Linogate Internet Technologies
   

Prerequisites for accessing OWA via reverse proxy

The recommended way to provide Internet access to an internal Outlook Web Access server is by using DEFENDO's reverse proxy. Its security options protect the OWA server. Additionally, the proxy acts as an SSL offloader if encrypted connections (HTTPS) are used. This reduces the OWA server's load. In a Technet article, Microsoft specifies the following requirements for this setup:
  • The OWA web server must listen on port 80
  • The reverse proxy must accept plaintext connections on port 80 and encrypted connections on port 443
DEFENDO's port 443 is already in use by its administration GUI, so a different port for encrypted connections has to be configured for DEFENDO's reverse proxy. Firewall DNAT rules can be used to redirect OWA client connections to port 443 to the reverse proxy port. A detailed description is available in the reverse proxy documentation of DEFENDO's online help system or manual.

OWA authentication

The default authentication method of OWA is HTTP authentication. Kerberos, NTLM and Basic are usually offered in the given order. Except for Internet Explorer, most clients will use Basic; some may choose NTLM. Access with Internet Explorer will usually fail, as neither Kerberos nor NTLM will work via Internet and proxy with IE. Therefore you should disable Kerberos and NTLM in the Internet Information Server (IIS) setup.
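One way to confirm the IIS change, as an added example that is not part of the original page or of DEFENDO's documentation: a Python check that reads the 401 response of the OWA server and reports which offered schemes still need to be disabled. The sample responses, host name and function names are constructed, and it assumes IIS advertises Kerberos through the Negotiate scheme.

```python
# Schemes the page says will not work via Internet and proxy.
# Assumption: IIS advertises Kerberos as the "Negotiate" scheme.
FAILS_VIA_PROXY = {"negotiate", "ntlm"}


def offered_schemes(raw_response: str) -> list[str]:
    """Return the schemes of all WWW-Authenticate headers, in offer order."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    schemes = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            parts = value.split(None, 1)  # scheme token, then parameters
            if parts:
                schemes.append(parts[0])
    return schemes


def audit(raw_response: str) -> dict:
    """Flag schemes to disable in IIS and report whether Basic remains."""
    schemes = offered_schemes(raw_response)
    to_disable = [s for s in schemes if s.lower() in FAILS_VIA_PROXY]
    basic = any(s.lower() == "basic" for s in schemes)
    return {
        "offered": schemes,
        "disable_in_iis": to_disable,
        "basic_available": basic,
        "ok": basic and not to_disable,
    }


# Constructed sample responses (not captured from a real server).
BEFORE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="owa.example.test"\r\n'
    "Content-Length: 0\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="owa.example.test"\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(response))
```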
As an alternative option, OWA can use "Forms-Based Authentication". Instead of a browser popup to specify the credentials, an embedded HTML form asks for login and password. Even if enabled, OWA will use this authentication style only for encrypted (HTTPS) connections. DEFENDO forwards the encryption state to OWA; however, OWA must first be told that DEFENDO acts as an HTTPS offloader. The free Microsoft tool owaadmin allows you to set this option. Without this tool you have to modify the registry manually as described by a Microsoft Technet article. Advantage of Forms-Based Authentication: The additional authentication by DEFENDO's reverse proxy can be enabled.
The URL www.digital-labs.de/index.php?option=com_content&task=view&id=290&Itemid=27 gives you a brief overview of the settings required on the Windows side with English screenshots. The explanations, however, are in German.

Required settings

Some specific settings are required in the reverse proxy configuration for OWA access.
  • Check syntax of requests must not be "strict"
  • Authentication by reverse proxy may be enabled only if Forms-Based Authentication is used