This post was created as I have to rebuild multiple test environments, some of which use AD FS and Web Application Proxy (WAP) to publish Exchange services to the Internet. WAP allows you to publish only the specific Exchange virtual directories required for external access, for example /owa and /ecp, along with the others you need. Only those published paths are then reachable externally; other areas of IIS on the Exchange servers are not exposed.
There are multiple virtual directories to publish. Rather than have to click all the things multiple times, I prefer to use PowerShell and then a series of find & replace to update the FQDN and TLS certificate thumbprint for the specific environment.
Sample Commands To Publish Exchange Via WAP
As noted in the details below (scroll down if you want to read through for the rationale etc.), these are the URLs that we want to publish via WAP. Note that you will need to use your own certificate's thumbprint; retrieve the thumbprint using this post.
The URLs will also need to be updated to match your environment. The commands use -ExternalPreAuthentication PassThrough, so WAP performs no pre-authentication of its own and Exchange authenticates the client, and -BackendServerCertificateValidation None, so WAP does not validate the TLS certificate presented by the Exchange servers. The latter is convenient when rebuilding a lab; in production set it to ValidateCertificate once the WAP servers trust the certificate on the Exchange servers.
https://mail.wingtiptoys.ca/autodiscover/
https://autodiscover.wingtiptoys.ca/autodiscover/
https://mail.wingtiptoys.ca/MAPI/
https://mail.wingtiptoys.ca/ews/
https://mail.wingtiptoys.ca/oab/
https://mail.wingtiptoys.ca/owa/
# Replace the thumbprint below with your own external certificate's thumbprint, and the FQDNs with your namespaces.
# WAP rule names must be unique, so the Autodiscover rule on the mail namespace is named 'Autodiscover-Mail'
# and the one on the dedicated Autodiscover namespace is named 'Autodiscover'.
Add-WebApplicationProxyApplication -BackendServerUrl 'https://mail.wingtiptoys.ca/autodiscover/' -ExternalCertificateThumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -ExternalUrl 'https://mail.wingtiptoys.ca/autodiscover/' -Name 'Autodiscover-Mail' -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -InactiveTransactionsTimeoutSec 300 -ClientCertificatePreauthenticationThumbprint '' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://autodiscover.wingtiptoys.ca/autodiscover/' -ExternalCertificateThumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -ExternalUrl 'https://autodiscover.wingtiptoys.ca/autodiscover/' -Name 'Autodiscover' -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -InactiveTransactionsTimeoutSec 300 -ClientCertificatePreauthenticationThumbprint '' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://mail.wingtiptoys.ca/ews/' -ExternalCertificateThumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -ExternalUrl 'https://mail.wingtiptoys.ca/ews/' -Name 'EWS' -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -InactiveTransactionsTimeoutSec 300 -ClientCertificatePreauthenticationThumbprint '' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://mail.wingtiptoys.ca/MAPI/' -ExternalCertificateThumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -ExternalUrl 'https://mail.wingtiptoys.ca/MAPI/' -Name 'MAPI' -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -InactiveTransactionsTimeoutSec 300 -ClientCertificatePreauthenticationThumbprint '' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://mail.wingtiptoys.ca/oab/' -ExternalCertificateThumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -ExternalUrl 'https://mail.wingtiptoys.ca/oab/' -Name 'OAB' -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -InactiveTransactionsTimeoutSec 300 -ClientCertificatePreauthenticationThumbprint '' -ExternalPreAuthentication PassThrough
Add-WebApplicationProxyApplication -BackendServerUrl 'https://mail.wingtiptoys.ca/owa/' -ExternalCertificateThumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -ExternalUrl 'https://mail.wingtiptoys.ca/owa/' -Name 'OWA' -ClientCertificateAuthenticationBindingMode None -BackendServerCertificateValidation None -InactiveTransactionsTimeoutSec 300 -ClientCertificatePreauthenticationThumbprint '' -ExternalPreAuthentication PassThrough
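The same six rules as a parameterised function, added here as an example; it is not code from the original post. It replaces the find-and-replace step: set the two namespaces and the thumbprint once, and the function checks that the certificate is present in the local machine store, has not expired and covers both FQDNs before publishing anything. The rule names, the skip-if-already-published check and the default of ValidateCertificate for -BackendServerCertificateValidation are my choices (the post's own commands use None), and the namespaces and thumbprint are placeholders to be replaced.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the WAP server. Namespaces and thumbprint are placeholders.
function Publish-ExchangeViaWap {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MailNamespace         = 'mail.wingtiptoys.ca',
        [string]$AutodiscoverNamespace = 'autodiscover.wingtiptoys.ca',
        [Parameter(Mandatory)][string]$Thumbprint,
        # The post's commands use None. ValidateCertificate makes WAP verify the
        # certificate presented by the Exchange servers; use it once WAP trusts that cert.
        [ValidateSet('None', 'ValidateCertificate')]
        [string]$BackendCertificateValidation = 'ValidateCertificate'
    )

    # Thumbprints pasted from certlm.msc or certutil often carry spaces; normalise first.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
    }

    # Every published FQDN must be covered by the external certificate, either
    # exactly or by a wildcard SAN such as *.wingtiptoys.ca.
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($name in @($MailNamespace, $AutodiscoverNamespace)) {
        $covered = $sans | Where-Object {
            $_ -eq $name -or ($_.StartsWith('*.') -and $name -like $_)
        }
        if (-not $covered) {
            Write-Warning "Certificate $Thumbprint does not cover $name (SANs: $($sans -join ', '))."
        }
    }

    # The same six paths the post publishes. Names must be unique per WAP farm,
    # so the two Autodiscover rules get different names.
    $rules = @(
        @{ Name = 'Autodiscover-Mail'; Url = "https://$MailNamespace/autodiscover/" }
        @{ Name = 'Autodiscover';      Url = "https://$AutodiscoverNamespace/autodiscover/" }
        @{ Name = 'MAPI';              Url = "https://$MailNamespace/MAPI/" }
        @{ Name = 'EWS';               Url = "https://$MailNamespace/ews/" }
        @{ Name = 'OAB';               Url = "https://$MailNamespace/oab/" }
        @{ Name = 'OWA';               Url = "https://$MailNamespace/owa/" }
    )

    $existing = @(Get-WebApplicationProxyApplication)
    foreach ($rule in $rules) {
        $dup = $existing | Where-Object {
            $_.Name -eq $rule.Name -or
            ([string]$_.ExternalUrl).TrimEnd('/') -eq $rule.Url.TrimEnd('/')
        }
        if ($dup) {
            Write-Verbose "Skipping $($rule.Name): already published as '$($dup.Name)'."
            continue
        }
        if ($PSCmdlet.ShouldProcess($rule.Url, "Publish via WAP as '$($rule.Name)'")) {
            # External and backend URLs are identical: WAP reverse-proxies the same
            # namespace, so no URL translation is needed.
            Add-WebApplicationProxyApplication -Name $rule.Name `
                -ExternalUrl $rule.Url -BackendServerUrl $rule.Url `
                -ExternalCertificateThumbprint $Thumbprint `
                -ExternalPreauthentication PassThrough `
                -BackendServerCertificateValidation $BackendCertificateValidation `
                -InactiveTransactionsTimeoutSec 300
        }
    }
}

# Usage: preview with -WhatIf, then publish.
# Publish-ExchangeViaWap -Thumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -WhatIf
# Publish-ExchangeViaWap -Thumbprint 'C6B71C2100154ABB2CE26CB95F60B010A4D9D388' -Verbose
```

Because the function is safe to re-run (existing rules are skipped), it can be kept with the environment's build notes and run again after a certificate renewal, passing the new thumbprint.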
My Typical Configuration
The below is typically what I will use. Note that the OWA FQDN etc. can be changed to suit your own preference/environment.
One common question concerns the first Autodiscover rule above: why is there a second Autodiscover publishing rule at all, and why does it use the mail namespace (mail.wingtiptoys.ca) rather than the designated Autodiscover namespace, autodiscover.wingtiptoys.ca? For a full write-up see this post: Exchange Autodiscover Publishing Blocked By L7 Load Balancer
This is due to the default behaviour of the Exchange Hybrid Configuration Wizard (HCW) when it creates the OAuth configuration between Exchange Online and on-premises Exchange. To illustrate this, the below was taken from another environment, which shows it is NOT a one-off.
Note the OnPremiseDiscoveryEndpoint URL that we see when running Get-IntraOrganizationConfiguration:
Get-IntraOrganizationConfiguration
OnPremiseDiscoveryEndpoint : https://mail.tailspintoys.ca/autodiscover/autodiscover.svc
This is because the HCW derives the discovery endpoint from the EWS URL, so the discovery endpoint lands on the EWS host rather than on the Autodiscover namespace:
OnPremiseWebServiceEndpoint : https://mail.tailspintoys.ca/EWS/Exchange.asmx
The same EWS external URL can also be seen by running the Get-WebServicesVirtualDirectory cmdlet. Note the addition of -ADPropertiesOnly, which returns the values stored in Active Directory without contacting each server's IIS metabase.
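An added check, not from the original post, to run in the on-premises Exchange Management Shell after the HCW has completed: it reads the two endpoints shown above and the EWS ExternalUrl stored in AD, warns if the discovery endpoint host is not one of the EWS external hosts, and prints the /autodiscover/ and /ews/ URLs that WAP must therefore pass through on the mail namespace. The function name is mine.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange
# Management Shell (Get-IntraOrganizationConfiguration and
# Get-WebServicesVirtualDirectory are Exchange cmdlets).
function Get-RequiredAutodiscoverPublishing {
    $ioc = Get-IntraOrganizationConfiguration
    if (-not $ioc.OnPremiseDiscoveryEndpoint) {
        throw 'OnPremiseDiscoveryEndpoint is empty; has the Hybrid Configuration Wizard run?'
    }
    $discoveryHost = ([Uri]$ioc.OnPremiseDiscoveryEndpoint).Host
    $ewsHost       = ([Uri]$ioc.OnPremiseWebServiceEndpoint).Host

    # -ADPropertiesOnly returns what is stored in AD (one object per server)
    # without contacting each server's IIS metabase.
    $ewsExternalHosts = @(Get-WebServicesVirtualDirectory -ADPropertiesOnly |
        Where-Object { $_.ExternalUrl } |
        ForEach-Object { ([Uri]$_.ExternalUrl).Host } |
        Sort-Object -Unique)

    if ($discoveryHost -ne $ewsHost) {
        Write-Warning "Discovery endpoint host ($discoveryHost) differs from EWS endpoint host ($ewsHost)."
    }
    if ($ewsExternalHosts -notcontains $discoveryHost) {
        Write-Warning "Discovery endpoint host $discoveryHost is not an EWS ExternalUrl host ($($ewsExternalHosts -join ', ')); re-check the HCW output."
    }

    # Exchange Online calls these two URLs on-premises, so both paths must be
    # published through WAP on this host, whatever the Autodiscover namespace is.
    [pscustomobject]@{
        OnPremiseDiscoveryEndpoint  = $ioc.OnPremiseDiscoveryEndpoint
        OnPremiseWebServiceEndpoint = $ioc.OnPremiseWebServiceEndpoint
        WapExternalUrlsRequired     = @(
            "https://$discoveryHost/autodiscover/"
            "https://$ewsHost/ews/"
        )
    }
}

Get-RequiredAutodiscoverPublishing | Format-List
```

If WapExternalUrlsRequired lists a host for which WAP has no /autodiscover/ rule, free/busy and other OAuth-based hybrid features will fail from Exchange Online even though client Autodiscover via the dedicated namespace works.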
Sample WAP Publishing Configuration Viewed Using PowerShell
Below is the same configuration, and is displayed using PowerShell.
Get-WebApplicationProxyApplication
If we want to filter just on the ExternalURL:
Get-WebApplicationProxyApplication | Select ExternalURL
ExternalURL
-----------
https://mail.wingtiptoys.ca/autodiscover/
https://autodiscover.wingtiptoys.ca/autodiscover/
https://mail.wingtiptoys.ca/MAPI/
https://mail.wingtiptoys.ca/ews/
https://mail.wingtiptoys.ca/oab/
https://mail.wingtiptoys.ca/owa/
Details on the OWA publishing rule:
Get-WebApplicationProxyApplication -Name "OWA" | FL
For text readers/search engines:
ADFSRelyingPartyID :
ADFSRelyingPartyName :
ADFSUserCertificateStore :
BackendServerAuthenticationMode : NoAuthentication
BackendServerAuthenticationSPN :
BackendServerCertificateValidation : None
BackendServerUrl : https://mail.wingtiptoys.ca/owa/
ClientCertificateAuthenticationBindingMode : None
ClientCertificatePreauthenticationThumbprint :
DisableHttpOnlyCookieProtection : False
DisableTranslateUrlInRequestHeaders : False
DisableTranslateUrlInResponseHeaders : False
EnableHTTPRedirect : False
EnableSignOut : False
ExternalCertificateThumbprint : FD85845FE8B933F16DCFDA524439FCB860E57E44
ExternalPreauthentication : PassThrough
ExternalUrl : https://mail.wingtiptoys.ca/owa/
ID : 61da1f4b-6b39-83d7-e31e-56865157c9b2
InactiveTransactionsTimeoutSec : 300
Name : OWA
PersistentAccessCookieExpirationTimeSec : 0
UseOAuthAuthentication : False
PSComputerName :
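An audit of the published rules, added as an example and not part of the post, to run on the WAP server. It compares what Get-WebApplicationProxyApplication returns against the six ExternalUrls listed above and flags the settings a reviewer would question: a rule that publishes the root path (which would expose all of IIS and defeat the point of publishing specific virtual directories), BackendServerCertificateValidation set to None, rules that use different external certificates, and a referenced certificate that is missing or close to expiry. The default expected-URL list and the function name are mine.

```powershell
# Added example, not from the original post. Run on the WAP server.
function Test-WapExchangePublishing {
    param(
        # Expected ExternalUrls: the six from the post, used as the default list.
        [string[]]$ExpectedExternalUrl = @(
            'https://mail.wingtiptoys.ca/autodiscover/'
            'https://autodiscover.wingtiptoys.ca/autodiscover/'
            'https://mail.wingtiptoys.ca/MAPI/'
            'https://mail.wingtiptoys.ca/ews/'
            'https://mail.wingtiptoys.ca/oab/'
            'https://mail.wingtiptoys.ca/owa/'
        ),
        [int]$CertificateWarningDays = 30
    )

    $apps     = @(Get-WebApplicationProxyApplication)
    $findings = New-Object System.Collections.Generic.List[string]

    # WAP stores the URL as typed, so normalise trailing slash and case before comparing.
    $norm = { param($u) ([string]$u).TrimEnd('/').ToLowerInvariant() }
    $published = @($apps | ForEach-Object { & $norm $_.ExternalUrl })
    foreach ($u in $ExpectedExternalUrl) {
        if ($published -notcontains (& $norm $u)) { $findings.Add("Missing rule for $u") }
    }

    foreach ($a in $apps) {
        # A rule for "/" publishes every path on the backend, not one virtual directory.
        if (([Uri]$a.ExternalUrl).AbsolutePath -eq '/') {
            $findings.Add("$($a.Name): publishes the whole site ($($a.ExternalUrl))")
        }
        if ($a.BackendServerCertificateValidation -eq 'None') {
            $findings.Add("$($a.Name): BackendServerCertificateValidation is None (WAP does not verify the Exchange certificate)")
        }
    }

    # All Exchange rules should share one external certificate, and it should be
    # present in the local store and not about to expire.
    $thumbs = @($apps | ForEach-Object { $_.ExternalCertificateThumbprint } | Sort-Object -Unique)
    if ($thumbs.Count -gt 1) {
        $findings.Add("Rules use $($thumbs.Count) different external certificates: $($thumbs -join ', ')")
    }
    foreach ($t in $thumbs) {
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $t }
        if (-not $cert) {
            $findings.Add("Certificate $t is referenced by a rule but is not in Cert:\LocalMachine\My")
            continue
        }
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt $CertificateWarningDays) {
            $findings.Add("Certificate $t expires in $daysLeft days ($($cert.NotAfter))")
        }
    }

    [pscustomobject]@{
        Published = $apps | Select-Object Name, ExternalUrl, ExternalPreauthentication,
                                          BackendServerCertificateValidation
        Findings  = $findings
    }
}

$result = Test-WapExchangePublishing
$result.Published | Format-Table -AutoSize
$result.Findings
```

Against the OWA rule shown above, the audit reports the BackendServerCertificateValidation : None setting as a finding; that is the expected result for this lab configuration and the prompt to switch it to ValidateCertificate before the same rules go into production.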
Cheers,
Rhoderick