How to exchange free/busy-information without going via MS Federation Gateway?

I want to exchange free/busy information between 2 Exchange 2010 sites so that Outlook users at each site can see free/busy information for users at the remote site. I know that federation services via the MS Federation Gateway can be used for this, but I want to set this up directly between the sites, NOT going via the MS gateway.

How can this be done? All traffic between the 2 sites is tunneled and the necessary ports can be opened in the firewalls. I am not looking for a trust between the AD domains; I only want to exchange free/busy information.
Hi Thoree,

I believe Exchange 2010 is only designed to work this way, I'm afraid. I must say that it does work beautifully: the MS Federation Gateway acts as the trusting broker, and the information of the two organisations is strictly between the two.

The following excerpt will help identify what is actually going on...

The usage of the Microsoft broker service is cost-free. Building your own Federation Gateway is currently not possible.

How free/busy sharing works in detail

1. The user makes a free/busy request and enters the SMTP address of the other company's person in Outlook 2010 or Outlook Web App. This address is not shown in his own company's GAL; he has to know it.
2. The Client Access Service of his own organization then looks up Active Directory and discovers that a federation is configured for this target domain. CAS gets the endpoint information about the partner's organization.
3. The CAS server now requests a token from Microsoft's Federation Gateway, which validates that the sender's organization is trusted by the target organization. MFG signs the token and encrypts it with the public key of the target organization.
4. The token has to be received anew every time a user makes a new request. It is not stored on the client side.
5. The token received from MFG is specific to the requesting user and the target organization. That means it is only for this purpose and must be requested again at the next free/busy request.
6. The token is received by the source CAS server, and then the free/busy request is sent to the CAS server of the other company's published web service.
7. After receiving the token, the CAS server at the partner's side validates whether the sender's organization is in its trust list. Further on, the CAS server validates whether free/busy sharing is configured at the organizational or user level. If all policy validations pass, the availability service gets the requested information from the user's mailbox and the answer is sent back to the client.
8. All communication is encrypted. Data are stored neither in the cloud nor in the requesting organization. It is really an "online" access.

For further reading:

Hope this helps answer your question.
thoreeAuthor Commented:

Thanks for your quick answer. I have tried to use the MS Federation Gateway, but I have some problems. Maybe you can help me:-)

* The federation mechanism uses Autodiscover to access the remote site. But how should Autodiscover be set up at each endpoint regarding authentication? Do I need to set up Autodiscover with no authentication? When I run Get-FederationInformation against the remote site (and vice versa), the output says that Autodiscover requires authentication.
Please run the 6th test (Outlook Autodiscover) on and validate with a test user, do not use administrator, or a user with domain admin rights.

Review the findings and ensure that both ends pass.

Your certificate also needs to be MS Gateway friendly. See the following link for compatible certificates:

Also ensure that you have the necessary TXT records set up too; for further reading please see this link:

Let me know how you get on.
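For reference, the Exchange Management Shell side of what this reply describes (creating the trust with the gateway, publishing the TXT proof record, and building the organization relationship from the partner's federation information). This is an added example, not commands posted in the thread; contoso.com (own domain), fabrikam.com (partner domain), the certificate thumbprint and the test mailbox are placeholders.

```powershell
# Added example (not from the thread): enabling free/busy sharing through the
# Microsoft Federation Gateway on Exchange 2010. Placeholders, not thread values:
#   contoso.com          - our own accepted domain, used as the account namespace
#   fabrikam.com         - the partner organization's domain
#   PLACEHOLDER_THUMBPRINT - thumbprint of the certificate installed on every CAS
$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'

# 1. Create the trust with the gateway, bound to the installed certificate.
New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint $CertThumbprint

# 2. Obtain the proof string that must be published as a TXT record in public DNS.
#    The gateway verifies domain ownership against this record, so nothing federates
#    until the record resolves.
Get-FederatedDomainProof -DomainName 'contoso.com' | Format-List

# 3. Once the TXT record is live, bind the account namespace to the trust.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' `
    -AccountNamespace 'contoso.com' -Enabled $true

# 4. Read the partner's federation details from its Autodiscover endpoint and create
#    a relationship that exposes availability only (no subject/location detail).
$Partner = Get-FederationInformation -DomainName 'fabrikam.com'
$Partner | New-OrganizationRelationship -Name 'Fabrikam' `
    -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly

# 5. Confirm token retrieval end to end with an ordinary mailbox, not an admin account.
Test-FederationTrust -UserIdentity 'testuser@contoso.com' -Verbose
```

The partner organization has to complete the same steps on its side and create its own organization relationship pointing back, since each side only ever grants access to its own data. Keeping the access level at AvailabilityOnly is the least-privilege default; raise it to LimitedDetails only if the partner actually needs subject and location.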
thoreeAuthor Commented:
I have run the test; some of the tests pass, but some tests fail, please see the attachment.

When I run Get-FederationInformation I cannot specify a username, so how can this command then access the remote host via Autodiscover?

Would implementation of GALSync also give this functionality?

thoreeAuthor Commented:
Hi again,

Now the tests pass without errors against my site; I had to change some authentication settings. My certificate is not on the "valid" list, but the test still passes. Can I then use the existing certificate?

I will now ask my partner to run the tests against the remote site.
There is no harm, and in fact any secure certificate would work; however, it would not be a supported configuration in the eyes of Microsoft. Should you experience any problems in future, this will be the first point they would ask you to correct.
thoreeAuthor Commented:
OK, thanks.

There is still one thing I do not understand. When my partner runs Get-FederationInformation against my domain it fails and says something about the Autodiscover site requiring authentication. In I specify a user account to be used in the test, but Get-FederationInformation does not have a parameter for a username. Am I missing something?

Here is part of the output my partner gets:

VERBOSE: [12:30:25.521 GMT] Get-FederationInformation : The discovery process returned the following results:

Type=Failure;Url=;Exception=Discovery for domain
failed.;Details=(Type=Failure;Url=;Exception=The request
failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web
server is denied. Contact the server administrator.  ).;);
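Get-FederationInformation has no credential parameter because it does not log on as a user: it probes the partner's Autodiscover endpoint using WS-Security, so the 401 above is returned when that authentication scheme is disabled on the queried organization's Autodiscover (and EWS) virtual directories. The following is an added example, not something posted in the thread, showing how the queried side can check and correct that setting on its Client Access Servers; the domain name is a placeholder.

```powershell
# Added example (not from the thread): verify that the Autodiscover and EWS virtual
# directories accept WS-Security, which Get-FederationInformation and the federated
# free/busy requests rely on. Run in the Exchange Management Shell of the organization
# that is being queried (the one whose Autodiscover returns HTTP 401).

# Show the current authentication schemes on every CAS.
Get-AutodiscoverVirtualDirectory |
    Format-Table Server, WSSecurityAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize
Get-WebServicesVirtualDirectory |
    Format-Table Server, WSSecurityAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize

# Enable WS-Security only where it is off; the other schemes are left untouched so
# existing Outlook and mobile clients keep working.
Get-AutodiscoverVirtualDirectory | Where-Object { -not $_.WSSecurityAuthentication } |
    Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true
Get-WebServicesVirtualDirectory | Where-Object { -not $_.WSSecurityAuthentication } |
    Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true

# IIS picks the change up after an application pool recycle; run on each CAS:
#   iisreset /noforce

# The partner then repeats the discovery; -Verbose shows each URL that was tried
# and the HTTP status it returned, so a remaining 401 is easy to pin to one server.
Get-FederationInformation -DomainName 'contoso.com' -Verbose
```

Note that enabling WS-Security does not make Autodiscover anonymous: the requests carry a token signed by the gateway, which the CAS validates before releasing any free/busy data, so this is the setting to enable rather than removing authentication from the virtual directory.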
If two AD sites are trusted you DO NOT NEED federation services to provide free/busy shared calendaring data.
You can configure cross-forest access to the Availability server using the Add-ADPermission and Add-AvailabilityAddressSpace cmdlets.
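The cross-forest Availability service configuration this answer refers to, as an added example that is not part of the original thread. It covers the trusted-forest case the answer mentions and, since the question explicitly rules out an AD trust, also the untrusted-forest variant that uses a service account instead. Forest names, the domain controller and the account names are placeholders.

```powershell
# Added example (not from the thread): free/busy between two Exchange 2010 forests
# through the Availability service, without any federation trust.
# Placeholders: contoso.com = our (source) forest, fabrikam.com = the remote (target) forest.

# --- Variant A: the forests trust each other (per-user free/busy detail) ---
# Run in the TARGET forest (fabrikam.com): allow the remote forest's Exchange servers
# to present user tokens when its Availability service proxies a request here.
Get-MailboxServer | Add-ADPermission -AccessRights ExtendedRight `
    -ExtendedRights 'ms-Exch-EPI-Token-Serialization' `
    -User 'CONTOSO\Exchange Servers'

# Run in the SOURCE forest (contoso.com): register the remote forest as an availability
# address space and authenticate with the Exchange servers' own machine accounts.
Add-AvailabilityAddressSpace -ForestName 'fabrikam.com' -AccessMethod PerUserFB -UseServiceAccount $true

# --- Variant B: no forest trust (this thread's requirement), organization-wide detail ---
# Run in the SOURCE forest. The Availability service signs in to the remote forest's
# Autodiscover/EWS with a dedicated service account created in that forest; the
# per-user detail level is not available in this mode, only the default org-wide one.
Add-AvailabilityAddressSpace -ForestName 'fabrikam.com' -AccessMethod OrgWideFB -Credentials (Get-Credential)

# Run in the forest being queried (fabrikam.com): write its Autodiscover service
# connection point into our forest's AD so our CAS can locate the remote EWS endpoint.
# 'dc01.contoso.com' is a placeholder for a domain controller in the source forest.
Export-AutoDiscoverConfig -TargetForestDomainController 'dc01.contoso.com' `
    -TargetForestCredential (Get-Credential) -MultipleExchangeDeployments $true

# Verify what the source forest will use for lookups.
Get-AvailabilityAddressSpace | Format-List ForestName, AccessMethod, UseServiceAccount, Credentials
```

Each direction has to be configured separately; the commands above only let contoso.com users see fabrikam.com availability, and the mirror-image set is needed for the reverse. Variant B's service account should be a plain mailbox-less account with no administrative rights, since its credentials are stored by the Availability service and the remote CAS will accept whatever that account can read.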