Move OWA from ISA/TMG/UAG to WAP

Configure Web Application Proxy (WAP) to publish Exchange 2007 Webmail (OWA).

Prerequisites:
ADFS installed and configured
WAP installed and configured

I will go through the steps needed to publish OWA with a WAP server, starting with the publishing rule on the WAP server.

Open the Remote Access Management Console (RAMC).


Click Publish to create a rule for Webmail.


Follow the Publish Wizard; I chose a Pass-through rule instead of configuring non-claims-aware pre-authentication with ADFS.


Webmail is now published over SSL (HTTPS) only, because WAP cannot publish plain HTTP. We will therefore use HTTP Redirect in IIS to send users from HTTP to HTTPS.

Start IIS Manager, select Default Web Site and then HTTP Redirect, and fill in the destination to redirect users to.


We have now configured the publishing rule on the WAP server and the HTTP to HTTPS redirect, but unlike ISA, TMG or UAG, WAP does not rewrite the URL to /OWA. So we need to configure the Exchange server itself to redirect from https://webmail.contoso.com to https://webmail.contoso.com/OWA.

Log in to your Exchange server and navigate to your wwwroot folder, usually underneath C:\inetpub.

Create a New file, name it default.asp and paste in this code:

[code language="html"]

<%
' Classic ASP: send every request for the site root to the OWA virtual directory
Response.Redirect "https://webmail.contoso.com/owa"
%>

[/code]

Open IIS Manager on your Exchange server and navigate to Default Web Site, then Default Document. Use the Actions pane on the right to add the file you created and move it to the top:


This handles all internal browsing as well as browsing that comes through your WAP server. Alternatively, you can change the error page for error code 403:


The biggest difference is that when redirecting with a Default Document you need to deactivate the SSL requirement in IIS:


This is only for your internal connections, as the ones coming through your WAP server have already been redirected to HTTPS.
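The same configuration as a PowerShell script, added here as an illustration and not part of the original post. It assumes that external and backend names are both webmail.contoso.com, that the port-80 redirect lives in IIS on the WAP server, that the IIS default-document and SSL steps run on the Exchange server, and that the certificate thumbprint is a placeholder.

```powershell
# Added example, not from the original post. Assumptions: external and backend
# URL are both https://webmail.contoso.com/, the thumbprint is a placeholder,
# the port-80 redirect is on the WAP server's IIS, the rest on Exchange's IIS.
$site = 'IIS:\Sites\Default Web Site'

# --- On the WAP server: pass-through publishing rule (no ADFS pre-auth) ---
Import-Module WebApplicationProxy
Add-WebApplicationProxyApplication `
    -Name 'Exchange 2007 OWA' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://webmail.contoso.com/' `
    -BackendServerUrl 'https://webmail.contoso.com/' `
    -ExternalCertificateThumbprint '<THUMBPRINT-OF-WEBMAIL-CERT>'

# Confirm the rule is really pass-through before testing from outside
Get-WebApplicationProxyApplication -Name 'Exchange 2007 OWA' |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl

# --- On the WAP server's IIS: HTTP (port 80) -> HTTPS redirect straight to /owa ---
Import-Module WebAdministration
$redir = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name destination -Value 'https://webmail.contoso.com/owa'
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name exactDestination -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $redir -Name httpResponseStatus -Value 'Found'

# --- On the Exchange server's IIS: default.asp first in Default Document, and
#     SSL not required on the site root so the default document is served.
#     default.asp only executes if the ASP role service is installed on this IIS.
Set-Content -Path 'C:\inetpub\wwwroot\default.asp' `
    -Value '<% Response.Redirect "https://webmail.contoso.com/owa" %>'
Add-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/defaultDocument/files' `
    -Name '.' -Value @{ value = 'default.asp' } -AtIndex 0
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'None'

# --- From a client: inspect each hop of the redirect chain without following it ---
function Get-RedirectTarget([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false          # a 3xx is returned, not followed
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    } finally { $resp.Close() }
}
Get-RedirectTarget 'http://webmail.contoso.com/'    # expect 302 -> https://webmail.contoso.com/owa
Get-RedirectTarget 'https://webmail.contoso.com/'   # expect 302 -> https://webmail.contoso.com/owa
```

The last two calls are the check to run after each change: a request that reaches the OWA login page in one hop for HTTP and one for HTTPS means both the WAP-side and the Exchange-side redirects are in place.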

However, ISA, TMG and UAG offer one feature that WAP and Exchange servers cannot provide on their own: Forms Based Authentication (FBA) together with Basic and Windows Integrated Authentication.

So we need to choose between single sign-on for domain-joined devices (Windows Integrated Authentication) with fallback to a popup box (Basic Authentication), or having everyone use FBA, which is the more common standard OWA login page.

Which to prefer depends on your users: whether they mostly use domain-joined devices or are more into Bring Your Own Device (BYOD).

Ehlo!

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. My main focus is Microsoft Security and Endpoint Management, with the bigger picture in mind.
