Solved

TMG & Exchange 2007

Posted on 2010-09-23 | 26 Comments | 1,075 Views | Last Modified: 2012-05-10
Hi Experts,

I'm trying to get Outlook Anywhere working with TMG Standard.

I have TMG installed with only the default rules using the following configuration:

Internal NIC
External NIC

Default route is on the External NIC and static routes back to the Internal network. I can connect to the Internet etc, all working.

I am trying to publish our Exchange CAS server to the Internet using the TMG.

I have gone through the wizard to publish OWA using the actual Exchange wizard; however, this does not seem to allow me to use Outlook Anywhere for this?

Also, as part of publishing OWA using TMG, when connecting to the web site, the first page comes up as the Exchange 2010 Outlook Web App, then I type in my credentials and then the page refreshes and changes to the Exchange 2007 OWA and users can then login. Is this meant to happen?


I have also tried publishing OWA using a standard website publishing rule, which would be fine; however, I am still unable to get Outlook Anywhere to work. I thought it was just fine to publish 443 of the correct IP and this should all just work?

Can someone help me with a few quick instructions please?
Also, what type of authentication is TMG meant to do to the Exchange server?

Thanks.

0
Question by:MarkMichael
26 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33743629
On the publishing rule, under the Paths section, you need to remove all the paths that are in there and replace them with /*

As for the double login you need to change the properties of the OWA virtual directory using the Exchange Management Console under Server configuration and Client Access.  Right click OWA and select properties and make sure that basic and integrated authentication are checked (not forms based authentication)
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33744196
Ah, OK.

I'll give that a go.

Does this stop OWA from using forms based authentication internally for users without Outlook?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33744868
Yes it will, but it will log them in automatically as it's using integrated authentication.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33744998
One last thing. What Authentication Delegation in TMG should I set up for this?

No delegation, but client may authenticate directly?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33745310
It would be basic to match the CAS server.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33745493
Perfect. OWA works perfectly fine with a TMG page of Exchange 2010.
Is there a way to change this to the feel and look of OWA instead of Outlook Web App?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33745599
Unfortunately not.  This is the OWA login for FTMG.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33745738
OK.

I'm trying to connect to the auto discovery services.

When I try to connect to https://autodiscover.company.com/autodiscover.autodiscover.xml I get redirected back to the FTMG start page.

Is there something in FTMG I need to change to allow autodiscover through?

I've configured the public names to allow connectivity on this like you said earlier.

I've removed all paths and allowed /*
I've also added not only

exchange.customer.com
but also
autodiscover.customer.com

As I'm using a SAN on a server with a single IP for the CAS.

Is there something I need to adjust to allow autodiscover through?
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33764950
No further advice?

Looks like the FF login page is coming up when trying to go to the autodiscover URL. So, looks like that part is requiring authentication too.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33764983
Sorry, I missed the notification for your last comment.

I will have access to an FTMG server tomorrow so will check it out for you then.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33818853
Hi again.

Any further update on this please?

Thanks again.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33819390
Have you enabled Outlook Anywhere on your Exchange server?

Go to testexchangeconnectivity.com, run an Outlook Anywhere test and post the results.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33820955
Hi,

Thanks for your reply.

Here are the results you requested:

--

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>Test-OwaConnectivity | fl


AuthenticationMethod   : WindowsIntegrated
ClientAccessServer     : EXCHCAS.domain.local
Scenario               : Logon
ScenarioDescription    : Log on to Outlook Web Access and verify the response page.
PerformanceCounterName : Logon Latency
Result                 : Success
MailboxServer          : EXCHMB.domain.local
StartTime              : 04/10/2010 10:23:59
Latency                : 00:00:00.0624992
SecureAccess           : True
Error                  :
UserName               : CAS_cf4a005add6045aa
VirtualDirectoryName   : owa (Default Web Site)
Url                    : https://exchange.capcolondon.com/owa/
UrlType                : Internal
EventType              : Success
Port                   : 0
ConnectionType         : Plaintext

However, when I ran the test the first time, it didn't respond for 30 seconds and reported an issue.
When I instantly re-ran the test, it went through fine and has run fine every time since.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33821089
Actually I meant http://www.testexchangeconnectivity.com
Thanks
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33821340
ExRCA is testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.

  Test Steps
    Attempting to test Autodiscover for elinia@capcolondon.com
      Autodiscover was tested successfully.

      Test Steps
        Autodiscover settings for Outlook Anywhere are being validated.
          Outlook Anywhere Autodiscover Settings validated
        Attempting to resolve the host name exchange.capcolondon.com in DNS.
          Host successfully resolved

        Additional Details
        Testing TCP Port 443 on host exchange.capcolondon.com to ensure it is listening and open.
          The port was opened successfully.
        ExRCA is testing the SSL certificate to make sure it's valid.
          The certificate passed all validation requirements.

        Test Steps
        The IIS configuration is being checked for client certificate authentication.
          Client certificate authentication wasn't detected.

        Additional Details
        Testing Http Authentication Methods for URL https://exchange.capcolondon.com/rpc/rpcproxy.dll
          The HTTP authentication test failed.
          Tell me more about this issue and how to resolve it

        Additional Details

All passed except the RPC check.

I have also changed my OWA settings to use basic or NTLM, both still fail on this test.

Since I am using TMG, is this always going to fail?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33821349
Do you mind providing me with a screenshot of your listener settings? It looks like there is something wrong.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33821626
Here are the screenies of not only the listener, but the rule too.


screen1.JPG
screen2.JPG
screen3.JPG
screen4.JPG
screen5.JPG
screen6.JPG
screen7.jpg
0
 
LVL 49

Accepted Solution

by:Akhater (earned 500 total points)
ID: 33821681
Thank you for this.

1. What do you have in authentication delegation?
2. I know you have been told to do so, but I don't like the /* in the paths; IMHO it is not a good way to do it.
Replace it with
/rpc/*
/OAB/*
/ews/*
/AutoDiscover/*
and click on "Test Rule" and give me the result.


3. Run Get-AutodiscoverVirtualDirectory | fl *auth* on your Exchange server and give me the results.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33821880
1. Authentication Delegation is set to 'Basic Authentication'


2.
I've now replaced the /* with each subdirectory as you mentioned.

Here is my autodiscovery directory output:


[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | fl *auth*


InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

---

After replacing the /* with each individual subdirectory, I noticed OAB wasn't allowing Basic Authentication. I enabled this in IIS and restarted it.

The error for that has now gone and the Exchange Connectivity check works fine. I'm about to test this from a workstation on a standalone adsl connection.
0
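Added example (not from the thread, and not Microsoft's code) for the check the last two posts did by hand: TMG delegates "Basic Authentication", so every virtual directory behind the four Outlook Anywhere paths (/rpc/*, /OAB/*, /ews/*, /AutoDiscover/*) must accept Basic on the CAS, and OAB is the one that was found not to. Run it in the Exchange Management Shell. It assumes Exchange 2007 SP1 or later, the -Server parameter on these Get-* cmdlets, and the BasicAuthentication / WindowsAuthentication properties the page shows for the Autodiscover directory; the CAS name EXCHCAS is taken from the Test-OwaConnectivity output above.

```powershell
# Added example, not the thread's or Microsoft's code. Lists the auth methods of every
# virtual directory behind the Outlook Anywhere paths and flags any that do not accept
# Basic, which is what TMG is delegating. Assumptions: Exchange 2007 SP1+, -Server on
# these cmdlets, BasicAuthentication / WindowsAuthentication properties (shown on the
# page for Autodiscover).
param([string]$Server = "EXCHCAS")   # CAS name from the thread's output; change to yours

function Test-BasicDelegationTargets {
    param([string]$CasServer)

    # /OAB/*, /ews/*, /AutoDiscover/* are ordinary IIS virtual directories on the CAS
    $vdirs = @(
        Get-OabVirtualDirectory          -Server $CasServer
        Get-WebServicesVirtualDirectory  -Server $CasServer
        Get-AutodiscoverVirtualDirectory -Server $CasServer
    )

    foreach ($v in $vdirs) {
        $basic = $v.BasicAuthentication
        $state = "MISSING"                                 # Basic is off: TMG delegation will fail here
        if ($basic -eq $null) { $state = "UNKNOWN" }       # property not exposed by this version
        if ($basic -eq $true) { $state = "OK" }
        "{0,-8} Basic  {1}  (Windows auth: {2})" -f $state, $v.Identity, $v.WindowsAuthentication
    }

    # /rpc/* is the RPC-over-HTTP proxy; its authentication lives on the Outlook Anywhere
    # object rather than on a virtual directory, so show whatever *Auth* properties exist.
    Get-OutlookAnywhere -Server $CasServer | Format-List Identity, ExternalHostname, *Auth*
}

Test-BasicDelegationTargets -CasServer $Server
```

Any directory reported as MISSING is the situation the OAB directory was in above: enable Basic on it (in IIS Manager, as the thread did) and restart IIS, then re-run the Exchange Connectivity test. A Windows-only directory is not wrong in itself; it is only wrong while the TMG rule in front of it delegates Basic.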
 
LVL 49

Expert Comment

by:Akhater
ID: 33821892
The directories I gave you are only for RPC/HTTP (Outlook Anywhere); you should create other rules for OWA and ActiveSync using the wizard.

Is testexchangeconnectivity.com now passing?
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33821926
Confirmed!

Your help was excellent!

Thank you very much.

I will also have to give a few of the points to dez too, as his part helped me get the OWA page up to start with.

Cheers all!
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33821931
You are welcome, glad I was of help.
0
 
LVL 15

Author Comment

by:MarkMichael
ID: 33821936
I spoke too soon.

I will create the rules using the wizard for the rest.
Does this mean I need a new listener?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33821947
No, you won't need a new listener at all, just other paths.

Make sure to add autodiscover to the public names of the RPC rule.
0
 
LVL 49

Assisted Solution

by:Akhater (earned 500 total points)
ID: 33821973
If you want to add all the paths to the same rule you can:

/public/*
/OWA/*
/Exchange/*
/ecp/*
for OWA

and
/Microsoft-Server-ActiveSync/*
for activesync

0
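Added example (not from the thread, and not Microsoft's or ExRCA's code) covering the full set of paths from the two rule layouts above. Run from a machine outside TMG; it sends an anonymous GET to each published path and reports the status code, the WWW-Authenticate challenge and any redirect, which is the check ExRCA's "Http Authentication Methods" step performs, and it shows the autodiscover symptom described earlier (a redirect to the TMG forms page instead of a 401 Basic challenge). The hostname and paths are taken from the thread; the function and parameter names are this example's own, and it uses only System.Net.HttpWebRequest so it runs on the PowerShell 2.0 of the period.

```powershell
# Added example, not the thread's code. Anonymous probe of each published path to see
# which authentication challenge, if any, TMG presents. Hostname/paths from the thread.
param([string]$HostName = "exchange.capcolondon.com")

# Paths from the two rule layouts in the thread, with the file each client actually requests.
$paths = @(
    "/rpc/rpcproxy.dll",                # Outlook Anywhere: expect 401 with a Basic challenge
    "/OAB/",                            # offline address book
    "/ews/exchange.asmx",               # Exchange Web Services
    "/AutoDiscover/AutoDiscover.xml",   # must not be sent to the forms login page
    "/owa/",                            # TMG forms-based login is expected here
    "/Microsoft-Server-ActiveSync/"     # ActiveSync, also Basic
)

function Get-PublishedPathChallenge {
    param([string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false      # we want to see a 302 to the forms page, not follow it
    $req.UserAgent = "PublishingCheck/1.0"
    $req.Timeout = 15000

    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403/404 arrive as exceptions; the response object is still attached
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
        $resp = $ex.Response
        if ($resp -eq $null) {
            return New-Object PSObject -Property @{ Url = $Url; Status = "ERR"; Challenge = $ex.Message; Location = "" }
        }
    }

    $challenge = "(none)"
    $values = $resp.Headers.GetValues("WWW-Authenticate")   # $null when no challenge was sent
    if ($values) { $challenge = [string]::Join(" | ", $values) }

    $result = New-Object PSObject -Property @{
        Url       = $Url
        Status    = [int]$resp.StatusCode
        Challenge = $challenge
        Location  = [string]$resp.Headers["Location"]
    }
    $resp.Close()
    return $result
}

$paths | ForEach-Object { Get-PublishedPathChallenge ("https://" + $HostName + $_) } |
    Select-Object Url, Status, Challenge, Location | Format-Table -AutoSize -Wrap
```

Reading the table: /rpc/rpcproxy.dll, /OAB/, /ews/ and /AutoDiscover/ should each come back 401 with a challenge that includes Basic, matching the rule's Basic delegation; /owa/ is expected to land on the TMG forms login. A 302 whose Location is the forms page on any of the first four means that path is not covered by the RPC rule (or its public names lack the autodiscover name), which is the fix Akhater gives above; a 401 that offers only NTLM or Negotiate means the CAS directory behind it does not accept Basic, the OAB case from earlier in the thread.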
 
LVL 15

Author Closing Comment

by:MarkMichael
ID: 33947306
Thanks for all your help.
0
