HoricePlant asked:

Publishing Exchange services through TMG to multiple CAS servers

Hi,

I've been looking endlessly (it seems) at related threads, but so far I've not been able to find one that explicitly answers my situation. Any help would be much appreciated.

We have a single TMG 2010 server sitting in a DMZ, used for publishing the usual suspects (OWA, ECP, EWS, AS, RPC, Autodiscover etc). At the same site, there are two client access/hub transport servers with 3 mailbox servers. At a different site (same domain), we have another 2 client access/hub transport servers and another 3 mailbox servers. Hopefully the diagram below will help understanding... (file is also attached, as embedding doesn't appear to be working for me).
 
[User generated image]

The issue that I'm having is that not all published services are working for all users. As an example, if I set both CAS servers at site B to 'drained' in TMG (forcing it to use site A CAS only), then Outlook Anywhere fails to work for users with a mailbox hosted at site B. However, OWA, ECP, EWS still work...

If I set both CAS servers at site A to 'drained', then Outlook Anywhere doesn’t work for someone whose mailbox is located at site A. Again, OWA etc are fine (though appear to take a long time to load?).

So – my guess is that CAS-CAS proxying is the issue?

At this point, I have the following questions:

1. Because all client access servers are behind the TMG box, am I right in thinking that none of the 4 client access servers are classed as ‘Internet-Facing’, and therefore have the External URL left blank?

2. The Internal URL of the client access servers at site A is the FQDN for the HLB at site A (i.e. https://a-casnlb.domain.local/owa). The Internal URL of the client access servers at site B is the FQDN for the HLB at site B (i.e. https://b-casnlb.domain.local/owa). Is this correct?

I should also point out that Autodiscover externally doesn’t work when tested through Microsoft’s Remote Connectivity Analyser. However, if I run the Auto-Configuration test within Outlook, it does eventually work. The RCA throws up the error “Failed POST Request. HTTP 401 Unauthorised response was received.”

Internal Autodiscovery works fine.

All Exchange servers are SP3 with RU2. TMG 2010 is also up to date (inc roll ups). All servers are virtual (Hyper-V).

Happy to answer any further questions!

Thanks
Tony
Basic-overview-of-TMG-placement.jpg

HoricePlant (ASKER):

F.A.O. Moderators.... I've tried embedding an image (47Kb), and also attaching the file, but neither seems to work. I've been through the EE help, but have followed the instructions correctly (or at least I think I have!). Any ideas?
Thanks
Tony

Jamie McKillop:

Hello,

You need to drop the /owa on internal hostnames of the CAS servers. Also, you need to ensure you have an SSL certificate that matches the hostname. If you are using .local you probably don't.

JJ
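
The URL settings asked about in the question and the certificate-name match raised in the reply can be listed side by side with a read-only check. This is an added example, not part of any post in the thread; it assumes the Exchange 2010 Management Shell, and `Test-NameCovered` and `New-Row` are hypothetical helper names.

```powershell
# Added example (read-only). Run in the Exchange 2010 Management Shell.
# Test-NameCovered is a hypothetical helper: $true when $HostName equals a
# certificate name or matches a wildcard in the left-most label only.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        $dot = $HostName.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# One output row per setting; a blank value is reported rather than skipped.
function New-Row($Server, $Setting, $Value, $CertNames) {
    $hostName = $null
    if ($Value) {
        $text = "$Value"
        if ($text -match '^https?://') { $hostName = ([uri]$text).Host } else { $hostName = $text }
    }
    New-Object PSObject -Property @{
        Server  = $Server
        Setting = $Setting
        Value   = $(if ($Value) { "$Value" } else { '(blank)' })
        CertCoversHost = $(if ($hostName) { Test-NameCovered $hostName $CertNames } else { $null })
    }
}

$report = foreach ($cas in Get-ClientAccessServer) {
    $srv = $cas.Name
    # Names on the certificates enabled for IIS on this CAS
    $names = @(Get-ExchangeCertificate -Server $srv |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })
    $vdirs = @(Get-OwaVirtualDirectory -Server $srv) + @(Get-EcpVirtualDirectory -Server $srv) +
             @(Get-WebServicesVirtualDirectory -Server $srv) + @(Get-ActiveSyncVirtualDirectory -Server $srv)
    foreach ($v in $vdirs) {
        New-Row $srv "$($v.Name) InternalUrl" $v.InternalUrl $names
        New-Row $srv "$($v.Name) ExternalUrl" $v.ExternalUrl $names
    }
    New-Row $srv 'Autodiscover internal URI' $cas.AutoDiscoverServiceInternalUri $names
    $oa = Get-OutlookAnywhere -Server $srv
    if ($oa) { New-Row $srv 'Outlook Anywhere ExternalHostname' $oa.ExternalHostname $names }
}
$report | Select-Object Server, Setting, Value, CertCoversHost | Format-Table -AutoSize
```

A row with `CertCoversHost` set to False marks a host name that no IIS-enabled certificate on that server lists.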