Managing Active Directory can get complicated. Often, the native tools for managing AD are just not up to the task. The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.
Course Of The Month
6 days, 11 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How to publish Outlook Anywhere 2007 using TMG 2010 ?
Posted on 2011-03-09
Hi All,
I'm having problem in publishing the Outlook Anywhere on my Exchange Server 2007 SP1 with TMG 2010 Standard
The error log:
In my current setting (see the attached powersheel result)
I have successfully published Exchange Activesync using TMG 2010 externally by using KCD security single Publishing rule and Single Listener (Activesync only because my TMG 2010 only have one NIC attached) and the Exchange Server 2007 CAS is the same machine of course.
I can't add another listener to the publishing rule just for Outlook Anywhere.
Any help and guidance will be greatly appreciated.
Thanks.
I'm having problem in publishing the Outlook Anywhere on my Exchange Server 2007 SP1 with TMG 2010 Standard
The error log:
Checking the IIS configuration for client certificate authentication.
Client certificate authentication was detected.
AdditionalDetails
[b]Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication[/b].
In my current setting (see the attached powersheel result)
I have successfully published Exchange Activesync using TMG 2010 externally by using KCD security single Publishing rule and Single Listener (Activesync only because my TMG 2010 only have one NIC attached) and the Exchange Server 2007 CAS is the same machine of course.
I can't add another listener to the publishing rule just for Outlook Anywhere.
Any help and guidance will be greatly appreciated.
Thanks.
"OutlookAnywhere"
Server Identity SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------ -------- ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site) True Basic {Basic}
ExCAS03 ExCAS03\Rpc (Default Web Site) True Basic {Basic}
"AutodiscoverVirtualDirectory"
Server Identity InternalUrl ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods BasicAuthentication DigestAuthentication WindowsAuthentication
------ -------- ----------- ----------- ----------------------------- ----------------------------- ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site) {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated} True False True
ExCAS03 ExCAS03\Autodiscover (Default Web Site) {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated} True False True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site) {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated} True False True
IIS 7.0 settings
Autodiscover
Authentication Enabled: Basic, Windows
SSL Settings: Require SSL, Require 128-bit SSL
Client Certificates: Ignore
Microsoft-Server-ActiveSync
Authentication Enabled: Windows
SSL Settings: Require SSL, Require 128-bit SSL
Client Certificates: Ignore
Rpc
Authentication Enabled: Basic
SSL Settings: (None checked)
Client Certificates: Ignore
RpcWithCert
Authentication Enabled: (None Enabled)
SSL Settings: Require SSL, Require 128-bit SSL
Client Certificates: Ignore
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
9-
9
18 Comments
Active 2 days ago
open the TMG publishing rule and click on "Test Rule" and see on which virtual directory it is giving you this error
first of all on
Rpc
Authentication Enabled: Basic
SSL Settings: (None checked)
Client Certificates: Ignore
SSL should be set to require SSL try this and run iis reset first
first of all on
Rpc
Authentication Enabled: Basic
SSL Settings: (None checked)
Client Certificates: Ignore
SSL should be set to require SSL try this and run iis reset first
Active 2 days ago
please go to testexchangeconnectivity.c
Active 2 days ago
i also just noticed you have ssl offloading set to true ! Do you have an ssl hardware solution ? if not this should be set to false on your cas servers
implementation due to the security issue as well. Outlook Anywhere cannot be enabled just for select few people, it will be enabled for the whole mailbox users, I just realized that I must use certificate that I generated from the self signed / my domain CA, so I guess that is the reason it failed in the "testexchangeconnectivity.
ssl offloading --> no I use TMG 2010 can that be SSL accelerator ?
ssl offloading --> no I use TMG 2010 can that be SSL accelerator ?
Active 2 days ago
You mean you have your exchange running on self signed certificates ?
nop this cannot be an SSL accelerator turn these off
nop this cannot be an SSL accelerator turn these off
'You mean you have your exchange running on self signed certificates ?"
no my Exchange uses 3rd party trusted SSL SAN certs. but for the people to have access into Activesync I must issue self signed cert.
I wonder if OA can work with this type of security implementation.
oh.. so TMG 2010 is not SSL Offloading device / server ?
OK, I'll uncheck that from my CAS server option.
no my Exchange uses 3rd party trusted SSL SAN certs. but for the people to have access into Activesync I must issue self signed cert.
I wonder if OA can work with this type of security implementation.
oh.. so TMG 2010 is not SSL Offloading device / server ?
OK, I'll uncheck that from my CAS server option.
Active 2 days ago
i still don't get it !
What do you mean by
>>no my Exchange uses 3rd party trusted SSL SAN certs. but for the people to have access into Activesync I must issue self signed cert.<<
you are issuing client certificates for the activesync devices ??
what errors did testexchangeconnectivity give you ?
What do you mean by
>>no my Exchange uses 3rd party trusted SSL SAN certs. but for the people to have access into Activesync I must issue self signed cert.<<
you are issuing client certificates for the activesync devices ??
what errors did testexchangeconnectivity give you ?
Many thanks for the reply Akhater, I have created my user certificate (from the internal CA server in my domain) and imported to the User certificate in the MMC console, however in my PC outlook 2007, when I select the certificate from dropdown it always failed ?
as well as typing DOMAIN\myusername also failed to connect (same as in the website too), I am under the imporession that the websitefailed is of course legitimate error and that is expected since the testexchangeconnectivity.c
as well as typing DOMAIN\myusername also failed to connect (same as in the website too), I am under the imporession that the websitefailed is of course legitimate error and that is expected since the testexchangeconnectivity.c
from my laptop: https://server.domain.com/RPC --> result timed out ? no response back
from the TMG 2010 standard server: https://server.domain.com/RPC --> continuously prompted for credentials and then when I press ESC button, it failed with 401 ?
from the Exchange server CAS role itself: https://server.domain.com/RPC --> Page Cannot be Displayed 404 ?
from the external internet: https://Activesync.domain.com/RPC --> I got prompted for credentials and then You do not have permission to view this directory or page.
from the TMG 2010 standard server: https://server.domain.com/RPC --> continuously prompted for credentials and then when I press ESC button, it failed with 401 ?
from the Exchange server CAS role itself: https://server.domain.com/RPC --> Page Cannot be Displayed 404 ?
from the external internet: https://Activesync.domain.com/RPC --> I got prompted for credentials and then You do not have permission to view this directory or page.
Active 2 days ago
I have to say you lost me !
1. I thought you said that ActiveSync was working
2. in all your config you have given me above where did you set the "require certificates" part ? how are you using these client certificates ? in your config all the virtual direcotries have the client certificate set to ignore
3. testexchangeconnectivity is failing oon which step and what is the error
1. I thought you said that ActiveSync was working
2. in all your config you have given me above where did you set the "require certificates" part ? how are you using these client certificates ? in your config all the virtual direcotries have the client certificate set to ignore
3. testexchangeconnectivity is failing oon which step and what is the error
Akhater, sorry to cause such confusion:
1. yes Activesync is working since last year I deployed and never got into problem, the only problem here is the OA
2."require certificates" part ? --> that is why I don't know where to look for since I'm not the one who setup the Exchange Server and TMG initially (the person has left the company).
3.Test Exchange website failed because in this case it doesn't have the certificate that is issued by my AD-CA to identify me as the user of my company domain, the SSL SAN cert. has been installed successfully for Activesync and to certify the Exchange Servers + my Autodiscover domain.
1. yes Activesync is working since last year I deployed and never got into problem, the only problem here is the OA
2."require certificates" part ? --> that is why I don't know where to look for since I'm not the one who setup the Exchange Server and TMG initially (the person has left the company).
3.Test Exchange website failed because in this case it doesn't have the certificate that is issued by my AD-CA to identify me as the user of my company domain, the SSL SAN cert. has been installed successfully for Activesync and to certify the Exchange Servers + my Autodiscover domain.
Active 2 days ago
and you are totally sure that the activesync will not work without certificate ? with this config I doubt they are being used
you pointed on the IIS config but I see you have 2 CAS servers is it the same on both ?
if you don't mind I have a way to contact me in my profile can you send me a test user / pass so i can do some tests from my side ?
you pointed on the IIS config but I see you have 2 CAS servers is it the same on both ?
if you don't mind I have a way to contact me in my profile can you send me a test user / pass so i can do some tests from my side ?
Hi, sorry for the delay, I was off the office during my weekend.
unfortunately I'm not allowed to disclose that Akhater, but thanks for your willingness to help so far.
so in this case my goal here is impossible since I want to use User generated certificate (User certificate) from Internal CA so that the user can just select the certificate from the drop down list rather than typing the password ?
unfortunately I'm not allowed to disclose that Akhater, but thanks for your willingness to help so far.
so in this case my goal here is impossible since I want to use User generated certificate (User certificate) from Internal CA so that the user can just select the certificate from the drop down list rather than typing the password ?
Active 2 days ago
I didn't say the goal was impossible, I am just trying to figure out how it was achieved since, looking at what you provided, there is no way clients certificates are required
Featured Post
June’s Course of the Month is now available! Experts Exchange’s Premium Members, Team Accounts, and Qualified Experts have access to a complimentary course each month as part of their membership—an extra way to sharpen your skills and increase training.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Many people use more than one email account and so it becomes difficult for them to manage them when they use separate accounts, so, in this article, I have shared an easy way to add Other Mail Accounts in your Google Inbox. It helps to combine all…
Outlook for dependable use in a very small business
Â
This article is about using the Outlook application (part of Microsoft Office) in a very small business, or for homeowners where dependability and reliability are critical requirements. This …
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Servers >> Data…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses
Course of the Month6 days, 11 hours left to enroll
724 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.