Issues occur when you publish OWA in Exchange Server 2010 SP1 by using Forefront UAG

Symptoms

When you publish Microsoft Outlook Web App (OWA) in Microsoft Exchange Server 2010 Service Pack 1 (SP1) by using Microsoft Forefront Unified Access Gateway (UAG), the following issues may occur:
  • An end-user receives an access violation error message when the user accesses OWA.
  • Theme elements and images are rendered in the OWA interface incorrectly.
  • The logoff link on the Forefront UAG portal works incorrectly.

Cause

These issues occur because some modifications that are required are not implemented in the Forefront UAG rule sets and in OWA.

Exchange Server 2010 SP1 changes some parts of the OWA architecture and some URLs that are used by OWA. However, these changes require additional modifications to Forefront UAG and to OWA.

Resolution

To resolve these issues, change the AppWrap file and the URL rule sets that are created by Forefront UAG.

To change the AppWrap file, follow these steps:
  1. Locate the HTTPS_WhlFiltAppWrap_ForPortal.xml file in the following folder:

    <the Forefront UAG installation directory>\von\conf\WizardDefaults\AppWrapTemplates
  2. Open the file in a text editor or in the Forefront UAG Editor console by using edit mode.
  3. Locate the following text in the file:
    <URL case_sensitive="false">/ecp.*</URL>
  4. Insert the following text after the line that you located:
    <SAR>
      <SEARCH encoding="base64">b25jbGljaz0icmV0dXJuIEp1bXBUbygnbG9nb2ZmLmFzcHg/c3JjPWV4Y2gnLCB0cnVlKSI=</SEARCH>
      <REPLACE encoding="base64">b25jbGljaz0iZW5kU2Vzc2lvbigpOyI=</REPLACE>
    </SAR>
    After you insert the text, the AppWrap file resembles the following:
    <!-- Logoff in ECP -->
    <DATA_CHANGE>
      <URL case_sensitive="false">/ecp.*</URL>
      <SAR conditional_variable="DontShowLogoff" conditional_var_value="True">
        <SEARCH encoding="base64">PGRpdiBpZD0ibG9nT2ZmIg==</SEARCH>
        <REPLACE encoding="base64">PGRpdiBpZD0ibG9nT2ZmIiBzdHlsZT0iZGlzcGxheTpub25lIg==</REPLACE>
      </SAR>
      <SAR conditional_variable="DontShowLogoff" conditional_var_value="FALSE">
        <SEARCH encoding="base64">b25jbGljaz0icmV0dXJuIEp1bXBUbygnTG9nb3V0Jyki</SEARCH>
        <REPLACE encoding="base64">b25jbGljaz0iZW5kU2Vzc2lvbigpOyI=</REPLACE>
      </SAR>
      <SAR>
        <SEARCH encoding="base64">b25jbGljaz0icmV0dXJuIEp1bXBUbygnbG9nb2ZmLmFzcHg/c3JjPWV4Y2gnLCB0cnVlKSI=</SEARCH>
        <REPLACE encoding="base64">b25jbGljaz0iZW5kU2Vzc2lvbigpOyI=</REPLACE>
      </SAR>
      <SAR conditional_variable="DontShowLogoff" conditional_var_value="FALSE">
        <SEARCH encoding="base64">PGEgY2xhc3M9ImxvZ09mZkxpbmsi</SEARCH>
        <REPLACE encoding="base64">PHNjcmlwdCBsYW5ndWFnZT0iSmF2YVNjcmlwdCIgc3JjPSJXaGxPd25VUkxzY3JpcHRzL0NhY2hlQ2xlYW4uanMiPjwvc2NyaXB0PjxzY3JpcHQgbGFuZ3VhZ2U9IkphdmFTY3JpcHQiIHNyYz0iV2hsT3duVVJMbG9nb2ZmUGFyYW1zLmFzcD9zaXRlX25hbWU9V2hsU2l0ZU5hbWUmc2VjdXJlPVdobFNlY3VyZSI+PC9zY3JpcHQ+DQo8c2NyaXB0IGxhbmd1YWdlPSJKYXZhU2NyaXB0IiBzcmM9IldobE93blVSTHNjcmlwdHMvbG9nb2ZmLmpzIj48L3NjcmlwdD48YSBjbGFzcz0ibG9nT2ZmTGluayI=</REPLACE>
      </SAR>
    </DATA_CHANGE>
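The SEARCH and REPLACE values above are base64, so the rewrite cannot be reviewed by eye. The following added example (not part of the original article or of Forefront UAG) decodes each SAR pair in a DATA_CHANGE fragment and checks that the SAR from step 4 is present exactly once; the function names are hypothetical and the fragment is a shortened copy of the XML on this page.

```python
import base64
import xml.etree.ElementTree as ET

# Shortened copy of the DATA_CHANGE block shown on this page.
FRAGMENT = """<DATA_CHANGE>
<URL case_sensitive="false">/ecp.*</URL>
<SAR conditional_variable="DontShowLogoff" conditional_var_value="True">
<SEARCH encoding="base64">PGRpdiBpZD0ibG9nT2ZmIg==</SEARCH>
<REPLACE encoding="base64">PGRpdiBpZD0ibG9nT2ZmIiBzdHlsZT0iZGlzcGxheTpub25lIg==</REPLACE>
</SAR>
<SAR>
<SEARCH encoding="base64">b25jbGljaz0icmV0dXJuIEp1bXBUbygnbG9nb2ZmLmFzcHg/c3JjPWV4Y2gnLCB0cnVlKSI=</SEARCH>
<REPLACE encoding="base64">b25jbGljaz0iZW5kU2Vzc2lvbigpOyI=</REPLACE>
</SAR>
</DATA_CHANGE>"""


def _text(element):
    """Return the element text, base64-decoded when the attribute says so."""
    raw = (element.text or "").strip()
    if element.get("encoding") == "base64":
        # validate=True rejects stray characters introduced by a bad paste.
        return base64.b64decode(raw, validate=True).decode("utf-8")
    return raw


def decode_sars(xml_text):
    """List every search-and-replace pair in a DATA_CHANGE fragment as clear text."""
    root = ET.fromstring(xml_text)  # raises ParseError if the edit broke the XML
    url = root.findtext("URL")
    pairs = []
    for sar in root.iter("SAR"):
        var = sar.get("conditional_variable")
        when = f"{var}={sar.get('conditional_var_value')}" if var else "always"
        pairs.append({"url": url, "when": when,
                      "search": _text(sar.find("SEARCH")),
                      "replace": _text(sar.find("REPLACE"))})
    return pairs


def has_ecp_logoff_fix(xml_text):
    """True if exactly one unconditional SAR maps the logoff.aspx handler to endSession()."""
    hits = [p for p in decode_sars(xml_text)
            if p["when"] == "always"
            and "logoff.aspx?src=exch" in p["search"]
            and p["replace"] == 'onclick="endSession();"']
    return len(hits) == 1


if __name__ == "__main__":
    for pair in decode_sars(FRAGMENT):
        print(f'{pair["url"]} [{pair["when"]}]: {pair["search"]!r} -> {pair["replace"]!r}')
    print("ECP logoff fix present:", has_ecp_logoff_fix(FRAGMENT))
```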

To change the URL rule sets, follow these steps:
  1. Select the Forefront UAG trunk that publishes OWA in Exchange Server 2010 SP1.
  2. On the Properties page of the main trunk, click Configure to open the trunk properties.
  3. Select the URL Set tab.
  4. Locate and change the following URL rules for the application:
    Rule set: ExchangePub2010_Rule7
      URL rule:             /owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/(default|black|base|1|2|3)/
      New changed URL rule: /owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/([a-z0-9_-]{1,20})/

    Rule set: ExchangePub2010_Rule 8
      URL rule:             /owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/(default|black|base|1|2|3)/[a-z0-9_-]+\.(gif|css|wav|wrng|png|ico)
      New changed URL rule: /owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/([a-z0-9_-]{1,20})/[a-z0-9_-]+\.(gif|css|wav|wrng|png|ico)

    Rule set: ExchangePub2010_Rule 29
      URL rule:             /forms/[0-9.]+/themes/(default|black|base)/[a-z0-9-]+\.(gif|png|ico)
      New changed URL rule: /forms/[0-9.]+/themes/([a-z0-9_-]{1,20})/[a-z0-9-]+\.(gif|png|ico)

  5. Add two new rules. To do this, follow these steps:
    1. Click Add Primary.
    2. Locate the ExchangePub2010 rules in the URL list. Locate the largest numbered rule of the ExchangePub2010 rules in numeric order.

      The new rule names contain a number that is an increment of the largest numbered rule of the ExchangePub2010 rules. If the largest numbered rule is 40, use the rule names in the following table. These rule names contain 41 and 42.

      If the largest numbered rule is not 40, use rule names that contain numbers that are an increment of the largest numbered rule. The number does not affect the functioning of Forefront UAG. However, the numbers of two rules must not be the same.

      Rule name                Action  URL                                                          Parameters  Methods
      ExchangePub2010_Rule 41  Accept  /owa/csdc\.gif                                               Ignore      GET,POST
      ExchangePub2010_Rule 42  Accept  /owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/clientbin/owasi.xap  Ignore      GET
    3. Create the two rules by using the values in the table that is in the previous step.
After you change both the AppWrap file and the URL rule sets, start the Forefront UAG configuration. The following results occur while the Forefront UAG configuration starts:
  • All active and authenticated Forefront UAG sessions are maintained.
  • Users who access web applications are not affected. If a user requests a web resource while Forefront UAG configuration starts, an image or page might not appear.
  • All remote network access tunnels over Secure Socket Tunneling Protocol (SSTP) or Network Connector are closed. Therefore, client applications lose connectivity to the servers if the applications use any secure sockets layer (SSL) virtual private network (VPN) functionality. However, users can relaunch tunneled client applications by clicking the application link on the Forefront UAG portal homepage because the Forefront UAG session is maintained. These applications include Network Connector.
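The changed URL rules in step 4 widen the accepted theme folder from a fixed list to any name that matches [a-z0-9_-]{1,20}. The following added example (not part of the original article or of Forefront UAG) compares the old and new rules against constructed request paths to show what the change admits and what stays rejected. It assumes that a rule must match the whole path, case-insensitively; the function names, version number and theme names are made up.

```python
import re

# (old, new) URL rules copied from the table in step 4 of this article.
RULES = {
    "ExchangePub2010_Rule7": (
        r"/owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/(default|black|base|1|2|3)/",
        r"/owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/([a-z0-9_-]{1,20})/",
    ),
    "ExchangePub2010_Rule 8": (
        r"/owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/(default|black|base|1|2|3)/[a-z0-9_-]+\.(gif|css|wav|wrng|png|ico)",
        r"/owa(/[a-z0-9._-]+@[a-z0-9.-]+)?/[0-9.]+/themes/([a-z0-9_-]{1,20})/[a-z0-9_-]+\.(gif|css|wav|wrng|png|ico)",
    ),
    "ExchangePub2010_Rule 29": (
        r"/forms/[0-9.]+/themes/(default|black|base)/[a-z0-9-]+\.(gif|png|ico)",
        r"/forms/[0-9.]+/themes/([a-z0-9_-]{1,20})/[a-z0-9-]+\.(gif|png|ico)",
    ),
}

# Constructed request paths; none of them come from a real deployment.
SAMPLES = [
    "/owa/14.1.0.0/themes/base/logo.png",
    "/owa/14.1.0.0/themes/custom_theme/logo.png",
    "/owa/user@example.com/14.1.0.0/themes/custom_theme/",
    "/forms/14.1.0.0/themes/custom_theme/logo.png",
    "/owa/14.1.0.0/themes/custom_theme/app.js",
    "/owa/14.1.0.0/themes/../../web.config",
    "/owa/14.1.0.0/themes/" + "a" * 21 + "/logo.png",
]


def matching_rules(path, new):
    """Names of the rules whose old (new=False) or new (new=True) pattern accepts path."""
    index = 1 if new else 0
    return [name for name, patterns in RULES.items()
            if re.fullmatch(patterns[index], path, re.IGNORECASE)]


def classify(path):
    """Describe how the rule change affects one request path."""
    old, new = matching_rules(path, False), matching_rules(path, True)
    if old and not new:
        return "REGRESSION"  # the new rules should be a superset of the old ones
    if new and not old:
        return "newly accepted"
    return "accepted before and after" if new else "rejected before and after"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):26} {sample}")
```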

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about Forefront UAG, visit the following Microsoft website:
Properties

Article ID: 2444842 - Last Review: Oct 29, 2010 - Revision: 1
