Walkthrough Series: Threat Management Gateway \ Exchange publishing


Since this seems to be a popular series, I wanted to consolidate links to all my TMG publishing articles.

As you may know, they are designed to be very simple walkthroughs to get you started; they in no way cover every scenario, but they should be enough to get you going. Then, once you have it working, back up the config and tweak to your heart's content :). Have fun securing Exchange.

  1. OWA
  2. EWS\Outlook Anywhere
    Alternate method without pre-auth: using the same listener as OWA
  3. ActiveSync
  4. SMTP
  5. Front-end \ Back-end TMG
  6. EHLO article and detailed white paper from Greg Taylor.

Publishing Exchange through TMG Back-end\Front-end configuration


Can you believe it? I finally got this done! This process can be used for Exchange 2007 or 2010.
This is a basic walkthrough on getting OWA published through a TMG front-end\back-end scenario.

Well, let's get started!
First we have to establish the basic configuration.

The lab will be configured as shown below:

image

First, obviously, we need physical connectivity as defined:

  • 2 TMG servers with 2 NICs each
  • Each with a NIC on the DMZ network.
  • The front-end connected to the ISP
  • The back-end connected to the LAN

Backend server

  1. Configure NICs
    1. DMZ NIC: IP 192.168.1.2/24, Gateway 192.168.1.1, DNS: none
    2. Internal NIC: IP 192.168.2.1/24, Gateway: none, DNS: 192.168.2.10 (internal domain DNS)
  2. Join to domain
  3. Install TMG
  4. Configuration
    1. Getting Started Wizard
      image
    2. Configure Network Settings
      1. Next
        image
      2. Next
        image
      3. Important: choose Private at the bottom so the back-end can route.
      4. image
      5. Finish
    3. Configure System Settings
      1. I make sure mine is joined to the domain (it just makes permissions easier).
        image
    4. Define Deployment options
      1. This is a preference, but for this lab I disable all updates, including NIS updates.
    5. Remote Access Wizard (again a preference, but I limit the config since this is a publishing lab, not client access)
      1. image
      2. image
      3. image
      4. image
      5. This one can make troubleshooting difficult if configured any other way.
        image
      6. image
      7. image
    6. Network Rule Creation
      1. Edit the Internal to Perimeter rule
        image
      2. image
      3. image
    7. Firewall Rule Creation
      1. image
      2. image
      3. image
      4. image
        image
        image
      5. image
      6. image
      7. image image
      8. image image
      9. image
      10. image
      11. image
      12. image

Front-end server

  1. Configure NICs
    1. DMZ NIC: IP 192.168.1.1/24, Gateway 192.168.1.1, DNS: 192.168.2.10 (internal domain DNS)
    2. Internet NIC: IP: ISP assigned, Gateway: ISP assigned, DNS: none
  2. Install TMG
  3. Configuration
    1. Getting Started Wizard
      image
    2. Configure Network Settings
      1. Next
      2. image
      3. Be sure to add the additional route for the LAN network behind the back-end server.
        This also adds the internal LAN network to the Internal network object (Networking\Networks) and adds a static route for the Internal network as well (Networking\Routing tab).
        image image
      4. In my case I have a dynamic IP in my lab, but this would be your ISP-provided IP.
        image
      5. image
      6. At this point you should have routing connectivity to the domain.
    3. Configure System Settings
      1. I make sure mine is joined to the domain (it just makes permissions easier).
        image
        You can join the domain here.
    4. Define Deployment options
      1. This is a preference, but for this lab I disable all updates, including NIS updates.
    5. Remote Access Wizard (again a preference, but I limit the config since this is a publishing lab, not client access)
      1. image
      2. image
      3. image
      4. image
      5. This one can make troubleshooting difficult if configured any other way.
        image
      6. image
      7. image
    6. Publishing rules (same as in previous posts; a sample is shown here, see the other posts for more details)
      1. image
      2. This is a Basic-authentication listener that will work for OWA\EAS\OLA but doesn't include forms-based authentication.
      3. image
      4. image
      5. image
      6. image
      7. Make sure this name resolves and is reachable from the FE server (the name also needs to be on the trusted certificate on the Exchange server).
        image
      8. image
      9. image
      10. image
      11. image
      12. image
      13. image
      14. image
      15. image
      16. image
      17. This may change based on your scenario.
        image
      18. image
      19. Finish
    7. Apply Changes and Test!!!
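Step 7 of the publishing rules says the name on the rule's "To" tab must be reachable from the FE server and present on the Exchange server's trusted certificate. The script below is an added example, not code from the original post: run on the front-end TMG server, it checks name resolution, TCP reachability on the published port, whether the certificate the CAS presents carries that name (CN, SAN or a wildcard in the same parent domain) and whether it chains to a root the TMG box trusts. The host name `mail.corp.example.com` is a placeholder; the `DNS Name=` rendering of the SAN extension is how Windows formats it and is assumed here.

```powershell
# Added example (not from the original post): verify the publishing rule's "To" name from
# the TMG front-end: resolution, TCP/443 through the back-end, certificate name and chain.
function Test-PublishedHost {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # placeholder: name from the rule's "To" tab
        [int]$Port = 443
    )

    $result = New-Object PSObject -Property @{
        HostName     = $HostName
        Resolves     = $false
        TcpReachable = $false
        CertSubject  = $null
        NotAfter     = $null
        NameOnCert   = $false
        ChainTrusted = $false
        ChainStatus  = $null
    }

    # 1. Name resolution from this box (in the lab the front-end's DNS points at 192.168.2.10).
    try {
        $result.Resolves = ([System.Net.Dns]::GetHostAddresses($HostName).Count -gt 0)
    } catch { return $result }

    # 2. TCP reachability: proves the FE -> BE -> CAS path is open on the port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $result.TcpReachable = $client.Connected
    } catch { return $result }

    # 3. TLS handshake. Accept any certificate in the callback so the handshake completes,
    #    then validate name and chain ourselves so the report says what is actually wrong.
    $acceptAll = { param($sender, $cert, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        $result.NotAfter    = $cert.NotAfter

        # Collect the names the certificate is valid for: subject CN plus SAN DNS entries.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            # Assumption: Windows renders SAN entries as "DNS Name=host1, DNS Name=host2"
            $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        }
        # Exact match, or a wildcard covering the same parent domain (mail.corp.example.com -> *.corp.example.com)
        $wildcard = $HostName -replace '^[^.]+\.', '*.'
        $result.NameOnCert = [bool]($names | Where-Object { $_ -ieq $HostName -or $_ -ieq $wildcard })

        # Chain check against this machine's trusted roots: TMG must trust the issuer
        # to bridge SSL to the CAS, which is why the post says "trusted certificate".
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    } catch {
        $result.ChainStatus = $_.Exception.Message
    } finally {
        $ssl.Close()
        $client.Close()
    }
    return $result
}

# Usage: run on the front-end TMG server against the name used on the rule's "To" tab.
Test-PublishedHost -HostName 'mail.corp.example.com' |
    Format-List HostName, Resolves, TcpReachable, CertSubject, NotAfter, NameOnCert, ChainTrusted, ChainStatus
```

Reading the output top to bottom mirrors the troubleshooting order: if `Resolves` is false the FE's DNS or the Internal network definition is wrong; if `TcpReachable` is false it is a network rule or the route to the LAN behind the back-end; only when both are true does a false `NameOnCert` or `ChainTrusted` point at the certificate on the Exchange server.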

 

Note: I also like to create a test rule that I leave disabled unless I need to determine whether I have a firewall rule issue or a network issue.
image

Here is another reference for the same process in a slightly different scenario:
http://araihan.wordpress.com/2010/06/17/how-to-configure-back-to-back-firewall-with-perimeter-dmz-topology-step-by-step-guide/

Unable to perform search from OWA and Outlook in Online mode


Symptoms


When doing a search in OWA you get a "...Microsoft Exchange Search unavailable" error bar.

Event log error: MSExchange Search Index event IDs 103 and 104.

Running Test-ExchangeSearch -Identity "Username" and getting a return value of -1 indicates search is not working.

Steps to resolve (each is a separate step that may resolve the issue on its own):

  1. Reinstall the Exchange Search service from Programs and Features.
  2. From PowerShell, run "ResetSearchIndex.ps1 [-force] -all" to rebuild the indexes.
  3. Manually re-create the catalog: http://technet.microsoft.com/en-us/library/aa995966(EXCHG.80).aspx
  4. Re-register the DLL (the path contains a space, so it must be quoted): Regsvr32 "C:\Program Files\Microsoft\Exchange Server\Bin\MapiProtocolHandlerStub.dll"

Note: some wait time may be needed after indexing starts before the full index and search are complete.
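Before rebuilding anything, it helps to know which databases are actually failing the Test-ExchangeSearch check described under Symptoms, and whether the 103/104 events are still being logged. The script below is an added example, not code from the original post: it tests one mailbox per database on a server and pulls the recent search indexer events. It assumes an Exchange 2007 or 2010 Management Shell; the server name `EXCH01` is a placeholder, and the output property names (`SearchTime` on 2007, `SearchTimeInSeconds` on 2010) are assumptions you can confirm with Get-Member.

```powershell
# Added example (not from the original post): find which databases fail Test-ExchangeSearch
# and list the matching search indexer events, so steps 1-4 are applied where they are needed.
function Get-SearchHealth {
    param([string]$Server = $env:COMPUTERNAME)   # placeholder: mailbox server to check

    foreach ($db in Get-MailboxDatabase -Server $Server) {
        # Any one mailbox on the database is enough to exercise its catalog.
        $mbx = Get-Mailbox -Database $db.Identity -ResultSize 1 -ErrorAction SilentlyContinue
        if (-not $mbx) { continue }

        $test = Test-ExchangeSearch -Identity $mbx.Identity -ErrorAction SilentlyContinue

        # Assumption: 2007 reports SearchTime, 2010 SearchTimeInSeconds.
        # -1 on either means the catalog is not answering queries, as the post describes.
        $seconds = $null
        if ($test) {
            if ($test.PSObject.Properties['SearchTimeInSeconds']) { $seconds = $test.SearchTimeInSeconds }
            elseif ($test.PSObject.Properties['SearchTime'])      { $seconds = $test.SearchTime }
        }

        New-Object PSObject -Property @{
            Database    = $db.Name
            TestMailbox = $mbx.Alias
            ResultFound = [bool]($test -and $test.ResultFound)
            Seconds     = $seconds
            Healthy     = [bool]($test -and $test.ResultFound -and $seconds -ne -1)
        }
    }
}

function Get-SearchIndexEvents {
    param([string]$Server = $env:COMPUTERNAME, [int]$Hours = 24)

    # Event IDs 103 and 104 from the search indexer source named under Symptoms.
    Get-EventLog -ComputerName $Server -LogName Application -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.Source -like 'MSExchange Search*' -and ($_.EventID -eq 103 -or $_.EventID -eq 104) } |
        Select-Object TimeGenerated, EventID, Source, Message
}

# Usage: show only the databases that fail, then the recent indexer events for context.
Get-SearchHealth -Server 'EXCH01' | Where-Object { -not $_.Healthy } |
    Format-Table Database, TestMailbox, ResultFound, Seconds -AutoSize
Get-SearchIndexEvents -Server 'EXCH01' -Hours 24 | Format-Table TimeGenerated, EventID, Message -Wrap
```

Re-run Get-SearchHealth after each of the four steps, allowing for the indexing wait time the note mentions, and stop as soon as the affected databases report Healthy.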

You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG


Some of you have been able to use my basic quick-and-dirty walkthrough for publishing Exchange 2010 with TMG.

Good news! There is a very detailed white paper from Greg Taylor that goes into much more detail.

Here is a link to the whitepaper as well as the EHLO article.

That being said, I am still working on the Internet –> TMG FE –> TMG BE –> Exchange publishing rules and hopefully will have the walkthrough done by the 23rd.


Failed Move Request


Error:
The queue in 'Mailbox Database' database already contains a move request for 'User name', while AD reports the mailbox as not being moved. It is possible that someone created this move request recently, while targeting a different domain controller, and AD replication did not yet occur. You can examine this move request by running 'Get-MoveRequestStatistics -MoveRequestQueue 'Mailbox Database' -MailboxGuid 02egha76-a9e5-430c-brb7-cdegrt15ee1f -IncludeReport | fl'. If you believe this to be an abandoned move request, you can remove it by running 'Remove-MoveRequest -MoveRequestQueue 'Mailbox Database' -MailboxGuid 02egha76-a9e5-430c-brb7-cdegrt15ee1f'.

 

If you had a failed move and now, when you try to move the mailbox, you get the error above, you can follow the directions in the error to resolve it:

Remove-MoveRequest -MoveRequestQueue 'Mailbox Database' -MailboxGuid 02egha76-a9e5-430c-brb7-cdegrt15ee1f

But if, like me, you had over 100 mailboxes to do that for, it may be a little too tedious. Easy fix:

Make a new mailbox database and move all the users to it, then delete the one that you couldn't move to.
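If creating a fresh database is not an option, the error text itself describes the condition to look for: a request that sits in the database's move-request queue while AD no longer tracks it. The script below is an added example, not code from the original post: it compares the queue (Get-MoveRequestStatistics -MoveRequestQueue) against the AD-side requests (Get-MoveRequest) and removes only the entries AD does not know about, with -WhatIf support so the list can be reviewed first. It assumes an Exchange 2010 Management Shell and that both cmdlets expose an `ExchangeGuid` property (confirm with Get-Member); the database name is a placeholder.

```powershell
# Added example (not from the original post): remove move requests that are stuck in a
# database's queue but no longer tracked in AD, in bulk instead of one GUID at a time.
function Get-OrphanedMoveRequest {
    param([Parameter(Mandatory = $true)][string]$Database)   # placeholder: 'Mailbox Database'

    # What the store's queue holds for this database ...
    $queued = Get-MoveRequestStatistics -MoveRequestQueue $Database -ErrorAction Stop

    # ... versus what AD knows about. Assumption: ExchangeGuid is present on both object types.
    $tracked = @{}
    Get-MoveRequest -ResultSize Unlimited -ErrorAction SilentlyContinue |
        ForEach-Object { $tracked[$_.ExchangeGuid.ToString()] = $true }

    foreach ($req in $queued) {
        $guid = $req.ExchangeGuid.ToString()
        if (-not $tracked.ContainsKey($guid)) {
            New-Object PSObject -Property @{
                Database    = $Database
                DisplayName = $req.DisplayName
                MailboxGuid = $guid
                Status      = $req.Status
            }
        }
    }
}

function Remove-OrphanedMoveRequest {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Database)

    foreach ($orphan in Get-OrphanedMoveRequest -Database $Database) {
        # ShouldProcess gives -WhatIf / -Confirm for free; the removal itself is the
        # same Remove-MoveRequest -MoveRequestQueue ... -MailboxGuid ... the error text suggests.
        if ($PSCmdlet.ShouldProcess("$($orphan.DisplayName) ($($orphan.MailboxGuid))", 'Remove-MoveRequest')) {
            Remove-MoveRequest -MoveRequestQueue $Database -MailboxGuid $orphan.MailboxGuid -Confirm:$false
        }
    }
}

# Usage: review first, then remove.
Get-OrphanedMoveRequest -Database 'Mailbox Database' | Format-Table DisplayName, MailboxGuid, Status -AutoSize
Remove-OrphanedMoveRequest -Database 'Mailbox Database' -WhatIf
# Remove-OrphanedMoveRequest -Database 'Mailbox Database'
```

Because the error also mentions AD replication lag as a possible cause, run the dry run, wait for replication, and run it again; an entry that is still orphaned on the second pass is the abandoned request the message describes, and those are the ones worth removing before retrying New-MoveRequest.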