alex_baird
asked on
Exchange 2010 OWA: Getting internal access working...
Hi! I have setup an exchange 2010 server with OWA access. Using TMG and procedures outlined in the MS ForeFront Threat Management Gateway book from MS, I was able to successfully get the external clients authenticating and using OWA. However, in order to get the OWA working externally, I had to change the bindings on the exchange/OWA default server for port 443 from the default exchange server (mercury) certificate to the external, validated certificate. Now when internal clients try to go to the internal owa address (https://mercury.myserver.local/owa) they get a message that IE "can't display the web page". I have tried using the IP for the exchange server and still the same message. Internal users can reach it fine if they use the external address that is validated by the certificate binding. I can fix this problem by switching the bindings back to the internal certificate, but then the external users can't access.
How can I give access to both the external, and internal users?
Thanks,
-Alex-
How can I give access to both the external, and internal users?
Thanks,
-Alex-
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I never saw that wizard GV! I have walked through the process of the certificate request wizard you referred to. However , I am testing Exchange 2010 out and don't want to go to an paid authority to certify the SAN. Can I self-certify the request that I generated?
Thanks,
-Alex-
Thanks,
-Alex-
Yes, you can. You can install certificate authority service on one of your servers or you can install one of free CA servers and issue the certificate you need. The (only) drawback would be, that you will have to install CA server and issued exchange certificate on all computers that are not part of your domain.
For domain computers will be enough to install CA server certificate on exchange server or domain controller. (trusted root CA)
For domain computers will be enough to install CA server certificate on exchange server or domain controller. (trusted root CA)
Free and really simple CA server:
http://simpleauthority.com/download.html
http://simpleauthority.com/download.html
ASKER
Did not see the certificate wizard! Thanks for pointing it out!
As a note from someone who has just gone through setting up a new domain (windows 2008r2) with Exchange 2010 AND TMG, there are several things that I found would have speeded up my new Domain/Exchange installation immensely:
For All 2008R2 servers involved:
- Every server should without pause be patched fully before installing any other roles beyond the most basic.
-Make sure that if you setting up a split domain, you add a forward lookup zone on your DNS server that points to your Exchange server with it's external FQDN.
-IF you are using server 2008R2 you don't need to disable IPV6 on the servers. I don't think that disabling will impede anything, but leaving it on doesn't hurt either. Don't know if this is true with 2008 servers.
For The Edge Server with TMG:
-If you are going to have your edge server also host TMG, then make sure you install everything in the correct order: Exchange/Edge first, then Forefront Protection for Exchange, then TMG. Installing out of order can cause alot of headaches.
-Make sure that you remember to put an Outbound DNS Allow rule on TMG first thing so that your domain has Internet access.
-If you are using dual nics for the TMG setup (one internal/one external) remember to leave the external NIC DNS empty. The only DNS entry will be on the internal nic pointed to your DC (or wherever you have DNS setup). Also, make sure that the gateway entry for the internal nic is empty, not just 0.0.0.0. This will cause you issues during TMG setup if it isn't empty.
-Remember to install the appropriate certificates on the TMG server if you intend to give access to OWA, activesync, etc. The certifcate is the one that you will export from the exchange CAS/Hub server after you have gone through the New Exchange certificate wizard on that server. The certificate needs to be installed in both the local computers "personal" and "trusted authority" to work for TMG.
-Turn off the "externally secured" checkbox under the advanced tab in the Listener for the "Internal_Mail_Servers" Properties under SMTP Routes in TMG. Make sure that TLS, Basic and Exchange Server authentication is checked. I couldn't get any email in or out of my system till this was unchecked.
-Make sure that your OWA on the CAS/Hub is not being authenticated with forms. You are using forms authentication at the TMG and you can't have it active on both.
-When you setup your Exchange Web Client Access rules for OWA, Activesync and Outlook Anywhere, your "To" tab should have the FQDN of your external site in both the "This rule applies to this published site" AND the "Computer name or IP address" boxes. You setup your internal DNS previously, to look for that FQDN on your Exchange CAS/Hub so it will point to the internalserver.
-Setup the ActiveSync, OWA and Outlook Anywhere authentication method as Basic.
-Don't forget to setup an edge subscription using the TMG wizard on the "E-Mail Policy" section of TMG. Copy the resulting XML to the CAS/HUB AFTER you have setup your Exchange Certificate using the new certificate wizard and assigned services to it.
-Use the MS Exchange test site to troubleshoot your setup: https://www.testexchangeconnectivity.com
-Install rollups for Exchange using ONLY an elevated command line. Rollups take forever when they are "building net assemblies". Just be patient. You can hurry up the install by disabling the check for certificate revocation, but I would advise not doing that.
-For the edge transport to work, BOTH the edge and the HUB/CAS need to have the same rollups installed.
For the Exchange Hub/CAS server
-Make sure that you have installed all the prerequisite roles and services needed for the CAS/HUB. This is outlined here: http://msunified.net/2009/10/30/exchange-2010-prerequisites-on-server-2008-r2/
-Go through the New Exchange Certificate wizard immediately. Here is a good overview of the Wizard:http://technet.microsoft.com/en-us/exchange/ee890058.aspx
-When you are adding the extra CNs to the certificate, make sure that you include your FQDN's for the internal and external. Remember to put your autodiscovers in there to.
-If you want to get up and going quick, install a Certificate Authority locally and use that to fufill the request file that you generate from the New Exchange Certificate wizard. I installed the MS CA on my DC and used that. It worked fine.
-Remember to assign the proper services to the certificate including smtp, web, imap, etc...
-Don't delete your old exchange certificate on the HUB/CAS
-Make sure that you use the exchange powershell to start the edge synchronization after you have installed the edge sub from the edge server.
Hope this helps!
-Alex-
As a note from someone who has just gone through setting up a new domain (windows 2008r2) with Exchange 2010 AND TMG, there are several things that I found would have speeded up my new Domain/Exchange installation immensely:
For All 2008R2 servers involved:
- Every server should without pause be patched fully before installing any other roles beyond the most basic.
-Make sure that if you setting up a split domain, you add a forward lookup zone on your DNS server that points to your Exchange server with it's external FQDN.
-IF you are using server 2008R2 you don't need to disable IPV6 on the servers. I don't think that disabling will impede anything, but leaving it on doesn't hurt either. Don't know if this is true with 2008 servers.
For The Edge Server with TMG:
-If you are going to have your edge server also host TMG, then make sure you install everything in the correct order: Exchange/Edge first, then Forefront Protection for Exchange, then TMG. Installing out of order can cause alot of headaches.
-Make sure that you remember to put an Outbound DNS Allow rule on TMG first thing so that your domain has Internet access.
-If you are using dual nics for the TMG setup (one internal/one external) remember to leave the external NIC DNS empty. The only DNS entry will be on the internal nic pointed to your DC (or wherever you have DNS setup). Also, make sure that the gateway entry for the internal nic is empty, not just 0.0.0.0. This will cause you issues during TMG setup if it isn't empty.
-Remember to install the appropriate certificates on the TMG server if you intend to give access to OWA, activesync, etc. The certifcate is the one that you will export from the exchange CAS/Hub server after you have gone through the New Exchange certificate wizard on that server. The certificate needs to be installed in both the local computers "personal" and "trusted authority" to work for TMG.
-Turn off the "externally secured" checkbox under the advanced tab in the Listener for the "Internal_Mail_Servers" Properties under SMTP Routes in TMG. Make sure that TLS, Basic and Exchange Server authentication is checked. I couldn't get any email in or out of my system till this was unchecked.
-Make sure that your OWA on the CAS/Hub is not being authenticated with forms. You are using forms authentication at the TMG and you can't have it active on both.
-When you setup your Exchange Web Client Access rules for OWA, Activesync and Outlook Anywhere, your "To" tab should have the FQDN of your external site in both the "This rule applies to this published site" AND the "Computer name or IP address" boxes. You setup your internal DNS previously, to look for that FQDN on your Exchange CAS/Hub so it will point to the internalserver.
-Setup the ActiveSync, OWA and Outlook Anywhere authentication method as Basic.
-Don't forget to setup an edge subscription using the TMG wizard on the "E-Mail Policy" section of TMG. Copy the resulting XML to the CAS/HUB AFTER you have setup your Exchange Certificate using the new certificate wizard and assigned services to it.
-Use the MS Exchange test site to troubleshoot your setup: https://www.testexchangeconnectivity.com
-Install rollups for Exchange using ONLY an elevated command line. Rollups take forever when they are "building net assemblies". Just be patient. You can hurry up the install by disabling the check for certificate revocation, but I would advise not doing that.
-For the edge transport to work, BOTH the edge and the HUB/CAS need to have the same rollups installed.
For the Exchange Hub/CAS server
-Make sure that you have installed all the prerequisite roles and services needed for the CAS/HUB. This is outlined here: http://msunified.net/2009/10/30/exchange-2010-prerequisites-on-server-2008-r2/
-Go through the New Exchange Certificate wizard immediately. Here is a good overview of the Wizard:http://technet.microsoft.com/en-us/exchange/ee890058.aspx
-When you are adding the extra CNs to the certificate, make sure that you include your FQDN's for the internal and external. Remember to put your autodiscovers in there to.
-If you want to get up and going quick, install a Certificate Authority locally and use that to fufill the request file that you generate from the New Exchange Certificate wizard. I installed the MS CA on my DC and used that. It worked fine.
-Remember to assign the proper services to the certificate including smtp, web, imap, etc...
-Don't delete your old exchange certificate on the HUB/CAS
-Make sure that you use the exchange powershell to start the edge synchronization after you have installed the edge sub from the edge server.
Hope this helps!
-Alex-
http://technet.microsoft.com/en-us/library/aa995942.aspx
You should use certificate with multiple host names.