Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange2010 +Forefront TMG

Posted on 2011-03-15
6
Medium Priority
?
1,180 Views
Last Modified: 2012-05-11
Hi I got a difficult problem to solve. I am trying to get active sync to work with this setup. Internet -> Cisco ASA5510 > Forefront TMG (workgroup, DMZ) -> Back to Cisco ASA5510 -> Lan (Exchange 2010)

Well the problem is that i get a HTTP 500 From Forefront TMG on testexchangeconnectivity. If i try to put https://mail.domain.se/microsoft-server-activesync i reaches the forefront TMG web portal. If i try to enter the username configured for active sync it refuses it. Forefront tmg is configured with active sync mail publishing rule and an weblistner with a unified communications certificate that is ok. (this is of course on the exchange server aswell). i have tried getting LDAP to work from the Forefront to the domaincontrollers on the LAN and Telnet shows that port 389 aswell as clobal catalog port is open from the forefront server. It is however not open from the domain controllers to the forefront computer. It really feels like it is some LDAP problem and i cannot manage to get it right.. but i am unsure. Anyone have any experience with a forefront in a workgroup (DMZ)
0
Comment
Question by:ptopservicedesk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 10

Expert Comment

by:simonlimon
ID: 35138058
i assume you have two ASA's Or are you routing the traffic back to the ASA before it hits the LAN?

Can you try checking the traffic with Logs and Reports, logging tab on the TMG console? What happens with the traffic?

Is the rule configured so that the traffic for the published server appears to have come from TMG and not the Client?
0
 

Author Comment

by:ptopservicedesk
ID: 35138507
Yes that is correct, I actually have two ASA:s but it is configured in an active/passive setup so i route the traffic back to the first firewall. Anyway i managed to get it to work regarding manul setup in active sync. the problem was simply that it couldn´t resolve authenticated users with LDAP, so i changed it to all users and it worked

However now i am trying to get the activsync autodiscover to work and have published the rule outlook anywhere in the forefront tmg with 4 green dots when i try the rule.  However it fails at the step

ExRCA is attempting to retrieve an XML Autodiscover response from URL https://x.iaf.x/AutoDiscover/AutoDiscover.xml for user testtest.test@x.se.
  ExRCA failed to obtain an Autodiscover XML response.
   Tell me more about this issue and how to resolve it
   Additional Details
  An HTTP 403 error was received because ISA Server denied the specified URL.

I have used the previous weblistner for active sync which is configured to use login expression Domainname/*

I have changed the autodiscover url aswell as the EWS url similar to this
Set-WebServicesVirtualDirectory -Identity "ptopsrv04\EWS (Default Web Site)" -InternalUrl
Set-ClientAccessServer -Identity “ptopsrv04” -AutodiscoverServiceInternalUri

i have matched them to mail.domain.se since everything else has that name and the weblistner is still using a uCC cert where autodiscover is a subname
 
0
 
LVL 10

Accepted Solution

by:
simonlimon earned 2000 total points
ID: 35138653
For Autodiscovery you also need an Autodiscover DNS public record registered in your DNS. Also modify the publishing rule on the TMG to allow HTTP domain name of Autodiscover.your.domain besides your owa.your.domain and/or activesync.your.domain.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Expert Comment

by:simonlimon
ID: 35139581
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html

You can try using this tutorial. It is for ISA 2006, but the concept is the same.
0
 
LVL 16

Expert Comment

by:Bruno PACI
ID: 35143363
Hi,

To be able to publish an internal HTTPS server (IIS, OWA, ActiveSync, or any other HTTPS server) TMG must be able to reach the internal HTTPS page without any certificate security alert.

The best way to check that is the following :

1) on the TMG server, ensure that your access rules permit the TMG server to dialog in HTTPS with the internal server. If needed, create a temporay access rule that permit this traffic (from "localhost", to "Internal", allow HTTPS for "All User").
2) From the TMG server, launch IE. Ensure that IE is not configure to use a web proxy.
3) In IE type the URL "HTTPS://myinternalserver/Microsoft-Server-ActiveSync", where "myinternalserver" must excatly match the internal server name you used in the "To" tab of the ActiveSync publishing rule in TMG.

IE should ask for credential or may give an error about unknown page, but YOU SHOULD NOT HAVE A CERTIFICATE SECURITY ALERT !

If you have a certificate security alert then you made a typical misconfiguration : the common name (or one of the alertnate names) of the certificate installed on the internal server must exactly the name you use to reach this internal server from the TMG server.
In some situations where you can not modify the certificate name, you can easily workaround this problem by using the "hosts" file on the TMG server. As an example, let's suppose your internal server has IP address 10.1.2.3 and the certificate on it was created for the name "myserver.mycompany.com", in this case you'll add the line "10.1.2.3   myserver.mycompany.com" in the hosts file on TMG so that the name "myserver.mycompany.com" will be resolve to the internal server IP address. Finally, in the publishing rule, in the "To" tab you will type "myserver.mycompany.com" as the internal server name to publish.

Have a good day.

0
 

Author Comment

by:ptopservicedesk
ID: 35145168
Thanks guys for the help, the thing that was missing this time was the autodiscover.domain.se in the paths folder of the publishing rule. The only name that was stated there before was activesync so now i do not get anymore ISA Faults. Thanks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question