Solved

So near and yet so far!

Posted on 2011-03-01
34
1,119 Views
Last Modified: 2012-05-11
It really has been a long slog setting up my first Exchange 2010 server in co-existence with a fully working Exchange 2007 server. The situation I am at is that it is all up and running successfully with SP1 installed and an external SSL certificate from Entrust being used that has the following domain names on it: kingsmail4.kings-ely.cambs.sch.uk and the internal name of kingsmail4. Internal access via OWA is fine, as I have moved a mailbox over for testing and using https://kingsmail4/owa the user is logged straight on, so all brilliant so far.

If I am to use this server in the future I need to allow external access for users, and this is where it all grinds to a halt, as I just cannot access my test account through Forefront: it just fails repeatedly. I get the form screen up, and I have used the Forefront wizard to create a rule and also have successfully created a web listener using the same Entrust certificate, and indeed this shows up as fine in the Outlook Web App, but authentication fails to pass through to the mail server and it says it cannot authenticate to Forefront. The Forefront server is a full member of the domain, so I am really at a loss how to proceed next as there is not a lot out there. Any help would be gratefully received as I am so close to deploying and yet without external access it is of no use.

Regards

Steve Dunlin
Question by:SteveDunlin
34 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35006504
Are you creating a publishing rule on Forefront for Exchange 2010 OWA, and if so, what do you have under the authentication delegation?

Have you turned off Forms Based Authentication on the Exchange 2010 CAS server?
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35006540
Does the request get to Forefront at all? Look in the logs and see the real-time tracking when you try and connect externally.
I assume you have set external DNS to point to the right IP, with the domain matching the certificate. What error do you get?
What authentication did you set in the listener?
0
 

Author Comment

by:SteveDunlin
ID: 35006972
I have turned off Forms Based Authentication on the CAS, yes, and Forefront is set to Basic Authentication on the rule and HTML Authentication and Active Directory on the web listener.
0
 

Author Comment

by:SteveDunlin
ID: 35007010
I have had a colleague check externally, as I have myself, and you hit the Forefront TMG, and I know there are no issues with incorrect IP addresses or DNS as it is published externally for me by Virgin.
The issue is something to do with authentication. You can check the site yourself if you use https://kingsmail4.kings-ely.cambs.sch.uk/owa
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35007019
And what authentication methods do you have set on the OWA virtual directory listed under Server Configuration > Client Access ?
What happens when you click Test Rule on the Exchange rule in forefront?
0
 

Author Comment

by:SteveDunlin
ID: 35007105
The Test Rule all shows as successful apart from ping, and the Server Config in Client Access is set to Integrated and Basic.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35007115
can you browse to OWA from the FTMG server itself?
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35007140
Checking my config, I have basic authentication on the OWA virtual directory.  
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35007151
I have Basic and Integrated on 2 that I have checked.
This allows internal users to browse to OWA without password prompts.
0
 

Author Comment

by:SteveDunlin
ID: 35007178
Yes, by having Basic and Integrated set my test user logs on without being prompted for credentials, so the CAS server internally is doing exactly what it should. I cannot browse from my Forefront server to my mail server.
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35007213
I know you said the TMG is in the domain, but do you have a firewall in between them? Can you ping it by name or IP?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35007227
You need a rule to allow HTTPS traffic from localhost (FTMG) to the CAS server.
0
 

Author Comment

by:SteveDunlin
ID: 35007656
OK, thought the rule might do the trick but still the same. Have tested from an external at our prep school and it still fails authentication and says "You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again." Shame, as I had not tried that. Steve
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35008033
Can you ping the CAS from TMG by name and IP?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35008045
how are you entering the username? Are you using DOMAIN\username?
0
 

Author Comment

by:SteveDunlin
ID: 35008083
Yes, I am entering domain\username. Ignore the last message that said you cannot log on to Forefront, as that was me omitting to type the password in. If I type the password in I get no error message but it just fails to log in.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35008115
But you can now get to OWA from the FTMG server?

You say you get no error; does the password screen re-appear? If so, does it still have the Forefront footer? (screenshot: forefrontfooter.jpg)
If not, then you haven't disabled forms-based authentication on the Exchange CAS server, or if you have, you haven't reset IIS by running IISRESET from a command prompt.
0
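The check and change Glen describes above (forms-based authentication off on the CAS, then IISRESET), as an added example that is not part of the thread, written for the Exchange Management Shell on the Exchange 2010 Client Access Server. The server name kingsmail4 is the one from the thread; the cmdlets and parameters are the stock Exchange 2010 ones. It also touches the ECP virtual directory, because Exchange 2010 warns when ECP's authentication settings differ from OWA's, and it finishes with a local HTTPS probe so you can see the CAS answer with a 401 challenge rather than its own logon form.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2010 CAS. $cas is the CAS name used in the thread.
$cas = 'kingsmail4'

$fields = 'Identity', 'FormsAuthentication', 'BasicAuthentication', 'WindowsAuthentication'

# Before: what the CAS currently offers. With TMG's own form in front and Basic
# delegation on the rule, forms-based auth on the CAS must be off; otherwise the CAS
# answers TMG's delegated request with a second logon page instead of accepting it.
Get-OwaVirtualDirectory -Server $cas | Format-List $fields
Get-EcpVirtualDirectory -Server $cas | Format-List $fields

foreach ($vdir in @(Get-OwaVirtualDirectory -Server $cas)) {
    if ($vdir.FormsAuthentication) {
        Set-OwaVirtualDirectory -Identity $vdir.Identity `
            -FormsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $true
    }
}
# Exchange 2010 expects ECP to match OWA (it warns if they differ), so keep them in step.
foreach ($vdir in @(Get-EcpVirtualDirectory -Server $cas)) {
    if ($vdir.FormsAuthentication) {
        Set-EcpVirtualDirectory -Identity $vdir.Identity `
            -FormsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $true
    }
}

# The change is written to AD/IIS but the running site only picks it up after a reset.
iisreset

# After: confirm the settings and probe the vdir without credentials. With forms-based
# auth off the CAS must answer 401 with a WWW-Authenticate header (Negotiate/NTLM/Basic);
# a 302 to /owa/auth/logon.aspx means the form is still on. PowerShell 2.0 on 2008 R2
# has no Invoke-WebRequest, so HttpWebRequest is used directly. The certificate check
# is skipped only because the internal short name is being used for this local probe.
Get-OwaVirtualDirectory -Server $cas | Format-List $fields

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$req = [System.Net.HttpWebRequest]::Create("https://$cas/owa/")
$req.AllowAutoRedirect = $false
$req.UseDefaultCredentials = $false
try {
    $resp = $req.GetResponse()
    "{0} {1}  (Location: {2})" -f [int]$resp.StatusCode, $resp.StatusDescription, $resp.Headers['Location']
    $resp.Close()
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($resp -eq $null) { throw }
    "{0} {1}  WWW-Authenticate: {2}" -f [int]$resp.StatusCode, $resp.StatusDescription, $resp.Headers['WWW-Authenticate']
}
```

The expected result after the reset is a `401 Unauthorized` line listing the challenge methods; if you still see `302 Found` pointing at `/owa/auth/logon.aspx`, either the Set- cmdlet did not apply or IIS was not reset.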
 

Author Comment

by:SteveDunlin
ID: 35008199
No, I cannot get to OWA from the Forefront server. You can see yourself at https://kingsmail4.kings-ely.cambs.sch.uk/owa. From the screen I enter domain\username and the password and press return and nothing happens; it just stays as the screen you included above with the Forefront footer, so you hit Forefront externally but for some reason authentication is not passed to the CAS.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35008209
From the actual FTMG server, using either the console or a remote desktop session, you need to be able to browse to the CAS server and log in.
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35008305
So, if you can't get to the CAS from the TMG, then is there a firewall between them, and can you ping the CAS from the TMG?
0
 

Author Comment

by:SteveDunlin
ID: 35015327
Good morning - I thought a break was needed after all of your help yesterday, which I was really grateful for. I did not quite follow the remote desktop session and console part as I did not know what you meant by console. However, the remote desktop threw up something interesting, and I also discovered something else unusual but have not researched further yet.

If I do a remote desktop session using Kingsmail4 it fails to connect with an error message of "The connection cannot be completed because the remote computer that was reached is not the one you specified". However, if I use the IP address of Kingsmail4 it works.

The other strange issue I came across was when I created a network share on Kingsmail4 (I wanted to copy certs across from it): when I tried to map the drive from Forefront it gave an error "The mapped Network Drive could not be created because the following error has occurred: Logon Failure: The target account name is incorrect". However, mapping the drive from elsewhere, including my other Forefront server, is always successful. I am not sure yet of the significance of this nor the reason, but I will research further this morning!

Regards
Steve
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35015497
Morning,

Console just means going to the physical login screen, either by standing in front of it or remote controlling it using VNC, DameWare etc. Remote desktop connects to a terminal services session, which isn't the same thing.

I would thoroughly check your DNS settings to make sure there aren't erroneous entries. It was what I was trying to establish yesterday with the ping question. After checking the DNS entries, make sure that you can ping the CAS server from the TMG server, both by IP and by name.

If DNS looks OK and the TMG still cannot ping by name, then check the IP settings on the TMG and try ipconfig /flushdns to clear the TMG's DNS cache and try pinging again. Let us know how you get on.
0
 

Author Comment

by:SteveDunlin
ID: 35015685
Thanks, and I have flushed the cache already, but something interesting: I have another Forefront server with an almost identical setup that publishes my Exchange 2007 server (successfully, I quickly add!), and when I ping kingsmail4 from there it returns its internal IP address (192. etc). When I ping kingsmail4 from the TMG it replies with its external IP address, as it turns kingsmail4 into its FQDN of kingsmail4.kings-ely.cambs.sch.uk. Not totally unexpected, as the external-facing card of Forefront connects directly to the Virgin DNS servers.

Both TMGs have identical network card setups, so not sure why one resolves internally and yet the one I have issues with does not, nor its significance at this stage. I have checked DNS on my 3 DCs and there are no erroneous entries for Kingsmail4 in forward or reverse lookups, and WINS is fine - very perplexing!

Regards
Steve
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35015695
Remote Desktop can connect to the console session by using either the /admin or /console switch, depending on the version of the Remote Desktop client/Windows.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35015709
Steve, which grid are you connected to, or are you on your own service away from the broadband consortiums?

The FTMG server, does it have DNS specified on both NICs? If so, is it correct? Is the FTMG server your router, or do you have another device in between the WAN NIC and the Internet connection?
0
 

Author Comment

by:SteveDunlin
ID: 35015742
We have a dedicated 30MB Ethernet on a leased line via a Cisco router directly into their network, so it is not ADSL, and the external-facing network cards on the TMGs connect to this and I point them at their DNS servers. The internal-facing network cards on the TMGs connect to a switch with internal traffic and IPs on it. We have a single domain, so no segments or internal firewalls or routing.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35015759
Sorry, I was referring to a broadband consortium, which most schools in the UK use. I have 3 on the SWGfL circuit.

0
 

Author Comment

by:SteveDunlin
ID: 35015773
No, we go direct via Virgin on a leased 30MB Ethernet as we are a private school, so both TMGs connect directly onto this Ethernet via their external-facing NICs.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35015777
What do the logs say when you try to access the OWA from the console on the FTMG server?
0
 
LVL 4

Accepted Solution

by:
loki_loki earned 500 total points
ID: 35015793
Presumably your internal NIC has internal DNS servers set on it?

Can you change the references to the CAS server in the rule/listener config to the IP address, not the name of the CAS, and see if you can get to OWA then?
0
 

Author Comment

by:SteveDunlin
ID: 35015805
Yes, my internal NICs point to my DC DNS servers. I will try what you suggest - thanks!
0
 
LVL 4

Expert Comment

by:loki_loki
ID: 35015878
As I think about it, the other things to check are:

DNS suffixes and search list are entered correctly.

Also the primary DNS suffix in System Properties > Computer Name > Change > More is entered correctly. Should be OK for a domain-joined server, but mine is stand-alone so needed it entering manually.

If you can ping by IP, can you ping by FQDN?
0
 

Author Comment

by:SteveDunlin
ID: 35015883
Well, I have to say that on my web listener I changed the references as suggested to the IP address and it is now working externally! I also have just noticed that the suggestion has come from loki, so I have declared that as the solution, but I am eternally grateful for all of the help from demazter, as you have been brilliant and very helpful throughout. Many thanks to both of you. Steve
0
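The name-resolution check behind loki_loki's fix, as an added example that is not from the thread. The symptom Steve reported was that the problem TMG resolved kingsmail4 to its public address because the external NIC points at the ISP's DNS servers, so a rule or listener that names the CAS is sent the wrong way. This script runs on the TMG server under the PowerShell 2.0 that ships with Windows Server 2008 R2 (no Resolve-DnsName there, so it drives nslookup), asks every DNS server on every IP-enabled NIC for the CAS name separately, flags public versus RFC 1918 answers, probes TCP/443 on each, and finally shows what the OS resolver returns, which is the answer TMG itself uses. The FQDN is the one from the thread; the 3 s connect timeout and the private-range test are my choices.

```powershell
# Added example (not from the thread). Run on the TMG server in PowerShell 2.0.
$casName = 'kingsmail4.kings-ely.cambs.sch.uk'   # CAS name from the thread

function Get-ARecords {
    # One nslookup against one server; returns the IPv4 addresses in its answer.
    param([string]$Name, [string]$Server)
    $out = & nslookup -type=A $Name $Server 2>&1 | Out-String
    # nslookup prints the resolver's own "Address:" first; only the text after the
    # "Name:" line is the answer for $Name. No "Name:" means no answer or a timeout.
    $parts = $out -split 'Name:'
    if ($parts.Count -lt 2) { return @() }
    [regex]::Matches($parts[1], '\b\d{1,3}(\.\d{1,3}){3}\b') | ForEach-Object { $_.Value }
}

function Test-PrivateIPv4 {
    # RFC 1918 ranges; anything else is treated as a public (Internet-facing) answer.
    param([string]$Ip)
    $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

function Test-Tcp443 {
    # Connect with a 3 s timeout so a blackholed public address does not stall the run.
    param([string]$Ip)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Ip, 443, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $v4 = @($nic.IPAddress | Where-Object { $_ -match '^\d' })
    "`n== {0} [{1}]" -f $nic.Description, ($v4 -join ', ')
    if (-not $nic.DNSServerSearchOrder) {
        "   no DNS servers on this NIC"
        continue
    }
    foreach ($dns in $nic.DNSServerSearchOrder) {
        $answers = @(Get-ARecords -Name $casName -Server $dns)
        if ($answers.Count -eq 0) {
            "   {0,-15}  -> no answer / timeout" -f $dns
            continue
        }
        foreach ($ip in $answers) {
            $scope = if (Test-PrivateIPv4 $ip) { 'internal' } else { 'PUBLIC  ' }
            $port  = if (Test-Tcp443 $ip) { 'TCP/443 open' } else { 'TCP/443 closed or filtered' }
            "   {0,-15}  -> {1,-15} {2}  {3}" -f $dns, $ip, $scope, $port
        }
    }
}

# What Windows itself returns for the name is what the TMG rule/listener uses.
# A public address here reproduces the thread's symptom: the rule "to" the CAS by
# name is being sent out of the external NIC instead of to the internal CAS.
$os = [System.Net.Dns]::GetHostAddresses($casName) | ForEach-Object { $_.IPAddressToString }
"`nOS resolver: {0} -> {1}" -f $casName, ($os -join ', ')
```

On the working TMG the internal NIC's DC servers should be the only ones answering, with an `internal` address and `TCP/443 open`; on the broken one the external NIC's ISP servers will show the `PUBLIC` address, and the last line tells you which of the two Windows picked. Pointing the listener at the IP, as the accepted answer does, works around that; the underlying fix is the usual TMG/ISA guidance of configuring DNS servers on the internal NIC only and leaving the external NIC's DNS fields empty, so both TMGs resolve the CAS the same way.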
 

Author Closing Comment

by:SteveDunlin
ID: 35015889
It worked immediately I tried it
0
