Prerequisites for accessing OWA via reverse proxy

The recommended way to provide Internet access to an internal Outlook Web App (OWA) server is by using DEFENDO's reverse proxy. Its security options protect the Internet Information Server (IIS) running OWA. These are the requirements for this setup:
  • The OWA web server must listen on port 443 (SSL offloading to port 80 unencrypted is possible)
  • The reverse proxy must accept encrypted connections on port 443
DEFENDO's port 443 is already in use by its administration GUI, so a different port for encrypted connections has to be configured for DEFENDO's reverse proxy. Firewall DNAT rules can be used to redirect OWA client connections from port 443 to the reverse proxy port. A detailed description is available in the reverse proxy documentation of DEFENDO's online manual and documentation.

Authentication

The default authentication method of OWA is HTTP authentication. Kerberos, NTLM and Basic are usually offered in the given order. Except for Internet Explorer, most clients will use Basic; some may choose NTLM.
As an alternative, OWA can use "Forms-Based Authentication". Instead of a browser popup asking for the credentials, an embedded HTML form asks for login and password. Even if enabled, OWA will use this authentication style only for encrypted (HTTPS) connections.
As the strongest form of authentication, DEFENDO's reverse proxy can request a client certificate. A browser which has no suitable certificate installed simply isn't forwarded to IIS. While client certificates are also supported by some ActiveSync clients (e.g. iPhone), it is not possible to have Outlook authenticate itself with a certificate. If, however, DEFENDO has multiple Internet IPs, you could simply add an additional reverse proxy port for Outlook Anywhere. Use two DNAT rules to forward inbound connections to either the unauthenticated port for Outlook Anywhere or the authenticated port, depending on the destination IP.
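
Which HTTP authentication schemes a published OWA site offers, and in what order, can be read from the WWW-Authenticate headers of its 401 response. The following check is an added example, not DEFENDO or Microsoft code; the sample responses, host name and path are constructed, and it assumes that IIS advertises Kerberos through the "Negotiate" scheme.

```python
import re

# Constructed sample responses (not captured from a real server).
HTTP_AUTH_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"   # Kerberos is advertised as Negotiate
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="mail.example.test"\r\n'
    "Content-Length: 0\r\n\r\n"
)
FORM_LOGIN_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://mail.example.test/login-form\r\n"  # placeholder path
    "Content-Length: 0\r\n\r\n"
)

def offered_schemes(raw_head):
    """Return (status code, auth schemes in the order the server offers them)."""
    lines = raw_head.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Drop quoted strings so a comma inside a realm does not split a challenge.
        for part in re.sub(r'"[^"]*"', "", value).split(","):
            tokens = part.split()
            if tokens and "=" not in tokens[0]:  # "realm=" is a parameter, not a scheme
                schemes.append(tokens[0])
    return status, schemes

def audit(raw_head, encrypted):
    """Classify the login style and flag Basic offered on an unencrypted connection."""
    status, schemes = offered_schemes(raw_head)
    findings = []
    if status == 401 and schemes:
        mode = "http-auth"
        if not encrypted and any(s.lower() == "basic" for s in schemes):
            findings.append("Basic offered without TLS: password is only base64-encoded")
    else:
        # No challenge: forms-based login, or the proxy did not forward the request.
        mode = "no-http-auth-challenge"
    return {"mode": mode, "schemes": schemes, "findings": findings}

if __name__ == "__main__":
    print(audit(HTTP_AUTH_401, encrypted=False))
    print(audit(FORM_LOGIN_302, encrypted=True))
```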
