OWA 2013 using UAG 2010

Hi there:

I'd like to poll the group to see if anyone has deployed OWA 2013 using UAG 2010.  Any challenges or issues?

In particular I'm looking to see if you were able to configure the IIS settings on the 2013 Exchange CAS for Forms Based Auth (FBA). 

There seems to be some confusion concerning the modes of authentication required by UAG. What I've found is that when FBA is enabled for the Exchange CAS IIS, an end-user logging on through the UAG portal gets a double-logon prompt - once for UAG and once for OWA.

Any help greatly appreciated.

May 7th, 2015 12:28am

I have deployed it.  It's very temperamental.  To make proper use of a reverse proxy, it has to do the FBA.  Personally I think it's gross overkill for what you want to do with it.

FWIW, Microsoft claims that it doesn't deploy any reverse proxy in Office 365 Exchange Online because Exchange 2013 is secure by default.

May 7th, 2015 2:13am

Hi:

How did you overcome the double logon that FBA on the Exchange CAS IIS causes?

May 7th, 2015 6:58am

Hi,

Since UAG does not support single sign-on with Exchange forms-based authentication, please change Exchange to use something other than forms-based authentication.
More details about UAG 2010 publishing Exchange 2013 requiring two logons, for your reference:
https://social.technet.microsoft.com/Forums/office/en-US/e524c884-3739-4d18-aa0c-5fadae000f25/uag-2010-publishing-exchange-2013-requires-two-logons?forum=forefrontedgeiag
Also, publishing Exchange 2013 with UAG 2010 is similar to publishing Exchange 2010. Here's the blog to achieve this:
http://blogs.technet.com/b/exchange/archive/2010/07/16/publishing-exchange-server-2010-with-forefront-uag-and-tmg.aspx

Thanks

May 8th, 2015 3:29am

To accomplish that but retain FBA internally, you might need to create separate OWA and ECP virtual directories.
May 8th, 2015 11:39am

Yes, a separate OWA/ECP site does work - however, with Basic/NTLM enabled for OWA, the sign-off page does not work correctly - meaning it requires the end-user to "close the browser" to complete sign-out.  In Exchange 2010 this was not the case.

If FBA is enabled - double logon.

May 12th, 2015 9:42am

Hi,

As Andy mentioned, we might need multiple OWA/ECP virtual directories to achieve your goal.
For your reference: http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx

May 28th, 2015 3:59am
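
The approach discussed in this thread, as an added example that is not from any of the posters: turn FBA off only on a UAG-facing OWA/ECP pair, leave the default site alone, then audit the result. The server name `CAS01` and site name `UAG-Published` are placeholders, and the second pair of virtual directories is assumed to have been created already as described in the linked article.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2013 CAS.
# Placeholders (assumed, not from the thread):
$Server  = 'CAS01'           # CAS server name
$UagSite = 'UAG-Published'   # second IIS site that only the UAG trunk targets

$owaId = "$Server\owa ($UagSite)"
$ecpId = "$Server\ecp ($UagSite)"

# UAG-facing pair: FBA off, Basic/NTLM on, so UAG performs the only forms logon.
# OWA and ECP are changed together so their authentication settings stay matched.
Set-OwaVirtualDirectory -Identity $owaId -FormsAuthentication $false `
    -BasicAuthentication $true -WindowsAuthentication $true
Set-EcpVirtualDirectory -Identity $ecpId -FormsAuthentication $false `
    -BasicAuthentication $true -WindowsAuthentication $true

# Audit every OWA/ECP virtual directory on the server, including the default
# site, which is left untouched so internal users keep FBA.
$vdirs  = @(Get-OwaVirtualDirectory -Server $Server) +
          @(Get-EcpVirtualDirectory -Server $Server)
$report = $vdirs | Select-Object Name, FormsAuthentication,
                                 BasicAuthentication, WindowsAuthentication
$report | Format-Table -AutoSize

# Flag the two conditions that bring the double logon back.
$uag = @($report | Where-Object { $_.Name -like "*($UagSite)" })
if ($uag | Where-Object { $_.FormsAuthentication }) {
    Write-Warning "FBA is still enabled on a UAG-facing virtual directory; expect a second logon prompt."
}
$fbaValues = @($uag | Select-Object -ExpandProperty FormsAuthentication -Unique)
if ($fbaValues.Count -gt 1) {
    Write-Warning "OWA and ECP on '$UagSite' have different FBA settings; keep them in sync."
}

# Authentication changes take effect after IIS restarts.
iisreset /noforce
```

Because Basic authentication sends credentials on the UAG-to-CAS leg, keep that leg on HTTPS and restrict the second site's binding so that only UAG can reach it.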
