To configure Outlook Web Access with forms-based authentication
1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
2. In the Tasks pane, click the Toolbox tab.
3. On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.
4. Complete the New Web Listener Wizard as outlined in the following table.

| Page | Field or property | Setting or action |
|---|---|---|
| Welcome to the New Web Listener Wizard | Web listener name | Type a name for the Web listener. For example, type OWA Forms-Based Listener. |
| Client Connection Security | | Select Require SSL secured connections with clients. |
| Web Listener IP Addresses | Listen for incoming Web requests on these networks | Select the External network. Click Select IP Addresses, and select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the IP address for the Web site, click Add, and then click OK. |
| Listener SSL Certificates | | Select Use a single certificate for this Web listener, click Select Certificate, and select a certificate for which the host name that users use to access the published Web site appears in the Issued To field. |
| | Select how clients will provide credentials to Forefront TMG | In the drop-down list, select HTML Form Authentication. For instructions about using HTTP authentication (the default option) or SSL Client Certificate Authentication, see Configuring access for Outlook Web Access clients. |
| | Collect additional delegation credentials in the form | This check box appears only when HTML Form Authentication is selected. Select this check box only if you intend to select RADIUS OTP or SecurID. |
| | Select how Forefront TMG will validate client credentials | Select one of the available options. In a workgroup deployment, you can use only RADIUS, LDAP (Active Directory), RADIUS OTP, or SecurID. |
| Single Sign On Settings | Enable SSO for Web sites published with this listener | If you enable single sign on, you must click Add and specify a domain within which single sign on will be applied. |
| Completing the New Web Listener Wizard | | Review the settings and click Finish. If a message box appears, click Yes to enable the system policy rule Allow All HTTP Traffic from Forefront TMG to All Networks (for CRL downloads). |

5. In the Tasks pane, click the Tasks tab.
6. On the Tasks tab, click Publish Exchange Web Client Access to open the New Exchange Publishing Rule Wizard.
7. Complete the New Exchange Publishing Rule Wizard as outlined in the following table.

| Page | Field or property | Setting or action |
|---|---|---|
| Welcome to the New Exchange Publishing Rule Wizard | Exchange publishing rule name | Type a name for the Exchange publishing rule. For example, type OWA Forms-Based. |
| | | Select the version of Exchange Server that is running on your Exchange servers. |
| | Web client mail services | Select Outlook Web Access. |
| | | Select Publish a single Web site or load balancer. The other options are beyond the scope of this procedure. |
| Server Connection Security | | Select Use SSL to connect the published Web server or Web farm. This option requires installation on each Exchange front-end server of an SSL server certificate for which the host name that Forefront TMG uses to contact an Exchange server appears in the Issued To field. |
| Internal Publishing Details | Internal site name | Type the host name that Forefront TMG will use in HTTP request messages sent to the published server. If the internal site name specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use a computer name or IP address to connect to the published server, and type the resolvable computer name or IP address of the published server. |
| Public Name Details | Accept requests for | Select This domain name (type below). |
| | | Type the public FQDN or IP address that external users will use to access the published Outlook Web Access site. |
| Select Web Listener | | In the drop-down list, select the Web listener that you created in Step 4. You can then click Edit to modify the properties of the selected Web listener. |
| | Select the method used by Forefront TMG to authenticate to the published Web server | Select Basic authentication. |
| | This rule applies to requests from the following user sets | If you are using Windows credentials validation, do not change the default All Authenticated Users. If you are using RADIUS or LDAP validation, you must use a user set that is configured for the RADIUS or LDAP namespace, respectively. |
| Completing the New Exchange Publishing Rule Wizard | | Review the settings and click Finish. |

8. In the details pane, click the Apply button to save and update the configuration, and then click OK.
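The constraints spread across the two tables (SSL required on the listener, certificate Issued To matching the public name and the internal site name, the workgroup restriction on validation methods, the delegation check box tied to RADIUS OTP or SecurID, the user set matching the validation method, and SSL to Exchange because delegation is Basic) collected into a pre-flight check you can run over the settings before clicking Apply. This is an added example, not code from the original page or from Forefront TMG; the field names, host names and the simplified validation-method labels are assumptions.

```python
# Added example, not from the original page or Forefront TMG: the constraints in the
# two tables above encoded as a pre-flight check over the settings you intend to enter.
from dataclasses import dataclass, replace
# Validation-method labels are simplified here; the wizard's own wording may differ.
WORKGROUP_VALIDATORS = {"RADIUS", "LDAP (Active Directory)", "RADIUS OTP", "SecurID"}
OTP_VALIDATORS = {"RADIUS OTP", "SecurID"}
@dataclass
class WebListener:
    require_ssl: bool               # Client Connection Security page
    cert_issued_to: str             # Issued To field of the listener certificate
    client_auth: str                # how clients provide credentials to Forefront TMG
    validation: str                 # how Forefront TMG validates client credentials
    collect_delegation_creds: bool  # "Collect additional delegation credentials in the form"
@dataclass
class ExchangeRule:
    public_name: str                # Public Name Details page
    internal_site_name: str         # Internal Publishing Details page
    backend_cert_issued_to: str     # Issued To field of the Exchange front-end certificate
    ssl_to_backend: bool            # Server Connection Security page
    user_set: str                   # user set the rule applies to (delegation is Basic)
    workgroup: bool = False         # Forefront TMG is in a workgroup, not a domain
def check_owa_publishing(lst: WebListener, rule: ExchangeRule) -> list:
    """Return the problems found; an empty list means the settings are consistent."""
    problems = []
    if not lst.require_ssl:
        problems.append("listener must require SSL: the logon form carries the user's password")
    if lst.client_auth != "HTML Form Authentication":
        problems.append(f"listener uses {lst.client_auth!r}, not HTML Form Authentication")
    if lst.cert_issued_to.lower() != rule.public_name.lower():
        problems.append(f"listener certificate {lst.cert_issued_to!r} does not match public name {rule.public_name!r}")
    if rule.workgroup and lst.validation not in WORKGROUP_VALIDATORS:
        problems.append(f"{lst.validation!r} validation is not available in a workgroup deployment")
    if lst.collect_delegation_creds and lst.validation not in OTP_VALIDATORS:
        problems.append("collect additional delegation credentials applies only to RADIUS OTP or SecurID")
    if not rule.ssl_to_backend:
        problems.append("Basic delegation without SSL to Exchange sends credentials in clear text")
    elif rule.backend_cert_issued_to.lower() != rule.internal_site_name.lower():
        problems.append(f"Exchange certificate {rule.backend_cert_issued_to!r} does not match internal site name {rule.internal_site_name!r}")
    if lst.validation == "Windows" and rule.user_set != "All Authenticated Users":
        problems.append("Windows validation: keep the default All Authenticated Users user set")
    if lst.validation in ("RADIUS", "LDAP (Active Directory)") and rule.user_set == "All Authenticated Users":
        problems.append(f"{lst.validation} validation needs a user set defined in that namespace")
    return problems
# Constructed sample matching the tables above; host names are placeholders.
GOOD_LISTENER = WebListener(True, "mail.example.com", "HTML Form Authentication", "Windows", False)
GOOD_RULE = ExchangeRule("mail.example.com", "owa-fe.corp.example.com", "owa-fe.corp.example.com",
                         True, "All Authenticated Users")
BAD_RULE = replace(GOOD_RULE, ssl_to_backend=False, user_set="RADIUS Users")
```

Running `check_owa_publishing(GOOD_LISTENER, GOOD_RULE)` returns an empty list, while `BAD_RULE` reports the missing SSL to Exchange and the user set that does not fit Windows validation.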
Copyright © 2009 by Microsoft Corporation. All rights reserved.