Enterprise Vault and TMG OWA Publishing

Next part II : Publishing the Enterprise Vault URLs used for Outlook Anywhere

When an organisation uses Enterprise Vault email archiving, it uses it primarily with Outlook. Users always want access to their archived items. Sometimes, when they are not at the office or in the company network, they use OWA, and OWA should preferably have access to the archive too. Here comes the tricky part: while publishing the Exchange and OWA URLs to the internet with TMG is a "piece of cake", publishing Enterprise Vault can be a hassle. This is why I wrote this little tutorial about publishing Enterprise Vault with TMG. When using Outlook Anywhere, we also have to publish Enterprise Vault. This means we will create 2 web publishing rules for Enterprise Vault.


Prerequisites:

  • Exchange 2007/2010 servers are installed.
  • A public SAN certificate is present.
  • The Exchange and OWA URLs are already published.


Assumptions:

  • You want to use the HTTPS protocol for accessing Enterprise Vault from the internet.
  • You use HTTP for accessing Enterprise Vault from inside the organisation (less configuration and no need to install extra expensive certificates).

Configuration steps:

  • Configure Enterprise Vault desktop policy
    • Open the Vault Admin Console and navigate to Policies -> Exchange -> Mailbox and open the mailbox policy that applies to the Outlook Anywhere users.
    • Go into the Advanced tab and choose "Outlook" from the "List settings from" drop down box.
    • Set RPC over HTTP connection to "Use proxy".
    • Set RPC over HTTP proxy URL to the external host name that users use to access Outlook Anywhere, followed by /EnterpriseVault.
    • Synchronize all mailboxes.
  • Configure TMG and publish the "Enterprise Vault" URLs (Archive Explorer, archive search and the OWA EV buttons), using the Exchange OWA listener object
    • Open the TMG management console
    • Create a new web publishing rule using the "New Web Publishing Rule Wizard"
    • Name the rule "Enterprise Vault"
    • Select the "Publish a single web site or load balancer" option and click Next.
    • Select "Use non-secured connections to connect to the published web server or server farm" and click Next. If the Enterprise Vault server is internally configured for SSL, select "Use SSL to connect to the published web server or web server farm" instead. (Note that HTTP will only be used on the internal side of the Threat Management Gateway (TMG).)
    • In the "Internal site name" field, type the Enterprise Vault server name that internal clients use to access Enterprise Vault and click Next.
    • In the Path (optional) field, type EnterpriseVault/* and click Next. (This is the virtual directory name; the wildcard covers all pages.)
    • In the "Accept requests for:" field, choose This domain name (type below). For the public name, type in the external host name that outside users use to access Outlook Anywhere and click Next.
    • On the next screen, select the web listener used for Outlook Anywhere.
    • For the authentication delegation screen, choose NTLM authentication and click Next.
    • Leave the default setting for the user sets screen. The default should be "All Authenticated Users". Click Next and then Finish.
    • Configure link translation: the left-side URL is the part of the URL on the internal side; the right-side URL is the string that replaces it to form the external URL. (Example: replace http://evserver1 with https://webmail.heerwegh.ch)
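
As an added check (not part of the original tutorial and not TMG's own logic), the script below audits a response captured from the published /EnterpriseVault path for links that link translation missed: references to the internal server name and http:// links to the public name. The host names come from the link translation example above; the FQDN evserver1.corp.example, the page names and the sample response are constructed.

```python
import re
from urllib.parse import urlsplit

# Host names taken from the tutorial's link translation example.
INTERNAL_HOST = "evserver1"
PUBLIC_HOST = "webmail.heerwegh.ch"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def audit_response(headers, body, internal=INTERNAL_HOST, public=PUBLIC_HOST):
    """Return sorted (where, problem, url) tuples for links left untranslated."""
    findings = set()
    # Redirect-style headers carry absolute URLs just like the HTML body does.
    sources = [("header:" + name, value) for name, value in headers.items()
               if name.lower() in ("location", "content-location")]
    sources.append(("body", body))
    for where, text in sources:
        for url in URL_RE.findall(text):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            # The short name or any FQDN of the internal server reached the client.
            if host == internal or host.startswith(internal + "."):
                findings.add((where, "internal-host", url))
            # Public name over http:// would not go through the HTTPS listener.
            elif host == public and parts.scheme.lower() == "http":
                findings.add((where, "cleartext-public", url))
    return sorted(findings)

# Constructed sample response (page names and FQDN are made up for illustration).
SAMPLE_HEADERS = {"Location": "http://evserver1/EnterpriseVault/page1.asp?id=1"}
SAMPLE_BODY = """
<a href="https://webmail.heerwegh.ch/EnterpriseVault/page2.asp">Archive Explorer</a>
<a href="http://evserver1.corp.example/EnterpriseVault/page3.asp?id=42">Open item</a>
<img src="http://webmail.heerwegh.ch/EnterpriseVault/images/logo.gif">
"""

if __name__ == "__main__":
    for where, problem, url in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{where:16} {problem:17} {url}")
```

An empty result for the pages behind the rule means every absolute link already points at the public HTTPS name; an internal-host finding with an FQDN suggests the link translation mapping needs a second entry for that form of the server name.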

If we open the rule and review the settings, we'll have something like:
