
  • Status: Solved
So near and yet so far!

It really has been a long slog setting up my first Exchange 2010 server in co-existence with a fully working Exchange 2007 server, and the situation I am at is that it is all up and running successfully with SP1 installed and an external SSL certificate from Entrust being used that has the following domain names on it: kingsmail4.kings-ely.cambs.sch.uk and the internal name of kingsmail4. Internal access via OWA is fine, as I have moved a mailbox over for testing and using https://kingsmail4/owa the user is logged straight on, so all brilliant so far.

If I am to use this server in the future I need to allow external access for users, and this is where it all grinds to a halt, as I just cannot access my test account through Forefront as it just fails repeatedly. I get the Form screen up, and I have used the Forefront Wizard to create a rule and also have successfully created a web listener using the same Entrust certificate, and indeed this shows up as fine in the Outlook Web App, but authentication fails to pass through to the mail server and it says it cannot authenticate to Forefront. The Forefront server is a full member of the domain, so I am really at a loss how to proceed next as there is not a lot out there. Any help would be gratefully received as I am so close to deploying and yet without external access it is of no use.

Regards

Steve Dunlin
1 Solution

Glen Knight commented:
Are you creating a publishing rule on Forefront for Exchange 2010 OWA, and if so, what do you have under the authentication delegation?

Have you turned off Forms Based Authentication on the Exchange 2010 CAS server?

loki_loki commented:
Does the request get to Forefront at all? Look in the logs and see the real time tracking when you try and connect externally.
I assume you have set external DNS to point to the right IP, with the domain matching the certificate. What error do you get?
What authentication did you set in the listener?

SteveDunlin (Author) commented:
I have turned off Forms Based Authentication on the CAS, yes, and Forefront is set to Basic Authentication on the rule and HTML Authentication and Active Directory on the Web Listener.

SteveDunlin (Author) commented:
I have had a colleague check externally, as I have myself, and you hit the Forefront TMG, and I know there are no issues with incorrect IP addresses or DNS as it is published externally for me by Virgin.
The issue is something to do with authentication. You can check the site yourself if you use https://kingsmail4.kings-ely.cambs.sch.uk/owa

Glen Knight commented:
And what authentication methods do you have set on the OWA virtual directory listed under Server Configuration > Client Access?
What happens when you click Test Rule on the Exchange rule in Forefront?

SteveDunlin (Author) commented:
The Test Rule all shows as successful apart from ping, and the Server Config in Client Access is set to Integrated and Basic.

Glen Knight commented:
Can you browse to OWA from the FTMG server itself?

loki_loki commented:
Checking my config, I have basic authentication on the OWA virtual directory.  

Glen Knight commented:
I have Basic and Integrated on 2 that I have checked.
This allows internal users to browse to OWA without password prompts.

SteveDunlin (Author) commented:
Yes, by having Basic and Integrated set my test user logs on without being prompted for credentials, so the CAS server internally is doing exactly what it should. I cannot browse from my Forefront server to my mail server.

loki_loki commented:
I know you said the TMG is in the domain, but do you have a firewall in between them? Can you ping it by name or IP?

Glen Knight commented:
You need a rule to allow HTTPS traffic from localhost (FTMG) to the CAS server.

SteveDunlin (Author) commented:
OK, thought the rule might do the trick but still the same. Have tested from an external at our prep school and it still fails authentication and says "You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again." Shame, as I had not tried that.
Steve

loki_loki commented:
Can you ping the CAS from TMG by name and IP?

Glen Knight commented:
How are you entering the username? Are you using DOMAIN\username?

SteveDunlin (Author) commented:
Yes, I am entering domain\username. Ignore the last message that said you cannot log on to Forefront, as that was me omitting to type the password in. If I type the password in I get no error message but it just fails to log in.

Glen Knight commented:
But you can now get to OWA from the FTMG server?

You say you get no error; does the password screen re-appear? If so, does it still have the Forefront footer?
[image: forefrontfooter.jpg]
If not then you haven't disabled forms based authentication on the Exchange CAS server, or if you have, you haven't reset IIS by running IISRESET from a command prompt.
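The checks Glen describes above (forms based authentication off on the CAS, Basic and Integrated left on, then an IIS reset) can be done and verified from the Exchange Management Shell rather than by clicking through Server Configuration > Client Access. The script below is an added example, not code from the thread; it assumes the CAS is named KINGSMAIL4 as in the question and that it is run in the Exchange 2010 Management Shell on that server.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the Exchange 2010 CAS. The server name is taken from the thread.
$cas = 'KINGSMAIL4'

# Current authentication settings on the OWA virtual directory. With TMG in
# front doing Basic delegation you want FormsAuthentication False and
# BasicAuthentication True; WindowsAuthentication True keeps the internal
# single sign-on that Steve sees via https://kingsmail4/owa.
Get-OwaVirtualDirectory -Server $cas |
    Format-List Identity, InternalUrl, ExternalUrl,
        FormsAuthentication, BasicAuthentication, WindowsAuthentication

# Exchange 2010 expects the ECP virtual directory to use the same methods
# as OWA, so check it alongside.
Get-EcpVirtualDirectory -Server $cas |
    Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication

# Apply the TMG-friendly settings to both directories.
Get-OwaVirtualDirectory -Server $cas |
    Set-OwaVirtualDirectory -FormsAuthentication $false `
                            -BasicAuthentication $true `
                            -WindowsAuthentication $true
Get-EcpVirtualDirectory -Server $cas |
    Set-EcpVirtualDirectory -FormsAuthentication $false `
                            -BasicAuthentication $true `
                            -WindowsAuthentication $true

# The change is not live until IIS restarts; /noforce lets in-flight
# requests finish first.
iisreset /noforce

# Re-read to confirm the settings stuck.
Get-OwaVirtualDirectory -Server $cas |
    Format-Table Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize
```

If the external test user still lands back on the TMG form after this, the CAS side is no longer the suspect: a web listener that collects DOMAIN\user and password on its form and a rule that delegates Basic, as Steve has configured, only needs the CAS to accept Basic, which the settings above guarantee.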
 
SteveDunlin (Author) commented:
No, I cannot get to OWA from the Forefront server. You can see yourself at https://kingsmail4.kings-ely.cambs.sch.uk/owa. From the screen I enter domain\username and the password and press return and nothing happens; it just stays as the screen you included above with the Forefront footer, so you hit Forefront externally but for some reason authentication is not passed to the CAS.

Glen Knight commented:
From the actual FTMG server, using either the console or a remote desktop session, you need to be able to browse to the CAS server and log in.

loki_loki commented:
So, if you can't get to the CAS from the TMG, then is there a firewall between them, and can you ping the CAS from the TMG?

SteveDunlin (Author) commented:
Good morning. I thought a break was needed after all of your help yesterday, which I was really grateful for. I did not quite follow the remote desktop session and console part as I did not know what you meant by console. However the remote desktop threw up something interesting, and I also discovered something else unusual but have not researched further yet. If I do a remote desktop session using Kingsmail4 it fails to connect with an error message of "The connection cannot be completed because the remote computer that was reached is not the one you specified". However if I use the IP address of Kingsmail4 it works. The other strange issue I came across was when I created a network share on Kingsmail4 (I wanted to copy certs across from it): when I tried to map the drive from Forefront it gave an error "The mapped Network Drive could not be created because the following error has occurred: Logon Failure: The target account name is incorrect". However mapping the drive from elsewhere, including my other Forefront server, is always successful. I am not sure yet of the significance of this nor the reason, but I will research further this morning!

Regards
Steve

loki_loki commented:
Morning,

Console just means going to the physical login screen, either by standing in front of it or remote controlling it using VNC, DameWare etc. Remote desktop connects to a terminal service session, which isn't the same thing.

I would thoroughly check your DNS settings to make sure there aren't erroneous entries. That is what I was trying to establish yesterday with the ping question. After checking the DNS entries make sure that you can ping the CAS server from the TMG server, both by IP and by name.

If DNS looks OK and the TMG still cannot ping by name, then check the IP settings on the TMG and try ipconfig /flushdns to clear the TMG's DNS cache and try pinging again. Let us know how you get on.

SteveDunlin (Author) commented:
Thanks, and I have flushed the cache already, but something interesting: I have another Forefront server with an almost identical setup that publishes my Exchange 2007 server (successfully, I quickly add!) and when I ping kingsmail4 from there it returns its internal IP address 192. etc. When I ping kingsmail4 from the TMG it replies with its external IP address, as it turns kingsmail4 into its FQDN of kingsmail4.kings-ely.cambs.sch.uk, so not totally unexpected as the external facing card of Forefront connects directly to the Virgin DNS servers. Both TMGs have identical type network card setups, so I am not sure why one resolves internally and yet the one I have issues with does not, nor its significance at this stage. I have checked DNS on my 3 DCs and there are no erroneous entries for Kingsmail4 in forward or reverse lookups, and WINS is fine. Very perplexing!

Regards
Steve

Glen Knight commented:
Remote desktop can connect to the console session by using either the /admin or /console switch, depending on the version of the remote desktop client/Windows.

Glen Knight commented:
Steve, which grid are you connected to, or are you on your own service away from the broadband consortiums?

The FTMG server: does it have DNS specified on both NICs? If so, is it correct? Is the FTMG server your router, or do you have another device in between the WAN NIC and the Internet connection?

SteveDunlin (Author) commented:
We have a dedicated 30MB Ethernet on a leased line via a Cisco router directly into their network, so it is not ADSL, and the external facing network cards on the TMGs connect to this and I point them at their DNS servers. The internal facing network cards on the TMGs connect to a switch with internal traffic and IPs on it. We have a single domain, so no segments or internal firewalls or routing.

Glen Knight commented:
Sorry, I was referring to a broadband consortium, which most schools in the UK use. I have 3 on the SWGfL circuit.

SteveDunlin (Author) commented:
No, we go direct via Virgin on a leased 30MB Ethernet as we are a private school, so both TMGs connect directly onto this Ethernet via their external facing NICs within the TMGs.

Glen Knight commented:
What do the logs say when you try to access the OWA from the console on the FTMG server?

loki_loki commented:
Presumably your internal NIC has internal DNS servers set on it?

Can you change the references to the CAS server in the rule/listener config to the IP address, not the name of the CAS, and see if you can get to OWA then?

SteveDunlin (Author) commented:
Yes, my internal NICs point to my DC DNS servers. I will try what you suggest. Thanks!

loki_loki commented:
As I think about it, the other things to check are:

DNS suffixes and search list are entered correctly.

Also the primary DNS suffix in System Properties > Computer Name > Change > More is entered correctly. Should be OK for a domain joined server, but mine is stand alone so it needed entering manually.

If you can ping by IP, can you ping by FQDN?
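loki_loki's checks above (DNS servers and suffix list per NIC, ping by IP, name and FQDN, a flushed resolver cache) and Steve's observation that the troubled TMG resolves the short name kingsmail4 to its public address can be run as one diagnostic from the TMG itself. The script below is an added example, not from the thread. It sticks to WMI, .NET and nslookup so it works on the PowerShell 2.0 that ships with the Windows Server 2008 R2 hosts TMG 2010 runs on (no Resolve-DnsName). The host names come from the thread; the CAS's internal address is not given on the page, so it is a parameter you supply.

```powershell
# Added diagnostic script (not from the thread). Run on the TMG server in an
# elevated PowerShell prompt. Host names come from the thread; the internal
# address of the CAS is not on the page, so supply it as a parameter.
param(
    [string]$CasName = 'kingsmail4',
    [string]$CasFqdn = 'kingsmail4.kings-ely.cambs.sch.uk',
    [Parameter(Mandatory = $true)][string]$ExpectedInternalIp
)

# 1. DNS servers and suffix search list per IP-enabled adapter. On a
#    dual-homed TMG the external NIC is usually pointed at the ISP's resolvers,
#    and a lookup that reaches them returns the published (public) address.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    "{0}`n  IP: {1}`n  DNS servers: {2}`n  Suffix search: {3}" -f $a.Description,
        ($a.IPAddress -join ', '),
        ($a.DNSServerSearchOrder -join ', '),
        ($a.DNSDomainSuffixSearchOrder -join ', ')
}
'Primary DNS suffix: ' + (Get-WmiObject Win32_ComputerSystem).Domain

# 2. Ask each configured DNS server directly for the short name and the FQDN,
#    so it is obvious which server hands back the public address. nslookup is
#    run via cmd so its stderr header lines arrive as plain strings.
$servers = $adapters | ForEach-Object { $_.DNSServerSearchOrder } |
    Where-Object { $_ } | Select-Object -Unique
foreach ($s in $servers) {
    foreach ($n in @($CasName, $CasFqdn)) {
        # The first "Address:" line is the resolver's own address; skip it.
        $answers = & cmd.exe /c "nslookup $n $s 2>&1" |
            Select-String '^Address' | Select-Object -Skip 1 |
            ForEach-Object { ($_.Line -split ':\s*')[1] }
        if (-not $answers) { $answers = '(no answer)' }
        "DNS {0} -> {1}: {2}" -f $s, $n, ($answers -join ', ')
    }
}

# 3. What this host's own resolver returns after the cache is cleared. This
#    is the answer a name-based "to" server in the TMG rule or listener gets.
ipconfig /flushdns | Out-Null
foreach ($n in @($CasName, $CasFqdn)) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($n) |
            ForEach-Object { $_.IPAddressToString }
        if ($ips -contains $ExpectedInternalIp) { $verdict = 'OK (internal address)' }
        else { $verdict = 'MISMATCH (not the internal address)' }
        "Resolver {0} -> {1}  [{2}]" -f $n, ($ips -join ', '), $verdict
    } catch {
        "Resolver {0} -> FAILED: {1}" -f $n, $_.Exception.Message
    }
}

# 4. Ping by IP, short name and FQDN, then a TCP connect to 443 on the
#    internal address, which is what the listener needs even when ICMP is
#    blocked (the Test Rule ping failing on its own proves little).
foreach ($t in @($ExpectedInternalIp, $CasName, $CasFqdn)) {
    $up = Test-Connection -ComputerName $t -Count 1 -Quiet -ErrorAction SilentlyContinue
    "Ping {0}: {1}" -f $t, $(if ($up) { 'reply' } else { 'no reply' })
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ExpectedInternalIp, 443)
    "TCP 443 to {0}: open" -f $ExpectedInternalIp
} catch {
    "TCP 443 to {0}: blocked or closed ({1})" -f $ExpectedInternalIp, $_.Exception.Message
} finally {
    $tcp.Close()
}
```

Save it as, say, Test-CasResolution.ps1 and run `.\Test-CasResolution.ps1 -ExpectedInternalIp <internal IP of kingsmail4>`. If step 2 shows the external NIC's resolvers answering with the public address while the internal DCs answer correctly, and step 3 reports MISMATCH, that is the behaviour Steve describes and it explains why pointing the listener at the IP works: the rule was being handed the published address instead of the internal one.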
 
SteveDunlin (Author) commented:
Well, I have to say that on my web listener I changed the references as suggested to the IP address and it is now working externally! I also have just noticed that the suggestion has come from loki, so I have declared that as the solution, but I am eternally grateful for all of the help from demazter as you have been brilliant and very helpful throughout. Many thanks to both of you.
Steve

SteveDunlin (Author) commented:
It worked immediately I tried it
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 14
  • 12
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now