We have an Exchange 2013 Project and plan the publishing of the Outlook Anywhere Service. We have the following scenario:

- Outlook Anywhere with preauthentication from the Internet

- Preauthentication Basic or NTLM

- No direct access to the Exchange CAS Server from Internet (Reverse Proxy, or LB)

- No TMG 

Now I'm looking for a solution which can do preauthentication.

Best Regards - Bueschu

Hi,

According to your description, I understand that deploy pre-authentication for Outlook Anywhere with basic and HTML, however no Reverse Proxy, LB or TMG.
If I misunderstand your concern, please do not hesitate to let me know.

You want put the CAS-server inside the firewall (configuring it with a public IP or NATing a public IP to it) and allow HTTPS traffic (TCP/443) to it. It cant be done as your expected.
We need an device or application(TMG, UAG or proxy) to implement pre-authentication, if it certified then permit this traffic access to Exchange server.
Please refer to below link so that you can get more information about your question: Life in a Post TMG World Is It As Scary As You Think?

Thanks

Hi

Thanks for your help.

In our Scenario the client wishes preuthentication for owa, activesync and outlook anywhere access from the internet. I know the link you mention (Life in a Post TMG World..) and can understand the arguments, but the clients needs preauthentication cause of company policy.

Now im Looking for a Reverse Proxy, LB or whatever device which can do preauthentication for owa,eas,oa in the perimeter network. If the traffic ist authenticated it goes directly to the CAS infrastructure in the LAN.

Do you know any manufacture, which delivers such devices (Kemp, Citrix Netscaler, F5...)

Best Regards - Bueschu

Hi,

Web Application Proxy can provide both reverse proxy and pre-authentication functions.

More detailed information:
1. Web Application Proxy serves as a reverse proxy for any application that is published through it and as such, the end user experience is the same as if the end users device connects directly to the application.
2. Web Application Proxy provides a protection layer against malicious HTTP requests that originate from the Internet through the following features:  PreauthenticationMake sure that only authenticated traffic can get into the corporate network.

More details to see: Planning to Publish Applications Using Web Application Proxy
https://technet.microsoft.com/en-us/library/dn383650.aspx?f=255&MSPPError=-2147217396

Thanks

Hi

I think WAP can do preauthentiaton for Web Services like OWA and ActiveSync, but not for Outlook Anywhere.

Best Regards - Bueschu

Hi,

We may need Software load balancer in a separate server layer to archive your goal. Also you can use Kemp Load Balancer setup to proxy the new Exchange 2013 server, the KEMP balancer does handle pre-authentication (basic) just like the ISA 2006 server does.

Thanks

Hi

Thank you for the support.

Do you know anything about citrix netscaler for this scenario?

Best Regards - Bueschu

Hi,

Im sorry I couldnt any similar scenario in Microsoft document, however I find some thread about KEMP for Exchange 2013, for your reference:
https://social.technet.microsoft.com/Forums/exchange/en-US/33783274-0505-47eb-9555-230d0a72ae74/2007-to-2013-migration-with-outlook-anywhere-basic-authentication?forum=exchangesvrdeploy
https://social.technet.microsoft.com/Forums/itmanagement/en-US/61c66034-776b-49d7-a870-d81aeb8398ae/exchange-2013-edge-transport-cas-load-balancing?forum=exchangesvrdeploy

Additional, I recommend search Kemp with Exchange 2013 in Kemp official document. I appreciate your understanding.

Thanks