Solved

ForeFront TMG and OWA Redirect

Posted on 2010-11-21
22
2,746 Views
Last Modified: 2012-05-10
Hello Everyone,
I think I have a simple question but need to ask. I am installing a new Forefront TMG server to be used as my Exchange Edge server and have run into a small snag.
The current Exchange CAS is published directly to the web behind an ASA. I have setup a redirect so that when users simply go to http://mail.domain.com to automatically redirect to https://mail.domain.com which has been working wonderfully.

My problem is that when I add the TMG server in front of Exchange and publish the website, users must enter the full path https://mail.domain.com/owa in order for OWA to come up; TMG is not auto-redirecting requests from http to https, and I also have to put the /owa at the end of it, which I didn't have to do before.

Until I get this issue resolved I will be sending requests directly to the CAS server. Anyone know how I can edit TMG or the published listener to do what I need it to do?

Thank you,
-Mike
0
Question by:BAYCCS
22 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 334 total points
ID: 34183590
The simple way is to go to your publishing rule, Paths tab, and add the /
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183657
Thank you, that solved the /owa problem, but now how do I have http requests auto-forward to https?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34183660
In your listener configure it to use both http and https
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183719
I see where I had to add http under the listener, I didn't have the check box "Enable HTTP connection on port" enabled. I checked that and also the setting under it to redirect HTTP to HTTPS with the option "Redirect all traffic from HTTP to HTTPS."

For some reason it still isn't working, so I looked in the TMG log and found that the reason it was denied was "The policy rules do not allow the user request". If I look under the Users tab under the policy it has All Authenticated Users; should I change that to All Users?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34183771
Try to change to all users and let me know if it will work
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34183795
Please keep it as "All Authenticated Users", and make sure that:
1. The Authentication tab on the listener is configured to use "HTML form authentication".
2. The Authentication Delegation tab on the rule is configured to use NTLM authentication.
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183811
Nope, that didn't seem to do it. I must be missing something stupid.
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183860
1. The Authentication tab on the listener is configured to use "HTML form authentication".

I set this back after selecting All Users didn't work.

2. The Authentication Delegation tab on the rule is configured to use NTLM authentication.

It was set to Basic Authentication and I switched it, with no different result: https://mail.domain.com comes right up, but mail.domain.com doesn't do anything.

Thank you for your input!
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34183892
What's the error message you got on the browser?
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183904
I am not getting an error; it kicks over to the search engine and Bing is looking to see if it can help.

I only see in the TMG log that "The policy rules do not allow the user request" when the source machine tries to go to mail.domain.com. If I manually enter https://mail.domain.com it works with no problem.
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34183971
Found the problem!

Just need to figure out how to change it...

Alert Information
Description: The Web Proxy filter failed to bind its socket to 10.25.50.2 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.


The Web Proxy filter failed to bind its socket to 10.2.2.3 port 80. This may have been caused by another service that is already using the same port or by a network adapter that is not functional. To resolve this issue, restart the Microsoft Firewall service. The error code specified in the data area of the event properties indicates the cause of the failure.
The failure is due to error: An attempt was made to access a socket in a way forbidden by its access permissions.
 
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34184095
I can't seem to find anything that could be bound to 10.25.50.2 Port 80

Anyone have any ideas?
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34184206
Just an update: I have checked to make sure that the Web Proxy isn't using port 80; it is set to the default of 8080, and IIS is not installed on the machine.

0
 
LVL 49

Expert Comment

by:Akhater
ID: 34184301
Oh well, it seems your TMG is listening on port 80.

Run netstat -ano | find ":80"

Can you see it listening?

Also in your services do you have the web service?
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34189991
Sorry that I haven't gotten back to you, I got caught up with something else today. I could not do the full command you asked; for some reason it didn't like it. I was able to do a netstat -ano and here it is:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:2171           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:2172           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:2173           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3600
  TCP    0.0.0.0:3847           0.0.0.0:0              LISTENING       1680
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       1316
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       424
  TCP    0.0.0.0:10001          0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:10026          0.0.0.0:0              LISTENING       1296
  TCP    0.0.0.0:10027          0.0.0.0:0              LISTENING       524
  TCP    0.0.0.0:10089          0.0.0.0:0              LISTENING       1932
  TCP    0.0.0.0:10127          0.0.0.0:0              LISTENING       2368
  TCP    0.0.0.0:10155          0.0.0.0:0              LISTENING       4000
  TCP    0.0.0.0:10177          0.0.0.0:0              LISTENING       3908
  TCP    0.0.0.0:10259          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:10284          0.0.0.0:0              LISTENING       3940
  TCP    0.0.0.0:10348          0.0.0.0:0              LISTENING       3312
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:50389          0.0.0.0:0              LISTENING       1296
  TCP    0.0.0.0:50636          0.0.0.0:0              LISTENING       1296
  TCP    10.2.2.2:25            0.0.0.0:0              LISTENING       3312
  TCP    10.2.2.2:139           0.0.0.0:0              LISTENING       4
  TCP    10.2.2.2:10216         0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.2:16803         65.54.81.147:80        CLOSE_WAIT      3908
  TCP    10.2.2.3:25            0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:110           0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:143           0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:443           0.0.0.0:0              LISTENING       3908
  TCP    10.2.2.3:10186         0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:25          0.0.0.0:0              LISTENING       3312
  TCP    10.25.50.2:139         0.0.0.0:0              LISTENING       4
  TCP    10.25.50.2:1745        0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:2171        10.25.50.2:10267       ESTABLISHED     1240
  TCP    10.25.50.2:8080        0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10182       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10183       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10184       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10185       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10198       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:10267       10.25.50.2:2171        ESTABLISHED     2368
  TCP    10.25.50.2:10396       10.25.50.4:445         ESTABLISHED     4
  TCP    10.25.50.2:13286       0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:16822       10.25.50.4:49159       TIME_WAIT       0
  TCP    10.25.50.2:16823       10.25.50.4:49159       TIME_WAIT       0
  TCP    127.0.0.1:8008         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3908
  TCP    127.0.0.1:10075        127.0.0.1:50389        ESTABLISHED     1808
  TCP    127.0.0.1:10335        127.0.0.1:50389        ESTABLISHED     3312
  TCP    127.0.0.1:10380        127.0.0.1:50389        ESTABLISHED     3940
  TCP    127.0.0.1:13476        127.0.0.1:50389        ESTABLISHED     3312
  TCP    127.0.0.1:16260        127.0.0.1:50389        ESTABLISHED     1808
  TCP    127.0.0.1:16266        127.0.0.1:50389        ESTABLISHED     3312
  TCP    127.0.0.1:50389        127.0.0.1:10075        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:10335        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:10380        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:13476        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:16260        ESTABLISHED     1296
  TCP    127.0.0.1:50389        127.0.0.1:16266        ESTABLISHED     1296
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       704
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1433              [::]:0                 LISTENING       1004
  TCP    [::]:2173              [::]:0                 LISTENING       1240
  TCP    [::]:3389              [::]:0                 LISTENING       3600
  TCP    [::]:3847              [::]:0                 LISTENING       1680
  TCP    [::]:9389              [::]:0                 LISTENING       1316
  TCP    [::]:10000             [::]:0                 LISTENING       424
  TCP    [::]:10001             [::]:0                 LISTENING       788
  TCP    [::]:10002             [::]:0                 LISTENING       832
  TCP    [::]:10026             [::]:0                 LISTENING       1296
  TCP    [::]:10027             [::]:0                 LISTENING       524
  TCP    [::]:10089             [::]:0                 LISTENING       1932
  TCP    [::]:10127             [::]:0                 LISTENING       2368
  TCP    [::]:10155             [::]:0                 LISTENING       4000
  TCP    [::]:10177             [::]:0                 LISTENING       3908
  TCP    [::]:10259             [::]:0                 LISTENING       516
  TCP    [::]:10284             [::]:0                 LISTENING       3940
  TCP    [::]:10348             [::]:0                 LISTENING       3312
  TCP    [::]:47001             [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    880
  UDP    0.0.0.0:500            *:*                                    832
  UDP    0.0.0.0:1645           *:*                                    832
  UDP    0.0.0.0:1645           *:*                                    832
  UDP    0.0.0.0:1645           *:*                                    832
  UDP    0.0.0.0:1646           *:*                                    832
  UDP    0.0.0.0:1646           *:*                                    832
  UDP    0.0.0.0:1646           *:*                                    832
  UDP    0.0.0.0:1812           *:*                                    832
  UDP    0.0.0.0:1812           *:*                                    832
  UDP    0.0.0.0:1812           *:*                                    832
  UDP    0.0.0.0:1813           *:*                                    832
  UDP    0.0.0.0:1813           *:*                                    832
  UDP    0.0.0.0:1813           *:*                                    832
  UDP    0.0.0.0:4500           *:*                                    832
  UDP    0.0.0.0:5355           *:*                                    984
  UDP    10.2.2.2:137           *:*                                    4
  UDP    10.2.2.2:138           *:*                                    4
  UDP    10.2.2.2:2171          *:*                                    1240
  UDP    10.2.2.2:50389         *:*                                    1296
  UDP    10.2.2.3:2171          *:*                                    1240
  UDP    10.2.2.3:50389         *:*                                    1296
  UDP    10.25.50.2:137         *:*                                    4
  UDP    10.25.50.2:138         *:*                                    4
  UDP    10.25.50.2:2171        *:*                                    1240
  UDP    10.25.50.2:50389       *:*                                    1296
  UDP    127.0.0.1:23631        *:*                                    4768
  UDP    127.0.0.1:23632        *:*                                    3312
  UDP    127.0.0.1:23633        *:*                                    3940
  UDP    127.0.0.1:23635        *:*                                    1680
  UDP    127.0.0.1:30245        *:*                                    2368
  UDP    127.0.0.1:34599        *:*                                    1240
  UDP    127.0.0.1:34600        *:*                                    1316
  UDP    127.0.0.1:34601        *:*                                    1932
  UDP    127.0.0.1:34602        *:*                                    1808
  UDP    127.0.0.1:36318        *:*                                    984
  UDP    127.0.0.1:39691        *:*                                    1296
  UDP    127.0.0.1:40422        *:*                                    832
  UDP    127.0.0.1:51384        *:*                                    1004
  UDP    127.0.0.1:57253        *:*                                    524
  UDP    127.0.0.1:57255        *:*                                    1104
  UDP    [::]:123               *:*                                    880
  UDP    [::]:500               *:*                                    832
  UDP    [::]:4500              *:*                                    832
  UDP    [::1]:23636            *:*                                    832
  UDP    [::1]:23637            *:*                                    832
  UDP    [::ffff:10.2.2.2]:1645  *:*                                    832
  UDP    [::ffff:10.2.2.2]:1646  *:*                                    832
  UDP    [::ffff:10.2.2.2]:1812  *:*                                    832
  UDP    [::ffff:10.2.2.2]:1813  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1645  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1646  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1812  *:*                                    832
  UDP    [::ffff:10.2.2.3]:1813  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1645  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1646  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1812  *:*                                    832
  UDP    [::ffff:10.25.50.2]:1813  *:*                                    832

I guess you can see it listening under process id 4, but I have no idea what that is.
0
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 166 total points
ID: 34190035
You can find it by using Task Manager.
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 34190136
The process is identified as system.

BTW, you had asked if the web service is running; are you referring to the World Wide Web Publishing Service? If so then yes, it is running.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 334 total points
ID: 34190487
Yes, this is it, and you can see that process 4 is using port 80.

Try to stop the World Wide Web Publishing Service manually, restart the ISA service afterwards, and test.
0
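The check Akhater describes (netstat -ano filtered on ":80", then identifying PID 4 as System) can be scripted so the port conflict is found before the HTTP listener is enabled. This is an added example, not code from the thread or from TMG; the sample netstat lines are constructed from the output posted above, and the mapping of PID 4 to http.sys is an assumption that holds on standard Windows Server builds:

```python
"""Find what already owns a TCP port on a Windows host from `netstat -ano` output.

Added example (not from the thread): automates the check
`netstat -ano | find ":80"` and reports why TMG's Web Proxy filter could not
bind 10.25.50.2:80 when PID 4 (System, i.e. http.sys) already held 0.0.0.0:80.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample, trimmed from the netstat output posted in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    10.2.2.3:443           0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:8080        0.0.0.0:0              LISTENING       3908
  TCP    10.25.50.2:16822       10.25.50.4:49159       TIME_WAIT       0
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    880
"""

# PID 4 is the Windows "System" process; a TCP listener owned by it is the
# kernel HTTP driver http.sys, used by IIS (W3SVC) and other http.sys apps.
SYSTEM_PID = 4
WILDCARDS = {"0.0.0.0", "[::]"}

@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int

# Proto, local addr:port, foreign addr, optional state (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return bound sockets: TCP rows in LISTENING state and every UDP row."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners

def port_conflicts(listeners, port, bind_address, proto="TCP"):
    """Sockets that block a new bind of bind_address:port.

    A wildcard (0.0.0.0 / [::]) listener held by http.sys is exclusive, so a
    later bind of a specific address on the same port fails with WSAEACCES,
    "access a socket in a way forbidden by its access permissions", which is
    exactly the alert TMG logged for 10.25.50.2 port 80.
    """
    return [l for l in listeners
            if l.proto == proto and l.port == port
            and (l.address == bind_address or l.address in WILDCARDS)]

def describe(listener):
    owner = (f"System (PID {SYSTEM_PID}: http.sys, typically IIS/W3SVC)"
             if listener.pid == SYSTEM_PID else f"PID {listener.pid}")
    return f"{listener.proto} {listener.address}:{listener.port} held by {owner}"

def live_netstat():
    """Capture the real table on a Windows host (the sample run below does not need it)."""
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for l in port_conflicts(parse_netstat(SAMPLE_NETSTAT), 80, "10.25.50.2"):
        print(describe(l))
```

On the real box replace SAMPLE_NETSTAT with live_netstat(); a result naming PID 4 means stopping or disabling W3SVC (as the thread did) is what frees the port for the listener.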
 
LVL 5

Author Comment

by:BAYCCS
ID: 34191068
Well, that was it. I had to reboot the server after disabling the WWW Publishing Service, but it is now redirecting http to https...

I can't thank you enough for your time and help!
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34191110
you are welcome, glad it helped
0
 
LVL 1

Expert Comment

by:shabexpert
ID: 34444027
Dear Mike;

An easy way to redirect http to https and to redirect the OWA address to use /owa automatically.
Please find the steps below:

1- On TMG create a normal web publishing rule.
2- Configure this rule to deny traffic to the address http://mail.domain.com and complete all steps as default, as when you create an Exchange publishing rule.
3- After creating the previous rule, double-click it and on the page where you specified to deny access add https://mail.domain.com/owa.
4- Place the rule you have created in order before the OWA publishing rule.
5- Confirm that ports 80 and 443 are enabled on the web listener used.

The summary of this:

You tell your TMG that if it receives any request asking for http://mail.domain.com it should redirect it to https://mail.domain.com/owa.


please let me know if you need more help.
0
 
LVL 1

Expert Comment

by:shabexpert
ID: 34444109
Dear Mike;

Please find more additional details:

1. In the console tree of TMG Server Management, click Firewall Policy.

2. On the Tasks tab, click Publish Web Sites. Use the wizard to create the rule as outlined in the following table:
   Create Web Publishing: select Rule Action as Deny.
   Publishing Type: select Publish a single Web site or load balancer.
   Server Connectivity Security: select Use SSL to connect to the published Web server or server farm.
   Internal Publishing Details / Internal site name: type the internal FQDN of the CAS servers: mail.domain.com.
   Internal Publishing Details / Path (optional): type / in the Path field.
   Public Name Details / Accept requests for / Public name: This domain name (type below); type the domain name mail.domain.com.
   Select Web Listener / Web listener: select the Web listener you created previously, Exchange FBA.
   Authentication Delegation / Select the method used by ISA Server to authenticate to the published Web server: select Basic authentication.
   User Sets / This rule applies to requests from the following user sets: select All Users.
   Completing the New Web Publishing Rule Wizard: review the selected settings, and click Finish to complete the wizard.

3. Right-click the rule you just created and click Properties.

4. Select the Action tab, select Redirect HTTP requests to this Web page, and type the correct URL, https://mail.domain.com/owa, in the Redirect requests to an alternate Web page field.

5. Select the Application Settings tab, select Use customized HTML forms instead of the default, type Exchange in the Custom HTML form set directory field, and then click OK.

6. Click the Apply button in the details pane to save the changes and update the configuration.

please let me know if you need more details.
0
