OWA Root redirect rule to prevent Access Denied error
When using any LoadMaster Exchange Template and accessing the Virtual Service's Fully Qualified Domain Name (FQDN) without the /owa string included, an Access Denied 403 error message may be presented in the browser when the Edge Security Pack (ESP) feature has been enabled. This article will explain how to resolve this behaviour and prevent the Access Denied 403 Forbidden response.
Application: Microsoft Exchange 2013, 2016, and 2019
ESP enabled on a Virtual Service (VS) can restrict which requested URLs are granted access and which are denied. When using a LoadMaster Exchange Template, by default the ESP Allowed Virtual Directories setting on the OWA Sub Virtual Service (SubVS) restricts access to only those URL requests with /owa* appended. For example, https://mail.domain.com/owa will be allowed. However, the root request, https://mail.domain.com/, will be blocked and will receive the Access Denied 403 response in the web browser.
|Steps to Reproduce:|
|Error Message:||Access Denied 403 Forbidden|
|Cause:||ESP is checking the requested URLs that the clients send to ensure they match the predefined strings under the Allowed Virtual Directories section for the SubVS in question.|
|Resolution:||All LoadMaster Exchange Templates come with a prebuilt Content Rule that automatically appends /owa to any root request that lacks it. This rule is called "Redirect_Root_xxxx", where "xxxx" can be a number.|
To apply this Content Rule, or to confirm it has already been applied correctly, navigate to the Exchange Virtual Service on the LoadMaster and click Modify. Expand the Advanced Properties section and go to HTTP Header Modifications > Show Header Rules. If the rule mentioned above is listed under Request Rules, no further action is required. If it is not listed, click the dropdown box, select the "Redirect_Root_xxxx" rule and click Add. This rule should always be set under Request Rules, which should appear similar to the screenshot below if applied correctly:
After applying this rule, all requests to https://mail.domain.com/ will now be mapped to https://mail.domain.com/owa, which is a permitted format for the ESP Allowed Virtual Directories Configuration.
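To confirm the result from a client, the following check (an added example, not part of the original article or the vendor's tooling) requests / and /owa without following redirects and reports whether the root request is still answered with 403. The function names are hypothetical, and mail.domain.com is the article's placeholder host.

```python
"""Check whether a root request to an ESP-protected Exchange Virtual Service is still denied."""
import http.client
import ssl
import sys


def probe(host, path, timeout=10):
    """Send one GET without following redirects; return (status, Location header or None)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"User-Agent": "owa-root-check"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def diagnose(root, owa):
    """Compare the (status, location) results obtained for "/" and "/owa"."""
    root_status, _ = root
    owa_status, _ = owa
    if owa_status == 403:
        # /owa itself is denied, so this is not the root-request issue from the article.
        return "owa-blocked"
    if root_status == 403:
        # Symptom from the article: "/" is denied while /owa is allowed.
        # Check that the Redirect_Root_xxxx rule is listed under Request Rules.
        return "root-blocked"
    # "/" is no longer answered with 403 Forbidden.
    return "ok"


if __name__ == "__main__":
    # Placeholder FQDN taken from the article; pass the real one as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"
    root, owa = probe(host, "/"), probe(host, "/owa")
    verdict = diagnose(root, owa)
    print(f"/    -> {root}\n/owa -> {owa}\nverdict: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

A non-zero exit status makes the script usable as a post-change check after a template is applied or a Virtual Service is modified.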
Additional Information on ESP:
Microsoft Exchange 2013, 2016 and 2019 Templates: