Solved

How to publish Outlook Anywhere 2007 using TMG 2010?

Posted on 2011-03-09
Last Modified: 2012-05-11
Hi All,

I'm having a problem publishing Outlook Anywhere on my Exchange Server 2007 SP1 with TMG 2010 Standard.

The error log:
Checking the IIS configuration for client certificate authentication.
	Client certificate authentication was detected.
	Additional Details
	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.


In my current setting (see the attached PowerShell result):

I have successfully published Exchange ActiveSync externally using TMG 2010, with a KCD single publishing rule and a single listener (ActiveSync only, because my TMG 2010 only has one NIC attached), and the Exchange Server 2007 CAS is the same machine of course.

I can't add another listener to the publishing rule just for Outlook Anywhere.

Any help and guidance will be greatly appreciated.

Thanks.
"OutlookAnywhere"
Server      Identity                           SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------      --------                           ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site)          True                      Basic {Basic}                 
ExCAS03 ExCAS03\Rpc (Default Web Site)          True                      Basic {Basic}                 

"AutodiscoverVirtualDirectory"
Server      Identity                                    InternalUrl ExternalUrl InternalAuthenticationMethods    ExternalAuthenticationMethods    BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                                    ----------- ----------- -----------------------------    -----------------------------    ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS03 ExCAS03\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site)                           {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True


IIS 7.0 settings

Autodiscover
	Authentication Enabled: Basic, Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Microsoft-Server-ActiveSync
	Authentication Enabled: Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Rpc
	Authentication Enabled: Basic
	SSL Settings: (None checked)
		Client Certificates: Ignore

RpcWithCert
	Authentication Enabled: (None Enabled)
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore


Question by:jjoz
18 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 35094581
Open the TMG publishing rule, click "Test Rule" and see on which virtual directory it is giving you this error.


First of all, on

Rpc
      Authentication Enabled: Basic
      SSL Settings: (None checked)
            Client Certificates: Ignore

SSL should be set to Require SSL. Try this and run iisreset first.
0
 
LVL 1

Author Comment

by:jjoz
ID: 35099816
Hi mate, all is good from The Test Rule button, all is green.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35100080
Did you try to set the Rpc directory to require SSL and restart IIS?
0
 
LVL 1

Author Comment

by:jjoz
ID: 35101574
Yes, done that already and it still failed. :-|
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35101679
Please go to testexchangeconnectivity.com, run an Outlook Anywhere test and give me the errors.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35101754
I also just noticed you have SSL offloading set to True! Do you have an SSL hardware solution? If not, this should be set to False on your CAS servers.
0
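The two points Akhater raises in the accepted solution and in the comment above (the Rpc virtual directory must require SSL, and SSLOffloading must be False unless a real offloading device terminates TLS in front of the CAS) can be audited in one pass. This is an added example, not code from the thread; it assumes it runs in the Exchange 2007 Management Shell on the CAS itself, with IIS 7 appcmd.exe present, and changes nothing unless -Fix is given.

```powershell
# Added example (not from the thread): audit the local CAS for the Outlook
# Anywhere settings discussed above, and optionally correct them with -Fix.
param([switch]$Fix)

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$vdir   = 'Default Web Site/Rpc'   # path used by the IIS settings in the question

# appcmd prints the <access sslFlags="..."/> element; flags are comma separated,
# e.g. "Ssl, Ssl128", "None", or "Ssl, SslNegotiateCert".
$xml     = & $appcmd list config $vdir /section:access
$flags   = if ("$xml" -match 'sslFlags="([^"]*)"') { $Matches[1] } else { 'None' }
$flagSet = $flags -split '\s*,\s*'

$findings = @()

# Akhater's first point: the Rpc virtual directory must have Require SSL.
if ($flagSet -notcontains 'Ssl') {
    $findings += "$vdir does not require SSL (sslFlags=$flags)"
    if ($Fix) { & $appcmd set config $vdir /section:access '/sslFlags:Ssl,Ssl128' | Out-Null }
}

# The ExRCA warning quoted in the question fires when Accept or Require client
# certificates is set; report it rather than change it, since that is a design decision.
if ($flagSet -contains 'SslNegotiateCert' -or $flagSet -contains 'SslRequireCert') {
    $findings += "$vdir negotiates/requires client certificates (sslFlags=$flags)"
}

# Akhater's second point: TMG re-encrypts to the CAS, so it is not an SSL
# offloading device and SSLOffloading should be False.
foreach ($oa in Get-OutlookAnywhere -Server $env:COMPUTERNAME) {
    if ($oa.SSLOffloading) {
        $findings += "$($oa.Identity) has SSLOffloading=True"
        if ($Fix) { Set-OutlookAnywhere -Identity $oa.Identity -SSLOffloading $false }
    }
}

# Both changes need IIS to pick up the new configuration.
if ($Fix -and $findings) { iisreset /noforce | Out-Null }

if ($findings) { $findings } else { "No findings: $vdir requires SSL and SSLOffloading is False" }
```

Run it once without -Fix on each CAS (the thread has ExCAS02 and ExCAS03), compare the output, then rerun with -Fix only on servers where the findings match what was agreed.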
 
LVL 1

Author Comment

by:jjoz
ID: 35101851
implementation due to the security issue as well. Outlook Anywhere cannot be enabled just for a select few people, it will be enabled for all mailbox users. I just realized that I must use a certificate that I generated from the self-signed / my domain CA, so I guess that is the reason it failed in "testexchangeconnectivity.com"? Because that website doesn't have my certificate? cmiiw?

SSL offloading --> no, I use TMG 2010. Can that be an SSL accelerator?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35101903
You mean you have your Exchange running on self-signed certificates?

Nope, this cannot be an SSL accelerator. Turn these off.
0
 
LVL 1

Author Comment

by:jjoz
ID: 35101956
"You mean you have your exchange running on self signed certificates ?"
No, my Exchange uses 3rd-party trusted SSL SAN certs, but for the people to have access to ActiveSync I must issue a self-signed cert.

I wonder if OA can work with this type of security implementation.

Oh.. so TMG 2010 is not an SSL offloading device / server?
OK, I'll uncheck that from my CAS server option.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35101968
I still don't get it!

What do you mean by

>>no my Exchange uses 3rd party trusted SSL SAN certs. but for the people to have access into Activesync I must issue self signed cert.<<

You are issuing client certificates for the ActiveSync devices??

What errors did testexchangeconnectivity give you?


0
 
LVL 1

Author Comment

by:jjoz
ID: 35104339
Many thanks for the reply Akhater. I have created my user certificate (from the internal CA server in my domain) and imported it into the User certificate store in the MMC console; however, in Outlook 2007 on my PC, when I select the certificate from the dropdown it always fails?

Typing DOMAIN\myusername also failed to connect (same as on the website too). I am under the impression that the website failure is of course a legitimate error and is expected, since testexchangeconnectivity.com doesn't have my user certificate; that is why it failed.
0
 
LVL 1

Author Comment

by:jjoz
ID: 35104594
From my laptop: https://server.domain.com/RPC --> result timed out? No response back.

From the TMG 2010 Standard server: https://server.domain.com/RPC --> continuously prompted for credentials, and then when I press the ESC button it failed with 401?

From the Exchange server CAS role itself: https://server.domain.com/RPC --> Page Cannot be Displayed, 404?

From the external internet: https://Activesync.domain.com/RPC --> I got prompted for credentials and then "You do not have permission to view this directory or page."
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35106048
I have to say you lost me!

1. I thought you said that ActiveSync was working.
2. In all the config you have given me above, where did you set the "require certificates" part? How are you using these client certificates? In your config all the virtual directories have the client certificate set to Ignore.
3. testexchangeconnectivity is failing on which step, and what is the error?
0
 
LVL 1

Author Comment

by:jjoz
ID: 35106122
Akhater, sorry to cause such confusion:

1. Yes, ActiveSync is working; I deployed it last year and never got into problems. The only problem here is OA.

2. "require certificates" part? --> That is why I don't know where to look, since I'm not the one who set up the Exchange Server and TMG initially (the person has left the company).

3. The Test Exchange website failed because in this case it doesn't have the certificate issued by my AD CA to identify me as a user of my company domain. The SSL SAN cert has been installed successfully for ActiveSync and to certify the Exchange Servers + my Autodiscover domain.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35106129
And you are totally sure that ActiveSync will not work without a certificate? With this config I doubt they are being used.

You pointed to the IIS config, but I see you have 2 CAS servers; is it the same on both?

If you don't mind, I have a way to contact me in my profile. Can you send me a test user / pass so I can do some tests from my side?
0
 
LVL 1

Author Comment

by:jjoz
ID: 35125005
Hi, sorry for the delay, I was out of the office during my weekend.

Unfortunately I'm not allowed to disclose that, Akhater, but thanks for your willingness to help so far.

So in this case my goal here is impossible, since I want to use a user-generated certificate (User certificate) from the internal CA so that the user can just select the certificate from the drop-down list rather than typing the password?
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 500 total points
ID: 35126706
I didn't say the goal was impossible. I am just trying to figure out how it was achieved since, looking at what you provided, there is no way client certificates are required.
0
 
LVL 1

Author Comment

by:jjoz
ID: 35144238
Thanks for your help Akhater. Management has voted to roll back the changes now, since users get random credential pop-ups with the Autodiscover issue everywhere.
0
