg155g,

    It seems your issue is more with wap not Exchange. The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thanks for your understanding and hope your question will be resolved soon.

    Regards,

    Beverly Gao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, March 27, 2020 9:08 AM