OWA, Forefront TMG, Change Password, Page Not Found Error 403

After upgrading from ISA Server 2006 to Forefront TMG 2010, the Change Password feature in Outlook Web Access (OWA) stopped working. It gave a 403 page error. I looked high and low for a solution but found only poor/bad/incorrect/non-helpful information.

Clicking the Change Password link in OWA attempts to open this page:

In Internet Explorer, this page gives the error:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

The fix for me was to add /ecp/* on the Paths tab of the OWA rule in Forefront TMG.

1. On the Forefront TMG server, go to Firewall Policy > Exchange OWA (or whatever your OWA policy is called).
2. Select Edit Selected Rule on the Tasks tab. The Properties dialog opens.
3. Select the Paths tab.
4. Click Add and enter the internal path you want to allow. In my case, the hint came from the URL. I entered /ecp/*.
5. Click Apply, OK.