Forum Discussion

Drago-Petrovic
Nov 27, 2023

Entra Application Proxy for Outlook Web App (OWA)

[Blog Post]
I have put a new #article online. This time it's about the protection of Outlook Web App #OWA.
In my article, I describe how we can protect OWA with #Entra Application Proxy for #onprem #MSExchange environments and thus get the possibility to use Entra #MFA.
This article is a step-by-step guide.

https://www.msb365.blog/?p=5447

#Microsoft #MVPbuzz #EntraID #OutlookWebApp #ApplicationProxy

  • arturaragao
    Copper Contributor
    We have a hybrid implementation and are experiencing issues that I can't properly understand.

    If all requests are made by encapsulating OWA communication with the Application Proxy, why is the link address of the attachments pointing to a different link than the proxy?
    I've already tried changing this link in the Exchange virtual directories, but OWA continues to point to mail.contoso.com, the attachment link. This means that this request is made outside the Entra Application Proxy and goes against the server that is not allowed in the Firewall.
    We did a test to quickly release and test and after that we were able to download. But, it doesn't make sense to have the solution working like this, unless it doesn't really have support from the OWA publication. I only see this information for Hybrid Agent and we don't have this in our environment. Our environment is Hybrid only with CU12.

    What is the official documentation that mentions that OWA and ECP resources do not support publishing properly?
  • arturaragao
    Copper Contributor
    I'm returning to this here, because after I reviewed the entire scenario with another analyst, he made me understand that I wasn't so wrong in my thinking before posting this information.

    There was a moment when I identified that the request for attachments was going to the external address and not the internal one. I wasn't able to gauge this well, so I ended up coming here to try to find more answers.

    We do not use the hybrid agent. We use Wizard Hybrid for the hybrid environment setup.

    What we think is that requests for attachments appear to be being made outside of the App Proxy. At least, it tries to access the address mail.contoso.com, even changing the external address to mail-contoso.msappproxy.net.

    The strangest thing is that I changed the OWA and ECP virtual directories to mail-contoso.msappproxy.net/, but when I open OWA externally, the attachment continues to point to mail.contoso.com.
  • arturaragao
    Copper Contributor
    OWA x Entra Application Proxy.

    Is publishing current versions, OnPremises or Hybrid, supported or not? Would you know how to inform? I only found documentation stating that Agent Hybrid was not supported in the publication.
