Access Manager and Microsoft OWA

From MicroFocusInternationalWiki

NetIQ Access Manager and Microsoft's Outlook Web Access (OWA)

It's a bit tricky getting Microsoft's OWA working with Access Manager. Here are some steps that should get you going.

Configure a Bypass PIN

Configure a bypass PIN for the following contexts:

  • /ExchWeb/*
  • /Exchange/*
  • /public/*

To edit the PIN list, go to NAM admin > Access Manager > Access Gateways > AG Name > Edit > Pin List.

Ensure both the frontend and backend connections use either HTTP or HTTPS

If the client connects to the Access Gateway (AG) on TCP port 443, then the AG must also connect to the Microsoft OWA server on TCP port 443, and vice versa for port 80. If you mix 443 and 80, functions such as Delete and Dismiss Reminder do not work properly and return an error. You must also take care of the host name rewriting issue mentioned below.

Note: If the IIS certificate is signed by a non-standard CA, it's easier to set the Web Server Trust Root option to "Do Not Verify". With that setting the AG does not validate the certificate presented by IIS. Make sure the CN of the CSR is what IIS receives as the host header name (you can use a wildcard if you are not sure).

Forward the Received Host Name and Rewrite It

Although setting the web server host name should work, it doesn't seem to. Instead, select Forward Received Host Name and then rewrite the DNS names of the external DNS to your internal DNS.

To change the Host Header setting from the web server host name to forwarding the received host name, go to NAM admin > Access Manager > Access Gateways > AG name > Edit > Services > Reverse Proxy/Authentication > Service-name > Web Server Addresses > Host Header.

To set the DNS name rewrite, go to NAM admin > Access Manager > Access Gateways > AG name > Edit > Services > Reverse Proxy/Authentication > Service-name > HTML rewriting > Additional DNS Name List.

Authentication

Configure the authorization so that:

  • /ExchWeb/* is public.
  • /Exchange/* is secure.
  • /public/* is secure.

Identity Injection

Use Identity Injection to inject the Auth Header with the user's LDAP CN (not the DN) and the password.
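
A way to confirm which value is being injected is to decode the Authorization header captured on the OWA side and check that the user name is a bare CN. The following is an added example, not part of the original page or of Access Manager; it assumes the injected Auth Header is a standard HTTP Basic Authorization header, and the function names and sample values are constructed for illustration.

```python
import base64
import re

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes kept)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            # A backslash starts an escape; the character after it ends it.
            cur.append(ch)
            escaped = not escaped
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def cn_from_dn(dn):
    """Return the leftmost CN value of a DN; hex escapes (\\2C) are not decoded."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return re.sub(r"\\(.)", r"\1", value.strip())
    raise ValueError("no CN attribute in DN")

def basic_auth_header(username, password):
    """Value of an HTTP Basic Authorization header for username:password."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def injected_username(header_value):
    """Decode a Basic Authorization header value and return the user name."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, _ = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user

def looks_like_dn(username):
    """True when the user name starts with attr= (a DN, not a bare CN)."""
    return re.match(r"\s*[A-Za-z][A-Za-z0-9-]*\s*=", username) is not None

# Constructed sample values, not taken from any real directory.
SAMPLE_DN = "cn=jsmith,ou=users,o=example"
GOOD = basic_auth_header(cn_from_dn(SAMPLE_DN), "constructed-password")
BAD = basic_auth_header(SAMPLE_DN, "constructed-password")
```

Here `looks_like_dn(injected_username(BAD))` is true and the same check on `GOOD` is false, which is the distinction the policy above depends on.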

Form Fill

You can also utilize the OWA login form to perform a form fill authentication.
