Exchange 2010 Publishing via TMG 2010 DMZ 1 NIC

Posted on 2011-10-25
Last Modified: 2012-05-12
Hi All

I have a Forefront 2010 box sitting in my DMZ; this uses a 172.x.x.x address.

Outside -> Cisco ASA -> TMG 2010 DMZ -> Same Cisco ASA -> Internal

Essentially a 3 leg with TMG in the DMZ

I have successfully set up and tested OWA/ActiveSync externally, no problem.

Getting ExRCA failed to obtain an Autodiscover XML response. I can see
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).

The problem I am having is setting up Autodiscover/OA, as I can only set up one type of authentication on my HTTPS listener and only the one HTTPS listener.

Any ideas on how to get around this?

This is also preventing my autodiscover from working.

Question by:MediaMon
    LVL 5

    Expert Comment

    Are you sure that you published Autodiscover through TMG?

    Author Comment


    I actually can't as I can only use one HTTPS listener. I have a listener that listens for which is my OWA. So I am not sure how I can add autodiscover to this as well.

    LVL 5

    Expert Comment

    Create a new publishing rule with internal site name from anywhere to your CAS servers using the same HTTPS listener and with public domain name, and in the Paths tab ensure that the following are in place

    Accepted Solution

    Thanks I have done that.

    So now when I externally hit

    I get the TMG login screen; it looks like it is using forms-based authentication (as that is what my HTTPS listener is configured to, as I need it for OWA). Once I enter my details I get:

    <?xml version="1.0" encoding="utf-8" ?>
    <Autodiscover xmlns="">
    <Error Time="10:25:52.1190436" Id="624335843">
    <Message>Invalid Request</Message>
    <DebugData />

    The rule looks ok but still getting the same result from ExRCA

    ExRCA is attempting to retrieve an XML Autodiscover response from URL for user

    ExRCA failed to obtain an Autodiscover XML response.

    Additional Details

    An HTTP 403 error was received because ISA Server denied the specified URL.

    It's complete madness that Autodiscover has to be published externally for my internal clients to work!!

    Thanks test Result

    Author Closing Comment

    No solution provided
