Solved

Publishing Exchange 2007 OWA using NTLM with Forefront TMG?

Posted on 2010-08-26
10
1,045 Views
Last Modified: 2012-06-21
Is there any benefit to making a separate rule for OWA in TMG so that NTLM can be used for authentication from the TMG server to the CAS?  This article suggests it when using ISA 2006, but I haven't been able to tell any difference and security shouldn't be an issue since we use SSL: http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part6.html 
0
Comment
Question by:mbromb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
10 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33536732
Tom is as good a source of info on this subject as any - and, now that he works for Microsoft in the Forefront team - he is well worth listening to. If he is unsure of the reasoning - but states it needs doing - then it ceases to be a question of benefit and moves into the 'what screws up if I don't do it that way' territory.

Again - he states he is not sure why it has to be done and if he doesn't know, given his access to the developers, then I doubt we will be able to give a rationale for it either.



0
 

Accepted Solution

by:
mbromb earned 0 total points
ID: 33536755
I'm just rereading the following MS articles.  I think it's making more sense to me now.

http://technet.microsoft.com/en-us/library/bb794751.aspx#AppendixD
http://technet.microsoft.com/en-us/library/bb232199(EXCHG.80).aspx
0
 

Author Closing Comment

by:mbromb
ID: 33536875
Good Explanations in these articles
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 3

Expert Comment

by:aymanq
ID: 33536881
No benefit at all

YOu will still have to use FBA from outside , and between ISA and CAS is SSL as you say so there is no extra security feature, the article was just to illustrate this ability
0
 

Author Comment

by:mbromb
ID: 33536900
Well, if TMG is handling the authentication for you, and it is using NTLM then I would think you would get the benefit of NTLM even if using froms-based.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33539288
I see you have accepted your own answer so therefore no further input is required.
0
 

Author Comment

by:mbromb
ID: 33542709
I would be willing to talk to the moderators or do what I can to give away the points if my answer is incomplete.  the documents state the benefits, and it seems they apply with ISA or TMG when publishing Exchange, but if I've got that wrong then that's a better answer.  If using forms-based on the listener nullifies using NTLM for delegation I would like to know.
0
 
LVL 3

Expert Comment

by:aymanq
ID: 33548708
I still beleive that using NTLM over SSL channel is same as using Basic authentication over SSL from security perspective.

You wont be required to enter your password again as ISA or TMG will use your password entered through FBA and use it against internal OWA VD.

The only thing I can see is if you didnt enable OWA Virtual Directory fro basic authentication "enabled by default" then you will need to use Integrated Windows Authentication delegation only.
0
 

Author Comment

by:mbromb
ID: 33558964
From a security perspective I agree, but I wanted to know the difference from a functional perspective.   According to the articles i posted above, there are additional functiona available using NTLM as the delegation auth.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question