Solved

Form Based Authentication Internal and External with Exchange 2010

Posted on 2013-11-05
7
750 Views
Last Modified: 2013-11-15
Dear Experts,
I have published  OWA Exchange 2010 through TMG. Publishing OWA within TMG with FBA requires enable Basic Authentication for the owa (Default Web Site) virtual directory in Exchange and disable FBA.

Is there workaround to have Form Based Authentication at the same time for internal and external users without creating any additional virtual directory.
0
Comment
Question by:cciedreamer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 39624222
I haven't used TMG in a while now, but I think you can modify your OWA listener to listen on the internal interface and use split-DNS to send OWA requests from inside the network to it.

Hope this helps.
0
 
LVL 2

Accepted Solution

by:
GRGrayban earned 450 total points
ID: 39625072
Yes, turn on forms based authentication on the exchange server and on tmg, leave forms based off. Set authentication on TMG to "No Delegation, but client may authenticate directly."
0
 
LVL 3

Author Comment

by:cciedreamer
ID: 39625258
Thanks I will give a try.
Need 1 clear 1 thing I am using 3rd Party Certificate on our exchange server. The public name included in the certificate is test.domain.com

I exported the certificate to TMG server. I created the rule on TMG. But in the rule I mentioned the public name test1.domain.com and I created public dns record test1.domain.com.

Is this going to work. Only for test our purposes. Once I do final implementation I'll mention the public name test.domain.com

Thanks for the clarification
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 2

Expert Comment

by:GRGrayban
ID: 39625275
I have not tried that scenario. I suspect your Exchange servers are in production and I assume you have another gateway into your OWA. Thus the test1 cert. I am sure you will get a cert error. I am not sure you will be able to bypass it. All you can do is try. If it does not work....

My recomendation would be to wait till after hours and do a quick change on the dns and point it to the new TMG. Make sure you lower the TTL or flush your DNS caches.
0
 
LVL 14

Assisted Solution

by:Raj-GT
Raj-GT earned 50 total points
ID: 39626730
Samir,

Just so that you are aware, enabling "No Delegation, but client may authenticate directly" option would disable the pre-authentication by TMG and pass all auth responsibilities to the Exchange server. It would still work, but using the same listener internally and externally would be the more secure option.

Thanks,
Raj
0
 
LVL 2

Assisted Solution

by:GRGrayban
GRGrayban earned 450 total points
ID: 39628090
That brings up a good point. If there is a split DNS, give the internal DNS A record the External IP address and internal users will be directed out of the firewall and back in through TMG. Then you could keep forms based autheintication turned on in TMG.

This is the only way internal users could get form based since they do not normally het the TMG for any internal services.
0
 
LVL 3

Author Closing Comment

by:cciedreamer
ID: 39651341
Thanks  GRGrayban and Raj-GT

Split DNS is also good option, but at this I am intending to choose No Delegation, but client may authenticate directly

I appreciate your help.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question