Solved

Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG

Posted on 2011-03-13
Last Modified: 2012-06-27
Hi there,

We are using Exchange Server 2007 Standard SP3. OWA and ActiveSync already have been setup and working without any problems through TMG 2010 firewall. The domain where TMG and Exchange have been installed is operating in Windows 2003 mode.

We would like to set up and use Outlook Anywhere with NTLM rather than Basic authentication. NTLM authentication offers one key advantage from an end-user perspective: when using a computer that is a member of our domain and logging on with cached credentials, the user does not need to re-enter their credentials. I was following the white paper "Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG or Forefront UAG": http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3

Everything has been set up according to the instructions from the white paper. Our UCC certificate has the list of required subject alternative names (SANs) and has been installed on the TMG and Exchange servers. As I mentioned before, clients are already using OWA and ActiveSync with this certificate without any problems.

Outlook Connection Status for the internal users shows successful HTTPS connection but externally outlook is still in the “disconnected” mode.
 
When I run “Outlook Anywhere (RPC over HTTP)” test on www.testexchangeconnectivity.com I have this error message:

“Testing HTTP Authentication Methods for URL https://mail.company.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL”.

Clicking on the “Test Rule” button for my Outlook Anywhere rule in TMG shows all happy green ticks.

From the TMG logs I can see denied connection with the status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Request: RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001
Protocol: https User: anonymous

Looking at the URL above, I don't understand why http is there rather than https. Plus, why is the user anonymous?!

I have spent hours trying to find out what I have missed. Please advise me on what needs to be done to make Outlook Anywhere work.

Thank you very much in advance.
14 Comments
 
LVL 12

Expert Comment

by:Saakar
ID: 35125355
What about Basic Authentication with Outlook Anywhere? Does that work?
 
LVL 1

Author Comment

by:Olevo
ID: 35125687
Tried Basic Auth; a Windows popup asks for the user name. Typing domain\username or just username works fine inside. Outside, Outlook asks for the user name and doesn't connect.
 
LVL 26

Expert Comment

by:e_aravind
ID: 35128520
Just a parallel query:
> Did you enable SSL Offloading in the "Outlook Anywhere" settings on "Exchange 2007"?

> You want to remove/un-select it if you are not really using "SSL offloading" on any other hardware box.
 
LVL 4

Expert Comment

by:0x6
ID: 35129792
You might not get a login prompt with the following settings when using Outlook Anywhere, as I don't get prompted with these settings. Please try it with one Outlook client with:
Basic Authentication in TMG (Basic in the publishing rule, HTML Form Authentication in the Listener)
Basic Authentication in Outlook at the following:

Tools--Account Settings--Change--More Settings--Connection--Exchange Proxy Settings--Select both:
On Fast .....
On Slow .....

You can test this with both Basic and NTLM.

[Attached image: OA Basic]
 
LVL 1

Author Comment

by:Olevo
ID: 35134022
To e_aravind:
A bit confused here... Currently SSL offloading is not ticked on my Exchange server. TMG is sitting in front of the Exchange server and I'm guessing that it does handle SSL encryption and decryption. Does that mean that SSL offloading needs to be on?!
 
LVL 26

Expert Comment

by:e_aravind
ID: 35137996
NOPE.
We don't need "SSL Offloading" selected unless we are sure a hardware box is doing the SSL offloading.

>> http://technet.microsoft.com/en-us/library/bb885060(EXCHG.80).aspx
By any chance, do we have the SSLOffloaded key ON on the CAS server?
 
LVL 1

Author Comment

by:Olevo
ID: 35175112
SSL offloading is not ticked on our Exchange server. As soon as I change the Outlook Anywhere authentication to Basic in Exchange, Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords.
 
LVL 12

Expert Comment

by:Saakar
ID: 35179149
What are the authentication settings on the RPC virtual directory on the CAS servers?
If it's Basic, change it to NTLM.
 
LVL 1

Author Comment

by:Olevo
ID: 35195097
saakar_rao:
The authentication method for the Rpc virtual directory is set to "Integrated Windows authentication". Basic authentication is not ticked.

As I mentioned before (post ID: 35175112), as soon as I change the Outlook Anywhere authentication to Basic in Exchange, internal Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords. Is there any way (while I'm testing) I can "play" with authentication changes for OA in Exchange without affecting end users?!

Hundreds of thousands of companies around the globe are using Microsoft Exchange server. Some of them might have set up Outlook Anywhere with NTLM rather than Basic authentication. What I don't understand is why Microsoft or someone else doesn't develop simple tools or step-by-step guides for troubleshooting an Outlook Anywhere setup with an ISA/TMG firewall. Something like: "make sure that you have this or that before you jump to the next step". Why is setting up OWA or ActiveSync with ISA/TMG simple and easy, while Outlook Anywhere is so complex and hard?! Maybe I'm not following the right deployment guides?! Please show me a good one. Everywhere on the internet they talk about setting up OA with Basic authentication... Is anyone anywhere using Outlook Anywhere with NTLM rather than Basic authentication? Could you please share some info on how you did that?
 
LVL 12

Expert Comment

by:Saakar
ID: 35217263
Would it be possible for you to configure the TMG rule to use "No delegation, but client may authenticate directly" and let your CAS server do the authentication?
Also check that "Require SSL" is checked on the RPC virtual directory in IIS.
 
LVL 1

Accepted Solution

by:
Olevo earned 0 total points
ID: 35364178
http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Here is what Jason Jones told me when I asked him about my problem.

“The web listener used for Outlook Anywhere authentication needs to be enabled for Windows Integrated authentication, consequently it needs to be a dedicated listener as TMG cannot do both Windows and FBA at the same time on the same listener. This means it needs a dedicated IP address (bound to just that listener) and is unlikely to be used by other rules...
If you cannot dedicate an IP address, you can use a single IP but you will then need to use basic authentication for Outlook Anywhere and NTLM is not an option...”
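The accepted solution covers the TMG side (a dedicated web listener with Windows Integrated authentication on its own IP). The CAS-side prerequisites that came up earlier in the thread (Outlook Anywhere client authentication method, SSL offloading, and the Require SSL and authentication settings on the /Rpc virtual directory) can be checked in one pass from the Exchange Management Shell. The script below is an added example written for this page, not code from the thread, the white paper, or Microsoft. It assumes Exchange 2007 SP3 on a CAS running IIS 7 (Windows Server 2008) with the WebAdministration module available; on IIS 6 the metabase checks would have to be done with adsutil.vbs instead. The external host name `mail.company.com` is the one from the question and is an assumption to adjust.

```powershell
# Added example (not from the thread): check the CAS-side prerequisites for
# Outlook Anywhere with NTLM on Exchange 2007. Run in the Exchange Management
# Shell on the Client Access server. Assumes IIS 7 + WebAdministration module;
# the external host name below is taken from the question and is an assumption.

$ExpectedExternalHost = 'mail.company.com'
$RpcVdir  = 'IIS:\Sites\Default Web Site\Rpc'
$findings = @()

# 1. Exchange side: Outlook Anywhere must advertise NTLM to clients, and SSL
#    offloading stays off because TMG re-encrypts to the CAS (the CAS still
#    terminates TLS itself), so nothing in front of it is "offloading".
$oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
if (-not $oa) { throw 'Outlook Anywhere is not enabled on this CAS.' }

if ($oa.ClientAuthenticationMethod -ne 'Ntlm') {
    $findings += "ClientAuthenticationMethod is $($oa.ClientAuthenticationMethod); expected Ntlm"
}
if ($oa.SSLOffloading) {
    $findings += 'SSLOffloading is enabled; disable it unless a device really terminates TLS and forwards plain HTTP'
}
if ("$($oa.ExternalHostname)" -ne $ExpectedExternalHost) {
    $findings += "ExternalHostname is $($oa.ExternalHostname); expected $ExpectedExternalHost (must be a SAN on the certificate)"
}

# 2. IIS side: /Rpc must require SSL and accept Windows (Integrated)
#    authentication; anonymous access must be off so RPC_IN_DATA/RPC_OUT_DATA
#    requests are never accepted unauthenticated.
Import-Module WebAdministration -ErrorAction Stop
$authBase = 'system.webServer/security/authentication/'
$win   = (Get-WebConfigurationProperty -PSPath $RpcVdir -Filter "${authBase}windowsAuthentication"   -Name enabled).Value
$anon  = (Get-WebConfigurationProperty -PSPath $RpcVdir -Filter "${authBase}anonymousAuthentication" -Name enabled).Value
$basic = (Get-WebConfigurationProperty -PSPath $RpcVdir -Filter "${authBase}basicAuthentication"     -Name enabled).Value
$ssl   = (Get-WebConfigurationProperty -PSPath $RpcVdir -Filter 'system.webServer/security/access'  -Name sslFlags).Value

if (-not $win) { $findings += '/Rpc: Windows (Integrated) authentication is disabled' }
if ($anon)     { $findings += '/Rpc: anonymous authentication is enabled' }
if ($basic)    { $findings += '/Rpc: Basic authentication is enabled (not needed for NTLM-only clients)' }
if (("$ssl" -split ',\s*') -notcontains 'Ssl') { $findings += '/Rpc: Require SSL is not set' }

if ($findings.Count -eq 0) {
    Write-Host 'CAS-side Outlook Anywhere/NTLM prerequisites look correct.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Typical remediation for the Exchange-side findings. It affects every
    # Outlook Anywhere user on this CAS, so run it in a maintenance window:
    # Set-OutlookAnywhere -Identity "$env:COMPUTERNAME\Rpc (Default Web Site)" `
    #     -ClientAuthenticationMethod Ntlm -SSLOffloading $false
}
```

The script only reads configuration; the commented `Set-OutlookAnywhere` line is the change to apply once the TMG listener is in place. Note that the TMG listener and rule (Windows Integrated authentication on a dedicated listener, and the rule's delegation setting) are configured in the TMG console and are outside what this script can verify.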
 
LVL 1

Author Comment

by:Olevo
ID: 35480218
Sorry, I was very busy and didn't have time to go through the points assignment. Will do it shortly.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 37436219
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
