Redirection to OWA 2007 Directory in ISA 2004/2006

Introduction

Recently I have seen a fair number of cases where ISA administrators were trying to redirect connections made to the root of the OWA Web site to the /owa folder when publishing Exchange 2007 through ISA Server 2004/2006. In these cases they were using a documented trick for Exchange 2003 that involves entering a path on the OWA rule that looks like this: /exchange\. The trick is documented here and works quite well for Exchange 2003. The problem is that people believe it should also work for Exchange 2007. When they try this method they end up with a garbled inbox with a lot of red Xs, as shown in Figure 1:

Figure 1 – Problem that appears when using this approach with Exchange 2007.

The Cause

I was curious about this and quickly discovered that putting the path /owa\ in the publishing rule was causing the issue as shown in Figure 2:

Figure 2 – OWA 2007 Publishing rule

Gathering Data

So why would this work for Exchange 2003 but not Exchange 2007? It was time to break out the traces. I set Network Monitor up on the internal NIC of the ISA Server and in order to see what was going on I had to bridge to HTTP from ISA to Exchange. The first trace shows only the HTTP traffic between ISA and the OWA Server when using the /exchange\ path in the rule for Exchange 2003.

 

Figure 3 – Netmon trace taken from the internal NIC of ISA Server

We can see in Frame 1 that ISA sends a GET request to /exchange%5c, where %5c is the URL-escaped form of \. In Frame 2 OWA apparently converts this and sends a 302 redirect to /exchange/, and from that point the session continues normally.

In the trace for OWA 2007, where /owa\ was used, we see that the initial part of the conversation is similar, but we never receive a redirect, as shown in Figure 4:

Figure 4 – Trace from Exchange Server

To view what was happening on the client I used HTTP Watch. After the initial GET request we receive a bunch of 403 Forbidden errors. There is no redirection sent from Exchange and the style sheet is not returned, which is why the Inbox is garbled (see Figure 5):

Figure 5 – Access forbidden error

Resolution

So how can we accomplish this redirection?

In ISA 2004 we can accomplish this by making a change to the IIS server that hosts OWA 2007 (usually the Exchange CAS Server). Right-click the Default Web Site, choose Properties, and go to the Home Directory tab. Select the radio button “A redirection to a URL” and enter /owa in the “Redirect to:” box. Also check the “A directory below URL entered” box, as shown in Figure 6:

Figure 6 – IIS Default Website on Exchange

Next, simply go into your OWA rule on ISA 2004 and add / as the internal path, as shown in Figure 7:

Figure 7 – Paths tab from the OWA Publishing rule on ISA.

Now when external clients enter https://owa.fabrikam.com and successfully authenticate, they will be redirected to https://owa.fabrikam.com/owa.

The good news is that ISA Server 2006 makes this even easier to accomplish because it includes a feature on the Action tab that allows for a redirection. ISA Server actually sends an HTTP 302 (Redirect) to the client when the request matches the rule. I found that the easiest way to accomplish this is to copy your existing OWA rule, paste it above the original, and call it something like “OWA Redirect”. In the Action tab on the new Redirect rule, select Deny and check the box “Redirect HTTP requests to this Web page.” Put in the path to your OWA directory, so in my case it would have been https://owa.fabrikam.com/owa, as shown in Figure 8:

Figure 8 – ISA Server 2006 redirect option

Now, in the same rule, go to the Paths tab, remove what is in there, and add only / as the path, as shown in Figure 9:

Figure 9 – Paths tab on the redirect publishing rule.

Note: In ISA 2004 your external clients still have to remember to use HTTPS. In ISA 2006, as long as your OWA rule is using a listener that listens for both HTTP and HTTPS, they will not have to remember this.
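One way to confirm the redirect after either change, as an added example that is not part of the original article: request the site root without following redirects and check that the answer is a redirect whose Location points at /owa. The function names and the local stub server are constructed for illustration, and accepting 301 as well as 302 is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def evaluate_redirect(status, location, expected_path="/owa"):
    """Classify the answer to a GET for the site root."""
    if status not in (301, 302):
        return f"FAIL: expected a redirect, got HTTP {status}"
    # Location may be absolute or relative; compare only the path part.
    path = urlsplit(location or "").path.rstrip("/")
    if path.lower() != expected_path:
        return f"FAIL: redirected to {location!r}, not {expected_path}"
    return "OK"

def probe_root(host, port, use_tls=True):
    """GET / without following redirects; return (status, Location)."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

class _StubPublisher(BaseHTTPRequestHandler):
    """Constructed stand-in for the published site: 302s / to /owa."""
    def do_GET(self):
        if self.path == "/":
            self.send_response(302)
            self.send_header("Location", "https://owa.fabrikam.com/owa")
        else:
            self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    """Run the probe against the local stub so the check works offline."""
    server = HTTPServer(("127.0.0.1", 0), _StubPublisher)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status, location = probe_root("127.0.0.1", server.server_port, use_tls=False)
        return evaluate_redirect(status, location)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real deployment, call `probe_root("owa.fabrikam.com", 443)` and pass the result to `evaluate_redirect`; if the listener authenticates before the rule's redirect is sent, the probe reports the status of that authentication response instead.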

Conclusion

In this article I showed you how a trick that was used to redirect OWA 2003 clients from the root folder to the /exchange folder doesn’t work with OWA 2007 and redirection to the /owa folder. I also showed you how you can still accomplish this in both ISA 2004 and ISA 2006. ISA 2006 has the additional flexibility of a redirect feature, which is a compelling reason to upgrade if you are still on ISA 2004. Threat Management Gateway, which is the next generation of ISA Server, will also include this functionality.

Author

Keith Abluton

Security Support Engineer – Forefront Edge Team

Microsoft – Charlotte

Technical Reviewer
Yuri Diogenes
Sr Security Support Escalation Engineer – Forefront Edge Team

Microsoft – Texas