Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG

Asked by Olevo:

Hi there,

We are using Exchange Server 2007 Standard SP3. OWA and ActiveSync have already been set up and are working without any problems through the TMG 2010 firewall. The domain where TMG and Exchange are installed is operating in Windows 2003 mode.

We would like to set up and use Outlook Anywhere with NTLM rather than Basic authentication. NTLM authentication offers one key advantage from an end-user perspective: when using a computer that is a member of our domain and logging on with cached credentials, the user does not need to re-enter their credentials. I was following the white paper “Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG or Forefront UAG” http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3

Everything has been set up according to the instructions from the white paper. Our UCC certificate has the list of required subject alternative names (SAN) and has been installed on the TMG and Exchange servers. As I mentioned before, clients are already using OWA and ActiveSync with this certificate without any problems.

Outlook Connection Status for the internal users shows a successful HTTPS connection, but externally Outlook is still in “disconnected” mode.

When I run the “Outlook Anywhere (RPC over HTTP)” test on www.testexchangeconnectivity.com I get this error message:

“Testing HTTP Authentication Methods for URL https://mail.company.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL”.

Clicking on the “Test Rule” button for my Outlook Anywhere rule in TMG shows all happy green ticks.

From the TMG logs I can see a denied connection with the status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Request: RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001
Protocol: https User: anonymous

Looking at the URL above, I don’t understand why http is there but not https. Plus, why is the user anonymous?!

I have spent hours trying to find out what I have missed. Please advise me on what needs to be done to make Outlook Anywhere work.

Thank you very much in advance.
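As an added triage example (not from the thread), the Python script below scans TMG-style log entries in the "Status / Request / Protocol / User" shape quoted above and counts the RPC-over-HTTP symptoms described: 12202 denials, requests denied while the user is still anonymous, and URLs logged with http while the wire protocol is https. The log lines are constructed and the single-line field layout is an assumption, not the real TMG export format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample entries (not a real TMG export) in the "field: value"
# shape quoted in the question; the column names mirror the TMG log viewer.
SAMPLE_LOG = """\
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL). Request: RPC_IN_DATA http://mail.example.com/rpc/rpcproxy.dll?cas1.example.com:6001 Protocol: https User: anonymous
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL). Request: RPC_OUT_DATA http://mail.example.com/rpc/rpcproxy.dll?cas1.example.com:6001 Protocol: https User: anonymous
Status: 0 Request: GET https://mail.example.com/owa/ Protocol: https User: EXAMPLE\\alice
Status: 0 Request: POST https://mail.example.com/Microsoft-Server-ActiveSync Protocol: https User: EXAMPLE\\bob
"""

ENTRY_RE = re.compile(
    r"Status: (?P<status>\d+).*?Request: (?P<method>\S+) (?P<url>\S+) "
    r"Protocol: (?P<proto>\S+) User: (?P<user>\S+)"
)
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}  # the two halves of an RPC/HTTP session
DENIED_URL = 12202  # "Forefront TMG denied the specified URL" (quoted in the question)

def parse_entries(text):
    """Return one dict per line that matches the assumed field layout."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries

def triage_outlook_anywhere(entries):
    """Count the RPC-over-HTTP symptoms the question describes."""
    report = {"rpc_requests": 0, "denied_url": 0, "anonymous_denied": 0,
              "scheme_mismatch": 0, "rpc_targets": set()}
    for e in entries:
        if e["method"] not in RPC_METHODS:
            continue  # OWA, ActiveSync and other traffic is out of scope here
        report["rpc_requests"] += 1
        parts = urlsplit(e["url"])
        if parts.path.lower().endswith("/rpc/rpcproxy.dll") and parts.query:
            report["rpc_targets"].add(parts.query)  # back-end host:port Outlook asked for
        if e["status"] == DENIED_URL:
            report["denied_url"] += 1
            if e["user"].lower() == "anonymous":
                report["anonymous_denied"] += 1  # denied with no user identity attached
        if parts.scheme == "http" and e["proto"].lower() == "https":
            report["scheme_mismatch"] += 1  # logged URL scheme differs from wire protocol
    return report
```

Run `triage_outlook_anywhere(parse_entries(SAMPLE_LOG))` against an export of your own denied entries to see whether every RPC_IN_DATA/RPC_OUT_DATA denial is anonymous, which narrows the problem to the authentication step rather than the publishing rule path.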
Saakar:

What about Basic Authentication using Outlook Anywhere, does that work??
Olevo (asker):

Tried Basic Auth; a Windows popup asks for the user name. Typing domain\username or just username works fine inside. Outside, Outlook asks for the user name and doesn't connect.
e_aravind:

Just a parallel query:
> Did you enable SSL Offloading in the "Outlook Anywhere" settings on Exchange 2007?

> You want to remove/un-select it if you are not really using SSL offloading on any other hardware box.
0x6:

You might not get a login prompt with the following settings when using Outlook Anywhere, as I don't get prompted with these settings. Please try it with one Outlook client with:
Basic Authentication in TMG (Basic in the publishing rule, HTML Form Authentication in the Listener)
Basic Authentication in Outlook at the following:

Tools--Account Settings--Change--More Settings--Connection--Exchange Proxy Settings--Select both:
On Fast .....
On Slow .....

You can test this with both Basic and NTLM.
Olevo (asker):

To e_aravind:
A bit confused here... Currently SSL offloading is not ticked in my Exchange server. TMG is sitting in front of the Exchange server and I’m guessing that it does handle SSL encryption and decryption. Does that mean that SSL offloading needs to be on?!

e_aravind:

NOPE.
We don't need "SSL Offloading" selected until we are sure the hardware box is doing the SSL offloading.

>> http://technet.microsoft.com/en-us/library/bb885060(EXCHG.80).aspx
By any chance do we have the SSLOffloaded key ON on the CAS server?
Olevo (asker):

SSL offloading is not ticked on in our Exchange server. As soon as I change Outlook Anywhere authentication to Basic in Exchange, Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords.

saakar_rao:

What are the authentication settings on the RPC VDir on the CAS servers?
If it's Basic, change it to NTLM.
Olevo (asker):

saakar_rao:
Authentication method for the Rpc virtual directory is set to “Integrated Windows authentication”. Basic authentication is not ticked.

As I mentioned before (post ID: 35175112), as soon as I change Outlook Anywhere authentication to Basic in Exchange, internal Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords. Is there any way (while I’m testing) I can “play” with authentication changes for OA in Exchange without affecting end users?!

Hundreds of thousands of companies around the globe are using Microsoft Exchange server. Some of them might have set up Outlook Anywhere with NTLM rather than Basic authentication. What I don’t understand is why Microsoft or someone else doesn't develop simple tools or step-by-step guides for troubleshooting an Outlook Anywhere setup with an ISA/TMG firewall. Something like: “make sure that you have this or that before you jump to the next step”. Why is setting up OWA or ActiveSync with ISA/TMG simple and easy and Outlook Anywhere so complex and hard?! Maybe I’m not following the right deployment guides?! Please show me a good one. Everywhere on the internet they talk about setting up OA with Basic authentication… Is anyone anywhere using Outlook Anywhere with NTLM rather than Basic authentication? Could you please share some info on how you did that, please.

Would it be possible for you to configure the TMG rule to use "No delegation, but client may authenticate directly" and let your CAS server do the authentication?
Also check that on the RPC VDIR in IIS, Require SSL is checked.
ASKER CERTIFIED SOLUTION (posted by Olevo)
Olevo (asker):

Sorry, I was very busy and didn’t have time to go through the points assignment. Will do it shortly.

Glen Knight:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.