Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 1/4 OWA)
Keep in mind to do it this way you need to have the following
- At least 2 External IPs listed on the external NIC (in order to have both forms based auth for OWA\ECP and Basic for OA,EWS,EAS
- A multi-name trusted Certificate with all applicable names (For more information) –This is critical!
- TGM can authenticate with AD already (either domain joined or authentication configured)
Start By preparing the exchange server
- Configure Exchange 2010 for basic authentication
- Run the following on the CAS server that will be published
- Set-OwaVirtualDirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
- set-WebServicesVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
- set-EcpVirtualdirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
- set-OabVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
- set-ActiveSyncVirtualDirectory -id <CasServer>\* -BasicAuthentication $true
- Run the following on the CAS server that will be published
- Copy the 3rd party certificate to the TMG server.
- Click Start –> Run –> Type MMC
- Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
- Click Personal –> certificates
- Right Click on 3rd party certificate and click all tasks –> export
- Click Next –> Yes, Export Private Key –> Base-64 –> next –> Browse for file location.
- Next-> finish
- Copy certificate file to the TMG server
- Click Start –> Run –> Type MMC
- Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
- Click Personal –> Right Click certificates –> all task –> import –> next –> select file –> next –> next finish
- Configure OWA Rule on TMG
- Open Forefront TMG
- Click on
- In the Action Pane under Task click
- Give the rule a Name ill name mine “2010 OWA”
- Next –> Next
- Internal Site Name should be your CAS server FQDN (needs to be on the cert)
- The external name is what you use to access OWA (Also needs to be on the cert)
- Click new to make a new Listener
- Name it whatever you want, I named Mine FBA because I am going to use it for Forms Based auth for OWA.
- Select one of the External IPs listed (not all IP addresses or you cant do multiple auth methods)
- Select the certificate you imported earlier
- Use Form Authentication
- You can configure SSO if you have other sites that will use this listener
- Click –> Next –> Finish –> Select the Listener.
You CANNOT use “all users” here you need to have authenticated users or another group that requires authentication or your will not get prompted for auth. and get a 500.24 in browser- Finish
- Now OWA is published!
- Now on to EWS\Outlook Anywhere
Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:
1. OWA
2. EWS\Outlook anywhere
3. Active sync
4. SMTP
Troubleshooting Exchange 
One note, you can use the same listenter on all thses rules IF you are going to use basic auth for all of them and no FBA
Pingback: Publish Exchange 2010 with TMG (cont) « Troubleshooting Exchange
Pingback: Publish Exchange 2010 with TMG (cont) « Troubleshooting Exchange
Pingback: Publish Exchange 2010 with TMG (cont) « Troubleshooting Exchange
Pingback: You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG « Troubleshooting Exchange
Pingback: Publishing Exchange through TMG Back-endFront-end configuration « Troubleshooting Exchange
Pingback: Walkthrough Series: Threat Management Gateway Exchange publishing « Troubleshooting Exchange
Every thing seems to be configured right all tests pastt 100% but iphone still wont resolve autodiscover.
Thanks a lot.
thanks alot
can you explain how to do this with self-signed certificate & the TMG is back end (behind HW firewall)
check this please
First off I nevr recomend having a self signed cert on the edge where the client is connecting…. when you do it increases the administrative work 80% because it requires you import it to the trusted root on all clients.
From the exchange to tmg self signed is all good, all you need to do is export the cert you are using on exchange and import to the trusted root cert store on the tmg.
I will post steps on how to export / import a der so its trusted
Problem with SP1 ?
this line fails
set-ActiveSyncVirtualDirectory -id fileserver2\* -BasicAuthentication $true
ie :
[PS] C:\Windows\system32>set-ActiveSyncVirtualDirectory -id \* -BasicAuthentication $true
A positional parameter cannot be found that accepts argument ‘-BasicAuthentication’.
+ CategoryInfo : InvalidArgument: (:) [Set-ActiveSyncVirtualDirectory], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Set-ActiveSyncVirtualDirectory
Yeah with sp1 the parameter is -BasicAuthEnabled:$true
I probably need to review my whole tmg article to validate sp1. Thanks!
Thanks for the update. Now I need to get SBS2011/remote published too…
Do you have a walkthru ? 🙂
Not specifically but you should be able to do a standard web publishing rule, if you want it to share the listener with exchange you would need basic auth on that vdir (hmm that could be a challenge) you could also just add /remote to the owa rule path….
Another option would be to not do any auth on the listener or rule and just push that to sbs..
The /remote has me thinking I will take a look at that in my lab.
Anyone notice an issue with users being able to add their account to Outlook after this on non domain machines?
External or internal? Adding to existing profile or new?
Pingback: Publish all exchange roles on one TMG listener « Troubleshooting Exchange
after running above commands on CAS server my internal users are also not viewing form based page…. 😦
That’s correct that is because your users are pointing to the exchange that is using the basic auth method.
there are a couple ways to deal with that.
1. change your DNS record to point to the TMG and have the OWA users go through it. ( Pro: your using the existing config, Con: your going out to TMG and back)
2. Add an additional virtual directory that is used to publish with FBA for internal users (Pro: your staying in the network, Con: you have to add the vdir and may have to update after every service pack)
3. you don’t use pre-auth and forward the auth to exchange (Pro: Use FBA internally, it’s the same for both internal and external, Con: your losing all the benefits of doing pre auth as well as SSO if you need it)
A friend and colleague of mine Henrik already has a walkthrough on this so rather than recreating the wheel here is a link to his article.
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part1.html
how about the external dns, if i have internal dns and external dns ? what record should i create ? just the owa published(tmg) ?
if your only publishing owa you need a record in both location that you can use to get to owa.
2 examples
1. Split DNS –
– External = mail.mydomain.com = 222.222.222.222
– Internal = mail.mydomain.com = 192.168.60.50
2. Two seperate DNS domains
– External = mail.mydomain.com = 222.222.222.222
– Internal = mail.mydomain.local = 192.168.60.50
Since you are required to have 2 NIC cards for the listeners, how would this work if you only had 1 public IP address… port 443 would only be able to forward to one of the 2 NICs.? (Also our 3rd party certificate is only for autodiscover.domain.com) It would seem I can only realistically choose the services for one of the listeners and not the other.
I like how Exchange 2010 chooses the authentication method based on the folder you are navigating to i.e. /OWA (for forms) Autodiscover or Rpc, and not just the FQDN of the website address.
Overall good articles
Thanks.
1st you can use this method to use a single listener but it doesnt give you maximum security (part of the solution isnt using pre-auth)
2nd With exchange 2007+ I would recomend you use a multiname cert (they arent that much more expensive these days) and use the names needed.
you “can” use just autodiscover if you resign yourself to the fact that you will have to set ALL of your virtual directories to use autodiscover. as well as tell your users to use autodiscover. for their webmail.
Why are you creating two listeners? You can use one listener to publish everything. You don’t need separate listeners for OWA/ECP and OA/EWS/EAS. They can all use the same listener with HTML Forms Authentication. Please see the Microsoft guide on Publishing Exchange 2010 with TMG 2010 here – http://www.microsoft.com/download/en/confirmation.aspx?id=8946
The reason is because two listeners ALWAYS work, the separate listeners “usually” work.
There is an addendum to this post here: https://exchangemaster.wordpress.com/2011/08/29/publish-all-exchange-roles-on-one-tmg-listener/
Pingback: (Archive)(Exchange) ForeFront TMGによるOWAの公開方法 « 気まぐれBLOGちゃん
i am not super concerned about the FBA, so i have one basic listener. i am able to publish OWA using your article (and changing the path so https://webmail.external.com opens https://webmail.internal.com/owa — that little tidbit cost me a lot of 403 headaches). but when i try to publish EAS, it won’t authenticate. in fact i see kerberos traffic in the ISA logs with RST packets. does EAS require kerberos, and if so, shouldn’t i have to configure the TMG service to run as a domain account with appropriate SPNs instead of running as the local Network Service?
You need to ensure that the EAS virtual directory is set to basic auth on your CAS. You can set that in IIS or power shell.
By default it is windows (kerberos) and will not work with FBA or Basic.
I am really happy to read this website posts which includes lots
of helpful facts, thanks for providing these data.