How to exchange free/busy-information without going via MS Federation Gateway?

Posted on 2011-04-28
Last Modified: 2012-08-13
I want to exchange free/busy-information between 2 Exchange 2010-sites so that Outlook-users at each site can see free/busy-information for users at the remote site. I know that federation services via MS Federation Gateway can be used for this, but I want to set this up directly between the sites, NOT going via the MS gateway.

How can this be done? All traffic between the 2 sites is tunneled and necessary ports can be opened in the firewalls. I am not looking for trust between the AD-domains, I only want to exchange free/busy-information.
Question by:thoree

    Expert Comment

    Hi Thoree,

    I believe Exchange 2010 is only designed to work this way, I'm afraid. I must say that it does work beautifully; the MS Federation Gateway acts as the trusted broker, and the information of the two organisations is strictly between the two.

    The following excerpt will help identify what is actually going on...

    The usage of the Microsoft broker service is cost-free. Building up your own Federation Gateway is currently not possible.

    How free/busy sharing works in detail

    1.     The user makes a free/busy request and inserts the SMTP address of the other company's person in Outlook 2010 or Outlook Web App. This address is not shown in his own company's GAL; he has to know it.
    2.     The Client Access Service of his own organization then looks up Active Directory and discovers that a federation is configured for this target domain. CAS gets the endpoint information about the partner's organization.
    3.     The CAS Server now requests a token from Microsoft's Federation Gateway which validates that the sender's organization is trusted by the target organization. MFG signs the token and encrypts it with the public key of the target organization.
    4.     The token has to be received newly every time a user makes a new request. It is not stored on the client side.
    5.     The token received from MFG is specific for the requesting user and the target organization. That means it is only for this purpose and must be requested again at the next free/busy request.
    6.     The token is received by the source CAS server and then the free/busy request is sent to the CAS server of the other company's published web service.
    7.     After receiving the token, the CAS server at the partner's side validates whether the sender's organization is in its trust list. Further on, the CAS server validates whether free/busy sharing is configured at organizational or user level. If all policy validations pass, the availability service gets the requested information from the user's mailbox and the answer is sent back to the client.
    8.     All communication is encrypted. Data are stored neither in the cloud nor in the requesting organization. It is really an "online" access.

    For further reading:

    Hope this helps answer your question.

    Author Comment


    Thanks for your quick answer. I have tried to use the MS Federation Gateway, but I have some problems. Maybe you can help me:-)

    * The federation-mechanism is using autodiscover to access the remote site. But how should autodiscover be set up at each end-point regarding authentication? Do I need to set up autodiscover with no authentication? When I run get-federationinformation against the remote site (and vice versa) the output says that autodiscover requires authentication.

    Expert Comment

    Please run the 6th test (Outlook Autodiscover) on and validate with a test user, do not use administrator, or a user with domain admin rights.

    Review the findings and ensure that both ends pass.

    Your certificate also needs to be MS Gateway friendly. See the following link for compatible certificates:

    Also ensure that you have the necessary TXT records set up too; for further reading please see this link:

    Let me know how you get on.

    Author Comment

    I have run the test; some of the tests pass, but some tests fail, please see the attachment.

    When I run get-federationinformation I cannot specify a username, so how can this command then access the remote host via autodiscover?

    Would implementation of GALSync also give this functionality?


    Author Comment

    Hi again,

    Now the tests passed without errors against my site; I had to change some authentication-settings. My certificate is not on the "valid"-list, but still the test passes. Can I then use the existing certificate?

    I will now ask my partner to run the tests against the remote site.

    Expert Comment

    There is no harm, and in fact any secure certificate would work; however, it would not be a supported configuration in the eyes of Microsoft. Should you experience any problems in future, this will be the first point they would ask you to correct.

    Author Comment

    ok, thanks,

    There is still one thing I do not understand. When my partner runs get-federationinformation against my domain it fails and says something about the autodiscover-site requiring authentication. In the test I specify a user-account to be used, but get-federationinformation does not have a parameter for username. Am I missing something?

    Here is part of the output my partner gets:

    VERBOSE: [12:30:25.521 GMT] Get-FederationInformation : The discovery process returned the following results:

    Type=Failure;Url=;Exception=Discovery for domain
    failed.;Details=(Type=Failure;Url=;Exception=The request
    failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web
    server is denied. Contact the server administrator.  ).;);

    Accepted Solution


    Expert Comment

    If two AD sites are trusted you DO NOT NEED federation services to provide free/busy shared calendaring data.
    You can configure cross-forest access to the Availability server using the Add-ADPermission and Add-AvailabilityAddressSpace cmdlets.
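    The two cmdlets named in the accepted solution, as an added example that is not part of the thread: Exchange Management Shell commands for cross-forest availability between two Exchange 2010 forests. The forest names contoso.com (source) and fabrikam.com (target), the "Exchange Servers" group name and the fb-orgwide account are placeholders; Variant B (no forest trust, organization-wide free/busy via a service account) is added here because it matches the asker's "no AD trust" constraint, and only one variant should be configured per remote forest.

```powershell
# Added example, not from the thread. Placeholder names are assumptions:
# contoso.com = local (source) forest, fabrikam.com = remote (target) forest.

# --- Variant A: trusted forests (the scenario in the accepted solution) ---
# Run in the TARGET forest (fabrikam.com): allow the source forest's Exchange
# servers to serialize user tokens, which is what per-user free/busy needs.
Get-ClientAccessServer | Add-ADPermission -AccessRights ExtendedRight `
    -ExtendedRights "ms-Exch-EPI-Token-Serialization" `
    -User "CONTOSO\Exchange Servers"
Get-MailboxServer | Add-ADPermission -AccessRights ExtendedRight `
    -ExtendedRights "ms-Exch-EPI-Token-Serialization" `
    -User "CONTOSO\Exchange Servers"

# Run in the SOURCE forest (contoso.com): route lookups for fabrikam.com
# addresses to the remote forest's Autodiscover/Availability service, using
# the Exchange server's own computer account (forest trust required).
Add-AvailabilityAddressSpace -ForestName fabrikam.com `
    -AccessMethod PerUserFB -UseServiceAccount $true

# --- Variant B: no forest trust (closer to the asker's constraint) ---
# Run in the TARGET forest: one dedicated, low-privilege mailbox user whose
# own free/busy permissions bound what the other forest is allowed to see.
Set-AvailabilityConfig -OrgWideAccount "FABRIKAM\fb-orgwide"

# Run in the SOURCE forest: store that account's credential; every lookup
# for fabrikam.com then uses it, so it must not be an admin account.
$cred = Get-Credential -Credential "FABRIKAM\fb-orgwide"
Add-AvailabilityAddressSpace -ForestName fabrikam.com `
    -AccessMethod OrgWideFB -Credentials $cred

# Verify the address space and exercise the Availability web service end to
# end with a normal test mailbox, not an administrator.
Get-AvailabilityAddressSpace | Format-List ForestName, AccessMethod, UseServiceAccount
Test-OutlookWebServices -Identity testuser@contoso.com -TargetAddress testuser@fabrikam.com
```

    With OrgWideFB the remote side only ever sees the free/busy level granted to fb-orgwide, so keep that account's mailbox permissions at the minimum the partner actually needs.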
