MarkMichael

asked on

TMG & Exchange 2007

Hi Experts,

I'm trying to get Outlook Anywhere working with TMG Standard.

I have TMG installed with only the default rules using the following configuration:

Internal NIC
External NIC

Default route is on the External NIC and static routes back to the Internal network. I can connect to the Internet etc, all working.

I am trying to publish our Exchange CAS server to the Internet using the TMG.

I have gone through the wizard to publish OWA using the actual Exchange Wizard, however this does not seem to allow me to use Outlook Anywhere for this?

Also, as part of publishing OWA using TMG, when connecting to the web site, the first page comes up as the Exchange 2010 Outlook Web App, then I type in my credentials and then the page refreshes and changes to the Exchange 2007 OWA and users can then login. Is this meant to happen?


I have also tried publishing OWA using a standard website publishing rule, which would be fine, however I am still unable to get Outlook Anywhere to work. I thought it was fine to just publish 443 on the correct IP and this should all just work?

Can someone help me with a few quick instructions please?
Also, what type of authentication is TMG meant to do to the Exchange server?

Thanks.

Glen Knight

On the publishing rule under the Paths section you need to remove all the paths that are in there and replace them with /*

As for the double login you need to change the properties of the OWA virtual directory using the Exchange Management Console under Server Configuration and Client Access. Right click OWA and select Properties and make sure that Basic and Integrated authentication are checked (not forms-based authentication).
MarkMichael (ASKER)

Ah, Ok.

I'll give that a go.

Does this stop OWA from using forms based authentication internally for users without Outlook?
Yes it will, but it will log them in automatically as it's using integrated authentication.
One last thing. What Authentication Delegation in TMG should I set up for this?

No delegation, but client may authenticate directly?
It would be basic to match the CAS server.
Perfect. OWA works perfectly fine with a TMG page of Exchange 2010.
Is there a way to change this to the feel and look of OWA instead of Outlook Web App?
Unfortunately not.  This is the OWA login for FTMG.
Ok.

I'm trying to connect to the auto discovery services.

When I try to connect to https://autodiscover.company.com/autodiscover.autodiscover.xml I get redirected back to the FTMG start page.

Is there something in FTMG I need to change to allow autodiscover through?

I've configured the public names to allow connectivity on this like you said earlier.

I've removed all paths and allowed /*
I've also added not only

exchange.customer.com
but also
autodiscover.customer.com

As I'm using a SAN on a server with a single IP for the CAS.

Is there something I need to adjust to allow autodiscover through?
No further advice?

Looks like the FF login page is coming up when trying to go to the autodiscover URL. So, looks like that part is requiring authentication too.
Sorry, I missed the notification for your last comment.

I will have access to an FTMG server tomorrow so will check it out for you then.
Hi again.

Any further update on this please?

Thanks again.
Have you enabled Outlook Anywhere on your Exchange server?

Go to testexchangeconnectivity.com and run an Outlook Anywhere test and post the results.
Hi,

Thanks for your reply.

Here are the results you requested:

--

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>Test-OwaConnectivity | fl


AuthenticationMethod   : WindowsIntegrated
ClientAccessServer     : EXCHCAS.domain.local
Scenario               : Logon
ScenarioDescription    : Log on to Outlook Web Access and verify the response page.
PerformanceCounterName : Logon Latency
Result                 : Success
MailboxServer          : EXCHMB.domain.local
StartTime              : 04/10/2010 10:23:59
Latency                : 00:00:00.0624992
SecureAccess           : True
Error                  :
UserName               : CAS_cf4a005add6045aa
VirtualDirectoryName   : owa (Default Web Site)
Url                    : https://exchange.capcolondon.com/owa/
UrlType                : Internal
EventType              : Success
Port                   : 0
ConnectionType         : Plaintext

However, when I ran the test the first time it didn't respond for 30 seconds and reported an issue.
When I instantly re-ran the test, it went through fine and has run fine every time since.
ExRCA is testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.

  Test Steps
    Attempting to test Autodiscover for elinia@capcolondon.com
      Autodiscover was tested successfully.

      Test Steps
        Autodiscover settings for Outlook Anywhere are being validated.
          Outlook Anywhere Autodiscover Settings validated
    Attempting to resolve the host name exchange.capcolondon.com in DNS.
      Host successfully resolved
    Testing TCP Port 443 on host exchange.capcolondon.com to ensure it is listening and open.
      The port was opened successfully.
    ExRCA is testing the SSL certificate to make sure it's valid.
      The certificate passed all validation requirements.
    The IIS configuration is being checked for client certificate authentication.
      Client certificate authentication wasn't detected.
    Testing Http Authentication Methods for URL https://exchange.capcolondon.com/rpc/rpcproxy.dll
      The HTTP authentication test failed.

All passed except the RPC check.

I have also changed my OWA settings to use basic or NTLM, both still fail on this test.

Since I am using TMG, is this always going to fail?
Do you mind providing me with a screenshot of your listener settings? It looks like there is something wrong.
Here are the screenshots of not only the listener, but the rule too.
ASKER CERTIFIED SOLUTION
Akhater

1. Authentication Delegation is set to 'Basic Authentication'.

2. I've now replaced the /* with each subdirectory as you mentioned.

Here is my autodiscovery directory output:


[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | fl *auth*


InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

---

After replacing the /* with each individual subdirectory, I noticed OAB wasn't allowing Basic Authentication. I enabled this in IIS and restarted it.

The error for that has now gone and the Exchange Connectivity check works fine. I'm about to test this from a workstation on a standalone ADSL connection.
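The check the asker did by hand above (and the OWA authentication change Glen Knight described earlier in the thread) can be run in one pass from the Exchange Management Shell. This is an added example, not code from the thread or from Microsoft; it assumes a 2007 CAS and that $Server is supplied by you, and it only reports, it changes nothing.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on
# an Exchange 2007 CAS; $Server is an assumed parameter, replace with your CAS name.
# With TMG delegating Basic credentials, every virtual directory the rule publishes
# must accept Basic auth, and OWA must not use forms-based auth (double login).
param([string]$Server = $env:COMPUTERNAME)

$findings = @()

# OWA: the thread's fix was Basic + Integrated enabled, forms-based disabled.
foreach ($owa in Get-OwaVirtualDirectory -Server $Server) {
    if ($owa.FormsAuthentication)      { $findings += "OWA '$($owa.Identity)': FormsAuthentication is True" }
    if (-not $owa.BasicAuthentication) { $findings += "OWA '$($owa.Identity)': BasicAuthentication is False" }
}

# Outlook Anywhere depends on /autodiscover, /ews and /oab as well as /rpc;
# the asker found OAB was the one directory without Basic auth.
$vdirs = @(
    @{ Kind = 'Autodiscover'; Items = Get-AutodiscoverVirtualDirectory -Server $Server }
    @{ Kind = 'EWS';          Items = Get-WebServicesVirtualDirectory  -Server $Server }
    @{ Kind = 'OAB';          Items = Get-OabVirtualDirectory          -Server $Server }
)
foreach ($entry in $vdirs) {
    foreach ($vd in $entry.Items) {
        if (-not $vd.BasicAuthentication) {
            $findings += "$($entry.Kind) '$($vd.Identity)': BasicAuthentication is False"
        }
    }
}

# /rpc itself: Outlook Anywhere must be enabled, and its client authentication
# method should match what TMG delegates (Basic in this thread).
$oa = Get-OutlookAnywhere -Server $Server
if (-not $oa) {
    $findings += "Outlook Anywhere is not enabled on $Server (see Enable-OutlookAnywhere)"
} elseif ($oa.ClientAuthenticationMethod -ne 'Basic') {
    $findings += "Outlook Anywhere ClientAuthenticationMethod is $($oa.ClientAuthenticationMethod), but TMG delegates Basic"
}

if ($findings.Count -eq 0) {
    Write-Host "All published virtual directories accept Basic authentication."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any warning it prints corresponds to one of the ExRCA failures discussed above; re-run testexchangeconnectivity.com after fixing the directory it names.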
The directories I gave you are only for RPC/HTTP (Outlook Anywhere); you should recreate other rules for OWA and ActiveSync using the wizard.

Is testexchangeconnectivity.com now passing?
Confirmed!

Your help was excellent!

Thank you very much.

I will also have to give a few of the points to dez too, as his part helped me get the OWA page up to start with.

Cheers all!
You are welcome, glad I was of help.
I spoke too soon.

I will create the rules using the wizard for the rest.
Does this mean I need a new listener?
No, you won't need a new listener at all, just other paths.

Make sure to add autodiscover to the public names of the RPC rule.
SOLUTION
Thanks for all your help.