Solved

So near and yet so far!

Posted on 2011-03-01
1,105 Views
Last Modified: 2012-05-11
It really has been a long slog setting up my first Exchange 2010 server in co-existence with a fully working Exchange 2007 server. The situation I am at is that it is all up and running successfully with SP1 installed and an external SSL certificate from Entrust being used that has the following domain names on it: kingsmail4.kings-ely.cambs.sch.uk and the internal name of kingsmail4. Internal access via OWA is fine, as I have moved a mailbox over for testing and using https://kingsmail4/owa the user is logged straight on, so all brilliant so far. If I am to use this server in the future I need to allow external access for users, and this is where it all grinds to a halt, as I just cannot access my test account through Forefront; it just fails repeatedly. I get the Form screen up and I have used the Forefront Wizard to create a rule, and I have also successfully created a web listener using the same Entrust certificate, and indeed this shows up as fine in the Outlook Web App, but authentication fails to pass through to the mail server and it says it cannot authenticate to Forefront. The Forefront server is a full member of the domain, so I am really at a loss how to proceed next as there is not a lot out there. Any help would be gratefully received as I am so close to deploying and yet without external access it is of no use.

Regards

Steve Dunlin
0
Question by:SteveDunlin
34 Comments
 
LVL 74

Expert Comment

by:Glen Knight
Are you creating a publishing rule on Forefront for Exchange 2010 OWA and if so, what do you have under the authentication delegation?

Have you turned off Forms Based Authentication on the Exchange 2010 CAS server?
0
 
LVL 4

Expert Comment

by:loki_loki
Does the request get to Forefront at all? Look in the logs and see the real-time tracking when you try and connect externally.
I assume you have set external DNS to point to the right IP, with the domain matching the certificate. What error do you get?
What authentication did you set in the listener?
0
 

Author Comment

by:SteveDunlin
I have turned off Forms-based authentication on the CAS, yes, and Forefront is set to Basic Authentication on the rule and HTML Authentication and Active Directory on the Web Listener.
0
 

Author Comment

by:SteveDunlin
I have had a colleague check externally, as I have myself, and you hit the Forefront TMG, and I know there are no issues with incorrect IP addresses or DNS as it is published externally for me by Virgin.
The issue is something to do with authentication. You can check the site yourself if you use https://kingsmail4.kings-ely.cambs.sch.uk/owa
0
 
LVL 74

Expert Comment

by:Glen Knight
And what authentication methods do you have set on the OWA virtual directory listed under Server Configuration > Client Access?
What happens when you click Test Rule on the Exchange rule in Forefront?
0
 

Author Comment

by:SteveDunlin
The Test Rule all shows as successful apart from ping, and the Server Config in Client Access is set to Integrated and Basic.
0
 
LVL 74

Expert Comment

by:Glen Knight
Can you browse to OWA from the FTMG server itself?
0
 
LVL 4

Expert Comment

by:loki_loki
Checking my config, I have basic authentication on the OWA virtual directory.  
0
 
LVL 74

Expert Comment

by:Glen Knight
I have Basic and Integrated on 2 that I have checked.
This allows internal users to browse to OWA without password prompts.
0
 

Author Comment

by:SteveDunlin
Yes, by having basic and integrated set my test user logs on without being prompted for credentials, so the CAS server internally is doing exactly what it should. I cannot browse from my Forefront server to my mail server.
0
 
LVL 4

Expert Comment

by:loki_loki
I know you said the TMG is in the domain, but do you have a firewall in between them? Can you ping it by name or IP?
0
 
LVL 74

Expert Comment

by:Glen Knight
You need a rule to allow HTTPS traffic from localhost (FTMG) to the CAS server.
0
 

Author Comment

by:SteveDunlin
OK, thought the rule might do the trick but still the same. Have tested from an external at our prep school and it still fails authentication and says "You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again." Shame, as I had not tried that. Steve
0
 
LVL 4

Expert Comment

by:loki_loki
Can you ping the CAS from TMG by name and IP?
0
 
LVL 74

Expert Comment

by:Glen Knight
How are you entering the username? Are you using DOMAIN\username?
0
 

Author Comment

by:SteveDunlin
Yes, I am entering domain\username. Ignore the last message that said you cannot log on to Forefront, as that was me omitting to type the password in. If I type the password in I get no error message but it just fails to log in.
0
 
LVL 74

Expert Comment

by:Glen Knight
But you can now get to OWA from the FTMG server?

You say you get no error; does the password screen re-appear? If so, does it still have the Forefront footer?
[Image: forefrontfooter.jpg]
If not, then you haven't disabled forms based authentication on the Exchange CAS Server, or if you have, you haven't reset IIS by running IISRESET from a command prompt.
0
 

Author Comment

by:SteveDunlin
No, I cannot get to OWA from the Forefront server. You can see yourself at https://kingsmail4.kings-ely.cambs.sch.uk/owa. From the screen I enter domain\username and the password and press return and nothing happens; it just stays as the screen you included above with the Forefront footer, so you hit Forefront externally but for some reason authentication is not passed to the CAS.
0
 
LVL 74

Expert Comment

by:Glen Knight
From the actual FTMG server, using either the console or a remote desktop session, you need to be able to browse to the CAS server and log in.
0
 
LVL 4

Expert Comment

by:loki_loki
So, if you can't get to the CAS from the TMG then is there a firewall between them, and can you ping the CAS from the TMG?
0
 

Author Comment

by:SteveDunlin
Good morning - I thought a break was needed after all of your help yesterday, which I was really grateful for. I did not quite follow the remote desktop session and console part as I did not know what you meant by console. However the remote desktop threw up something interesting, and also I discovered something else unusual but have not researched further yet. If I do a remote desktop session using Kingsmail4 it fails to connect with an error message of "The connection cannot be completed because the remote computer that was reached is not the one you specified". However if I use the IP address of Kingsmail4 it works. The other strange issue I came across was when I created a network share on Kingsmail4 (I wanted to copy certs across from it): when I tried to map the drive from Forefront it gave an error "The mapped Network Drive could not be created because the following error has occurred: Logon Failure: The target account name is incorrect". However mapping the drive from elsewhere, including my other Forefront server, is always successful. I am not sure yet of the significance of this nor the reason but I will research further this morning! Regards Steve
0
 
LVL 4

Expert Comment

by:loki_loki
Morning,

Console just means going to the physical login screen, either by standing in front of it or remote controlling it using VNC, Dameware etc. Remote desktop connects to a terminal service session, which isn't the same thing.

I would thoroughly check your DNS settings to make sure there weren't erroneous entries. That is what I was trying to establish yesterday with the ping question. After checking the DNS entries, make sure that you can ping the CAS server from the TMG server, both by IP and by name.

If DNS looks OK and the TMG still cannot ping by name then check the IP settings on the TMG and try ipconfig /flushdns to clear the TMG's DNS cache and try pinging again. Let us know how you get on.
0
 

Author Comment

by:SteveDunlin
Thanks, and I have flushed the cache already, but something interesting: I have another Forefront server with an almost identical setup that publishes my Exchange 2007 server (successfully, I quickly add!) and when I ping kingsmail4 from there it returns its internal IP address 192. etc. When I ping kingsmail4 from the TMG it replies with its external IP address, as it turns kingsmail4 into its FQDN of kingsmail4.kings-ely.cambs.sch.uk, so not totally unexpected as the external facing card of Forefront connects directly to the Virgin DNS servers. Both TMGs have identical type network card setups, so not sure why one resolves internally and yet the one I have issues with does not, nor its significance at this stage. I have checked DNS on my 3 DCs and there are no erroneous entries for Kingsmail4 in forward or reverse lookups and WINS is fine - very perplexing! Regards Steve
0
 
LVL 74

Expert Comment

by:Glen Knight
Remote desktop can connect to the console session by using either the /admin or /console switch, depending on the version of the remote desktop client/Windows.
0
 
LVL 74

Expert Comment

by:Glen Knight
Steve, which grid are you connected to, or are you on your own service away from the Broadband Consortiums?

The FTMG server: does it have DNS specified on both NICs? If so, is it correct? Is the FTMG server your router or do you have another device in between the WAN NIC and the Internet connection?
0
 

Author Comment

by:SteveDunlin
We have a dedicated 30MB Ethernet on a leased line via a Cisco router directly into their network, so it is not ADSL, and the external facing network cards on the TMGs connect to this and I point them at their DNS servers. The internal facing network cards on the TMGs connect to a switch with internal traffic and IPs on it. We have a single domain so no segments or internal firewalls or routing.
0
 
LVL 74

Expert Comment

by:Glen Knight
Sorry, I was referring to a broadband consortium, which most schools in the UK use. I have 3 on the SWGfL circuit.

0
 

Author Comment

by:SteveDunlin
No, we go direct via Virgin on a leased 30MB Ethernet as we are a private school, so both TMGs connect directly onto this Ethernet via their external facing NICs within the TMGs.
0
 
LVL 74

Expert Comment

by:Glen Knight
What do the logs say when you try to access the OWA from the console on the FTMG server?
0
 
LVL 4

Accepted Solution

by: loki_loki (earned 500 total points)
Presumably your internal NIC has internal DNS servers set on it?

Can you change the references to the CAS server in the rule\listener config to the IP address, not the name, of the CAS and see if you can get to OWA then?
0
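As an added example (not code from the thread, from Microsoft or from either expert), a PowerShell check for the problem loki_loki and Steve narrowed down above: it resolves the CAS name against every DNS server configured on every adapter of the TMG, so a WAN adapter whose ISP servers hand back the public address shows up side by side with the internal DC answer, which is exactly the condition that makes RDP report "not the one you specified", drive mapping report "target account name is incorrect", and the OWA rule fail. It assumes Windows Server 2012 or later for the Resolve-DnsName and Get-DnsClientServerAddress cmdlets, takes the CAS FQDN from the thread, and uses a placeholder for the CAS internal address.

```powershell
# Added diagnostic for the split-resolution problem in this thread; not code from the thread.
# ASSUMES Windows Server 2012+ (Resolve-DnsName / Get-DnsClientServerAddress cmdlets).
# The CAS FQDN is the one used in the thread; the expected internal address is a PLACEHOLDER.
param(
    [string]$CasHost    = 'kingsmail4.kings-ely.cambs.sch.uk',
    [string]$InternalIp = '192.0.2.10'   # PLACEHOLDER: real internal CAS address goes here
)

function Test-SplitResolution {
    param([string]$Name, [string]$ExpectedIp)
    $findings = @()
    # Query each DNS server configured on each adapter directly, so we see what the
    # external NIC's (ISP) servers answer versus what the internal NIC's (DC) servers answer.
    $configs = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
    foreach ($cfg in $configs) {
        foreach ($dns in $cfg.ServerAddresses) {
            try {
                $answers = Resolve-DnsName -Name $Name -Type A -Server $dns -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
            } catch {
                $answers = @("<no answer: $($_.Exception.Message)>")
            }
            foreach ($ip in $answers) {
                $findings += [pscustomobject]@{
                    Adapter         = $cfg.InterfaceAlias
                    DnsServer       = $dns
                    Answer          = $ip
                    MatchesInternal = ($ip -eq $ExpectedIp)
                }
            }
        }
    }
    return $findings
}

$results = Test-SplitResolution -Name $CasHost -ExpectedIp $InternalIp
$results | Format-Table -AutoSize

# What the local resolver actually hands to TMG right now (cache included). This is the
# address the listener/rule connects to when it is configured with the name rather than the IP.
$effective = [System.Net.Dns]::GetHostAddresses($CasHost) | ForEach-Object { $_.IPAddressToString }
"Effective resolution of $CasHost on this host: $($effective -join ', ')"

if ($results | Where-Object { -not $_.MatchesInternal }) {
    Write-Warning "A configured DNS server returns a non-internal address for $CasHost."
    Write-Warning "TMG then connects to that address instead of the CAS, so delegated credentials never reach OWA."
    Write-Warning "Fix: configure DNS servers only on the internal adapter (or use the CAS IP in the rule/listener), then run ipconfig /flushdns."
}
```

Run it on the TMG itself, since the point is what that host's adapters resolve; a healthy result shows every row with MatchesInternal True and the effective resolution equal to the internal CAS address.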
 

Author Comment

by:SteveDunlin
Yes, my internal NICs point to my DC DNS servers. I will try what you suggest - thanks!
0
 
LVL 4

Expert Comment

by:loki_loki
As I think about it, the other things to check are:

DNS suffixes and search list are entered correctly.

Also, the primary DNS suffix in System Properties > Computer Name > Change > More is entered correctly. Should be OK for a domain-joined server, but mine is stand-alone so needed it entering manually.

If you can ping by IP, can you ping by FQDN?
0
 

Author Comment

by:SteveDunlin
Well I have to say that on my web listener I changed the references as suggested to the IP address and it is now working externally! I also have just noticed that the suggestion has come from loki, so I have declared that as the solution, but I am eternally grateful for all of the help from demazter as you have been brilliant and very helpful throughout. Many thanks to both of you. Steve
0
 

Author Closing Comment

by:SteveDunlin
It worked immediately I tried it
0
