Can you believe it? I finally got this done! This process can be used for Exchange 2007 or 2010.
This is a basic walkthrough on getting OWA published through a TMG Front-end\Back-end (back-to-back) scenario.
Well, let's get started!
First we have to establish the basic configuration.
The lab will be configured as shown.
First, obviously, we need physical connectivity as defined:
- 2 TMG servers with 2 NICs each
- Each with a NIC on the DMZ network.
- The Frontend connected to the ISP
- The Backend connected to the LAN
Backend server
- Configure NICs
- DMZ NIC = IP: 192.168.1.2/24, Gateway: 192.168.1.1, DNS: Null
- Inter NIC = IP: 192.168.2.1/24, Gateway: Null, DNS: 192.168.2.10 (Internal Domain DNS)
- Join to domain
- Install TMG
- Configuration
- Getting Started Wizard
- Configure Network Settings
- Next
- Next
- Important: Choose Private at the bottom so the BE can route.
- Finish
- Configure System Settings
- I make sure mine is connected to the domain (just makes permissions easier)
- Define Deployment options
- This is a preference, but for this lab I disable all updates, including NIS updates.
- Remote Access Wizard (again a preference, but I limit the configuration since this is a publishing lab, not client access)
- This one can make troubleshooting difficult if configured any other way
- Network Rule Creation
- Edit the Internal to Perimeter Rule
- Firewall Rule Creation
Front-end server
- Configure NICs
- DMZ NIC = IP: 192.168.1.1/24, Gateway: 192.168.1.1, DNS: 192.168.2.10 (Internal Domain DNS)
- Inter NIC = IP: ISP assigned, Gateway: ISP assigned, DNS: null
- Install TMG
- Configuration
- Getting Started Wizard
- Configure Network Settings
- Next
- Be sure to add the additional route for the LAN network behind the back-end server.
This also adds the internal LAN network to the Internal Network object (Networking\Networks), and adds a static route for the Internal network as well (Networking\Routing tab).
- In my case I have a dynamic IP in my lab, but this would be your ISP provided IP
- At this point you should have routing connectivity to the domain.
- Configure System Settings
- I make sure mine is connected to the domain (just makes permissions easier). You can join the domain here.
- Define Deployment options
- This is a preference, but for this lab I disable all updates, including NIS updates.
- Remote Access Wizard (again a preference, but I limit the configuration since this is a publishing lab, not client access)
- This one can make troubleshooting difficult if configured any other way
- Publishing Rules (same as in previous posts; a sample is shown here, see the other posts for more details)
- This is a basic auth listener that will work for OWA\EAS\OLA but doesn't include forms-based authentication
- Make sure this name is accessible from the FE server (the name also needs to be on the trusted certificate on the Exchange server)
- This may change based on your scenario
- Finish
- Apply changes and test!
Note: I also like to create a test Rule that I leave disabled unless I need to determine if I have a Firewall rule issue or Network issue.
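In the same spirit as the test rule, here is an added PowerShell check (my own example, not part of the original post or of TMG) to run on the front-end server before blaming a publishing rule. It uses the lab's own addresses (back-end DMZ NIC 192.168.1.2, LAN 192.168.2.0/24, internal DNS 192.168.2.10); the published OWA name is a placeholder you must replace, and the script sticks to PowerShell 2.0-era commands so it runs on a TMG host.

```powershell
# Added example: verify the FE -> BE -> LAN path and name resolution for the OWA listener.
# Assumed values (from the lab above); $OwaName is a placeholder to replace with your published name.
$BackEndDmzIp = '192.168.1.2'
$LanNetwork   = '192.168.2.0'
$InternalDns  = '192.168.2.10'
$OwaName      = 'owa.example.com'   # placeholder: the name on the listener and on the Exchange certificate

# Minimal TCP connect test (Test-NetConnection does not exist on Server 2008 R2).
function Test-TcpPort {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. The static route for the LAN (Networking\Routing tab) must point at the back-end's DMZ address.
$pattern   = '^\s*' + [regex]::Escape($LanNetwork) + '\s'
$routeLine = route print -4 | Select-String $pattern | Select-Object -First 1
if ($routeLine -and $routeLine.Line -match [regex]::Escape($BackEndDmzIp)) {
    Write-Host "OK   route to $LanNetwork via $BackEndDmzIp"
} else {
    Write-Host "FAIL no route to $LanNetwork via $BackEndDmzIp (add it in the Network Settings wizard)"
}

# 2. The back-end DMZ NIC and the internal DNS server should answer ICMP through the back-end.
foreach ($ip in @($BackEndDmzIp, $InternalDns)) {
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { Write-Host "OK   ping $ip" }
    else { Write-Host "FAIL ping $ip (check the back-end access and network rules)" }
}

# 3. The published name must resolve from the FE (the DMZ NIC points at the internal DNS) ...
try {
    $addrs = @([System.Net.Dns]::GetHostAddresses($OwaName) | ForEach-Object { $_.IPAddressToString })
    Write-Host "OK   $OwaName -> $($addrs -join ', ')"
    # 4. ... and the Exchange server must accept TCP 443 from the FE, or the listener never gets a response.
    if (Test-TcpPort -TargetHost $addrs[0] -Port 443) { Write-Host "OK   TCP 443 to $($addrs[0])" }
    else { Write-Host "FAIL TCP 443 to $($addrs[0]) (back-end publishing/firewall rule or the CAS itself)" }
} catch {
    Write-Host "FAIL cannot resolve $OwaName from this server: $($_.Exception.Message)"
}
```

A FAIL on steps 1 or 2 is a network or routing problem; a FAIL only on step 4 points at the firewall or publishing rules, which is the same distinction the disabled test rule is meant to make.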
Here is another reference for the same process in a slightly different scenario:
http://araihan.wordpress.com/2010/06/17/how-to-configure-back-to-back-firewall-with-perimeter-dmz-topology-step-by-step-guide/