teomcam
 asked on

Publishing Exchange 2010 on TMG 2010 properly!

Hi,

I have an Exchange Server 2010 on a dedicated box with all roles on it. I also have another box with TMG 2010 server and the Exchange Edge role installed. At the moment OWA is working with no problem, but ActiveSync and Outlook Anywhere are not working (they have never worked since the installation). iPhones and other mobile devices are not able to connect to Exchange services from outside of the organization.
I wanna solve that chronic issue now.

Do I have to publish Active Sync in a separate rule?
Do I have to publish Outlook Anywhere in a separate rule?

Your help is much appreciated.
Exchange, Microsoft Forefront ISA Server

Last comment: teomcam, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Rajkumar Duraisamy

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
teomcam

ASKER
I'm stuck at the Kerberos.

Time reported by the Microsoft Forefront TMG Firewall Service: 0.000 seconds
Testing https://mail.domain.com:443/Microsoft-Server-ActiveSync/
Category: KCD error
Error details: This Forefront TMG computer doesn't have the required trust for Kerberos Constrained Delegation.
Action: Kerberos Constrained Delegation requires the Forefront TMG computer to be trusted for delegation for any authentication protocol and the Service Principal Name (SPN) used by Forefront TMG must be added to Active Directory. For additional information see http://www.microsoft.com/technet/isa/2006/kcd.mspx.

I went to the given link and there is a statement that says:
The Active Directory domain in which the ISA Server computer, the published Exchange server (or servers in a server farm), and the domain controller that issues the Kerberos service tickets for constrained delegation reside must be set to the Windows Server 2003 functional level.

At the moment we are on Windows 2003 level, no problem with that, but next week we are scheduled to raise the domain and forest function level to Win 2008 R2!
SOLUTION
Akhater

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
teomcam

ASKER
Yes, it's a domain-joined TMG 2010. When I create the Active Sync and Outlook Anywhere rules and test the rule, it's giving an error about the Kerberos constraints. I did delegation under AD-Computer TMG for http for the Exchange server, but it is still giving the error. Do I have to do anything at the Exchange Server?
Akhater

this document has everything you need http://www.microsoft.com/en-us/download/details.aspx?id=8946

since it is joined to the domain why are you using KDC ?
teomcam

ASKER
Yeah, I have been reading that document for 3 days.

since it is joined to the domain why are you using KDC ?
The document says that!
Akhater

ok then :) do you mind doing it my way ?
teomcam

ASKER
Sorry, I must have missed it. If you meant creating a rule for each of them, yes I did, and I am receiving the same error that I gave above.
teomcam

ASKER
Found the problem. Actually I was following the whitepaper correctly. But there was a glitch on the Test Rule button, which is a known problem according to the link below. Since the test was failing I wasn't saving the configuration and was continuing the battle :)) Ignored the test rule result and saved; ActiveSync works perfectly fine now.


http://blogs.technet.com/b/isablog/archive/2012/04/24/another-behavior-of-the-test-rule-button-in-threat-management-gateway-2010.aspx
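
A way to check the delegation settings named in the KCD error directly in Active Directory, independent of the Test Rule button. This is an added example, not part of the thread or of Microsoft's whitepaper; it assumes the ActiveDirectory PowerShell module is available, and TMG01 and the http/ SPNs are placeholder names.

```powershell
# Added example. TMG01 and the http/ SPNs are placeholders, not values from the thread.
Import-Module ActiveDirectory

function Test-KcdDelegation {
    param(
        [Parameter(Mandatory=$true)] [string]   $ComputerName,
        [Parameter(Mandatory=$true)] [string[]] $ExpectedSpn
    )
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation,
             TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # SPNs this computer may delegate to (empty when nothing is configured)
    $allowed = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $missing = @($ExpectedSpn | Where-Object { $allowed -notcontains $_ })
    $extra   = @($allowed | Where-Object { $ExpectedSpn -notcontains $_ })

    # Each target SPN must be registered on exactly one account, or ticket requests fail
    $badSpn = @(foreach ($spn in $ExpectedSpn) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -ne 1) { "$spn (registered on $($owners.Count) accounts)" }
    })

    New-Object PSObject -Property @{
        Computer           = $c.Name
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation  # "any authentication protocol"
        Unconstrained      = [bool]$c.TrustedForDelegation        # should be False for KCD
        MissingSpn         = $missing
        UnexpectedSpn      = $extra
        SpnRegistration    = $badSpn
        Ok = ([bool]$c.TrustedToAuthForDelegation -and -not $c.TrustedForDelegation -and
              $missing.Count -eq 0 -and $badSpn.Count -eq 0)
    }
}

Test-KcdDelegation -ComputerName 'TMG01' -ExpectedSpn 'http/exch01.domain.com', 'http/exch01'
```

UnexpectedSpn lists delegation targets beyond the published Exchange services; with protocol transition enabled, the TMG account can request tickets to those services on behalf of any user, so keep that list as short as the publishing rules require.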