Publishing Exchange services through TMG to multiple CAS servers


I've been looking endlessly (it seems) at related threads, but so far I've not been able to find one that explicitly answers my situation. Any help would be much appreciated.

We have a single TMG 2010 server sitting in a DMZ, used for publishing the usual suspects (OWA, ECP, EWS, AS, RPC, Autodiscover etc). At the same site, there are two client access/hub transport servers with 3 mailbox servers. At a different site (same domain), we have another 2 client access/hub transport servers and another 3 mailbox servers. Hopefully the diagram below will help understanding... (file is also attached, as embedding doesn't appear to be working for me).
[Diagram: Basic Overview of TMG placement]
The issue that I'm having is that not all published services are working for all users. As an example, if I set both CAS servers at site B to 'drained' in TMG (forcing it to use site A CAS only), then Outlook Anywhere fails to work for users with a mailbox hosted at site B. However, OWA, ECP, EWS still work...

If I set both CAS servers at site A to 'drained', then Outlook Anywhere doesn’t work for someone whose mailbox is located at site A. Again, OWA etc. are fine (though appear to take a long time to load?).

So – my guess is that CAS-CAS proxying is the issue?

At this point, I have the following questions:

1. Because all client access servers are behind the TMG box, am I right in thinking that none of the 4 client access servers are classed as ‘Internet-Facing’, and therefore have the External URL left blank?

2. The Internal URL of the client access servers at site A is the FQDN for the HLB at site A (i.e. https://a-casnlb.domain.local/owa). The Internal URL of the client access servers at site B is the FQDN for the HLB at site B (i.e. https://b-casnlb.domain.local/owa). Is this correct?

I should also point out that Autodiscover externally doesn’t work when tested through Microsoft’s Remote Connectivity Analyser. However, if I run the Auto-Configuration test within Outlook, it does eventually work. The RCA throws up the error “Failed POST Request. HTTP 401 Unauthorised response was received.”

Internal Autodiscovery works fine.

All Exchange servers are SP3 with RU2. TMG 2010 is also up to date (inc roll ups). All servers are virtual (Hyper-V).

Happy to answer any further questions!


HoricePlant (Author) Commented:
F.A.O. Moderators.... I've tried embedding an image (47Kb), and also attaching the file, but neither seems to work. I've been through the EE help, but have followed the instructions correctly (or at least I think I have!). Any ideas?

Jamie McKillop (IT Manager) Commented:

You need to drop the /owa on internal hostnames of the CAS servers. Also, you need to ensure you have an SSL certificate that matches the hostname. If you are using .local you probably don't.

HoricePlant (Author) Commented:
Unfortunately that didn't work.

Moderators - given the lack of response, could I ask for a points refund please.


HoricePlant (Author) Commented:
No resolution found.