WatchGuard XCS and Outlook Web Access 2013

The Secure WebMail proxy provides a highly secure mechanism for accessing Microsoft OWA (Outlook Web Access). OWA uses a very similar interface to Outlook and provides an attractive, easy to use remote interface for users to access their Exchange mailboxes remotely. With OWA, users can see all of their mail, contacts, and calendar using a web browser.

As OWA is accessible from the Internet, its use presents a number of security challenges. The Secure WebMail Proxy feature is designed to support OWA use while protecting the system from Internet attacks. The OWA connection is managed using a full application proxy: the WatchGuard XCS completely recreates all HTTP and HTTPS requests made by the external client to the internal OWA Exchange server.

In a typical deployment, OWA users connect to the OWA interface via the public interface of the WatchGuard XCS. The WatchGuard XCS then proxies the traffic via its private interface to the OWA server. The connection is secure because the requests from the OWA clients are recreated by the WatchGuard XCS rather than passed through.

If the WatchGuard XCS is deployed in the DMZ network of a network firewall, OWA users first connect to the public interface of the network firewall. The traffic is forwarded to the WatchGuard XCS, and the requests are then recreated and forwarded to the OWA server. On the network firewall, incoming port 443 must be opened from the public interface to the DMZ to allow traffic from the Internet to the WatchGuard XCS. Port 80 from the DMZ to the private network must also be allowed so that the WatchGuard XCS can connect to the OWA server.
Configure the Secure WebMail OWA proxy

To configure the Secure WebMail proxy for OWA:

1. Select Configuration > WebMail > WebMail.
2. Click Add Server.
3. In the Address field, specify the HTTP URL of the server where OWA is located (including the trailing / character), for example: http://exchange.example.com/owa/
4. Enter an optional name to describe this server in the Label field.
5. Select any local users that will be allowed to use OWA by selecting the corresponding check box. Users can also be authenticated to OWA via Active Directory or another LDAP service. For more information, see Add a Directory Server on page 3.
6. Enable the Try WebMail ID/login first option if the LDAP user's samaccountname attribute is equivalent to the mail attribute. By default, the WatchGuard XCS sends the user account portion of the user's mail attribute to the OWA server (such as user in the address user@example.com). If this differs from the samaccountname attribute, do not select the Try WebMail ID/login first option. If it is selected, the user gets an invalid ID error message and must enter their user name and password again to gain access to OWA.
7. Click Apply.
8. Select Configuration > WebMail > WebMail.
9. Make sure that the Proxy mail option is enabled in the Access Types section.
10. Select Configuration > Network > Interfaces.
11. Make sure the WebMail option is enabled on the network interface from which users will access WebMail.

Add a Directory Server

To add a directory server for remote authentication of users:

1. Select Configuration > LDAP > Directory Servers.
2. Enter your LDAP server configuration.
3. Click Apply.
Add Remote Authentication Configuration

1. Select Administration > Accounts > Remote Authentication.
2. Click New to add a new LDAP source.
3. Click Apply.
4. From the Default Server drop-down list, select the OWA server you created to use as the default LDAP user profile.
5. Click Apply.
Configure Outlook Web Access

OWA (Outlook Web Access) provides a way to access Exchange server mailboxes and folders with standard web browsers. OWA 2013 is included with Microsoft Exchange server.

Disable SSL for Outlook Web Access on the IIS Server

OWA uses IIS (Internet Information Server) to access the Exchange server. Internal communications between the WatchGuard XCS and the OWA server are in plain HTTP, so you must disable SSL in your OWA settings.

To configure IIS for use with OWA 2013:

1. Open the Internet Information Services (IIS) Manager.
2. Select [SERVERNAME] > Sites > Default Web Site > owa.
3. Select SSL Settings.
4. Disable the Require SSL option.
5. Restart IIS from PowerShell with the command: iisreset /noforce
Enable Basic Authentication

The WatchGuard XCS only supports Basic Authentication when communicating with the OWA server. To make sure that Basic Authentication is installed on your IIS server:

1. Open the Internet Information Services (IIS) Manager.
2. Select Servers > Virtual Directories > OWA > Authentication.
3. Select Basic Authentication. If you do not see the Basic Authentication option, you must install the Basic Authentication module, which is normally selected during the initial IIS installation: select Server Manager > Roles > Web Server (IIS), click Add Role Services, and make sure that Basic Authentication is installed. You may be prompted with a warning that you should switch the ECP authentication method to Basic Authentication. Perform this step in servers > virtual Directories > ecp > authentication.
4. Restart IIS by running the following command from the command line: iisreset /noforce
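The two IIS procedures above (Require SSL cleared on the owa virtual directory, Basic Authentication enabled on owa and ecp) can be audited from PowerShell on the Exchange server with the WebAdministration module, which is useful for confirming the state after a change or a reinstall. The script below is an added example, not code from WatchGuard or Microsoft; it assumes the site name Default Web Site and the virtual directory names owa and ecp used in this guide, and an elevated session on the IIS server.

```powershell
# Added example (not from the WatchGuard guide): audit, and optionally set, the
# IIS settings this guide requires on the OWA server. Assumes the WebAdministration
# module, site "Default Web Site" and virtual directories "owa" and "ecp".
Import-Module WebAdministration

$Site = 'Default Web Site'

# Get-WebConfigurationProperty returns a ConfigurationAttribute for some
# properties and a bare value for others; normalise to the bare value.
function Get-IisProp {
    param([string]$Location, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter $Filter -Name $Name
    if ($null -ne $v -and $null -ne $v.Value) { return $v.Value }
    return $v
}

function Test-OwaProxyReady {
    param([switch]$Fix)   # -Fix applies the settings instead of only reporting them
    $ok = $true

    # "Require SSL" in IIS Manager is the Ssl bit of sslFlags on the owa directory.
    $owa = "$Site/owa"
    $ssl = [string](Get-IisProp $owa 'system.webServer/security/access' 'sslFlags')
    if ($ssl -match 'Ssl') {      # Ssl, SslNegotiateCert, SslRequireCert, Ssl128
        $ok = $false
        Write-Warning "$owa : Require SSL is on (sslFlags=$ssl); the XCS proxies plain HTTP here."
        if ($Fix) {
            Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $owa `
                -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
        }
    }

    # The XCS only speaks Basic Authentication to the OWA server; the guide also
    # switches ecp to Basic. If the Basic Authentication role service is not
    # installed, the section is absent and the Get call throws; report that.
    foreach ($loc in @($owa, "$Site/ecp")) {
        try {
            $basic = [bool](Get-IisProp $loc 'system.webServer/security/authentication/basicAuthentication' 'enabled')
        } catch { $basic = $false }
        if (-not $basic) {
            $ok = $false
            Write-Warning "$loc : Basic Authentication is disabled or the module is not installed."
            if ($Fix) {
                Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc `
                    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name 'enabled' -Value $true
            }
        }
    }
    if ($Fix -and -not $ok) { iisreset /noforce }   # the restart the guide calls for after changes
    return $ok
}

Test-OwaProxyReady   # audit only; run Test-OwaProxyReady -Fix to apply the settings
```

Because the owa directory no longer requires SSL and Basic Authentication only base64-encodes credentials, the DMZ-to-private HTTP path carries user passwords in the clear; the port 80 firewall rule described at the start of this guide should permit only the WatchGuard XCS private interface as the source.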
Disable the OWA Premium Client

The WatchGuard XCS Secure WebMail Proxy does not support OWA Premium Client mode, and you must disable Premium Client mode in the OWA configuration. Public Folders are not available when using the regular client mode.

1. Open the Exchange Control Panel (ECP), then go to servers > virtual directories > owa > features.
2. Disable the Premium client option.
3. From the Exchange Control Panel, go to permissions > Outlook Web App policies > default.
4. Disable the Premium client option.
5. Restart IIS by running the following command from the command line: iisreset /noforce
6. Test OWA and make sure the regular OWA 2013 client is presented after you log in.