If anyone’s ever tried this, you will have probably found (as I have done) that sometimes everything goes smoothly and the SBS wizards take care of everything… and other times its an absolute nightmare.
So, for future reference for myself, and to help out anyone else tyring to publish OWA in SBS 2003 Premium, here is a small guide on what you can do to get it working:
Note that this method does not use Forms Based Authentication and I am not suggesting that this is the best way or the most secure way – its just that it is the only way I have ever managed to get it to work. If anyone has any better suggestions I would be more than happy to hear them 🙂
Install Certificate Services and setup a new root CA. You should be able to do all this through IIS or the SBS wizards but personally I have found that doing it yourself through a proper CA works a lot more often. So, once you have installed Certificate Services and configured your CA, go to https://yourserver/certsrv and request a new web server certificate from your server. You dont have to fill in all the info such as Country and Email address etc, just make sure you enter a name for the cert and make sure the Friendly Name is identical to the FQDN that users will access OWA via. So for example, mail.yourdomain.com. Tick the box that says Install In Local Computer Store and then once you have completed this page you should see a link on the next page saying “Install Certificate” – click this and your done.
Set the “Default Web Site” in IIS to listen on the internal IP of the SBS server and the loopback address 127.0.0.1 on port 443. Then assign it the certificate that you just generated from your CA. Also, double check that the Exchweb, Exchange and ExchAdmin virtual directories in IIS are all set to use the “ExchangeApplicationPool” app pool.
Get rid of any OWA publishing rule that the SBS wizards may have already created and then create a new Secure Web Server Publishing rule. Follow the wizard through and when prompted for the server that you want to publish do not click Browse – instead just type in the FQDN that you intend to publish OWA on (eg mail.mydomain.com). You can pretty much just accept defaults for all the other options in the wizard but just ensure that you select Anywhere or External in the FROM section. Once complete, go into the rule you just created and make sure in the TO tab it has the “Forward orginal headers” box ticked. Also make sure the radio box for “requests appear to come from the original client” (not the ISA) is selected. In the Public Name tab of this rule you should have it set to mail.yourdomain.co.uk as well. Then in the Paths tab make sure you have /Exchange/* and /Exchweb/* and /Public/*. Now go into the Web Listeners tab and go to the properties of the web listener (usually named SBS Web Listener). Go into the preferences tab in there and then select the certificate that you created earlier in your CA and ensure that Integrated authentication is selected. Also double check that the listener is set to actually listen on the External network.
Now, if you dont already have any DNS zones setup for your internet domain name then you will need to create a new Primary Zone in DNS for this. So for example, if your internet domain was named mydomain.com then even though you already have a DNS zone for mydomain.local or whatever your internal domain is called you would need to now create one for mydomain.com. Once this is done, add a new A record in there that resolves the FQDN of your internet domain to the internal IP of your SBS server. So for example, mail.mydomain.com = 192.168.10.1. The reason we need to do this is because the ISA server rule is publishing the internet address, so if we didnt setup a DNS record for this then ISA would allow the connection through and try to forward it to mail.mydomain.com but it would not be able to resolve this, so nothing would happen.
Once done, it is often a good idea to run ipconfig /flushdns to make sure the server does not try to resolve the internet FQDN using its DNS cache.
You should now be able to use the same URL from anywhere – internal, external, VPN etc. The URL would look like this: https://mail.mydomain.com/exchange
Oh and if you ever need to setup RPC over HTTPS in Outlook or if you simply just want to get rid of the annoying certificate warning that pops up each time you go to the OWA site then you will need to export the root CA cert from your CA and then install that on any machines that will access OWA or need to use RPC over HTTPS (or you can purchase a certificate from somewhere like VeriSign and use that)