Form Based Authentication Internal and External with Exchange 2010

Dear Experts,
I have published OWA for Exchange 2010 through TMG. Publishing OWA within TMG with FBA requires enabling Basic Authentication on the owa (Default Web Site) virtual directory in Exchange and disabling FBA there.

Is there a workaround to have Form Based Authentication at the same time for internal and external users without creating any additional virtual directory?
GRGrayban commented:
Yes, turn on forms based authentication on the exchange server and on tmg, leave forms based off. Set authentication on TMG to "No Delegation, but client may authenticate directly."
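The Exchange side of that answer, as an added example that is not part of the thread: the Exchange 2010 Management Shell commands that switch the OWA and ECP virtual directories to forms-based authentication (Exchange 2010 requires both to use the same method), followed by a check of the resulting settings. The server name is a placeholder; the virtual directory names are the Exchange defaults. The TMG side (forms off on the listener, "No Delegation, but client may authenticate directly" on the rule) is set in the TMG console, and as noted later in the thread it means TMG no longer pre-authenticates, so Exchange sees every logon attempt.

```powershell
# Added example: enable forms-based authentication on Exchange 2010 OWA/ECP.
# Run in the Exchange Management Shell on the Client Access Server.
$cas = "CAS01"   # placeholder for your Client Access Server name

# OWA: forms on, Basic/Windows off. TMG passes the request through unchanged,
# so Exchange itself renders the logon form for internal and external users.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -FormsAuthentication $true `
    -BasicAuthentication $false `
    -WindowsAuthentication $false

# ECP must match OWA, otherwise the Options page in OWA breaks.
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
    -FormsAuthentication $true `
    -BasicAuthentication $false `
    -WindowsAuthentication $false

# Check the result before changing the TMG rule.
Get-OwaVirtualDirectory -Server $cas |
    Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Server $cas |
    Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication

# IIS only picks up the new authentication settings after a reload.
iisreset /noforce
```

Because TMG is no longer authenticating users in front of Exchange in this configuration, it is worth confirming afterwards that the TMG rule still restricts the published paths to /owa and /ecp, and that the Exchange IIS logs (not only the TMG web proxy log) are being collected, since failed logons now appear there.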
Raj-GT (Systems Engineer) commented:
I haven't used TMG in a while now, but I think you can modify your OWA listener to listen on the internal interface and use split-DNS to send OWA requests from inside the network to it.

Hope this helps.
cciedreamer (Author) commented:
Thanks, I will give it a try.
I need to clarify one thing. I am using a 3rd party certificate on our Exchange server. The public name included in the certificate is

I exported the certificate to the TMG server. I created the rule on TMG. But in the rule I mentioned the public name and I created a public DNS record

Is this going to work? This is only for test purposes. Once I do the final implementation I'll mention the public name.

Thanks for the clarification
I have not tried that scenario. I suspect your Exchange servers are in production and I assume you have another gateway into your OWA, thus the test1 cert. I am sure you will get a cert error. I am not sure you will be able to bypass it. All you can do is try. If it does not work....

My recommendation would be to wait till after hours and do a quick change on the DNS and point it to the new TMG. Make sure you lower the TTL or flush your DNS caches.
Raj-GT (Systems Engineer) commented:
Just so that you are aware, enabling "No Delegation, but client may authenticate directly" option would disable the pre-authentication by TMG and pass all auth responsibilities to the Exchange server. It would still work, but using the same listener internally and externally would be the more secure option.

GRGrayban commented:
That brings up a good point. If there is a split DNS, give the internal DNS A record the external IP address and internal users will be directed out of the firewall and back in through TMG. Then you could keep forms based authentication turned on in TMG.

This is the only way internal users could get form based authentication, since they do not normally hit the TMG for any internal services.
cciedreamer (Author) commented:
Thanks GRGrayban and Raj-GT

Split DNS is also a good option, but at this point I am intending to choose "No Delegation, but client may authenticate directly".

I appreciate your help.