Solved

ForeFront TMG and OWA Redirect

Posted on 2010-11-21
22
2,688 Views
Last Modified: 2012-05-10
Hello Everyone,
I think I have a simple question but need to ask. I am installing a new Forefront TMG server to be used as my Exchange Edge server and have run into a small snag.
The current Exchange CAS is published directly to the web behind an ASA. I have setup a redirect so that when users simply go to http://mail.domain.com to automatically redirect to https://mail.domain.com which has been working wonderfully.

My problem is that when I add the TMG server in front of Exchange and publish the website, users must enter the full path https://mail.domain.com/owa in order for OWA to come up. TMG is not auto-redirecting requests from HTTP to HTTPS, and I also have to put /owa at the end of it, which I didn't have to do before.

Until I get this issue resolved I will be sending requests directly to the CAS server. Does anyone know how I can edit TMG or the published listener to do what I need it to do?

Thank you,
-Mike
0
Comment
Question by:BAYCCS
22 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 334 total points
The simple way is to go to your publishing rule, Paths tab, and add the /
0
 
LVL 5

Author Comment

by:BAYCCS
Thank you, that solved the /owa problem, but now how do I have HTTP requests auto-forward to HTTPS?
0
 
LVL 49

Expert Comment

by:Akhater
In your listener, configure it to use both HTTP and HTTPS.
0
 
LVL 5

Author Comment

by:BAYCCS
I see where I had to add HTTP under the listener; I didn't have the check box "Enable HTTP connection on port" enabled. I checked that and also the setting under it to redirect HTTP to HTTPS with the option "Redirect all traffic from HTTP to HTTPS."

For some reason it still isn't working, so I looked in the TMG log and found that the reason it was denied was "The policy rules do not allow the user request". If I look under the Users tab under the policy it has All Authenticated Users; should I change that to All Users?
0
 
LVL 49

Expert Comment

by:Akhater
Try changing it to All Users and let me know if it works.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Please keep it as "All Authenticated Users", and make sure that:
1. The Authentication tab on the listener is configured to use "HTML form authentication".
2. The Authentication delegation tab on the rule is configured to use NTLM authentication.
0
 
LVL 5

Author Comment

by:BAYCCS
Nope, that didn't seem to do it. I must be missing something stupid.
0
 
LVL 5

Author Comment

by:BAYCCS
1. Authentication tab on the listener configured to use "HTML form authentication"

I set this back after selecting All Users didn't work.

2. Authentication delegation tab on the rule configured to use NTLM authentication.

It was set to Basic Authentication and I switched it, with no different result: https://mail.domain.com comes right up but mail.domain.com doesn't do anything.

Thank you for your input!
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
What's the error message you get in the browser?
0
 
LVL 5

Author Comment

by:BAYCCS
I am not getting an error; it kicks over to the search engine and Bing is looking to see if it can help.

I only see in the TMG log that "The policy rules do not allow the user request" when the source machine tries to go to mail.domain.com. If I manually enter https://mail.domain.com it works with no problem.
0
 
LVL 5

Author Comment

by:BAYCCS
Found the problem!

Just need to figure out how to change it...

Alert Information
Description: The Web Proxy filter failed to bind its socket to 10.25.50.2 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.


The Web Proxy filter failed to bind its socket to 10.2.2.3 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.
 
0
 
LVL 5

Author Comment

by:BAYCCS
I can't seem to find anything that could be bound to 10.25.50.2 port 80.

Anyone have any ideas?
0
 
LVL 5

Author Comment

by:BAYCCS
Just an update: I have checked to make sure that the Web Proxy isn't using port 80 (it is set to the default of 8080), and IIS is not installed on the machine.

0
 
LVL 49

Expert Comment

by:Akhater
Oh well, it seems your TMG is listening on port 80.

Run netstat -ano | find ":80"

Can you see it listening?

Also, in your services do you have the web service?
0
 
LVL 5

Author Comment

by:BAYCCS
Sorry that I haven't gotten back to you, I got caught up with something else today. I could not run the full command you asked for; for some reason it didn't like it. I was able to do a netstat -ano and here it is:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:2171           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:2172           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:2173           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3600
  TCP    0.0.0.0:3847           0.0.0.0:0              LISTENING       1680
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       1316
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       424
  TCP    0.0.0.0:10001          0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:10026          0.0.0.0:0              LISTENING       1296
  TCP    0.0.0.0:10027          0.0.0.0:0              LISTENING       524
  TCP    0.0.0.0:10089          0.0.0.0:0              LISTENING       1932
  TCP    0.0.0.0:10127          0.0.0.0:0              LISTENING       2368
  TCP    0.0.0.0:10155          0.0.0.0:0              LISTENING       4000
  TCP    0.0.0.0:10177          0.0.0.0:0              LISTENING       3908
  TCP    0.0.0.0:10259          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:10284          0.0.0.0:0              LISTENING       3940
  TCP    0.0.0.0:10348          0.0.0.0:0              LISTENING       3312
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:50389          0.0.0.0:0              LISTENING       1296
  TCP    0.0.0.0:50636          0.0.0.0:0              LISTENING       1296
  TCP    10.2.2.2:25            0.0.0.0:0              LISTENING       3312
  TCP    10.2.2.2:139           0.0.0.0:0              LISTENING       4
  TCP    10.2.2.2:10216         0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.2:16803         65.54.81.147:80        CLOSE_WAIT      3908
  TCP    10.2.2.3:25            0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:110           0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:143           0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:443           0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:10186         0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:25          0.0.0.0:0              LISTENING       3312
  TCP    10.25.50.2:139         0.0.0.0:0              LISTENING       4
  TCP    10.25.50.2:1745        0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:2171        10.25.50.2:10267       ESTABLISHED     1240
  TCP    10.25.50.2:8080        0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10182       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10183       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10184       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10185       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10198       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10267       10.25.50.2:2171        ESTABLISHED     2368
  TCP    10.25.50.2:10396       10.25.50.4:445         ESTABLISHED     4
  TCP    10.25.50.2:13286       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:16822       10.25.50.4:49159       TIME_WAIT       0
  TCP    10.25.50.2:16823       10.25.50.4:49159       TIME_WAIT       0
  TCP    127.0.0.1:8008         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3908
  TCP    127.0.0.1:10075        127.0.0.1:50389        ESTABLISHED     1808
  TCP    127.0.0.1:10335        127.0.0.1:50389        ESTABLISHED     3312
  TCP    127.0.0.1:10380        127.0.0.1:50389        ESTABLISHED     3940
  TCP    127.0.0.1:13476        127.0.0.1:50389        ESTABLISHED     3312
  TCP    127.0.0.1:16260        127.0.0.1:50389        ESTABLISHED     1808
  TCP    127.0.0.1:16266        127.0.0.1:50389        ESTABLISHED     3312
  TCP    127.0.0.1:50389        127.0.0.1:10075        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:10335        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:10380        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:13476        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:16260        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:16266        ESTABLISHED     1296
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       704
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1433              [::]:0                 LISTENING       1004
  TCP    [::]:2173              [::]:0                 LISTENING       1240
  TCP    [::]:3389              [::]:0                 LISTENING       3600
  TCP    [::]:3847              [::]:0                 LISTENING       1680
  TCP    [::]:9389              [::]:0                 LISTENING       1316
  TCP    [::]:10000             [::]:0                 LISTENING       424
  TCP    [::]:10001             [::]:0                 LISTENING       788
  TCP    [::]:10002             [::]:0                 LISTENING       832
  TCP    [::]:10026             [::]:0                 LISTENING       1296
  TCP    [::]:10027             [::]:0                 LISTENING       524
  TCP    [::]:10089             [::]:0                 LISTENING       1932
  TCP    [::]:10127             [::]:0                 LISTENING       2368
  TCP    [::]:10155             [::]:0                 LISTENING       4000
  TCP    [::]:10177             [::]:0                 LISTENING       3908
  TCP    [::]:10259             [::]:0                 LISTENING       516
  TCP    [::]:10284             [::]:0                 LISTENING       3940
  TCP    [::]:10348             [::]:0                 LISTENING       3312
  TCP    [::]:47001             [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    880
  UDP    0.0.0.0:500            *:*                                    832
  UDP    0.0.0.0:1645           *:*                                    832
  UDP    0.0.0.0:1645           *:*                                    832
  UDP    0.0.0.0:1645           *:*                                    832
  UDP    0.0.0.0:1646           *:*                                    832
  UDP    0.0.0.0:1646           *:*                                    832
  UDP    0.0.0.0:1646           *:*                                    832
  UDP    0.0.0.0:1812           *:*                                    832
  UDP    0.0.0.0:1812           *:*                                    832
  UDP    0.0.0.0:1812           *:*                                    832
  UDP    0.0.0.0:1813           *:*                                    832
  UDP    0.0.0.0:1813           *:*                                    832
  UDP    0.0.0.0:1813           *:*                                    832
  UDP    0.0.0.0:4500           *:*                                    832
  UDP    0.0.0.0:5355           *:*                                    984
  UDP    10.2.2.2:137           *:*                                    4
  UDP    10.2.2.2:138           *:*                                    4
  UDP    10.2.2.2:2171          *:*                                    1240
  UDP    10.2.2.2:50389         *:*                                    1296
  UDP    10.2.2.3:2171          *:*                                    1240
  UDP    10.2.2.3:50389         *:*                                    1296
  UDP    10.25.50.2:137         *:*                                    4
  UDP    10.25.50.2:138         *:*                                    4
  UDP    10.25.50.2:2171        *:*                                    1240
  UDP    10.25.50.2:50389       *:*                                    1296
  UDP    127.0.0.1:23631        *:*                                    4768
  UDP    127.0.0.1:23632        *:*                                    3312
  UDP    127.0.0.1:23633        *:*                                    3940
  UDP    127.0.0.1:23635        *:*                                    1680
  UDP    127.0.0.1:30245        *:*                                    2368
  UDP    127.0.0.1:34599        *:*                                    1240
  UDP    127.0.0.1:34600        *:*                                    1316
  UDP    127.0.0.1:34601        *:*                                    1932
  UDP    127.0.0.1:34602        *:*                                    1808
  UDP    127.0.0.1:36318        *:*                                    984
  UDP    127.0.0.1:39691        *:*                                    1296
  UDP    127.0.0.1:40422        *:*                                    832
  UDP    127.0.0.1:51384        *:*                                    1004
  UDP    127.0.0.1:57253        *:*                                    524
  UDP    127.0.0.1:57255        *:*                                    1104
  UDP    [::]:123               *:*                                    880
  UDP    [::]:500               *:*                                    832
  UDP    [::]:4500              *:*                                    832
  UDP    [::1]:23636            *:*                                    832
  UDP    [::1]:23637            *:*                                    832
  UDP    [::ffff:10.2.2.2]:1645  *:*                                    832
  UDP    [::ffff:10.2.2.2]:1646  *:*                                    832
  UDP    [::ffff:10.2.2.2]:1812  *:*                                    832
  UDP    [::ffff:10.2.2.2]:1813  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1645  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1646  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1812  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1813  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1645  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1646  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1812  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1813  *:*                                    832

I guess you can see it listening to process id 4 but I have no idea what that is.
0
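One way to automate the port check Akhater asked for above (netstat -ano piped through find), as an added example that is not code from the thread: a small Python parser for the netstat -ano table format posted above, run here over a constructed few-row sample in that format. The own_pid argument is whatever PID the practitioner expects to hold the port (an assumption supplied by the caller, not a value the thread confirms).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the thread's netstat -ano output (a few rows only).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    10.2.2.3:443           0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:8080        0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:16822       10.25.50.4:49159       TIME_WAIT       0
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    880
"""

# PID 4 is always the Windows "System" process. A TCP listener owned by it is a
# kernel-mode listener; on port 80 that is normally HTTP.SYS, which IIS (W3SVC)
# registers on. Any other PID should be resolved with tasklist /FI "PID eq N".
WELL_KNOWN_PIDS = {4: "System (kernel-mode listener, e.g. HTTP.SYS for IIS/W3SVC)"}

# One TCP row of netstat -ano: proto, local endpoint, foreign endpoint, state, PID.
_TCP_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'a.b.c.d:port' or '[v6addr]:port' into (address, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def listeners_on_port(netstat_text: str, port: int) -> List[Dict]:
    """Return every TCP socket in LISTENING state bound to `port`.

    A wildcard bind (0.0.0.0 or ::) counts too: it claims the port on every
    address, including the ones the TMG listener needs.
    """
    found = []
    for line in netstat_text.splitlines():
        m = _TCP_ROW.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        addr, local_port = split_endpoint(m.group("local"))
        if local_port != port:
            continue
        pid = int(m.group("pid"))
        found.append({"address": addr, "pid": pid,
                      "owner": WELL_KNOWN_PIDS.get(pid, "unknown, resolve with tasklist")})
    return found

def conflicting_pids(netstat_text: str, port: int, own_pid: int) -> List[int]:
    """PIDs other than `own_pid` (the process that should own `port`) holding it."""
    return sorted({e["pid"] for e in listeners_on_port(netstat_text, port)} - {own_pid})

if __name__ == "__main__":
    # Against a live box: netstat -ano > netstat.txt, then read that file instead.
    for entry in listeners_on_port(SAMPLE_NETSTAT, 80):
        print(f"port 80 on {entry['address']}: PID {entry['pid']} ({entry['owner']})")
```

On the thread's full dump the same parser reports port 80 held on 0.0.0.0 and [::] by PID 4, which is the System process the author later identifies in Task Manager.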
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 166 total points
You can find it by using Task Manager.
0
 
LVL 5

Author Comment

by:BAYCCS
The process is identified as System.

BTW, you had asked if the web service is running; are you referring to the World Wide Web Publishing Service? If so, then yes, it is running.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 334 total points
Yes, this is it, and you can see that process 4 is using port 80.

Try to manually stop the World Wide Web Publishing Service and restart the ISA service afterwards, and test.
0
 
LVL 5

Author Comment

by:BAYCCS
Well, that was it. I had to reboot the server after disabling the WWW Publishing Service, but it is now redirecting HTTP to HTTPS...

I can't thank you enough for your time and help!
0
 
LVL 49

Expert Comment

by:Akhater
You are welcome, glad it helped.
0
 
LVL 1

Expert Comment

by:shabexpert
Dear Mike,

An easy way to redirect HTTP to HTTPS and redirect the OWA address to use /owa automatically.
Please find the steps below:

1- On TMG create a normal web publishing rule.
2- Configure this rule to deny traffic to the address http://mail.domain.com and complete all steps as default when you create an Exchange publishing rule.
3- After creating the previous rule, double-click it and on the page where you specified to deny access add https://mail.domain.com/owa.
4- Put the rule you have created in order before the OWA publishing rule.
5- Confirm that you enable ports 80 and 443 on the web listener used.

The summary of this:

You tell your TMG that if it receives any request asking for http://mail.domain.com, it should redirect it to https://mail.domain.com/owa.


Please let me know if you need more help.
0
 
LVL 1

Expert Comment

by:shabexpert
Dear Mike,

Please find more additional details:

1. In the console tree of TMG Server Management, click Firewall Policy.

2. On the Tasks tab, click Publish Web Sites. Use the wizard to create the rule as outlined in the following table:

Wizard page | Setting | Value
Create Web Publishing | Rule Action | Select Deny.
Publishing Type | | Select Publish a single Web site or load balancer.
Server Connectivity Security | | Select Use SSL to connect to the published Web server or server farm.
Internal Publishing Details | Internal site name | Type the internal FQDN of the CAS servers: mail.domain.com.
Internal Publishing Details | Path (optional) | Type / in the Path field.
Public Name Details | Accept requests for | This domain name (type below)
Public Name Details | Public name | Type the domain name mail.domain.com.
Select Web Listener | Web listener | Select the Web listener you created previously, Exchange FBA.
Authentication Delegation | Select the method used by ISA Server to authenticate to the published Web server | Select Basic authentication.
User Sets | This rule applies to requests from the following user sets | Select All Users.
Completing the New Web Publishing Rule Wizard | | Review the selected settings, and click Finish to complete the wizard.

3. Right-click the rule you just created and click Properties.

4. Select the Action tab, select Redirect HTTP requests to this Web page, and type the correct URL, https://mail.domain.com/owa, in the Redirect requests to an alternate Web page field.

5. Select the Application Settings tab, select Use Customized HTML forms instead of the default, type Exchange in the Custom HTML form set directory field, and then click OK.

6. Click the Apply button in the details pane to save the changes and update the configuration.

Please let me know if you need more details.
0
