Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-04-20
You may want to use a reverse proxy server to manage incoming requests to a computer that is running Microsoft Exchange Server 2007 that has the Client Access server role installed or to servers that provide Outlook Web Access. A reverse proxy server provides the following advantages over a direct connection to a Client Access server:
- Security The reverse proxy server
provides an extra protective layer between the network and external
computers. As a security best practice, use a reverse proxy server
so that your Client Access server is not directly exposed to the
- SSL encryption and acceleration Instead
of configuring the Client Access server to provide Secure Sockets
Layer (SSL) encryption, you can offload that function to the
reverse proxy server. In addition to encrypting data that is sent
between the Web browser and the Client Access server, this enables
the reverse proxy server to inspect the data packets and apply
filters before they reach the Client Access server. If SSL
encryption is offloaded to a proxy server, data that is sent
between the reverse proxy server and the Client Access server will
not be encrypted unless you use SSL bridging.
- SSL bridging If you must encrypt
communication between the reverse proxy server and the Client
Access server, you can end the SSL session between the Web browser
and reverse proxy server, and then establish a new SSL session
between the reverse proxy server and the Client Access server. This
protects the Client Access server from direct access from the
Internet, enables the reverse proxy server to filter the data
packets before they reach the Client Access server, and encrypts
the data along the whole path between the Web browser and the
Client Access server. Only the reverse proxy server will require a
certificate from a reliable certification authority. The Client
Access server can use either a self-signed certificate or a
certificate from an enterprise certification authority. If your
reverse proxy server is connected to multiple internal servers,
this may reduce certificate costs.
- SSL offloading You can also terminate
the SSL connection at the reverse proxy server and continue to the
Client Access server with a connection that is not encrypted. This
is known as SSL offloading. If you use SSL offloading, the internal
URL for Outlook Web Access must be set to use HTTP and
the external URL must be set to use HTTPS. You can configure the
internal URL and external URL by using the Exchange Management
Console or by using the Set-OwaVirtualDirectory cmdlet with
the InternalURL parameter and ExternalURL parameter
in the Exchange Management Shell.
- Load balancing A reverse proxy server
can distribute the traffic that is destined for a single URL to a
group of servers.
You can use Microsoft Internet Security and Acceleration (ISA) Server as a reverse proxy server.
For more information about how to use ISA Server as a reverse proxy server, see the Microsoft Internet Security and Acceleration Server Web site.
Before You Begin
To perform the following procedure on an ISA Server 2006 computer, the account you use must be delegated the ISA Server Enterprise Administrator role. To configure Outlook Web Access on the Exchange Client Access server, the account you use must be delegated the Exchange Server Administrator role and must be a member of the local Administrators group for the target server.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.
To use ISA Server 2006 to configure a reverse proxy for Outlook Web Access
In the ISA Server 2006 console, use the Publish Exchange Web Client Access wizard to publish Outlook Web Access.
Configure ISA Server to authenticate users when they connect to the Outlook Web Access virtual directories (optional).
For more information about how to configure ISA Server, see Publishing Exchange Server 2007 with ISA Server 2006.
If you have configured the ISA Server computer to authenticate users, we recommend that you configure the Outlook Web Access virtual directories to use either Integrated Windows authentication or Basic authentication, depending on which type of authentication is required by your organization. When you use Basic authentication or Integrated Windows authentication, users are prompted for their logon information only one time.
|Integrated Windows authentication prohibits access to documents on Windows file shares or in Windows SharePoint Services document libraries from Outlook Web Access. If you must access documents from Outlook Web Access, you must use Basic authentication.|
For More Information
- For more information about how to use ISA Server 2006 with
Exchange 2007, see the following topics:
- For more information about Outlook Web Access
authentication methods, see the following topics:
- For more information about how to use the
Set-OwaVirtualDirectory cmdlet and the Exchange Management
Console to manage Outlook Web Access virtual directories,
see the following topics: