• Status: Solved

TMG & Exchange 2007

Hi Experts,

I'm trying to get Outlook Anywhere working with TMG Standard.

I have TMG installed with only the default rules using the following configuration:

Internal NIC
External NIC

Default route is on the External NIC and static routes back to the Internal network. I can connect to the Internet etc, all working.

I am trying to publish our Exchange CAS server to the Internet using the TMG.

I have gone through the wizard to publish OWA using the actual Exchange Wizard, however this does not seem to allow me to use Outlook Anywhere for this?

Also, as part of publishing OWA using TMG, when connecting to the web site, the first page comes up as the Exchange 2010 Outlook Web App, then I type in my credentials and then the page refreshes and changes to the Exchange 2007 OWA and users can then login. Is this meant to happen?


I have also tried publishing OWA using a standard website publishing rule, which would be fine, however I am still unable to get Outlook Anywhere to work, I thought it was just fine to publish 443 of the correct IP and this should all just work?

Can someone help me with a few quick instructions please?
Also, what type of authentication is TMG meant to do to the Exchange server?

Thanks.

Asked by: MarkMichael

Glen Knight Commented:
On the publishing rule under the Paths section you need to remove all the paths that are in there and replace them with /*

As for the double login you need to change the properties of the OWA virtual directory using the Exchange Management Console under Server configuration and Client Access.  Right click OWA and select properties and make sure that basic and integrated authentication are checked (not forms based authentication)

MarkMichael (Author) Commented:
Ah, Ok.

I'll give that a go.

Does this stop OWA from using forms based authentication internally for users without Outlook?

Glen Knight Commented:
yes it will but it will log them in automatically as it's using integrated authentication
 
MarkMichael (Author) Commented:
one last thing. What Authentication Delegation in TMG should I set up for this?

No delegation, but client may authenticate directly?

Glen Knight Commented:
It would be basic to match the CAS server.

MarkMichael (Author) Commented:
Perfect. OWA works perfectly fine with a TMG page of Exchange 2010.
Is there a way to change this to the feel and look of OWA instead of Outlook Web App?

Glen Knight Commented:
Unfortunately not.  This is the OWA login for FTMG.

MarkMichael (Author) Commented:
Ok.

I'm trying to connect to the auto discovery services.

When I try to connect to https://autodiscover.company.com/autodiscover.autodiscover.xml I get redirected back to the FTMG start page.

Is there something in FTMG I need to change to allow autodiscover through?

I've configured the public names to allow connectivity on this like you said earlier.

I've removed all paths and allowed /*
I've also added not only

exchange.customer.com
but also
autodiscover.customer.com

As I'm using a SAN on a server with a single IP for the CAS.

Is there something I need to adjust to allow autodiscover through?

MarkMichael (Author) Commented:
No further advice?

Looks like the FF login page is coming up when trying to go to the autodiscover URL. So, looks like that part is requiring authentication too.

Glen Knight Commented:
Sorry, I missed the notification for your last comment.

I will have access to an FTMG server tomorrow so will check it out for you then.

MarkMichael (Author) Commented:
Hi again.

Any further update on this please?

Thanks again.

Akhater Commented:
Have you enabled Outlook Anywhere on your Exchange server?

Go to testexchangeconnectivity.com and run an Outlook Anywhere test and post the results

MarkMichael (Author) Commented:
Hi,

Thanks for your reply.

Here are the results you requested:

--

[PS] C:\Program Files\Microsoft\Exchange Server\Scripts>Test-OwaConnectivity | fl


AuthenticationMethod   : WindowsIntegrated
ClientAccessServer     : EXCHCAS.domain.local
Scenario               : Logon
ScenarioDescription    : Log on to Outlook Web Access and verify the response page.
PerformanceCounterName : Logon Latency
Result                 : Success
MailboxServer          : EXCHMB.domain.local
StartTime              : 04/10/2010 10:23:59
Latency                : 00:00:00.0624992
SecureAccess           : True
Error                  :
UserName               : CAS_cf4a005add6045aa
VirtualDirectoryName   : owa (Default Web Site)
Url                    : https://exchange.capcolondon.com/owa/
UrlType                : Internal
EventType              : Success
Port                   : 0
ConnectionType         : Plaintext

However, when I ran the test the first time, it didn't respond for 30 secs and reported an issue.
When I instantly re-ran the test, it went through fine and runs every time fine from now on.

Akhater Commented:
Actually i meant http://www.testexchangeconnectivity.com 
Thanks

MarkMichael (Author) Commented:
ExRCA is testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.

  Attempting to test Autodiscover for elinia@capcolondon.com
    Autodiscover was tested successfully.

  Autodiscover settings for Outlook Anywhere are being validated.
    Outlook Anywhere Autodiscover Settings validated

  Attempting to resolve the host name exchange.capcolondon.com in DNS.
    Host successfully resolved

  Testing TCP Port 443 on host exchange.capcolondon.com to ensure it is listening and open.
    The port was opened successfully.

  ExRCA is testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.

  The IIS configuration is being checked for client certificate authentication.
    Client certificate authentication wasn't detected.

  Testing Http Authentication Methods for URL https://exchange.capcolondon.com/rpc/rpcproxy.dll
    The HTTP authentication test failed.


All passed except the RPC check.

I have also changed my OWA settings to use basic or NTLM, both still fail on this test.

Since I am using TMG, is this always going to fail?

Akhater Commented:
Do you mind providing me with a screenshot of your listener settings? It looks like there is something wrong.

MarkMichael (Author) Commented:
Here are the screenies of not only the listener, but the rule too.


[Attachments: screen1.JPG, screen2.JPG, screen3.JPG, screen4.JPG, screen5.JPG, screen6.JPG, screen7.jpg]

Akhater Commented:
thank you for this

1. what do you have in authentication delegation ?
2. I know you have been told to do so but I don't like the /* in the paths IMHO it is not a good way to do it
replace it with
/rpc/*
/OAB/*
/ews/*
/AutoDiscover/*
and click on Test Rule and give me the result


3. run Get-AutodiscoverVirtualDirectory | fl *auth* on your exchange server and give me the results

MarkMichael (Author) Commented:
1. Authentication Delegation is set to 'Basic Authentication'


2.
I've now replaced the /* with each subdirectory as you mentioned.

Here is my autodiscovery directory output:


[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | fl *auth*


InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

---

After replacing the /* with each individual subdirectory, I noticed OAB wasn't allowing Basic Authentication. I enabled this in IIS and restarted it.

The error for that has now gone and the Exchange Connectivity check works fine. I'm about to test this from a workstation on a standalone adsl connection.
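
The failure found above was a mismatch: TMG delegated Basic, but the OAB virtual directory did not accept it. The audit below is an added example, not code from the thread participants; it lists the authentication settings of the directories behind the /AutoDiscover/*, /ews/* and /OAB/* paths, assumes Basic delegation on the TMG rule, and uses illustrative variable names.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the CAS.
# Assumption: the TMG rule delegates credentials with Basic authentication (as in this thread),
# so every virtual directory behind the published paths must accept Basic.

# Published path -> cmdlet that reads the matching virtual directory settings.
$checks = @(
    @{ Path = '/AutoDiscover/*'; Cmdlet = 'Get-AutodiscoverVirtualDirectory' },
    @{ Path = '/ews/*';          Cmdlet = 'Get-WebServicesVirtualDirectory' },
    @{ Path = '/OAB/*';          Cmdlet = 'Get-OabVirtualDirectory' }
)

$report = @()
foreach ($check in $checks) {
    $path  = $check.Path
    # Tag each returned directory with the TMG path it sits behind.
    $props = @{ Name = 'PublishedPath'; Expression = { $path } },
             'Server', 'Name', 'BasicAuthentication', 'WindowsAuthentication'
    $report += @(& $check.Cmdlet | Select-Object $props)
}

# Full picture first: one row per directory on every CAS server.
$report | Format-Table PublishedPath, Server, Name, BasicAuthentication, WindowsAuthentication -AutoSize

# Directories that would reject the credentials TMG forwards.
$mismatch = @($report | Where-Object { -not $_.BasicAuthentication })
if ($mismatch.Count -gt 0) {
    Write-Warning 'Basic authentication is disabled on:'
    foreach ($m in $mismatch) {
        Write-Warning ('  {0}  {1}  ({2})' -f $m.PublishedPath, $m.Server, $m.Name)
    }
} else {
    Write-Host 'All checked directories accept Basic authentication.'
}

# /rpc/* has no BasicAuthentication flag here; Outlook Anywhere reports the method
# that clients are told to use. With Basic delegation it is expected to read Basic.
Get-OutlookAnywhere | Format-List Server, ExternalHostname, ClientAuthenticationMethod
```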

Akhater Commented:
the directories I gave you are only for rpc/http (outlook anywhere) you should recreate other rules for owa and activesync using the wizard.

is testexchangeconnectivity.com now passing ?

MarkMichael (Author) Commented:
Confirmed!

Your help was excellent!

Thank you very much.

I will also have to give a few of the points to dez too, as his part helped me get the OWA page up to start with.

Cheers all!

Akhater Commented:
you are welcome glad i was of help

MarkMichael (Author) Commented:
I spoke too soon.

I will create the rules using the wizard for the rest.
Does this mean I need a new listener?

Akhater Commented:
no you won't need a new listener at all just other paths

make sure to add autodiscover to the public names of the rpc rule

Akhater Commented:
if you want to add all the paths to the same rule you can

/public/*
/OWA/*
/Exchange/*
/ecp/*
for OWA

and
/Microsoft-Server-ActiveSync/*
for activesync

MarkMichael (Author) Commented:
Thanks for all your help.