Exchange 2010

Using Forefront UAG (Unified Access Gateway) for publishing OWA 2010


Published: 2010-07-18
Updated: –
Version: 1.0



This will be a complete walkthrough to setup up certificate based on a CA server on a DC.
My environment looks like this

1 x Windows 2003 (DC/DNS/CA)
1 x Forefront UAG
1 x Exchange 2010 CAS/HUB/MBX

Everything is running as virtual machines in VMware workstation.
Just to mention, this is done in a lab and no reality allocation with memory, the machines are just for this post and not serving any production environment.

Before doing anything with UAG we need to configure the network with correct ip addresses.

My UAG server is installed with Windows 2008 R2 x64 with 2 Nics (E1000), running with an internal Nic setup
DNS: (pointing to the DC)

The external Nic is setup with
DNS: External IP
Default Gateway: Pointing to my external gateway

On the TMG server in the hosts file I have edited it with notepad and pointed out

Just to get the name resolution to working fine with the rule and certificate.

It time to launch the installation wizard for Forefront UAG

It will take some time for the installation to finish.

The first thing to do when the installation is done is to export the certificate from my Exchange server and import it on the UAG server.

For creating and requesting certificates on Exchange, have a look at this link:

The export and import of the existing certificate is really easy, start Exchange Management Console (EMC) and go to Server configuration, select the certificate and right click, choose export exchange certificate.

The certificate import is easy, go to the UAG server and start an mmc console and add the snapin for certificates (computer) for the local computer. Then select Personal and right click on that and select all tasks -> import and point out the certificate that was just exported from Exchange server.

When it’s done it should look like below.

Notice: If you’re using own CA server like I do in this example, make sure that the trusted root certificate is installed on UAG server before you’re trying to import the certificate.



First time when UAG is started, it will give you a wizard and configure the network settings for it.

Define the internal ip addresses.

Configuration selection, in my case I only have one server so I select single server.

Then after these steps it’s time to active these settings.

Now it’s time for the configuration of the UAG

Start with creating a HTTPS trunk by right clicking the HTTPS connections

I will create a HTTPS trunk just for this purpose.

The trunk type should be set to “portal trunk” and select to publish exchange applications via the portal.

Step 2, give the trunk a name and a public name, this name should match the name on the certificate and in my case I was also adding this name into the hostfile of the UAG server.

My name in the lab is:

We need to add an authentication server (AD server) so I did like the picture below shows.

Select the server and then go further to next step.

It’s time to choose the correct certificate so the name matches each other, in my case it’s:

Step 5 will be to select endpoint security, I don’t have any NAP servers so I’ll select Forefront UAG.

Step 6, Endpoint policy’s, let the default policy’s stay there

Step 7, select Exchange version and which services that should be published.

Step 8, Configure Application

Give it a friendly name.

Step 9, Select Endpoint Policies

Let the default policy’s stay there.

Step 10, Deploying an Application

Select to Configure an application server

Step 11, Select Web servers

In address field I type in;, or could be fqdn of the server.

This name will be resolved on the UAG to my Exchange server since it’s added to the host file.

Double check so the Public host name is configured correctly;

Step 12, Authentication

In here I select 401 request, with that means the UAG will check the credentials and if they are correct the users will be authenticated and forwarded to the correct instance.

Step 13, Outlook Anywhere, the authentication method I will use is; Basic Authentication

Double check so the public host name is correct

For autodiscover I will use; Basic Authentication

Step 13 (14), Portal Link (Yes I know, it’s the same number as before, but it’s says so in the application)

Portal name; portal
Application URL;

Step 15, Authorization

Select Authorize all users

When all steps are configured it will look like this

Don’t forget to save and active the settings, or else it will not work J



It’s time for the testing of the solution with a Windows 7 machine.

On the Windows 7 machine in the hosts file I have edited it with notepad and pointed out

This is done since I don’t have as a DNS zone internally so the client can find the UAG/publishing portal.

Let’s start IE and go to

I went successfully into the OWA

Successfully authenticated and logged on!

Feel free to give feedback on the post, hope it will help someone