Solved

TMG & Exchange 2007

Posted on 2010-09-23
Last Modified: 2012-05-10
Hi Experts,

I'm trying to get Outlook Anywhere working with TMG Standard.

I have TMG installed with only the default rules using the following configuration:

Internal NIC
External NIC

Default route is on the External NIC and static routes back to the Internal network. I can connect to the Internet etc, all working.

I am trying to publish our Exchange CAS server to the Internet using the TMG.

I have gone through the wizard to publish OWA using the actual Exchange Wizard, however this does not seem to allow me to use Outlook Anywhere for this?

Also, as part of publishing OWA using TMG, when connecting to the web site, the first page comes up as the Exchange 2010 Outlook Web App, then I type in my credentials and then the page refreshes and changes to the Exchange 2007 OWA and users can then login. Is this meant to happen?


I have also tried publishing OWA using a standard website publishing rule, which would be fine; however, I am still unable to get Outlook Anywhere to work. I thought it was fine to just publish 443 of the correct IP and this should all just work?

Can someone help me with a few quick instructions please?
Also, what type of authentication is TMG meant to do to the Exchange server?

Thanks.

Question by: MarkMichael

26 Comments

Expert Comment by Glen Knight (LVL 74):
On the publishing rule, under the Paths section, you need to remove all the paths that are in there and replace them with /*

As for the double login, you need to change the properties of the OWA virtual directory using the Exchange Management Console under Server Configuration and Client Access. Right click OWA, select Properties and make sure that Basic and Integrated authentication are checked (not forms-based authentication).

Author Comment by MarkMichael (LVL 15):
Ah, Ok.

I'll give that a go.

Does this stop OWA from using forms based authentication internally for users without Outlook?

Expert Comment by Glen Knight (LVL 74):
Yes it will, but it will log them in automatically as it's using integrated authentication.

Author Comment by MarkMichael (LVL 15):
one last thing. What Authentication Delegation in TMG should I set up for this?

No delegation, but client may authenticate directly?

Expert Comment by Glen Knight (LVL 74):
It would be basic to match the CAS server.

Author Comment by MarkMichael (LVL 15):
Perfect. OWA works perfectly fine with a TMG page of Exchange 2010.
Is there a way to change this to the feel and look of OWA instead of Outlook Web App?

Expert Comment by Glen Knight (LVL 74):
Unfortunately not.  This is the OWA login for FTMG.

Author Comment by MarkMichael (LVL 15):
Ok.

I'm trying to connect to the auto discovery services.

When I try to connect to https://autodiscover.company.com/autodiscover.autodiscover.xml I get redirected back to the FTMG start page.

Is there something in FTMG I need to change to allow autodiscover through?

I've configured the public names to allow connectivity on this like you said earlier.

I've removed all paths and allowed /*
I've also added not only

exchange.customer.com
but also
autodiscover.customer.com

As I'm using a SAN on a server with a single IP for the CAS.

Is there something I need to adjust to allow autodiscover through?

Author Comment by MarkMichael (LVL 15):
No further advice?

Looks like the FF login page is coming up when trying to go to the autodiscover URL. So, looks like that part is requiring authentication too.

Expert Comment by Glen Knight (LVL 74):
Sorry, I missed the notification for your last comment.

I will have access to an FTMG server tomorrow so will check it out for you then.

Author Comment by MarkMichael (LVL 15):
Hi again.

Any further update on this please?

Thanks again.

Expert Comment by Akhater (LVL 49):
Have you enabled Outlook Anywhere on your Exchange server?

Go to testexchangeconnectivity.com, run an Outlook Anywhere test and post the results.

Author Comment by MarkMichael (LVL 15):
Hi,

Thanks for your reply.

Here are the results you requested:

--

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>Test-OwaConnectivity | fl


AuthenticationMethod   : WindowsIntegrated
ClientAccessServer     : EXCHCAS.domain.local
Scenario               : Logon
ScenarioDescription    : Log on to Outlook Web Access and verify the response page.
PerformanceCounterName : Logon Latency
Result                 : Success
MailboxServer          : EXCHMB.domain.local
StartTime              : 04/10/2010 10:23:59
Latency                : 00:00:00.0624992
SecureAccess           : True
Error                  :
UserName               : CAS_cf4a005add6045aa
VirtualDirectoryName   : owa (Default Web Site)
Url                    : https://exchange.capcolondon.com/owa/
UrlType                : Internal
EventType              : Success
Port                   : 0
ConnectionType         : Plaintext

However, when I ran the test the first time, it didn't respond for 30 secs and reported an issue.
When I instantly re-ran the test, it went through fine, and it runs fine every time from now on.

Expert Comment by Akhater (LVL 49):
Actually I meant http://www.testexchangeconnectivity.com
Thanks

Author Comment by MarkMichael (LVL 15):
ExRCA is testing RPC/HTTP connectivity.
       The RPC/HTTP test failed.
       
      Test Steps
       
      Attempting to test Autodiscover for elinia@capcolondon.com
       Autodiscover was tested successfully.
       
      Test Steps
      Autodiscover settings for Outlook Anywhere are being validated.
       Outlook Anywhere Autodiscover Settings validated
      Attempting to resolve the host name exchange.capcolondon.com in DNS.
       Host successfully resolved
       
      Additional Details
      Testing TCP Port 443 on host exchange.capcolondon.com to ensure it is listening and open.
       The port was opened successfully.
      ExRCA is testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
      The IIS configuration is being checked for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
      Testing Http Authentication Methods for URL https://exchange.capcolondon.com/rpc/rpcproxy.dll
       The HTTP authentication test failed.
        Tell me more about this issue and how to resolve it
       
      Additional Details


All passed except the RPC check.

I have also changed my OWA settings to use basic or NTLM, both still fail on this test.

Since I am using TMG, is this always going to fail?

Expert Comment by Akhater (LVL 49):
Do you mind providing me with a screenshot of your listener settings? It looks like there is something wrong.

Author Comment by MarkMichael (LVL 15):
Here are the screenies of not only the listener, but the rule too.


screen1.JPG
screen2.JPG
screen3.JPG
screen4.JPG
screen5.JPG
screen6.JPG
screen7.jpg

Accepted Solution by Akhater (LVL 49, earned 500 total points):
Thank you for this.

1. What do you have in authentication delegation?
2. I know you have been told to do so, but I don't like the /* in the paths; IMHO it is not a good way to do it.
Replace it with
/rpc/*
/OAB/*
/ews/*
/AutoDiscover/*
and click on Test Rule and give me the result.

3. Run Get-AutodiscoverVirtualDirectory | fl *auth* on your Exchange server and give me the results.

Author Comment by MarkMichael (LVL 15):
1. Authentication Delegation is set to 'Basic Authentication'


2.
I've now replaced the /* with each subdirectory as you mentioned.

Here is my autodiscovery directory output:


[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | fl *auth*


InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

---

After replacing the /* with each individual subdirectory, I noticed OAB wasn't allowing Basic Authentication. I enabled this in IIS and restarted it.

The error for that has now gone and the Exchange Connectivity check works fine. I'm about to test this from a workstation on a standalone adsl connection.

Expert Comment by Akhater (LVL 49):
The directories I gave you are only for RPC/HTTP (Outlook Anywhere); you should recreate other rules for OWA and ActiveSync using the wizard.

Is testexchangeconnectivity.com now passing?

Author Comment by MarkMichael (LVL 15):
Confirmed!

Your help was excellent!

Thank you very much.

I will also have to give a few of the points to dez too, as his part helped me get the OWA page up to start with.

Cheers all!

Expert Comment by Akhater (LVL 49):
You are welcome, glad I was of help.

Author Comment by MarkMichael (LVL 15):
I spoke too soon.

I will create the rules using the wizard for the rest.
Does this mean I need a new listener?

Expert Comment by Akhater (LVL 49):
No, you won't need a new listener at all, just other paths.

Make sure to add autodiscover to the public names of the RPC rule.

Assisted Solution by Akhater (LVL 49, earned 500 total points):
If you want to add all the paths to the same rule, you can:

/public/*
/OWA/*
/Exchange/*
/ecp/*
for OWA

and
/Microsoft-Server-ActiveSync/*
for activesync
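
As an added example (not code from this thread, and not a Microsoft tool), here is an Exchange 2007 Management Shell function that checks the paths listed in the accepted and assisted solutions against the CAS before you click Test Rule in TMG. For each published path it fetches the virtual directory behind it and reports whether Basic authentication is enabled there, since a TMG rule whose authentication delegation is Basic needs Basic accepted by every directory it publishes (the OAB directory was the one missing it in this thread); it also flags forms-based authentication on OWA, which causes the double login described at the top, and an Outlook Anywhere external hostname that differs from the rule's public name. The function name Test-PublishedPathAuth is made up here; the script assumes default virtual-directory names, that it runs on the CAS itself, and the public name used in the thread.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell on the
# published CAS. Assumptions: default virtual-directory names, local machine is the CAS,
# and the public name below matches the TMG rule. Function name is made up here.

function Test-PublishedPathAuth {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [string]$PublicName = 'exchange.capcolondon.com'   # public name on the TMG rule
    )

    # TMG publishing path -> cmdlet that returns the virtual directory behind it
    $map = @(
        @{ Path = '/rpc/*';                         Get = { Get-OutlookAnywhere -Server $Server } }
        @{ Path = '/OAB/*';                         Get = { Get-OabVirtualDirectory -Server $Server } }
        @{ Path = '/ews/*';                         Get = { Get-WebServicesVirtualDirectory -Server $Server } }
        @{ Path = '/AutoDiscover/*';                Get = { Get-AutodiscoverVirtualDirectory -Server $Server } }
        @{ Path = '/OWA/*';                         Get = { Get-OwaVirtualDirectory -Server $Server } }
        @{ Path = '/Microsoft-Server-ActiveSync/*'; Get = { Get-ActiveSyncVirtualDirectory -Server $Server } }
    )

    foreach ($entry in $map) {
        foreach ($vdir in @(& $entry.Get)) {
            $props = $vdir.PSObject.Properties

            # Outlook Anywhere exposes its IIS methods as a collection (SP1+) or, on
            # older builds, only as ClientAuthenticationMethod; the other vdirs use
            # a plain BasicAuthentication boolean.
            if ($props['IISAuthenticationMethods']) {
                $methods = @($vdir.IISAuthenticationMethods | ForEach-Object { "$_" })
                $basic = $methods -contains 'Basic'
            } elseif ($props['ClientAuthenticationMethod']) {
                $basic = ("$($vdir.ClientAuthenticationMethod)" -eq 'Basic')
            } else {
                $basic = [bool]$vdir.BasicAuthentication
            }

            # Only the OWA vdir has FormsAuthentication; treat absence as off
            $forms = $false
            if ($props['FormsAuthentication']) { $forms = [bool]$vdir.FormsAuthentication }

            $problems = @()
            if (-not $basic) { $problems += 'Basic authentication disabled; TMG Basic delegation will fail' }
            if ($forms)      { $problems += 'Forms-based authentication on; expect a double login through TMG' }
            if ($props['ExternalHostname'] -and ("$($vdir.ExternalHostname)" -ne $PublicName)) {
                $problems += "ExternalHostname '$($vdir.ExternalHostname)' differs from public name '$PublicName'"
            }

            # Build a row the PS 1.0/2.0 way so it works in the 2007 shell
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Path $entry.Path
            $row | Add-Member NoteProperty VirtualDirectory $vdir.Name
            $row | Add-Member NoteProperty BasicAuth $basic
            $row | Add-Member NoteProperty Status $(if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' })
            $row
        }
    }
}

# Usage: review the table, then fix any flagged directory, for example the OAB one:
#   Set-OabVirtualDirectory -Identity 'EXCHCAS\OAB (Default Web Site)' -BasicAuthentication $true
Test-PublishedPathAuth | Format-Table -AutoSize
```

Anything other than OK in the Status column is the same class of mismatch that made the ExRCA RPC/HTTP authentication step fail above: TMG delegates Basic to the CAS, so every path on the rule must land on a directory that accepts it. Re-run the function after each Set-*VirtualDirectory change and an iisreset, then re-test from testexchangeconnectivity.com.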


Author Closing Comment by MarkMichael (LVL 15):
Thanks for all your help.