bdecast (United States of America) asked:
Forefront TMG blocking OWA access

Hi Experts,

I'm having an issue here that seems simple, I'm just missing something and need your help!

-  Upgrading from Exchange 2003 to Exchange 2010
-  In the process of trying to get an Edge/TMG server up and running so I can move OWA login to it
-  Single NIC environment; TMG/Edge server is sitting in our DMZ
-  Temporarily have the web address on TMG settings and DNS set to newmail.domain.com (so as to not interfere with current OWA)

-  When I go to https://newmail.domain.com/owa, I get the security alert about mismatch on name vs. what's on certificate
-  Logs on TMG show successful initiated HTTPS packets from my machine to TMG server
-  When I proceed, IE throws "page could not be displayed" w/ error "403 forbidden. the server denied the specified URL. (12202)"
-  Then a log entry on TMG states "denied connection" from the same source and destination w/ protocol of https and the same error code that IE throws; also that the Default Rule is the reason it's being blocked.

Other Info:
-  We're not using this as an internet proxy for our users, just as a reverse proxy for the Exchange OWA related sites
-  I think I've populated as many access rules as needed to allow all traffic through and to the local host:
Firewall Policy - Allow Traffic - All outbound traffic - from Internal - To Local Host / Allow Web access - HTTP/HTTPS - from Internal - to Internal
Network Rules - Allow Traffic - Route - source All Networks - destination All Networks

I've got a test network/domain setup similar to our production network, and was able to get this working without this many issues.

What am I missing?

Tags: Microsoft Forefront ISA Server, Exchange
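One way to confirm from the TMG logs which firewall rule actually handled each OWA request, and to pull out the requests that fell through to the Default rule with result code 12202 (the code IE reported above). This is an added example, not code from the thread; the W3C-style field order and the sample log lines are constructed for illustration and are not the poster's logs.

```python
import re
from collections import defaultdict

# Constructed W3C-style TMG log excerpt (assumed field order; not the poster's logs).
SAMPLE_LOG = """\
#Fields: date time c-ip r-host sc-status sc-result-code rule cs-uri
2011-04-01 10:01:02 10.1.1.50 newmail.domain.com 0 0 "Allow Web access" https://newmail.domain.com/owa
2011-04-01 10:01:03 10.1.1.50 newmail.domain.com 403 12202 "Default rule" https://newmail.domain.com/owa
2011-04-01 10:01:09 10.1.1.51 newmail.domain.com 403 12202 "Default rule" https://newmail.domain.com/owa/auth/logon.aspx
2011-04-01 10:02:15 10.1.1.52 newmail.domain.com 200 0 "OWA Publishing" https://newmail.domain.com/owa
"""

# One data line: date time client-ip host status result-code "rule name" uri
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)" (\S+)$')


def parse_log(text):
    """Yield one dict per data line; header/comment lines starting with # are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        date, time, c_ip, r_host, status, result, rule, uri = m.groups()
        yield {"time": f"{date} {time}", "client": c_ip, "host": r_host,
               "status": int(status), "result": int(result), "rule": rule, "uri": uri}


def default_rule_denials(text, result_code=12202):
    """Requests no publishing rule claimed, so TMG's Default rule denied them.

    12202 is TMG's 'denied the specified URL' result code, the one IE showed."""
    return [e for e in parse_log(text)
            if e["rule"] == "Default rule" and e["result"] == result_code]


def requests_by_rule(text):
    """Count how many /owa requests each firewall rule handled."""
    counts = defaultdict(int)
    for e in parse_log(text):
        if "/owa" in e["uri"].lower():
            counts[e["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in default_rule_denials(SAMPLE_LOG):
        print(f'{e["time"]} {e["client"]} -> {e["uri"]} denied by "{e["rule"]}" ({e["result"]})')
    print(requests_by_rule(SAMPLE_LOG))
```

If every /owa request lands on "Default rule" and none on a publishing rule, the access and network rules listed in the question are not the rules being consulted for the listener traffic.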

Andrew Cliff (United Kingdom of Great Britain and Northern Ireland) replied:

bdecast (United States of America) replied:

Thanks for the response. The only differences between what I did and the blogs you posted were that they used the IIS console to generate the cert request, etc. I just used the EMC for it. The other difference was that when establishing the listener, they used Windows Active Directory for authentication; I used LDAP and directed it to a specific DC in our site.

Unfortunately, after I made this change to the listener authentication, still no dice.  Same result after a reboot of the TMG server as well.
bdecast (United States of America) replied:

Fixed it myself.
