This topic describes the Exchange services publishing deployment options that are available when using Forefront Unified Access Gateway (UAG). You can publish one or more Exchange mail services via a single Forefront UAG portal, thus providing users with a single entry point to multiple Exchange services.
Forefront UAG enables two deployment scenarios for your Exchange services:
- Scenario 1: Creating a portal and then publishing Exchange services as an application in the portal.
For details about publishing applications in a portal, see Implementing a trunk.
This scenario is useful if you have a number of applications that you want to publish through the portal, in addition to publishing Exchange. You may also use this scenario if you are future proofing your deployment; for example, currently you may only require remote access to Exchange services, but in the future, you may also require access to SharePoint Web sites.
When users access Outlook Web Access (OWA) through the portal, OWA is contained within the portal frame, and if you are using single sign-on (SSO), users are not required to reenter their login credentials. When using Outlook Anywhere and ActiveSync, users do not interact with the portal.
If you intend to publish several Exchange services with different configurations, this is the recommended scenario for publishing Exchange through the portal.
- Scenario 2: Creating a portal and simultaneously publishing Exchange as an application in the portal, where the portal does not appear to the client.
For details about creating a portal and simultaneously publishing Exchange as an application, see Implementing a trunk.
Note: To create a portal and simultaneously publish Exchange services, on the Select Trunk Type page of the Create Trunk Wizard, select the Publish Exchange applications via the portal check box. The wizard then guides you through the steps to create the trunk and publish the Exchange services. After completing the wizard, the Exchange application is set as the initial portal application, by default.
The ideal situation for publishing your Exchange services is one in which you already have a fully qualified domain name (FQDN) that suggests the purpose of the portal, for example, https://mail.contoso.com.
When you publish OWA via a Forefront UAG portal, you can select to apply one or both of the following options:
- Define the OWA application as the site's initial application.
The OWA page serves as the portal home page; that is, the first page presented to users after they log on to the portal.
Note: If your trunk does not use Basic or NTLM/KCD authentication, you must define OWA as the site’s initial application.
- Apply the OWA look and feel to the portal's logon and logoff pages.
If you had a previous deployment of OWA without Forefront UAG, end users may already be familiar with OWA. This option allows you to continue to provide a familiar look and feel to your end users.
When an end user accesses the site, a health check is performed on the client endpoint. If the client endpoint passes the health check, Forefront UAG allows the end user to set the security settings on the OWA logon page to This is a private endpoint or This is a public or shared endpoint.
If the client endpoint does not pass the health check, Forefront UAG sets the security settings on the OWA logon page to This is a public or shared endpoint. The user cannot change this setting.
By default, Forefront UAG identifies all clients as public endpoints. To change this, edit the policy used by Forefront UAG to identify privileged endpoints. For more information, see Modifying Exchange endpoint policies.
Tip: The administrator should set the OWA session timeout to be longer than the portal session timeout, so that users are not automatically logged out of OWA while still logged in to the portal.
- If you want to define the OWA application as the portal home page, the following OWA functionality is applied to the portal's logon page:
- When accessing OWA, end users can choose whether to use Outlook Web Access Light or Outlook Web Access Premium.
- For details about browser requirements for OWA, see Educating Information Workers About Outlook Web Access.
For deployment instructions, see Publishing Exchange services scenarios.
Supported Exchange versions
Forefront UAG supports publishing the following versions of Microsoft Exchange Server:
- Exchange Server 2010. Forefront UAG Service Pack 1 also supports Exchange Server 2010 Service Pack 1.
- Exchange Server 2007
- Exchange Server 2003
In addition, Forefront UAG SP1 supports coexistence topologies where different Exchange versions are simultaneously deployed in organizations. For example, when an organization is moving users from Exchange Server 2007 to Exchange Server 2010, Forefront UAG SP1 supports publishing OWA for both versions during the transition period.