Outlook Web Access redirection via Microsoft ISA 2006

Posted by on Jun 23, 2009 in Exchange, Exchange 2007, ISA

We all know from experience that advising end users to browse to https://mail.yourdomain.com/OWA if you are running Exchange 2007, or /exchange if you are running Exchange 2003, is usually problematic. Oh, and did I forget to mention that it’s HTTPS and not HTTP! We must admit that not all end users are going to remember this URL, and at times they even struggle to tell the difference between secure and non-secure sites. If you are running ISA 2006 as an edge or secondary application layer firewall, you can simplify the URL you publish to your end users by creating a deny rule that automatically redirects them to the correct address. By the end of this post, your end users will only need to remember a simple URL in the form of mail.yourdomain.com (notice that http or https is not required). This post assumes that you already have an existing Exchange Publishing Rule in ISA 2006. Note that this technique can also be used for other websites that ISA may already be protecting, such as SharePoint and Terminal Server Web Access.

Let’s begin by launching the ISA Management Console and navigating to create a new web site publishing rule. The New Access Rule Wizard will launch, and you begin by specifying a name for your rule.

Select Deny as your Rule Action

Select Publish a single web site or load balancer.

Select Use SSL to connect to the published Web server or server farm.

Enter your Internal Publishing Details which should be identical to the original Exchange Publishing rule.

Click Next and then Next again skipping the Path details.

Enter the Public Name details as per your original Exchange Publishing rule.

Select the existing Exchange Web listener that you already have created for your Exchange Publishing Rule.

Select No delegation, and client cannot authenticate directly.

Remove Authenticated Users if present and select All Users instead.

You will then receive the below warning as we have selected All Users.  Ignore this warning and click on OK to continue.

Now that the rule has been created, we need to specify the redirect page. Right-click on the newly created rule and select Properties. Navigate to the Action tab, tick the check box beside “Redirect HTTP requests to this Web page:” and enter the full Outlook Web Access URL.

We are now complete. You will need to ensure that the deny rule is placed immediately below the original Exchange Publishing Rule as per the below screen shot. When a user now enters the URL mail.yourdomain.com, the request will hit the redirection rule that we have just created, which will then redirect to https://mail.yourdomain.com/owa and authenticate against your original Exchange OWA rule.
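
The rule-order requirement above, shown with a simplified model of ordered, first-match rule evaluation. This is an added example, not ISA's own engine and not code from the original post; the rule names and the /owa path list of the publishing rule are assumptions.

```python
from fnmatch import fnmatchcase

OWA_URL = "https://mail.yourdomain.com/owa"  # redirect target used in the post

# Constructed rule set; rule names and path lists are assumptions for this model.
PUBLISH = {"name": "Exchange OWA", "action": "allow",
           "host": "mail.yourdomain.com", "paths": ["/owa", "/owa/*"]}
REDIRECT = {"name": "OWA redirect", "action": "deny",
            "host": "mail.yourdomain.com", "paths": ["/*"],  # Path step skipped
            "redirect": OWA_URL}


def evaluate(rules, host, path):
    """Return (rule name, outcome) for the first rule matching host and path."""
    host, path = host.lower(), (path or "/").lower()
    for rule in rules:
        if host == rule["host"] and any(fnmatchcase(path, p) for p in rule["paths"]):
            if rule["action"] == "allow":
                return rule["name"], "forward to Exchange"
            return rule["name"], "redirect to " + rule["redirect"]
    return "default", "deny"


def follow(rules, host, path, max_hops=5):
    """Follow redirects like a browser would; None means a redirect loop."""
    for _hop in range(max_hops):
        name, outcome = evaluate(rules, host, path)
        if not outcome.startswith("redirect to "):
            return name, outcome
        # The redirect target becomes the browser's next request.
        target = outcome[len("redirect to "):]
        host, _sep, rest = target.split("://", 1)[1].partition("/")
        path = "/" + rest
    return None


if __name__ == "__main__":
    good = [PUBLISH, REDIRECT]  # deny rule immediately below the publishing rule
    bad = [REDIRECT, PUBLISH]   # deny rule above it: every request is redirected
    print("correct order:", follow(good, "mail.yourdomain.com", "/"))
    print("wrong order:  ", follow(bad, "mail.yourdomain.com", "/"))
```

With the deny rule above the publishing rule, the request for /owa matches the catch-all path first and is redirected to itself, so the user never reaches the logon page.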

In summary, we have removed the all too common confusion that end users may encounter when browsing to the Outlook Web Access site. The deny rule method described above can also be used with any other web site publishing rule, including SharePoint sites and Terminal Server Web Access.