How to Set Up Secure and Simple Outlook Web Access for Your Users
Setting up Outlook Web Access (OWA) can provide convenient email access for your users, but the default URLs are often confusing and complex. This post covers best practices for simplifying OWA access while keeping it secure.
The Benefits of Simplified OWA Access
Outlook Web Access allows users to access their Exchange email accounts from any web browser. However, the default OWA URLs contain long strings of random characters that are opaque to end users. For example:
These kinds of URLs are difficult to remember, type on mobile devices, and share with others. Simplifying the URLs provides a better experience for your users. Some key benefits include:
- Increased adoption as users find OWA easier to use
- Reduced support tickets when users struggle with complex URLs
- Cleaner links for sharing access in emails, chats, etc.
- Consistent access on PCs, phones, tablets, and other devices
By implementing redirects and enforcing SSL selectively, you can provide straightforward OWA access while maintaining security on the backend.
Optimize OWA URLs with IIS Redirects
The first step to simplifying OWA access is setting up redirects using Microsoft's Internet Information Services (IIS). This allows you to map friendly URLs like http://mail to the full OWA path.
Why Use IIS for Redirects
IIS provides a robust, secure way to handle URL redirects on your Exchange Server. Benefits of using IIS include:
- Centralized configuration for redirects in one place
- Flexibility to redirect individual directories or sites
- Support for both HTTP to HTTPS and non-SSL redirects
- Integrates smoothly with existing Exchange Server setup
- Enable/disable redirects without altering other services
Alternative options like mod_rewrite on Apache are less standardized and may require more low-level configuration. IIS makes it easy to implement redirects for OWA optimization.
Configure IIS for OWA Redirects
To set up redirects for OWA access in IIS:
- Open IIS Manager on your Exchange Server
- Expand the tree and select the Default Web Site
- Under IIS > HTTP Redirect, double-click on Redirect Requests
- Check the box for "Redirect requests to this destination"
- Check the box for "Only redirect requests to content in this directory (not subdirectories)"
- Enter your full OWA URL (e.g. https://mail.domain.com/owa) as the redirect destination
- Click Apply in the Actions pane
Now all traffic to http://mail will seamlessly redirect to the proper OWA path without any manual configuration on the client side.
Confirm Functionality of IIS Redirects
To validate that your IIS redirects are working correctly:
- Open a new private/incognito browser window
- Attempt to access http://mail and confirm you are redirected to the full OWA URL
- Check that any bookmarks or shortcuts using the simplified URL still work properly
- Access OWA on mobile devices using the friendly URL to test responsiveness
If the redirect fails, double check your IIS configuration. The redirect should be applied at the Default Web Site level, not lower directories.
Secure OWA with Selective SSL Enforcement
While simplifying access, it's crucial to still enforce encryption on sensitive parts of the OWA architecture. SSL provides essential security to protect your users' emails and credentials.
The Risks of Unencrypted OWA Access
Allowing unsecured HTTP traffic exposes your OWA implementation to serious risks:
- Plaintext transmission of emails, calendar data, contacts, etc.
- Passwords and logins susceptible to interception
- Users unknowingly accessing fake/malicious OWA sites
- Vulnerability to attacks like Firesheep sniffing on open Wi-Fi
- Non-compliance with regulations like HIPAA for health data
Any purported convenience of unencrypted access is outweighed by these security issues.
Best Practices for OWA SSL Configuration
When optimizing SSL usage for OWA, follow these best practices:
- Disable SSL on non-sensitive directories like Aspnet_client that don't handle private data
- Enable SSL redirection on critical Outlook-related directories like Exchange, Exchweb, and Public
- Disable SSL on the Default Web Site to allow simplified http://mail access
- Re-enable SSL on sensitive backends like Autodiscover, EWS, OWA, and Rpc to require encryption
This enforces encryption where needed while permitting unencrypted access only to innocuous resources.
Technical Steps to Configure Selective SSL
To implement selective SSL enforcement on your OWA environment:
- Open IIS Manager and navigate to the Default Web Site
- Expand Outlook Web App and select Aspnet_client
- Open SSL Settings and uncheck "Require SSL"
- Repeat for images, themes, and any other non-sensitive directories
- Go to Exchange Back End, Autodiscover, EWS, OWA, and Rpc directories
- Open SSL Settings and check "Require SSL" to enforce encryption
- Return to the Default Web Site level and uncheck "Require SSL"
- Click Apply in the Actions pane to save changes
Now you can access the friendly http://mail URL while still requiring encryption on the critical backends.
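The redirect steps and the selective SSL steps above can also be scripted with the WebAdministration module. This is an added example, not part of the original post; it assumes an elevated session on the Exchange server, the site name "Default Web Site", the article's placeholder host mail.domain.com, and the directory names the article lists (any that do not exist are skipped).

```powershell
# Added example (not from the original post). Run elevated on the Exchange server.
Import-Module WebAdministration

$site        = 'Default Web Site'
$destination = 'https://mail.domain.com/owa'   # placeholder host from the article
$appHost     = 'MACHINE/WEBROOT/APPHOST'       # SSL flags are stored in applicationHost.config

# Directory names as listed in the article (assumed to sit directly under the site).
$noSsl      = 'aspnet_client'
$requireSsl = 'Autodiscover', 'EWS', 'owa', 'Rpc'

function Set-SslFlag {
    # Overwrites the existing sslFlags value, including any client-certificate options.
    param([string]$Location, [ValidateSet('None', 'Ssl')][string]$Flag)
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $Flag
}

# 1. HTTP Redirect on the site root ("not subdirectories" corresponds to childOnly).
$redirect = @{ PSPath = "IIS:\Sites\$site"; Filter = 'system.webServer/httpRedirect' }
Set-WebConfigurationProperty @redirect -Name destination -Value $destination
Set-WebConfigurationProperty @redirect -Name childOnly   -Value $true
Set-WebConfigurationProperty @redirect -Name enabled     -Value $true

# 2. Selective SSL, in the article's order.
foreach ($name in $noSsl) {
    if (Test-Path "IIS:\Sites\$site\$name") { Set-SslFlag -Location "$site/$name" -Flag None }
}
foreach ($name in $requireSsl) {
    if (Test-Path "IIS:\Sites\$site\$name") { Set-SslFlag -Location "$site/$name" -Flag Ssl }
    else { Write-Warning "$name not found under $site; skipped" }
}
Set-SslFlag -Location $site -Flag None   # site root accepts plain HTTP so the redirect can fire
```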
Validate Proper Functioning of Optimized OWA
Once you have implemented both the simplified redirects and selective SSL, validate that OWA is working properly:
- Test access - Browse to http://mail and confirm you can access OWA without certificate warnings
- Check SSL status - Load backend directories like Autodiscover directly and verify the lock icon appears
- Diagnostics - Run the TestOutlookConnectivity tool at https://www.testexchangeconnectivity.com
- Mobile testing - Confirm mobile devices can access OWA using your simplified URL
Also check that any existing bookmarks and shortcuts to the previous complex URLs still function properly. Users should not notice any disruption.
Troubleshooting Issues
If you encounter any problems with simplified access or SSL enforcement, first check the IIS configuration and confirm the proper settings under HTTP Redirect and SSL Settings.
Other items to check:
- Validate certificate bindings are correct on the Default Web Site and backend directories in IIS
- Check for conflicting redirects at lower levels like web.config files
- Confirm your SSL certificate is valid and contains the necessary names/subjects
- Disable caching during testing so you are not redirected to a previous version
- Test access from an external network to rule out internal DNS issues
With trial and error, you should be able to find and fix the misconfiguration causing any redirection or SSL errors.
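For the validation and troubleshooting checks above, a read-only audit of the effective settings shows at a glance which paths require SSL and where a redirect is active. This is an added example, not part of the original post; it assumes the site name "Default Web Site" and the sensitive directory names from the article, and it flags redirects below the site root because child applications inherit the site-level HTTP Redirect setting unless they override it.

```powershell
# Added example (not from the original post): read-only audit, run elevated.
Import-Module WebAdministration

$site           = 'Default Web Site'
$mustRequireSsl = 'Autodiscover', 'EWS', 'owa', 'Rpc'   # names from the article

# Site root ('') plus every application under it, e.g. 'owa', 'EWS'.
$paths = @('') + @(Get-WebApplication -Site $site | ForEach-Object { $_.path.TrimStart('/') })

$report = foreach ($p in $paths) {
    $psPath   = ("IIS:\Sites\$site\" + ($p -replace '/', '\')).TrimEnd('\')
    $redirect = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/httpRedirect'
    $access   = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/access'
    $flags    = "$($access.sslFlags)" -split '\s*,\s*'
    $needsSsl = $mustRequireSsl -contains $p            # -contains is case-insensitive

    $finding = @()
    if ($needsSsl -and $flags -notcontains 'Ssl') { $finding += 'sensitive path does not require SSL' }
    if ($p -and $redirect.enabled)                { $finding += 'redirect active below site root' }

    [pscustomobject]@{
        Path            = if ($p) { "/$p" } else { '/' }
        SslFlags        = $flags -join ','
        RedirectEnabled = [bool]$redirect.enabled
        Destination     = $redirect.destination
        Finding         = $finding -join '; '
    }
}

$report | Format-Table -AutoSize
$report | Where-Object Finding | ForEach-Object { Write-Warning "$($_.Path): $($_.Finding)" }
```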
Conclusion
Optimizing Outlook Web Access for simplicity and security improves the email experience for your users across devices. Leveraging IIS redirects lets you map friendly URLs like http://mail to the complex OWA path. Selectively enforcing SSL protects sensitive data while allowing unencrypted access for innocuous content.
Key benefits of this streamlined and secure OWA configuration include:
- Increased user productivity with easy access from anywhere
- Reduced support costs when users can self-serve more effectively
- Secure email and data transmission via SSL on critical backends
- Compliance with regulations requiring encryption of sensitive data
- Consistent experience on PCs, phones, tablets, and other devices
As email continues to be a primary communication mechanism, improving OWA access ensures your users stay connected.