Publish Exchange 2010 with TMG (Forefront Threat Management Gateway)

Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 1/4 OWA)

Keep in mind to do it this way you need to have the following

  1. At least 2 External IPs listed on the external NIC (in order to have both forms based auth for OWA\ECP and Basic for OA,EWS,EAS
  2. A multi-name trusted Certificate with all applicable names (For more information) –This is critical!
  3. TGM can authenticate with AD already (either domain joined or authentication configured)

Start By preparing the exchange server

  1. Configure Exchange 2010 for basic authentication
    1. Run the following on the CAS server that will be published
      • Set-OwaVirtualDirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
      • set-WebServicesVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
      • set-EcpVirtualdirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
      • set-OabVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
      • set-ActiveSyncVirtualDirectory -id <CasServer>\* -BasicAuthentication $true
  2. Copy the 3rd party certificate to the TMG server.
    1. Click Start –> Run –> Type MMC
    2. Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
    3. Click Personal –> certificates
    4. Right Click on 3rd party certificate and click all tasks –> export
    5. Click Next –> Yes, Export Private Key –> Base-64 –> next –> Browse for file location.
    6. Next-> finish
    7. Copy certificate file to the TMG server
    8. Click Start –> Run –> Type MMC
    9. Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
    10. Click Personal –> Right Click certificates –> all task –> import –> next –> select file –> next –> next finish
  3. Configure OWA Rule on TMG
    1. Open Forefront TMG
    2. Click on image
    3. In the Action Pane under Task click  image
    4. Give the rule a Name ill name mine “2010 OWA”
    5. image
    6. Next –> Next
    7. image
    8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
    9. image
    10. The external name is what you use to access OWA (Also needs to be on the cert)
    11. image
    12. Click new to make a new Listener
    13. image
    14. Name it whatever you want, I named Mine FBA because I am going to use it for Forms Based auth for OWA.
    15. image
    16. Select one of the External IPs listed (not all IP addresses or you cant do multiple auth methods)
    17. image
    18. Select the certificate you imported earlier
    19. image
    20. Use Form Authentication
    21. image
    22. You can configure SSO if you have other sites that will use this listener
    23. image
    24. Click –> Next –> Finish –> Select the Listener.
    25. image
    26. image
    27. image 
      You CANNOT use “all users” here you need to have authenticated users or another group that requires authentication or your will not get prompted for auth. and get a 500.24 in browser
    28. Finish
    29. Now OWA is published!
  4. Now on to EWS\Outlook Anywhere


Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

1. OWA
2. EWS\Outlook anywhere
3. Active sync

30 thoughts on “Publish Exchange 2010 with TMG (Forefront Threat Management Gateway)

  1. Pingback: Publish Exchange 2010 with TMG (cont) « Troubleshooting Exchange

  2. Pingback: Publish Exchange 2010 with TMG (cont) « Troubleshooting Exchange

  3. Pingback: Publish Exchange 2010 with TMG (cont) « Troubleshooting Exchange

  4. Pingback: You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG « Troubleshooting Exchange

  5. Pingback: Publishing Exchange through TMG Back-endFront-end configuration « Troubleshooting Exchange

  6. Pingback: Walkthrough Series: Threat Management Gateway Exchange publishing « Troubleshooting Exchange

  7. thanks alot

    can you explain how to do this with self-signed certificate & the TMG is back end (behind HW firewall)

    check this please

    • First off I nevr recomend having a self signed cert on the edge where the client is connecting…. when you do it increases the administrative work 80% because it requires you import it to the trusted root on all clients.

      From the exchange to tmg self signed is all good, all you need to do is export the cert you are using on exchange and import to the trusted root cert store on the tmg.

      I will post steps on how to export / import a der so its trusted

  8. Problem with SP1 ?
    this line fails
    set-ActiveSyncVirtualDirectory -id fileserver2\* -BasicAuthentication $true
    ie :
    [PS] C:\Windows\system32>set-ActiveSyncVirtualDirectory -id \* -BasicAuthentication $true

    A positional parameter cannot be found that accepts argument ‘-BasicAuthentication’.
    + CategoryInfo : InvalidArgument: (:) [Set-ActiveSyncVirtualDirectory], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ActiveSyncVirtualDirectory

    • Not specifically but you should be able to do a standard web publishing rule, if you want it to share the listener with exchange you would need basic auth on that vdir (hmm that could be a challenge) you could also just add /remote to the owa rule path….

      Another option would be to not do any auth on the listener or rule and just push that to sbs..

      The /remote has me thinking I will take a look at that in my lab.

  9. Pingback: Publish all exchange roles on one TMG listener « Troubleshooting Exchange

  10. how about the external dns, if i have internal dns and external dns ? what record should i create ? just the owa published(tmg) ?

    • if your only publishing owa you need a record in both location that you can use to get to owa.
      2 examples
      1. Split DNS –
      – External = =
      – Internal = =
      2. Two seperate DNS domains
      – External = =
      – Internal = mail.mydomain.local =

  11. Since you are required to have 2 NIC cards for the listeners, how would this work if you only had 1 public IP address… port 443 would only be able to forward to one of the 2 NICs.? (Also our 3rd party certificate is only for It would seem I can only realistically choose the services for one of the listeners and not the other.

    I like how Exchange 2010 chooses the authentication method based on the folder you are navigating to i.e. /OWA (for forms) Autodiscover or Rpc, and not just the FQDN of the website address.

    Overall good articles


  12. Pingback: (Archive)(Exchange) ForeFront TMGによるOWAの公開方法 « 気まぐれBLOGちゃん

  13. i am not super concerned about the FBA, so i have one basic listener. i am able to publish OWA using your article (and changing the path so opens — that little tidbit cost me a lot of 403 headaches). but when i try to publish EAS, it won’t authenticate. in fact i see kerberos traffic in the ISA logs with RST packets. does EAS require kerberos, and if so, shouldn’t i have to configure the TMG service to run as a domain account with appropriate SPNs instead of running as the local Network Service?

    • You need to ensure that the EAS virtual directory is set to basic auth on your CAS. You can set that in IIS or power shell.

      By default it is windows (kerberos) and will not work with FBA or Basic.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s