Ever go through the trouble of modifying OWA so that when users click Logoff, they're also logged out of the Secure Access (IVE) session? And then the Exchange folks upgrade and poof, your work is gone. Now you have to negotiate time with Exchange folks, again, to work your magic. You can take the Exchange folks (and others) out of the equation by using the IVE Single Sign-On feature to accomplish the logout. While it's not quite as nice, this method is very effective. I use it for OWA, SharePoint and other rewritten web apps. Here are example steps for OWA:
Note: These steps assume that you already have OWA working through your Secure Access appliance. Some of the steps may be different depending on your environment (versions, load balancing, DNS, etc).
1. Go to Resource Policies --> Web --> Selective Rewriting and create a new policy.
2. Name the policy whatever you like. I named mine "Don't rewrite IVE".
3. In the Resources field, enter "https://", the external hostname (FQDN) of your IVE, and ":443/*". For example: https://webmail.company-x.com:443/*
4. Apply the policy to your OWA role.
5. Choose the "Don't rewrite content: Redirect to target web server" action.
6. Click the Save Changes button.
7. Next, go to Resource Policies --> Web --> SSO Form Post and create a new policy.
8. Again, name the policy whatever you like. I named mine "OWA Single Sign-Off".
9. In the Resource field, enter the URL to your OWA logoff page. You can log on to your internal OWA URL and click logoff to discover the URL. Mine looks like https://exchangefe.company-x.net:443/exchweb/bin/USA/logoff.asp.
10. Apply the policy to your OWA role.
11. Choose the "Perform the POST defined below" action.
12. In the POST to URL field, enter the URL of your IVE logout page. For example: https://webmail.company-x.com/dana-na/auth/logout.cgi.
13. Click Save Changes.
14. Try it out.
Now when someone clicks the Logoff button in OWA, the IVE will see the OWA logoff URL as a Single Sign-On resource and Post to the IVE logout URL. Tada! IVE session logged out!
The downside to using this "feature" is that the internal session may not be logged out because the IVE is intercepting. But most of these web apps have a session time-out. And I'd rather have an internal session unresolved than an external session...
My problem is exactly the opposite. Tonight I want to upgrade our system to 6.3R6.1, and in our test environment this version is already running. But when I click "logoff" at OWA it disconnects me from the whole IVE, the session is killed also... I don't know why, no SSO policy is defined for doing that.
Any idea? Need help very fast, hope somebody can help on that!
I have been trying to get something like this to work for terminal server sessions. Would it be done the same way, or have you gotten it to work with TS?
I actually just used the SSO method to redirect one URL to another.
Would be nice to have some better control with selective rewriting so you could actually do this here.
I mean my latest SSO isn't really SSO :-)