White Paper

Publishing Exchange Server 2010 with Forefront UAG and Forefront TMG
Standard Publishing Scenarios
Greg Taylor, Senior Program Manager, Exchange Server
Date: November 2010

Contents
Executive Summary
Choosing Between Forefront TMG or Forefront UAG
Basic Forefront TMG and/or Forefront UAG Concepts
  Common to both Forefront TMG and Forefront UAG
  Forefront TMG Concepts
  Forefront UAG Concepts
Exchange Publishing Scenarios
  Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront TMG
  Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront UAG
Appendix
  Using Alternative Authorization and Access Providers
Additional Information
Legal Notice

Executive Summary
By allowing remote access to Microsoft Exchange to users who are based outside the safety of the corporate network, an organization enables its employees to take full advantage of the technology their company provides. Remote access lets employees use many devices to communicate with their peers and customers from any place and at any time. Allowing access to corporate resources from any location, perhaps using devices that are not controlled by the organization, presents additional risk to the security of the data and services being accessed. Therefore it's critical to take measures to ensure that the data is being accessed securely, which means implementing technologies such as certificates, firewalls, enforcing pre-authentication, and device or endpoint validation. The key concept to understand is that applying security to any solution is a multi-layered task that includes identifying the threats, reducing the attack surface area, removing unnecessary access points, and enforcing authentication. The casual attacker will usually give up after a few failed attempts to access a resource.

When you publish Exchange, Microsoft offers two software-based options: Microsoft Forefront Threat Management Gateway 2010 (Forefront TMG) and Microsoft Forefront Unified Access Gateway 2010 (Forefront UAG). Both options offer publishing wizards and security features to provide secure access to Exchange when it's accessed from outside the safety of the corporate network. There are other ways to publish Exchange besides using Forefront TMG or Forefront UAG. This technical guide isn't intended to provide the only information you use for a complex organization or one with special security constraints. Instead, it's intended only as a walkthrough to help you publish Exchange on both these platforms, using basic configuration options. If you have a large organization, it's likely that you'll need additional applications or have to factor in additional security considerations. Such applications and security considerations are beyond the scope of this document.

This white paper provides detailed information about publishing Microsoft Exchange Server 2010 using Forefront TMG or Forefront UAG, including how to choose between them for different scenarios, and provides specific steps you can take to configure Forefront TMG and Forefront UAG to publish Exchange 2010.

Document Reviewers: Jim Harrison, Michel Biton, Ross Smith IV, Fernando Cima, Ramon Infante


Choosing Between Forefront TMG or Forefront UAG

Your first decision when planning to publish Exchange using Forefront TMG or Forefront UAG is to determine which of the two products best fits the needs of the deployment. Both Forefront TMG and Forefront UAG can securely publish Exchange to the Internet, but each offers some features or supports scenarios that the other does not. So, the first step in choosing which product to use is deciding what features you need or think you may need. Some deployments may actually use both Forefront TMG and Forefront UAG to satisfy specific requirements. For example, you might use Forefront UAG to provide a unified portal experience for your inbound Web-based client access, use Forefront TMG to protect Internet access for your internal users, and use Forefront TMG to provide certificate-based authentication to your mobile device-enabled workforce.

The white paper compares Forefront TMG and Forefront UAG against the following Exchange-related deployment scenarios and features:
• Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication
• Publish Outlook Anywhere using Basic or NTLM authentication
• Publish Microsoft Exchange ActiveSync using Basic authentication
• Provide load balancing for HTTP-based protocol accessing from the Internet
• Support two-factor authentication for Outlook Web App
• Support two-factor authentication for Exchange ActiveSync
• Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP
• Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server
• Protect and filter Internet access for internal users from malware and other Web-based threats
• Provide support for scaled up Outlook Anywhere deployments by using multiple source IP addresses
• Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc.
• Thoroughly clean up the client following an Outlook Web App session with settings configurable by the admin

It's recommended that you review the information at the Forefront Threat Management Gateway 2010: Home Page and the Forefront Unified Access Gateway 2010: Home Page.

Basic Forefront TMG and/or Forefront UAG Concepts

It's important to understand some key concepts and terminology used in Forefront TMG and Forefront UAG.

Common to both Forefront TMG and Forefront UAG

These concepts or terms are used in both Forefront TMG and Forefront UAG and may also be used in other products or scenarios.

Farm

A farm is a collection of published servers, such as all the Client Access servers in one Active Directory site. Even if a deployment currently contains just one Client Access server, it's usually a good idea to plan and build a farm of one server. Adding servers to an existing farm in a publishing rule in Forefront TMG is much easier than converting publishing rules to publish a farm of servers. Forefront UAG treats all published servers as a farm and makes the addition or removal of servers simple.

Kerberos Constrained Delegation

Kerberos constrained delegation (KCD) is a Windows extension to the MIT-created authentication protocol, Kerberos V5. KCD and protocol transition allow Forefront TMG or Forefront UAG to take user credentials presented as Basic, NTLM, Negotiate, Kerberos, certificate, or form authentication, then request or translate that into a Kerberos service ticket on the user's behalf from Active Directory, and then present the service ticket to the Client Access server in order to access the user's mailbox. This service ticket is only for the destination service required and, therefore, 'constrained'. There are many detailed documents available describing how KCD and protocol transition function. For more information, see the Protocol Transition with Constrained Delegation Technical Supplement.

Domain Joining Forefront TMG/Forefront UAG or Leaving in a Workgroup

In most organizations, the decision whether to domain join the server hosting Forefront TMG/Forefront UAG to your production domain may be one of the more contentious parts of the deployment. In an Exchange publishing scenario, the guidance is clear.

For Forefront UAG deployments, it's recommended that Forefront UAG be domain joined to make authentication simple and flexible. Because Forefront UAG is not a firewall, it should be placed behind some other device that acts as a firewall on the corporate network. Forefront TMG is installed on the Forefront UAG computer during installation, but that's done only to protect the host system and for the underlying functionality it provides to Forefront UAG.

Forefront TMG deployments are more complex to discuss because Forefront TMG is considered a firewall and can protect the network edge. Domain joining Forefront TMG offers many advantages: it allows certificate based authentication to be used at Forefront TMG, using Kerberos Constrained Delegation to communicate to Exchange; it allows easy use of Active Directory groups and user objects in publishing rules to restrict access; and it provides other benefits. Even if Forefront TMG is not domain joined, it can use Active Directory as an authorization and authentication source through the LDAP or RADIUS protocols, for example, forms-based authentication for Outlook Web App and Basic authentication for Outlook Anywhere and Exchange ActiveSync. Some additional configuration is required, and those steps are contained in the appendix of this guide. For an impartial view on whether to domain join Forefront TMG, see Debunking the Myth that the ISA Firewall Should Not be a Domain Member. For more information about identifying your infrastructure design requirements, see Domain and workgroup requirements.

The simple scenario walkthroughs discussed within this article assume Forefront TMG and Forefront UAG are domain joined to the production forest that contains the Exchange resources being accessed.

Forefront TMG Concepts

These concepts or terms are specific to Forefront TMG.

Listener

A listener is an object in Forefront TMG that ties together several other objects:
• At least one IP address, transport and port, where the connection is accepted.
• A certificate, the certificate used for Secure Sockets Layer (SSL) for those connections.
• An authentication method, and the authentication choices the user will have. Common examples are Basic, Windows Integrated, RSA SecurID, and forms-based authentication.

Listeners do have other configuration options such as cookie management, but from an Exchange publishing standpoint, the listener determines where the public DNS records that relate to Exchange services should point, and how it's authenticated.

Publishing Rule

A publishing rule ties a listener to the conditions that determine access limitations. In addition, the rule specifies the destination that requests which pass the conditions of the rule should be sent to. Forefront TMG has many options in each publishing rule that specify whether Forefront TMG will actually apply that specific rule and whether the request meets the conditions of the rule. Examples of rules and conditions are as follows:
• The paths requested by the client. For example, /owa or /autodiscover. A request for /oaw is not processed by the rule meant for use by Outlook Web App.
• The permission of the user to access the rule. Forefront TMG can allow or deny access based on the user object itself or groups that user is a member of. This enables you to serve specific users from different Exchange farms. For example, during a migration process, you can use separate rules for different user groups.
• The schedule during which the rule is available. The rule can be set to only respond and process requests at certain hours of the day.

Having such control over each rule lets an administrator apply very fine-grained conditions to their publishing of Exchange through Forefront TMG.

Authentication Delegation

Authentication Delegation is configured on a publishing rule and specifies how Forefront TMG will authenticate to the server it's publishing. Forefront TMG can delegate authentication using a different method than the client used to authenticate to Forefront TMG. For example, an Outlook Web App client authenticates to Forefront TMG using forms-based authentication. However, Forefront TMG can delegate credentials to Exchange by using Basic or NTLM authentication, or even KCD, as described later in this white paper. The method specified by the Authentication Delegation dialog on the publishing rule must match an authentication method allowed by the Client Access server that Forefront TMG is publishing. For example, if TMG is configured to use Basic authentication delegation to an Exchange server, the corresponding virtual directories on Exchange (/owa, /rpc etc) must have Basic authentication enabled on them. For more information, see About authentication in Web publishing.
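The requirement just stated, that the delegation method on the rule must be enabled on the Client Access server's virtual directories, is easy to check before the rules are built. The following script is an added example, not the white paper's own code: run from the Exchange Management Shell, it lists, for every Client Access server, whether each published virtual directory accepts the method the Forefront TMG rules will delegate (Basic in this walkthrough; NTLM is the other option the paper mentions). The function name, the `-DelegationMethod` parameter and the report layout are this example's own; the cmdlets and properties are standard Exchange 2010 ones.

```powershell
# Added example, not from the white paper: report, per Client Access server,
# whether each published virtual directory accepts the method Forefront TMG
# will delegate. Basic is the walkthrough's choice and the default here;
# -DelegationMethod NTLM checks an NTLM design instead. Server names come from
# your own organization; nothing below is specific to fabrikam.com.

function New-Finding {
    param($Server, $Directory, $AcceptsDelegation, $FormsAuthOnCas)
    New-Object PSObject -Property @{
        Server            = $Server
        Directory         = $Directory
        AcceptsDelegation = [bool]$AcceptsDelegation
        FormsAuthOnCas    = [bool]$FormsAuthOnCas
    }
}

function Test-CasDelegationAuth {
    param([ValidateSet('Basic', 'NTLM')][string]$DelegationMethod = 'Basic')
    $useBasic = ($DelegationMethod -eq 'Basic')
    $findings = @()

    # OWA and ECP: TMG performs the forms-based logon itself and delegates Basic
    # or NTLM, so the CAS directory must accept that method and must not run its
    # own forms-based logon (the user would otherwise be prompted twice).
    foreach ($v in Get-OwaVirtualDirectory) {
        $ok = if ($useBasic) { $v.BasicAuthentication } else { $v.WindowsAuthentication }
        $findings += New-Finding $v.Server 'owa' $ok $v.FormsAuthentication
    }
    foreach ($v in Get-EcpVirtualDirectory) {
        $ok = if ($useBasic) { $v.BasicAuthentication } else { $v.WindowsAuthentication }
        $findings += New-Finding $v.Server 'ecp' $ok $v.FormsAuthentication
    }

    # Exchange ActiveSync: devices send Basic to TMG, which delegates it onward.
    foreach ($v in Get-ActiveSyncVirtualDirectory) {
        $ok = if ($useBasic) { $v.BasicAuthEnabled } else { $v.WindowsAuthEnabled }
        $findings += New-Finding $v.Server 'Microsoft-Server-ActiveSync' $ok $false
    }

    # Outlook Anywhere: the /rpc directory's IIS methods are a list, not booleans.
    $wanted = if ($useBasic) { 'Basic' } else { 'Ntlm' }
    foreach ($oa in Get-OutlookAnywhere) {
        $methods = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })
        $findings += New-Finding $oa.Server 'rpc' ($methods -contains $wanted) $false
    }

    $findings | Select-Object Server, Directory, AcceptsDelegation, FormsAuthOnCas
}

$report = Test-CasDelegationAuth -DelegationMethod Basic
$report | Format-Table -AutoSize
# Anything listed here will fail once the rule delegates Basic to it.
$report | Where-Object { -not $_.AcceptsDelegation -or $_.FormsAuthOnCas } | ForEach-Object {
    Write-Warning ("{0}/{1} does not match Basic delegation from Forefront TMG" -f $_.Server, $_.Directory)
}
```

A row with AcceptsDelegation false means the rule's delegated credentials will be rejected by IIS on that server; a row with FormsAuthOnCas true means the Client Access server would present its own logon form behind the one Forefront TMG already showed.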

Forefront TMG also offers two options: to allow the user to authenticate directly to the Web server itself (No delegation, but client may authenticate directly) or to completely prevent delegation (No delegation, and client cannot authenticate directly). The first of these choices, No delegation, but client may authenticate directly, allows the client to authenticate directly to the Client Access server. This can be useful in a certificate-based authentication scenario, where Forefront TMG is not domain joined, or if you want to use a custom, forms-based authentication solution on the Client Access server and not enforce any authentication at Forefront TMG.

Forefront UAG Concepts

These concepts or terms are specific to Forefront UAG.

Trunk

A Forefront UAG portal trunk is a transfer channel that allows clients, or endpoints, to connect to the trunk's portal home page or applications over HTTP or HTTPS.

Portal

A portal is a Web site created by Forefront UAG to provide access to applications published in a trunk. As soon as the user authenticates to the portal, they can seamlessly access all applications in the portal without having to re-authenticate. This is known as single sign-on (SSO).

Endpoint

An endpoint is a Forefront UAG term for a client computer or application. Personal computers, Web browsers, and mobile devices are all endpoints to Forefront UAG.

Exchange Publishing Scenarios

This section shows the steps that are required to configure Exchange, Forefront TMG, or Forefront UAG to meet simple publishing scenarios. These scenarios are intended as guidance only, and additional steps may be required for your specific deployment.

Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront TMG

In this walkthrough we will configure Forefront TMG to publish Exchange Server 2010 to the Internet. We will use forms-based authentication at Forefront TMG for Outlook Web App and Basic authentication for Outlook Anywhere and Exchange ActiveSync. Both are pre-authenticated at Forefront TMG. Forefront TMG will publish a farm of Client Access servers in one Active Directory site. The following diagram outlines the topology.

[Diagram: Exchange ActiveSync and Outlook Anywhere (RPC) clients, each over TCP 443 HTTPS with Basic authentication, and OWA clients connect to TMG, which forwards to the CAS servers in front of the Mailbox servers.]

Server and software prerequisites

The following are prerequisites for the configuration and should already be configured:
• Exchange 2010 deployed into one (or more) Active Directory sites.
• Forefront TMG 2010 installed onto a Windows Server 2008 (SP2 or R2) domain-joined computer that has two network interfaces: one facing the internal network and one facing the public network. It's good practice to name each network adapter in the Forefront TMG server according to the network it's connected to, for example 'internal' and 'external'. This makes configuring them in Forefront TMG much easier. The Forefront TMG installation wizards make installing and configuring Forefront TMG for basic access simple. In this walkthrough Forefront TMG has been joined to the same domain as a Client Access server to enable Active Directory to provide authentication and authorization without any additional configuration.

Certificate Prerequisites

In order to help secure traffic crossing the Internet, SSL certificates are used on the server that publishes Exchange. For detailed information on how to plan certificates, see White Paper: Exchange 2007 Client Access and SSL. For the purposes of this walkthrough, it's assumed the planning exercise has resulted in the following configuration:
• Split DNS is configured. That is, the same domain name exists both inside and outside the company network in DNS. The domain name used for this walkthrough is fabrikam.com.
• A host record, mail.fabrikam.com, has been created to enable Exchange to be published to the Internet. All clients use this name to reach Outlook Web App, Outlook Anywhere, and Exchange ActiveSync.
• A host record, autodiscover.fabrikam.com, has been created in external DNS to allow Outlook Anywhere and Exchange ActiveSync clients from outside the network to reach the Autodiscover service. For more information, see White Paper: Exchange 2007 Autodiscover Service.
• The certificate lists the mail.fabrikam.com name as the first name on the certificate, also known as the principal name, or the Common Name. This is important when the certificate is used to provide Outlook Anywhere.
• The certificate includes autodiscover.fabrikam.com as a Subject Alternative Name (SAN) attribute on the certificate.
• The certificate will only contain the names required by Forefront TMG to publish Exchange. Creating a certificate with just the names required by Forefront TMG avoids publishing a certificate with unnecessary FQDNs to the Internet.

You should be aware that the certificate used on Forefront TMG can be from a third-party certification authority (CA) and the certificate used internally can be from a different CA, perhaps an internal, Active Directory–integrated certification authority. Whatever choices are made about the issuer of the certificates, the Forefront TMG server must trust the CA that issued the certificates that are used by the Client Access server. If the certificates the Client Access server uses are from an internal Active Directory–integrated CA, and Forefront TMG is a domain member, the choice is usually automatic. If Forefront TMG is not a domain member, or if the certificates were not issued from an Active Directory–integrated CA, then the certificate chain must be installed on the Forefront TMG local computer's Trusted Roots Store. However, for this walkthrough, although the certificate used on Forefront TMG will be from an internal authority, the certificate is not the same certificate as the one from the CA.

It's also very important that the client that is trying to access Exchange through Forefront TMG trust the CA that issued the certificate used by Forefront TMG. Notice that it's not necessary that the client trust the CA that issued the certificate installed on the Client Access server, only the certificate installed on Forefront TMG. In each case, one computer is the client, the computer requesting access to resources, and the other is the server, the computer that has the resources. The client must always trust the CA that issued the certificate used by the server in an SSL conversation. If the SSL tunnel ends on Forefront TMG (as it must for Web publishing), the client must trust the CA that issued the certificate installed in that Forefront TMG Web listener. If the Forefront TMG server then re-encrypts that traffic to Client Access servers inside another SSL tunnel, the Forefront TMG server must then trust the CA that issued the certificate installed on the Client Access server.

If you are using an internal CA to generate certificates, you might have to install that root certificate on your client computer or mobile device in order to enable it to connect to Forefront TMG. If the computer is a member of the domain where the Active Directory–integrated CA was installed, this is usually automatic. If not, the client computer may have to browse to the Certificate Services Web site, if there is one, or copy it from a computer that has the root certificate so that it can be trusted.

It's easy to check whether a computer or device trusts the certificate installed on the server by using a browser to connect to a published service on that server. If a certificate warning pop-up window appears with just the first of the three checks performed failing, the certificate is untrusted. If you are working in Outlook Web App, you can just click Yes as shown in the screenshot to continue. Outlook Anywhere and Exchange ActiveSync clients do not usually provide this option and so will not connect. If you see this warning, you should resolve it before you try to continue.

Configuration Steps
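The browser check described above can also be scripted on a client computer, which is useful when many clients must be verified or when the client is a server that has no browser session. The following function is an added example, not from the white paper: it opens a TLS connection to the published name, lets the handshake complete whatever the outcome, and reports whether the listener certificate chains to a root this computer trusts and whether its name matches. The function name is this example's own; the defaults assume the walkthrough's mail.fabrikam.com on TCP 443.

```powershell
# Added example, not from the white paper: the trust check a browser performs,
# as a script for a client computer. Reports what this computer concludes about
# the certificate the Forefront TMG listener presents. Host name and port are
# parameters; the defaults are the walkthrough's published name.
function Test-PublishedCertificate {
    param([string]$HostName = 'mail.fabrikam.com', [int]$Port = 443)

    $state = @{ PolicyErrors = 'NotChecked' }
    # Record the validation outcome instead of rejecting the connection, so the
    # certificate can still be inspected when this client does not trust it.
    $handler = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors.ToString()
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$handler

    $result = New-Object PSObject -Property @{
        HostName = $HostName; Subject = ''; Issuer = ''; NotAfter = $null
        ChainTrusted = $false; NameMatches = $false; PolicyErrors = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        $result.Subject      = $cert.Subject
        $result.Issuer       = $cert.Issuer
        $result.NotAfter     = $cert.NotAfter
        $result.PolicyErrors = $state.PolicyErrors
        # SslPolicyErrors is a flags enum; "None" means both checks passed.
        $result.ChainTrusted = ($state.PolicyErrors -notmatch 'RemoteCertificateChainErrors')
        $result.NameMatches  = ($state.PolicyErrors -notmatch 'RemoteCertificateNameMismatch')
    } catch {
        # No TLS session at all (DNS failure, connection refused, timeout).
        $result.PolicyErrors = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $result | Select-Object HostName, Subject, Issuer, NotAfter, ChainTrusted, NameMatches, PolicyErrors
}

Test-PublishedCertificate -HostName 'mail.fabrikam.com' | Format-List
```

ChainTrusted false corresponds to the first of the three browser checks failing: the root certificate is not in this computer's trusted store, and Outlook Anywhere and Exchange ActiveSync clients on it will refuse to connect. The script only speaks for the computer it runs on; a mobile device has its own trust store and must be checked on the device.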

There are multiple steps required to configure Forefront TMG to publish Exchange 2010. The following steps are included in this walkthrough document:
• Creating and installing the SSL certificate onto the Forefront TMG server
• Creating a listener
• Creating a Web farm
• Creating publishing rules
• Creating DNS records
• Configuring authentication on the Client Access server
• Testing the configuration

Creating and Installing the SSL Certificate on the Forefront TMG Server

Forefront TMG requires a certificate be used to secure communications with clients. The certificate request can be generated anywhere and then imported to Forefront TMG. The Exchange certificate wizard in Exchange makes it very easy to put the correct names on the certificate. The wizard can be used to generate certificate requests for either internal or third-party CAs. In this walkthrough we use the certificate wizard in Exchange to generate the certificate on a Client Access server inside the network. The client configuration requires that the certificate be created by using these names: mail.fabrikam.com and autodiscover.fabrikam.com. This walkthrough will generate the certificate on the Client Access server, then export it to a file, copy it to Forefront TMG, and then install it to the local computer certificate store on Forefront TMG.

Creating the Certificate Request

1. Using either the Exchange Management Shell or Exchange Management Console, create a certificate request for a certificate with the names mail.fabrikam.com and autodiscover.fabrikam.com. Using the Exchange Management Shell:

   Set-Content -path "C:\mail_fabrikam_com" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=Washington, l=Redmond, o=Fabrikam, ou=IT, cn=mail.fabrikam.com" -DomainName mail.fabrikam.com, autodiscover.fabrikam.com -PrivateKeyExportable $True)

NOTE: You must use PrivateKeyExportable to allow the certificate to be exported from the Client Access server and imported to another computer.
2. Use the resulting request file to request a Web Server certificate at the certification authority you have chosen. Safe handling of certificates that contain private key material, such as those generated by using this process, is necessary to ensure they are not misused.
3. When you receive the resulting file from the CA, right-click the pending certificate request in the Exchange Management Console (EMC) and select 'Complete Pending Request', specifying the file the CA provided to complete the request. Or, you can use the Import-ExchangeCertificate cmdlet.
NOTE: It's important at this point not to assign this certificate to any Exchange services because this certificate will be used on Forefront TMG, not on the Client Access server.

4. As soon as the certificate is imported, right-click the certificate in EMC or use the Export-ExchangeCertificate cmdlet to export the certificate to a .pfx file, specifying a password as required.
5. Transfer the resulting .pfx file to the Forefront TMG server.
6. On the Forefront TMG server, open a blank Microsoft Management Console (MMC) by clicking Start, Run and typing mmc followed by Enter.
7. Click File, Add/Remove Snap-in, and then add the Certificates Snap-in.
8. When you are prompted for the choice of management location, select Computer account, click Finish, and then click OK.
9. Expand the Certificates (Local Computer) node, and then click Personal.
10. Right-click the Personal container, and then select All tasks > Import.
11. Use the Wizard to locate and import the file that you transferred from the Client Access server. You may have to change the file type that the Wizard is searching for from *.cer to *.pfx. When the import completes, double-click the certificate to make sure that it opens, is trusted to the root, and that the certificate shows you have the private key for the certificate.
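The certificate steps above can be carried out entirely from the command line, which makes them repeatable when the certificate is renewed. The following script is an added example, not the white paper's own commands: Part 1 runs in the Exchange Management Shell on the Client Access server (steps 1 to 5), Part 2 on the Forefront TMG server (steps 6 to 11, using certutil in place of the MMC import wizard). The file paths, the CA name "CA01.fabrikam.com\FabrikamCA", the template name and the function Test-TmgListenerCertificate are assumptions made for this example; the Exchange cmdlets and their parameters are the standard Exchange 2010 ones.

```powershell
# Added example, not from the white paper: steps 1-11 above as Exchange
# Management Shell and command-line equivalents. Paths, the CA name and the
# certificate template are assumptions for this example.

# ----- Part 1: on the Client Access server (Exchange Management Shell) -----

# Step 1: request a certificate carrying only the two names TMG needs, with an
# exportable private key so the finished certificate can be moved to TMG.
$request = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "c=US, s=Washington, l=Redmond, o=Fabrikam, ou=IT, cn=mail.fabrikam.com" `
    -DomainName mail.fabrikam.com, autodiscover.fabrikam.com `
    -PrivateKeyExportable $true
Set-Content -Path "C:\mail_fabrikam_com.req" -Value $request

# Step 2: submit the request to the CA. certreq ships with Windows; with a
# third-party CA you would paste the .req into its enrollment site instead.
certreq -submit -config "CA01.fabrikam.com\FabrikamCA" `
    -attrib "CertificateTemplate:WebServer" `
    "C:\mail_fabrikam_com.req" "C:\mail_fabrikam_com.cer"

# Step 3: complete the pending request with the file the CA returned. Do not
# run Enable-ExchangeCertificate: this certificate is for TMG, not for any
# Exchange service on this server.
$certBytes = [Byte[]](Get-Content -Path "C:\mail_fabrikam_com.cer" -Encoding Byte -ReadCount 0)
$imported  = Import-ExchangeCertificate -FileData $certBytes

# Step 4: export certificate and private key to a password-protected PFX.
$pfxPassword = Read-Host -AsSecureString "Password to protect the PFX"
$pfx = Export-ExchangeCertificate -Thumbprint $imported.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\mail_fabrikam_com.pfx" -Value $pfx.FileData -Encoding Byte

# Step 5: copy C:\mail_fabrikam_com.pfx to the TMG server. It contains the
# private key, so use a channel you control and delete this copy afterwards.

# ----- Part 2: on the Forefront TMG server (elevated PowerShell) -----

# Steps 6-11: import into Local Computer\Personal without the MMC wizard.
# certutil prompts for the PFX password.
certutil -importPFX "C:\mail_fabrikam_com.pfx"

# The check the wizard steps end with: present, chains to a trusted root, has
# its private key, and carries exactly the names TMG will publish.
function Test-TmgListenerCertificate {
    param([string]$Subject = 'CN=mail.fabrikam.com')
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return $null }
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        HasPrivateKey   = $cert.HasPrivateKey
        ChainTrusted    = $cert.Verify()   # builds the chain against this computer's trust store
        NotAfter        = $cert.NotAfter
        SubjectAltNames = $(if ($san) { $san.Format($false) } else { '(none)' })
    } | Select-Object Thumbprint, HasPrivateKey, ChainTrusted, NotAfter, SubjectAltNames
}
Test-TmgListenerCertificate | Format-List
```

If ChainTrusted comes back false on the Forefront TMG server, the issuing CA's chain is missing from its Trusted Roots store, which is the situation the Certificate Prerequisites section describes for a non-domain-joined server or a non-integrated CA.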

Now you can choose to remove the certificate from the Client Access server if you no longer need it. Leaving a certificate there, when it isn't used by Exchange, won't do any harm. But if that certificate is accidentally assigned to services or is taken and used elsewhere, with its private key, it could cause problems.

Creating a Listener

In these steps we will configure a single Web listener on the Forefront TMG server and bind the certificate we created to that listener. A listener is a Forefront TMG object that associates a combination of an IP address (the external-facing network adapter of Forefront TMG), a port (TCP 443 for https), a certificate (mail.fabrikam.com), and an authentication provider (Active Directory for this domain-joined Forefront TMG computer).

1. Open the Forefront TMG management console.
2. On the Firewall Policy node, on the right side of the console, click the Toolbox tab. Right-click the Web Listener network object, and then select New Web Listener.

3. Provide a name that describes the object that you are creating, for example Exchange Listener, and then click Next.
4. Take the default option to make sure clients connect using HTTPS, and then click Next.
5. On the Web Listener IP Addresses page, click to select the 'External' network, as Forefront TMG will be listening to requests from clients on the external interface. When you select an object, the Select IP Addresses button becomes available. This enables you to scope the listener to one specific IP address, or to a group of IP addresses if your Forefront TMG server has multiple external or internal IP addresses. If you want to point all internal clients to Forefront TMG and provide a common experience for both internal and external clients, you could do so here by selecting the 'Internal' network object also and making sure that DNS is configured appropriately.

6. On the Listener SSL Certificates page of the wizard, click the Select Certificate button to display the certificate picker and select the certificate you installed earlier. If the certificate is not listed, or the Validity is not shown as Valid, check the certificate import steps that you completed earlier.
7. On the Authentication Settings page of the wizard, click the drop-down arrow and select HTML Form Authentication. This provides forms-based authentication to Outlook Web App but also provides Basic authentication to Outlook Anywhere and Exchange ActiveSync.

8. Click Next.
9. On the Single Sign On Settings page, enter fabrikam.com, and then click Next. Although not strictly necessary for the topology and scenario that this walkthrough provides, this check box and field are very important for migration from Microsoft Exchange Server 2003 and Exchange 2007 to Exchange 2010, because this setting allows Forefront TMG to do the single sign-on (SSO) redirection for Exchange 2003 and Exchange 2007 users when they try to log on to Exchange 2010, as discussed later in this document.
10. Click Next, and then click Finish to complete the Web Listener wizard.

Creating a Web Farm

In these steps we will create a Web farm. That is, we will specify the server or servers that Forefront TMG is publishing, Exchange 2010 Client Access servers in our walkthrough. This involves specifying the servers by name and specifying the method Forefront TMG uses to ensure they are available for use (health checking). You can create the farm as a part of the publishing rule wizard. Some application specific settings are applied automatically when you do this, but as they are separate objects and can be configured independently, this walkthrough will create each one separately. You should configure a farm and a farm-publishing rule even if you only deploy one Client Access server at first. If you then deploy additional Client Access servers, you can add them to the farm and avoid any policy reconfiguration.

1. Open the Forefront TMG management console.
2. On the Firewall Policy node, on the right side of the console, click the Toolbox tab. Right-click the Server Farms object, select New Server Farm, and then give the farm a meaningful name, CAS 2010 Farm in this example.
3.  Click Next, and then click Add to add servers to the farm. Now one advantage of Forefront TMG being a domain member is clear. You can search Active Directory for the Client Access servers and easily populate the field without having to know the IP addresses of the servers themselves.

4. At the Server Farm Connectivity Monitoring screen the default selection is to send an HTTP GET request to the Client Access server to check whether Internet Information Services (IIS) is responding. This default option allows Forefront TMG to issue HTTP requests to the farm members. Notice that connectivity verifiers cannot authenticate to the servers, although the lack of authentication does not affect the verifier. Being prompted for authentication shows that the server is responding. The available health check options provide server availability as follows:
a. Send a Ping request: Forefront TMG will send ICMP Echo Requests to the farm members to determine their availability. If Forefront TMG receives a response to this request, the server is considered available.
b. Establish a TCP connection: Forefront TMG will create a connection to the farm member on the port specified. If this process is successful, Forefront TMG will tear down the session and consider the server to be available.
c. Send an HTTP/HTTPS request: Forefront TMG will create a connection on the port defined in the publishing rule "Bridging" tab and issue an HTTP GET request. A response from the server that is not part of the "server error" set as defined in RFC-2616 (5xx response codes) or any 4xx response other than 401 or 407 will be interpreted as a "success" state, providing a more accurate picture of the farm member's health.
The default choice presented when you run this wizard on its own won't enable the verifier to work correctly when publishing Exchange. The default, an HTTP GET request to the root of the Web server (HTTP://*/), will result in an HTTP 403 Forbidden response because SSL is required to access the resource. This results in the server being marked as down.

When the Web Farm wizard is invoked as part of a publishing rule wizard for Exchange, Forefront TMG sets the verifier to use HTTPS GET to a path of /OWA/ (HTTPS://*/OWA/). This results in a 401 Unauthorized response and marks the server as available. Therefore, if you create the Web farm on its own, and not as part of an Exchange Publishing wizard, as this walkthrough does, you should modify the default settings as shown here, although you may choose to substitute /RPC/ or /Microsoft-Server-ActiveSync/ for /OWA/ if you are only publishing one specific protocol.
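The verifier's decision rule (5xx and most 4xx mean down, 401 and 407 mean the service is answering) can be applied from a management workstation before the farm is saved, which makes the 403-versus-401 difference described above visible for each member. The following script is an added example, not from the white paper; the server names cas01.fabrikam.com and cas02.fabrikam.com are constructed for it, and the two function names are its own. The tolerance for a certificate name mismatch mirrors the statement above that the tested FQDN need not be on the Client Access server certificate; it is this example's assumption that the verifier still requires a trusted chain.

```powershell
# Added example, not from the white paper: applies the HTTP/HTTPS connectivity
# verifier's rule from a management workstation, so you can see what Forefront
# TMG will conclude about each farm member. Server names are constructed.

function Get-VerifierVerdict {
    param([int]$StatusCode)
    # 5xx, and any 4xx other than 401 and 407, mark the member down; an
    # authentication challenge (401/407) proves the service is answering.
    if ($StatusCode -ge 500) { return 'down' }
    if ($StatusCode -ge 400 -and $StatusCode -ne 401 -and $StatusCode -ne 407) { return 'down' }
    return 'up'
}

# Tolerate a certificate name mismatch only (the tested FQDN need not be on the
# CAS certificate); an untrusted chain still fails the probe. This setting is
# process-wide for the session running the probe.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    return ($sslPolicyErrors -eq 'None' -or $sslPolicyErrors -eq 'RemoteCertificateNameMismatch')
}

function Test-FarmMember {
    param([string]$Server, [string]$Path = '/owa/', [bool]$UseHttps = $true)
    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    $url = "{0}://{1}{2}" -f $scheme, $Server, $Path
    $request = [System.Net.WebRequest]::Create($url)
    $request.Method = 'GET'
    $request.Timeout = 5000
    $request.AllowAutoRedirect = $false   # judge the raw status, not a redirect target
    $detail = ''
    try {
        $response = $request.GetResponse()
        $code = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # .NET raises for 4xx/5xx; the status code is still available.
            $code = [int]$_.Exception.Response.StatusCode
        } else {
            # No HTTP answer at all (refused, timed out, TLS failure).
            $code = 0; $detail = $_.Exception.Message
        }
    }
    $verdict = if ($code -eq 0) { 'down' } else { Get-VerifierVerdict $code }
    New-Object PSObject -Property @{ Url = $url; StatusCode = $code; Verdict = $verdict; Detail = $detail } |
        Select-Object Url, StatusCode, Verdict, Detail
}

# Contrast the stand-alone wizard default (HTTP GET /) with the Exchange-aware
# setting (HTTPS GET /owa/): the first should return 403 and read as down, the
# second 401 and read as up.
'cas01.fabrikam.com', 'cas02.fabrikam.com' | ForEach-Object {
    Test-FarmMember -Server $_ -Path '/' -UseHttps $false
    Test-FarmMember -Server $_ -Path '/owa/' -UseHttps $true
} | Format-Table -AutoSize
```

A member that reads as up for /owa/ but down for /rpc/ or /Microsoft-Server-ActiveSync/ is the case for a protocol-specific verifier path, since the default /OWA/ probe alone would not reveal it.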

This setting results in the connectivity verifier making an HTTPS GET request to each member of the farm, specifically directed at the /owa virtual directory. It's not necessary that a certificate with the FQDN being tested (the FQDN of each server in the farm) be installed on the Client Access server. When you have configured the verifiers you need, click Finish to complete the New Server Farm wizard and apply the changes to Forefront TMG.

The following table summarizes the tests and their relative test functionality.

Test      Network   Server   Service
PING      ✓
TCP       ✓         ✓
HTTP/S    ✓         ✓        ✓

Understanding that Forefront TMG can test for the health of a specific application endpoint, such as /OWA/ or /RPC/, might lead you to configure farms with application-specific verification URLs for each application you are publishing. These farms and verifiers can contain the same servers. So you might configure a farm with two Client Access servers for OWA, testing the /OWA/ path, and a farm with the same Client Access servers for Outlook Anywhere, testing the /RPC/ path.

Creating Publishing Rules
A publishing rule ties together the listener, the farm, what paths are valid in the URL, the users who can access the resource, and more. You can create both the listener and the farm when the publishing rule is created. However, these tasks are split out here to make them distinct from one another so that they can each be independently configured.

It's also important to understand that the Exchange Web publishing rule wizard will be run three times: for Outlook Web App, Outlook Anywhere, and Exchange ActiveSync. However, all three will use the same listener and farm. Running the wizard once per client lets Forefront TMG correctly set up the paths each uses and the load balancing each will use (cookie for Outlook Web App, IP based for Outlook Anywhere and Exchange ActiveSync). You should not modify one rule to accommodate all three clients. You should create three separate rules to make sure that the configuration is optimal. You should also know that publishing rules for Exchange that are created without using the Exchange Publishing wizard are unsupported.

1. In the Forefront TMG console, right-click the Firewall Policy node, click New, click Exchange Web Client Access Publishing Rule, and then give it a meaningful name. For this step-by-step example, we will configure the Outlook Web App publishing rule. Click Next.
2. From the drop-down list, select the version of Exchange we are publishing, select the Outlook Web Access (Outlook Web App) check box, and then click Next.
3. On the Publishing Type page, click Publish a server farm of load balanced Web servers, and then click Next.

4. On the Server Connection Security page, leave the default option, Use SSL, and then click Next.
5. On the Internal Publishing Details page, enter the name internal users use to access Outlook Web App. Because split DNS has been configured, this is mail.fabrikam.com. It's important that Forefront TMG be able to resolve the name in this field, but not that it resolves to a load balancer, although it typically will if a load balancer is used inside the organization. If Forefront TMG can resolve this to just one host, the publishing rule will work correctly and correctly balance the load between the Client Access servers configured in the farm. If the name cannot be resolved in DNS by Forefront TMG, the rule will still work. However, this usually results in many event log errors and some decrease in performance. Click Next.
6. On the Specify Server Farm page of the wizard, click the drop-down list, and then select the farm created earlier.
7. On the Public Name Details page, enter the name external users will use to access Outlook Web App. Again, this is mail.fabrikam.com.
8. On the Select Web Listener page, click the drop-down list, and then select the listener you configured earlier.

9. The Authentication Delegation page is frequently one of the more confusing pages of the wizard for those who are not Forefront TMG experts. This page asks whether Forefront TMG should authenticate to the Client Access server on behalf of the user or let the user authenticate directly, and then, if Forefront TMG does delegate credentials, what authentication method Forefront TMG should use when presenting the credentials to the Client Access server. This means that the corresponding virtual directory on the target Client Access server must also support that form of authentication. If Forefront TMG is configured to use Basic authentication, then the Outlook Web App virtual directory on the target Client Access server must also have Basic authentication enabled. For a simple Outlook Web App, Outlook Anywhere, or Exchange ActiveSync deployment, the most likely choices are Basic or NTLM. Forefront TMG cannot delegate credentials correctly to a Client Access server if the Client Access server has forms-based authentication configured. Therefore, if the default setting of FBA authentication is enabled on the Client Access server, delegation will fail, the user will see forms-based authentication generated by the Client Access server, and then have to enter their credentials again. Making sure that the correct authentication scheme is configured on the Client Access server is covered later in this section.

NOTE: If the goal of the deployment is to have FBA for both internal and external users, you have the following options:
• Point internal users to the internal interface of Forefront TMG and use Forefront TMG FBA.
• Leave FBA enabled on the Client Access server, and on the Authentication Delegation page of the wizard in Forefront TMG, select the No delegation, but client may authenticate directly option. This means that Forefront TMG is not performing forms-based authentication at all.
• Add an additional IP address and an additional Outlook Web App Web site to the Client Access server, and then use DNS to ensure users inside and outside the network connect to the correct Web site.
10. On the User Sets page of the wizard, the default, All Authenticated Users, is sufficient if you want to enable all users who successfully authenticate to access the resource. However, to limit access, for example, if you use Active Directory groups, you can select those groups on this page.
11. Finish the wizard, and apply the changes to Forefront TMG.
Complete the same wizard again for Exchange ActiveSync, using the same parameters as for Outlook Web App.

Complete the wizard again for Outlook Anywhere, selecting the box to Publish additional folders on the Exchange Server for Outlook 2007 client, and then selecting Basic authentication for the delegation method. But, when the rule is complete and before you apply the changes to Forefront TMG, open the properties dialog for the rule that you just created, and then add the Autodiscover namespace to the Public Names tab of the rule as shown. The AutoDiscover path is used to provide the Autodiscover service to both Outlook Anywhere and Exchange ActiveSync clients. By default, the Autodiscover path is contained in the Outlook Anywhere rule. If you want to use Exchange ActiveSync but not Outlook Anywhere and also want to provide Autodiscover service functionality to those Exchange ActiveSync clients, you can do one of the following:
• Add the /Autodiscover/* path to the Exchange ActiveSync rule that you have created, and add autodiscover.fabrikam.com to the list of names on the Public Name tab of the rule properties.
• Run the Outlook Anywhere publishing wizard and, when complete, remove the /rpc/*, /oab/*, and other paths that are not required. This puts both Exchange ActiveSync and the Autodiscover service on the same publishing rule. Again, make sure that the Public names tab of the rule is correct.
Apply these settings to Forefront TMG.

Creating DNS Records
In external DNS, create two A records, for mail and the Autodiscover service, in the fabrikam.com DNS zone, pointing at the external IP address of the listener you configured earlier.

Configuring Authentication on the Client Access Server
As mentioned earlier, Forefront TMG will be delegating credentials to the Client Access server by using Basic authentication. So, the owa and ECP virtual directories, which use FBA by default, must be configured to support Basic authentication. You can use the EMC to open the owa and ECP virtual directories and set the authentication to Basic. Then run iisreset on each Client Access server you have changed.

Enable Outlook Anywhere on each published Client Access server, selecting Basic authentication as the Client authentication method. After all changes are made, run iisreset on each Client Access server configured, and then verify that event ID 3006 has been logged and shows the appropriate registry keys are set.

If this is the first time Outlook Anywhere has been enabled, several more steps are required to ensure that users outside Forefront TMG can fully use Outlook. Also, one more step is required so that Exchange ActiveSync can use the Autodiscover service. You should run these on each server in the Active Directory site you are publishing, replacing the server host name as appropriate.

a) Set the external URL for the offline address book (OAB) virtual directory. It is assumed that the OAB is already enabled for Web-publishing. If it's not, see Configure Offline Address Book Distribution Properties.

Set-OABVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/OAB

b) Set the external URL for the Exchange Web Services virtual directory to https://mail.fabrikam.com/EWS/Exchange.asmx.

Set-WebServicesVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/EWS/Exchange.asmx

c) Set the external URL for the Exchange ActiveSync virtual directory to allow the Autodiscover service to provide devices with the correct value.

Set-ActivesyncVirtualDirectory red-cas-1\* -externalurl https://mail.fabrikam.com/Microsoft-Server-Activesync

d) Set the authentication property for the OAB and Exchange Web Services virtual directories to include Basic as an option if you are using Basic delegation on the publishing rule.

Set-OabVirtualDirectory red-cas-1\* -BasicAuthentication:$true
Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true
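Steps a) to d) have to be repeated on every Client Access server in the site, and a server that is missed will hand Outlook an internal URL that Forefront TMG does not publish. The script below is an added example, not code from the white paper: run from the Exchange Management Shell, it applies the same four settings to every Client Access server in one Active Directory site and then reads them back so a missed or mistyped value is visible before you test through Forefront TMG. The site name 'Red', the mail.fabrikam.com namespace and the -RestartIis switch are assumptions for this walkthrough.

```powershell
# Added example (not from the white paper): apply steps a) to d) to every Client Access
# server in one Active Directory site, then read the settings back to verify them.
# Run in the Exchange Management Shell. Site name, namespace and switches are assumptions.

param(
    [string]$SiteName     = 'Red',               # assumed AD site being published
    [string]$ExternalHost = 'mail.fabrikam.com', # public name on the TMG listener
    [switch]$RestartIis                          # run iisreset on each server afterwards
)

# Every Client Access server in the site, so no published server is missed.
$casServers = Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer -and $_.Site.Name -eq $SiteName }

if (-not $casServers) { throw "No Client Access servers found in site '$SiteName'" }

foreach ($server in $casServers) {
    $name = $server.Name
    Write-Host "Configuring $name"

    # a) and d): OAB external URL plus Basic authentication for Basic delegation
    Get-OabVirtualDirectory -Server $name |
        Set-OabVirtualDirectory -ExternalUrl "https://$ExternalHost/OAB" -BasicAuthentication $true

    # b) and d): Exchange Web Services external URL plus Basic authentication
    Get-WebServicesVirtualDirectory -Server $name |
        Set-WebServicesVirtualDirectory -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx" -BasicAuthentication $true

    # c): Exchange ActiveSync external URL, so Autodiscover hands devices the public name
    Get-ActiveSyncVirtualDirectory -Server $name |
        Set-ActiveSyncVirtualDirectory -ExternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync"

    # The walkthrough requires iisreset after authentication changes.
    if ($RestartIis) { iisreset $name /noforce | Out-Null }
}

# Read everything back; a blank URL or a value pointing elsewhere shows up here.
$casServers | ForEach-Object {
    $name = $_.Name
    $oab = Get-OabVirtualDirectory -Server $name
    $ews = Get-WebServicesVirtualDirectory -Server $name
    $eas = Get-ActiveSyncVirtualDirectory -Server $name
    New-Object PSObject -Property @{
        Server   = $name
        OabUrl   = $oab.ExternalUrl
        OabBasic = $oab.BasicAuthentication
        EwsUrl   = $ews.ExternalUrl
        EwsBasic = $ews.BasicAuthentication
        EasUrl   = $eas.ExternalUrl
    }
} | Format-Table Server, OabUrl, OabBasic, EwsUrl, EwsBasic, EasUrl -AutoSize
```

The Get-*VirtualDirectory -Server form is used instead of the server\* identity in the commands above so that the script works regardless of the virtual directory display name. Every URL written here must also appear on the certificate bound to the Forefront TMG listener, which the Troubleshooting section revisits.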

Testing the Configuration

Testing Outlook Web App
The first test determines whether a user connected to the Internet can log on to an Exchange 2010 mailbox using Outlook Web App through Forefront TMG.
1. Open a browser and browse to the URL Outlook Web App is published to, in this example, https://mail.fabrikam.com/OWA.
2. The Outlook Web App sign-in page is displayed. At the foot of the page, the words Secured by Microsoft Forefront Threat Management Gateway 2010 are displayed, indicating this form was generated by Forefront TMG.
3. Try to access an Exchange 2010 mailbox by using the domain\username format and password.
4. If the attempt was successful, the mailbox will be displayed.

Testing Exchange ActiveSync
The next test determines whether a mobile device is able to synchronize to an Exchange mailbox.
1. Configure a mobile device to automatically configure a profile, or manually set the server as mail.fabrikam.com, and ensure the device can successfully synchronize with a mailbox.

Testing Outlook Anywhere and the Autodiscover service

1. Using a computer outside the corporate network, open Outlook and configure a new profile. The wizard takes advantage of the Autodiscover service, and will try to connect to autodiscover.fabrikam.com (assuming the SMTP address of your test user account ends with @fabrikam.com).
2. If you receive 3 check marks in the Add New Account wizard, you have successfully configured Outlook Anywhere and proven that the Autodiscover service is correctly configured.

Troubleshooting
There are many common configuration errors made when publishing Exchange. If it's necessary, use this list to validate and confirm your settings.

• Certificates
The most common reason one or more of these clients is unable to log on, or Forefront TMG is unable to publish, is a certificate error. Check the following:
Trust: Does the client trust the issuer of the certificate on Forefront TMG? And does Forefront TMG trust the issuer of the certificate on the Client Access server?
Name Mismatch: You may receive a pop-up window because the name on the certificate does not match the name the client was expecting to see. First make sure all ExternalURL settings are correct and those names are present on the certificate. Then try to resolve the problem by reissuing the certificate with the correct names and test again.
Expiration Dates: If the certificates have expired, the client will not accept their use. Check the expiration dates and reissue the certificates.

• Matching Authentication Schemes
If Forefront TMG is configured for Basic Delegation, then the appropriate virtual directories on the Client Access server should be configured to support Basic authentication. Similarly, if NTLM delegation was set at Forefront TMG, Windows Integrated authentication must be enabled on the Client Access server.
• DNS
Are the records for mail and Autodiscover in the correct zone, and do they have the correct IP address? The IP should resolve to the external network adapter of Forefront TMG and, more specifically, to the IP address of the listener configured on the Exchange publishing rules.
• Eliminate single server issues
If you are publishing a farm of Client Access servers, reduce the farm size to just one Client Access server and test again. This makes troubleshooting much easier because it's easy to determine which servers are involved in the connection attempt.
• Use the Exchange Remote Connectivity Analyzer tool
If the environment is Internet-facing, see Microsoft Exchange Remote Connectivity Analyzer to test the configuration from the Internet.
• Use the Test Email AutoConfiguration tool in Outlook
Confirm that the Autodiscover service can be contacted and that the URLs returned by Autodiscover are correct. To use the tool, hold down the CTRL key, and then right-click the Outlook icon on the taskbar.
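The certificate checks (trust, name mismatch, expiration) and the DNS check above can be run from a client on the Internet in one pass. The script below is an added example, not code from the white paper: for each published name it resolves the record, completes a TLS handshake with the Forefront TMG listener, and reports whether the client trusts the chain, whether the name is on the certificate (Common Name or Subject Alternative Name), and whether the certificate has expired. The listener address 203.0.113.10 is a constructed placeholder; the two fabrikam.com names are the ones used in this walkthrough.

```powershell
# Added example (not from the white paper): check DNS, trust, name match and expiry for
# each name published through Forefront TMG, from a client outside the network.
# The listener IP is a constructed placeholder; the host names come from the walkthrough.

function Get-PublishedCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever is presented during the handshake; trust and names are checked
    # explicitly below so that a failing certificate is reported rather than just rejected.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $client.Close()
    }

    # Trust: build the chain with this client's root store, as a browser or Outlook would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

    # Names: the Common Name plus every DNS entry in the Subject Alternative Name (OID 2.5.29.17).
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $sanNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    New-Object PSObject -Property @{
        CommonName  = $cn
        Names       = @(@($cn) + $sanNames | Select-Object -Unique)
        NotAfter    = $cert.NotAfter
        Issuer      = $cert.Issuer
        Trusted     = $trusted
        ChainStatus = $chainStatus
    }
}

function Test-PublishedName {
    param([Parameter(Mandatory = $true)][string]$HostName, [string]$ExpectedIp)

    $dns  = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() })
    $cert = Get-PublishedCertificate -HostName $HostName

    New-Object PSObject -Property @{
        HostName    = $HostName
        ResolvesTo  = ($dns -join ',')
        DnsCorrect  = ($dns -contains $ExpectedIp)   # must be the TMG listener, not an internal address
        NameOnCert  = ($cert.Names -contains $HostName)
        Trusted     = $cert.Trusted
        ChainStatus = $cert.ChainStatus               # e.g. UntrustedRoot, NotTimeValid; empty when clean
        Expired     = ($cert.NotAfter -lt (Get-Date))
        NotAfter    = $cert.NotAfter
    }
}

# Constructed inputs: the listener's public IP (placeholder) and the two published names.
$listenerIp = '203.0.113.10'
'mail.fabrikam.com', 'autodiscover.fabrikam.com' |
    ForEach-Object { Test-PublishedName -HostName $_ -ExpectedIp $listenerIp } |
    Format-Table HostName, ResolvesTo, DnsCorrect, NameOnCert, Trusted, ChainStatus, Expired, NotAfter -AutoSize
```

A row with NameOnCert false is the name-mismatch case: either the ExternalURL values point at a name the certificate does not carry, or the certificate needs to be reissued. Trusted false with an UntrustedRoot status is the trust case, and the same function run from the Forefront TMG server against a Client Access server answers the second half of that question.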

Additional Configuration Steps for Exchange 2010 and/or Outlook 2010 Users
If you are not publishing Outlook Web App in your environment but do allow the publishing of Outlook Anywhere (and possibly Exchange ActiveSync) and are using Outlook 2010, you will have to make some adjustments to the configuration to allow an Outlook 2010 user to be able to access the Exchange Control Panel (ECP). Exchange 2010 users require access to the ECP for certain configuration settings, such as voice mail and message tracking information. The ECP is accessed by using a Web browser and is invoked by a link in the Microsoft Office Backstage area of Outlook 2010 or within the properties of a message.

In Forefront TMG there are several choices, depending on the existing configuration. You can create a new listener and publishing rule for the ECP and then modify it. Or you can modify the existing listener and publishing rule you have configured for publishing Outlook Anywhere. In this scenario, it's likely that the existing listener will not be enabled for forms-based authentication because Outlook Anywhere supports only Basic or NTLM authentication at this time. The choice between these depends on several factors, but some recommendations are as follows:
• If Outlook Anywhere is already configured for Basic authentication you can either:
o Enable forms-based authentication on the same listener. The ECP will then use FBA, and Outlook Anywhere will continue to use Basic authentication. This requires you to enable Basic authentication on the /ECP virtual directory of all published Client Access servers.
o Leave Basic only enabled and accept a Basic authentication prompt when the user accesses the ECP. This requires you to enable Basic authentication on the /ECP virtual directory of all published Client Access servers.
• If Outlook Anywhere is configured for NTLM you can either:
o Continue to use NTLM authentication and KCD to the Client Access server. This requires you to enable Windows Integrated authentication on the /ECP virtual directory of all published Client Access servers.
o Add Basic authentication to the listener and expect users to see a Basic authentication pop-up window. This requires you to enable Basic authentication on the /ECP virtual directory of all published Client Access servers.

o Add an additional Web listener to Forefront TMG, configure FBA, and then publish the ECP using your choice of delegation protocol. Either step will enable you to use different authentication methods.

In addition to the choice you make on authentication, you may also have to consider some additional factors:
• If you want to use Basic, NTLM or KCD delegation to the Client Access server, you have to disable forms-based authentication on the /ECP virtual directory on the Client Access server. If you want to offer FBA for internal users at the same time, you can either ensure their DNS requests for the ECP service resolve to Forefront TMG (if you are using a forms-based listener) or add a secondary Web site, which requires an additional IP address. For detailed instructions, see New-EcpVirtualDirectory.
• If you want to allow Outlook Web App access for internal users, but don't want to allow Outlook Web App access from outside the corporate network, but do want to allow all users to access the ECP, then you must restrict the resources you publish to allow only those resources required by the ECP to be accessed. This is because the ECP uses the Outlook Web App authentication model and therefore uses some Outlook Web App resources to function.
• If you do not want to allow any user to access Outlook Web App, you can disable Outlook Web App access per user with the Set-CASMailbox cmdlet.

To make sure only the ECP can be accessed but not Outlook Web App, the following paths must be allowed by Forefront TMG:
• /ecp/*
• /owa/auth/logon.aspx
• /owa/logoff.owa
• /owa/auth.owa
• /owa/auth.aspx
• /owa/auth/logoff.aspx
• /owa/lang.owa
• /owa/languageselection.owa*
• /owa/14*

These paths are in addition to the following paths, which are required by Outlook Anywhere 2010:
• /rpc/*
• /OAB/*
• /ews/*
• /AutoDiscover/*
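A path list like this is easy to get subtly wrong (a stray /owa/* re-opens the whole mailbox UI from the Internet), so it helps to test the list against the requests you expect. The PowerShell below is an added example, not code from the white paper: it turns the path list above into the same kind of match Forefront TMG performs (literal path, with a trailing * matching anything that follows, compared case-insensitively) and runs a set of constructed request paths through it, showing that the ECP and its sign-in pages pass while a plain /owa/ mailbox request does not. The mail.fabrikam.com name is from the walkthrough; the sample requests are constructed for this example.

```powershell
# Added example (not from the white paper): check which request paths the ECP-only path
# list admits. The allowed paths are the ones listed above; sample requests are constructed.

$ecpOnlyPaths = @(
    '/ecp/*',
    '/owa/auth/logon.aspx',
    '/owa/logoff.owa',
    '/owa/auth.owa',
    '/owa/auth.aspx',
    '/owa/auth/logoff.aspx',
    '/owa/lang.owa',
    '/owa/languageselection.owa*',
    '/owa/14*'
)
$outlookAnywherePaths = @('/rpc/*', '/OAB/*', '/ews/*', '/AutoDiscover/*')

function ConvertTo-PathRegex {
    param([Parameter(Mandatory = $true)][string]$Pattern)
    # A publishing-rule path is literal except for one trailing '*', which matches the rest
    # of the path. Escape the literal part so '.' in file names is not a regex wildcard.
    $literal = [regex]::Escape($Pattern.TrimEnd('*'))
    if ($Pattern.EndsWith('*')) { "^$literal.*$" } else { "^$literal$" }
}

function Test-PublishedPath {
    param(
        [Parameter(Mandatory = $true)][string]$RequestPath,
        [Parameter(Mandatory = $true)][string[]]$AllowedPaths
    )
    # Compare the path only; the query string is not part of the rule match.
    $path = ([uri]('https://mail.fabrikam.com' + $RequestPath)).AbsolutePath
    foreach ($pattern in $AllowedPaths) {
        # -match is case-insensitive by default, like the IIS/TMG path comparison.
        if ($path -match (ConvertTo-PathRegex $pattern)) { return $pattern }
    }
    return $null
}

# Constructed sample requests: ECP pages, OWA sign-in resources, OWA mailbox requests,
# Outlook Anywhere paths and a legacy /exchange request.
$samples = @(
    '/ecp/',
    '/ecp/?rfr=olk',
    '/owa/auth/logon.aspx?url=https://mail.fabrikam.com/ecp/',
    '/owa/14.0.639.21/themes/base/owa.css',
    '/owa/auth.owa',
    '/owa/',
    '/owa/?ae=Folder',
    '/rpc/rpcproxy.dll',
    '/ews/exchange.asmx',
    '/exchange/'
)

$samples | ForEach-Object {
    $rule = Test-PublishedPath -RequestPath $_ -AllowedPaths ($ecpOnlyPaths + $outlookAnywherePaths)
    New-Object PSObject -Property @{
        Request   = $_
        Allowed   = ($rule -ne $null)
        MatchedBy = $rule
    }
} | Format-Table Request, Allowed, MatchedBy -AutoSize
```

In the output, /owa/ and /owa/?ae=Folder are the rows that must read Allowed false: they are the mailbox itself. If you later add a path to the rule, re-run the check with a few mailbox-style requests to confirm the ECP-only intent still holds.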

These are configured on the publishing rule as shown here. As soon as they are configured, the ECP should be able to be accessed. It's always important to remember that the delegation type chosen on the publishing rule must match the method enabled on the Client Access server, as described elsewhere in this guide.

Migration Considerations
If you are migrating from an earlier version of Exchange and are following the standard Exchange migration guidance at Upgrade to Exchange 2010 and using an additional 'legacy' namespace, some changes are required in Forefront TMG to ensure a smooth migration. The exact configuration required will depend on the clients and protocols that are used, for example, whether the listener uses forms-based authentication, Basic or NTLM. Outlook Web App has a built-in Single Sign On (SSO) capability when it's deployed alongside Microsoft Exchange Server 2007 in the same Active Directory site or when an Outlook Web App request for a 2003 mailbox is received. Accessing a mailbox hosted on Exchange 2003 or Exchange 2007 using Exchange ActiveSync or Outlook Anywhere can be performed through an Exchange 2010 Client Access server. However, in some scenarios, you may choose to provide access through an Exchange 2007 Client Access server to users who have mailboxes on Exchange 2007. Two basic approaches can be used when Forefront TMG is being used to publish Exchange. You can either configure Forefront TMG to direct traffic to the appropriate version of Exchange for the user requesting access, or you can rely on Exchange to either provide access directly to a down-level version of Exchange or redirect the user to an appropriate URL.

Using Forefront TMG Publishing Rules to Direct Traffic
Forefront TMG can be configured to automatically route client requests to the correct version of Exchange instead of using the built-in Exchange SSO logic at all. Using this approach, which relies on configuring groups in Active Directory and associating those groups with specific publishing rules, is very effective. However, it relies on group membership being kept up to date, which can be hard during a migration, and is affected by Active Directory replication latency. Because Forefront TMG is responsible for authentication to determine which publishing rules will be applied, Forefront TMG should be either configured as a domain member or to use LDAP authentication against Active Directory. In either case, forms-based authentication is still being performed on Forefront TMG. So forms-based authentication must be disabled on Exchange 2003, Exchange 2007, and Exchange 2010, and either Basic or Windows Integrated authentication enabled, depending on the publishing rule delegation settings.

Using Native Exchange SSO Redirection Combined with Forefront TMG Listener SSO
You can rely on Exchange to redirect the user to the correct endpoint. This is the scenario covered during this walkthrough. In this scenario, the standard approach is to move the existing namespace, for example, mail.fabrikam.com, to Exchange 2010, and use the newly created 'legacy' namespace, for example, legacy.fabrikam.com, to access earlier versions of Exchange. It's important to understand that using Forefront TMG in combination with Exchange to perform the SSO requires that both host names be under the same common root. It isn't possible to configure Forefront TMG SSO between mail.fabrikam.com and legacy.contoso.com. There are several steps required to configure this scenario:
• Ensure the certificates have the correct names.
• Create a Web farm for the legacy version of Exchange.
• Create a publishing rule for the legacy version of Exchange.
• Ensure SSO is enabled on the listener.
• Configure Exchange to provide the redirection URLs.

Ensure Certificates Have the Correct Names
The first step in enabling SSO when you use Forefront TMG is to ensure that the certificate you are using on the Forefront TMG listener has all the names you need to support the scenario. In this example, we will add legacy.fabrikam.com to the certificate and use that FQDN to redirect users who have mailboxes on Exchange 2003 or Exchange 2007 to access their mailbox. As soon as the certificate is in place on Forefront TMG, adjust the properties on the listener to use the new certificate instead of the previous one.

Create a Web Farm to Publish the Legacy Servers
Follow the steps that were described earlier, and then create a Web farm, but use the legacy Exchange 2003 front-end servers or Exchange 2007 Client Access servers as the targets.

At this point, also make sure that the certificates on the Exchange 2003 front-end servers or Exchange 2007 Client Access servers are valid and have the correct name (legacy.fabrikam.com). It's common, and simplifies the deployment, to use the same certificate as used on the Exchange 2010 Client Access servers in your organization.

Outlook Web App Migration
On Forefront TMG, create a publishing rule for the legacy version of Exchange, choosing the same listener as used for Exchange 2010, but making sure that you use the Legacy Farm you created in the previous step, using legacy.fabrikam.com as the public name clients use to connect. Again, make sure that the delegation you select is configured on the /Exchange virtual directory on the Exchange 2003 servers in the farm and on the /owa virtual directory on the Exchange 2007 Client Access server if you are redirecting to Exchange 2007.

On Forefront TMG, make sure that SSO is enabled for the .fabrikam.com domain. This is the default.

Configure Exchange 2010 to Provide the Redirection URLs
Next, if you are migrating from Exchange 2003 to Exchange 2010, on all the Exchange 2010 Client Access servers being published, set the Exchange 2003 URL property on the owa virtual directory to match the value of the legacy FQDN and URL you are using, in this case, https://legacy.fabrikam.com/exchange.

Set-OwaVirtualDirectory RED-CAS-1\* -Exchange2003URL https://legacy.fabrikam.com/exchange

If you are migrating from Exchange 2007 to Exchange 2010, make sure that the externalurl parameter on the Exchange 2007 Client Access server owa virtual directory is set correctly.

Set-OwaVirtualDirectory RED-CAS-2007\* -ExternalURL https://legacy.fabrikam.com/owa

If you are migrating from mixed Exchange 2003 / Exchange 2007 to Exchange 2010, you should first make sure that all Exchange 2003 access is through the Exchange 2007 Client Access servers. This is the norm when migrating from Exchange 2003 to Exchange 2007. In this scenario, and when both the previous commands are executed, Exchange 2003 users will be redirected to the /exchange virtual directory on the Exchange 2007 Client Access server and Exchange 2007 users will be redirected to the /owa virtual directory on the Exchange 2007 Client Access server. This allows all three versions of Exchange to be accessed through a single URL.

Note: If a user tries to browse to https://mail.fabrikam.com/exchange, as would be the case if they were an Exchange 2003 user who had bookmarked a page they had used earlier, they will be automatically redirected to https://mail.fabrikam.com/owa and provided with a form to log on with.

Ensure DNS is Correct and Test the Configuration
Ensure the A record for legacy.fabrikam.com in external DNS resolves to the same IP address as mail.fabrikam.com. Test the Exchange 2003 configuration by going to https://mail.fabrikam.com/owa and logging in to an Exchange 2003 mailbox. You should be silently redirected to https://legacy.fabrikam.com/Exchange and automatically logged in without any prompts for credentials. Test the 2007 configuration by going to https://mail.fabrikam.com/owa and logging on to an Exchange 2007 mailbox. You should be silently redirected to https://legacy.fabrikam.com/owa and automatically logged in without any additional prompts for credentials.

Exchange ActiveSync Migration
Two options exist for providing access to users who have mailboxes on Exchange 2003 or Exchange 2007 and whose mailboxes have not yet been migrated to Exchange 2010. First, do nothing and allow the Exchange 2010 Client Access server to proxy the request internally to Exchange 2007 for Exchange 2007 users, or directly access the mailbox for Exchange 2003 users. In this case, all access is through Exchange 2010. It's important to plan your migration so that sufficient Exchange 2010 Client Access servers exist to provide access to all users as soon as you deploy them. Or, you can decide to publish more than one version of Exchange and rely on Exchange to redirect clients between versions as required. However, the latter approach only works for:

• Users who have mailboxes on Exchange 2007.
• Devices that are running Windows Mobile 6.1 or a later version.
• Devices that support the HTTP 451 redirect mechanism used by Exchange ActiveSync to inform the device which endpoint it should be using.

If your deployment is fairly small or is between Exchange 2003 and Exchange 2010, or if you cannot make sure that all devices support the HTTP 451 redirect, it's recommended that you provide access to all versions of Exchange through an Exchange 2010 Client Access server. However, if you want to publish the Exchange 2007 and Exchange 2010 servers separately in the same Active Directory site, you have to create a new publishing rule in Forefront TMG for Exchange ActiveSync, using the legacy.fabrikam.com host name together with a farm of Exchange 2007 Client Access servers as the target for the rule. Then you can use a command, such as the following, to correctly set the external URL for the Exchange 2007 Client Access server to the legacy value.

Set-ActiveSyncVirtualDirectory CAS-2007-01\* -externalurl https://legacy.fabrikam.com/microsoft-server-activesync

As soon as this command is complete, any user who uses a device on Exchange 2007 and connects through an Exchange 2010 Client Access server should receive an HTTP 451 response from the server that includes the new URL. The device should reconfigure itself, and the user will reconnect using the newly created publishing rule in Forefront TMG. After the user's mailbox is migrated to Exchange 2010, the Exchange 2007 Client Access server will issue another HTTP 451 response, and the device will again reconfigure itself. For these reasons you must make sure that the legacy namespace is not removed before all devices are updated. Otherwise the device won't be able to reach the legacy endpoint in order to receive the redirection.

Outlook Anywhere Migration
Migrating clients who connect by using Outlook Anywhere direct to Exchange 2003 or Exchange 2007 is fairly straightforward. Just as with Exchange ActiveSync, your approach depends on the version of clients you want to support and your ability to provision all your Exchange 2010 servers at the beginning of the migration. The recommended scenario is to move the existing Outlook Anywhere endpoint your clients use to Exchange 2010 and allow the Exchange 2010 Client Access server to proxy connections back to legacy versions of Exchange when it's necessary. Exchange 2003, Exchange 2007 and Exchange 2010 Outlook Anywhere users can all access their mailboxes by using an Exchange 2010 Client Access server, so the simplest approach is to publish just Exchange 2010 as the Outlook Anywhere endpoint.
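Both the Outlook Web App redirection settings (Exchange2003URL on the Exchange 2010 owa virtual directory, ExternalURL on the Exchange 2007 owa virtual directory) and the Exchange ActiveSync ExternalURL on the Exchange 2007 servers have to agree with the legacy namespace on every server, or a subset of users will be redirected to a name Forefront TMG does not publish. The script below is an added example, not code from the white paper, serving both the Outlook Web App and the Exchange ActiveSync migration sections: run from the Exchange Management Shell, it reads those three values from every Client Access server and flags any that differ from the legacy URLs. The legacy.fabrikam.com URLs are the ones used in this walkthrough; distinguishing server versions by AdminDisplayVersion.Major (8 for Exchange 2007, 14 for Exchange 2010) is an assumption made here.

```powershell
# Added example (not from the white paper): audit the legacy redirection URLs on every
# Client Access server. Run in the Exchange Management Shell. The legacy URLs are the
# walkthrough's; the version test on AdminDisplayVersion is an assumption.

param(
    [string]$LegacyOwa2003 = 'https://legacy.fabrikam.com/exchange',   # Exchange2003URL on 2010 owa vdir
    [string]$LegacyOwa2007 = 'https://legacy.fabrikam.com/owa',        # ExternalURL on 2007 owa vdir
    [string]$LegacyEas2007 = 'https://legacy.fabrikam.com/microsoft-server-activesync'
)

function ConvertTo-ComparableUrl {
    param($Url)
    # A trailing slash or different letter case is not a real mismatch, so normalise both sides.
    if ($Url) { return $Url.ToString().TrimEnd('/').ToLowerInvariant() }
    return ''
}

function New-AuditRow {
    param([string]$Server, [string]$Version, [string]$Setting, $Actual, [string]$Expected)
    $actualNorm = ConvertTo-ComparableUrl $Actual
    New-Object PSObject -Property @{
        Server   = $Server
        Version  = $Version
        Setting  = $Setting
        Actual   = $actualNorm
        Expected = (ConvertTo-ComparableUrl $Expected)
        Ok       = ($actualNorm -eq (ConvertTo-ComparableUrl $Expected))
    }
}

$casServers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }

$casServers | ForEach-Object {
    $server = $_
    $major  = $server.AdminDisplayVersion.Major    # 8 = Exchange 2007, 14 = Exchange 2010 (assumed)
    $owa    = Get-OwaVirtualDirectory -Server $server.Name |
                  Where-Object { $_.Name -like 'owa*' } | Select-Object -First 1

    switch ($major) {
        14 {
            # Exchange 2010: the Exchange 2003 URL drives redirection of 2003 mailbox users.
            New-AuditRow $server.Name '2010' 'owa Exchange2003Url' $owa.Exchange2003Url $LegacyOwa2003
        }
        8 {
            # Exchange 2007: both OWA and ActiveSync external URLs must carry the legacy name.
            New-AuditRow $server.Name '2007' 'owa ExternalUrl' $owa.ExternalUrl $LegacyOwa2007
            $eas = Get-ActiveSyncVirtualDirectory -Server $server.Name | Select-Object -First 1
            New-AuditRow $server.Name '2007' 'ActiveSync ExternalUrl' $eas.ExternalUrl $LegacyEas2007
        }
        default {
            New-AuditRow $server.Name "$major" 'not audited' '' ''
        }
    }
} | Sort-Object Ok, Server | Format-Table Server, Version, Setting, Ok, Actual, Expected -AutoSize
```

Rows with Ok false come first in the output. Pair this with the DNS check from the Troubleshooting section, since the legacy A record must resolve to the same listener as mail.fabrikam.com for the redirected session to succeed.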

Supporting this configuration in Forefront TMG just requires additional publishing rules, with additional Web farms for each version of Exchange. If you decide you must have separate namespaces for Outlook Anywhere, you have several things to consider:
• Users with mailboxes on Exchange 2010 cannot use Outlook Anywhere via an Exchange 2003 front-end server or an Exchange 2007 Client Access server, as neither of these versions of Exchange understands the RPC Client Access Service component in Exchange 2010, so they do not consider the endpoint the client is trying to reach as valid.
• Outlook 2003 does not use the Autodiscover service to update or change any configuration settings, so if a mailbox is moved between versions of Exchange and different Outlook Anywhere endpoints are used, the client profile may break and prevent access.
• Outlook 2007 clients sometimes don't correctly update the Outlook Anywhere settings following a move between two Outlook Anywhere–enabled endpoints. For example, if you were publishing Exchange 2007 and Exchange 2010 using different Outlook Anywhere host names, and a user's mailbox were moved between Exchange 2007 and Exchange 2010, the client may not correctly update the host name used by Outlook Anywhere.

The standard recommendation of moving the existing namespace to Exchange 2010 and allowing the Exchange 2010 Client Access server to provide access to all legacy versions of Exchange means very little user impact and minimal client configuration changes. Additionally, when the Exchange 2010 Client Access server is introduced, the configuration of the client doesn't have to change, either at the beginning of the deployment or later, when the user's mailbox is moved to an Exchange 2010 mailbox server.

One common reason for using two namespaces for Outlook Anywhere may be to allow a pilot deployment of Exchange 2010 alongside an existing Exchange 2003 or Exchange 2007 deployment. If this is the reason for the additional namespace, it's recommended that you consider deploying Exchange 2010 in a separate Active Directory site for the pilot phase of the project. This will completely avoid the possibility of the Exchange 2007 Autodiscover service returning Exchange 2010 URLs to Outlook clients. Then, it's recommended that you create a new namespace for Exchange 2010 and manually configure pilot users to use those settings if necessary, creating a new publishing rule just for Exchange 2010 Outlook Anywhere, the steps for which are discussed earlier in this walkthrough.

Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront UAG

In this walkthrough we will be configuring Forefront UAG to publish Exchange Server 2010 to the Internet. Forefront UAG will be publishing a farm of Client Access servers in one Active Directory site. We will again be using forms-based authentication at Forefront UAG for Outlook Web App, and Basic authentication for Outlook Anywhere and Exchange ActiveSync, both authenticated at Forefront UAG. The following diagram outlines the topology.

[Diagram: Outlook Web App, Outlook Anywhere (RPC over HTTP) and Exchange ActiveSync clients connect over TCP 443 (HTTPS, Basic authentication) to Forefront UAG, which publishes the Client Access servers that sit in front of the Mailbox servers.]

Server and Software Prerequisites

The following prerequisites for the configuration should already have been configured:

• Exchange 2010 deployed in one (or more) Active Directory sites.
• Forefront UAG 2010 installed on a Windows Server 2008 R2 domain-joined computer with two network interfaces: one facing the internal network, and one facing the public network. The Forefront UAG installation wizards make installing Forefront UAG simple. It's good practice to name each network adapter in the Forefront UAG server according to the network it's connected to, for example 'internal' and 'external'. This makes configuring them in Forefront UAG much easier.

Certificate Prerequisites

Just like when you configure Forefront TMG, certificates are used on the server publishing Exchange. For detailed instructions about how to plan certificates, see the TechNet Library, including White Paper: Exchange 2007 Client Access and SSL. For the purposes of this walkthrough, it's assumed the planning exercise has resulted in the following configuration:

• Split DNS is configured, that is, the same domain name exists both inside and outside the company network in DNS. The domain name used for this walkthrough is fabrikam.com.
• A host record—mail—has been created to enable Exchange to be published to the Internet. Mail.fabrikam.com will be the name all clients use to reach Outlook Web App, Outlook Anywhere and Exchange ActiveSync.
• The certificate lists the mail.fabrikam.com name as the first name on the certificate, also known as the principal name, or the Common Name. This is important when the certificate will be used to provide Outlook Anywhere.
• A host record—AutoDiscover—has been created in external DNS to allow Outlook Anywhere and Exchange ActiveSync clients from outside the network to reach the Autodiscover service. For more information, see White Paper: Exchange 2007 Autodiscover Service.
• The certificate will include autodiscover.fabrikam.com as a SAN attribute on the certificate.

You should be aware that the certificate used on Forefront UAG can be from a third-party certification authority (CA) and the certificate used internally can be from a different CA, perhaps an internal, Active Directory–integrated certification authority. However for this walkthrough, although the certificate used on Forefront UAG will be from an internal certification authority, the certificate isn't the same certificate as that used on the Client Access server. The certificate will only contain the names required by Forefront UAG to publish Exchange. Creating a certificate with just the names required by Forefront UAG avoids publishing a certificate with unnecessary FQDNs to the Internet.

Whatever choices are made about the issuer of the certificates, the Forefront UAG server must trust the certification authority that issued the certificates that are used by the Client Access server it's publishing. If the certificates that the Client Access servers are using are from an internal Active Directory–integrated certification authority, and Forefront UAG is a domain member, this will usually be automatic. If Forefront UAG is not a domain member, or if the certificates were not issued from an Active Directory–integrated CA, then the certificate chain must be installed into the Forefront UAG local computer trusted root certificate store.

It's also very important that the client that is trying to access Exchange through Forefront UAG trust the CA that issued the certificate used by Forefront UAG. Notice that it's not necessary that the client trust the CA that issued the certificate installed on the Client Access server, only the certificate installed on Forefront UAG. If the SSL tunnel ends on Forefront UAG (as it must for Web publishing), the client must trust the CA that issued the certificate installed in that Forefront UAG trunk. If the Forefront UAG server then re-encrypts that traffic to Client Access servers inside another SSL tunnel, the Forefront UAG server must then trust the CA that issued the certificate installed on the Client Access server. In each case, one computer is the client, the computer requesting access to resources, and the other is the server, the computer that has the resources. The client must always trust the CA that issued the certificate used by the server in an SSL conversation.

If you are using an internal CA to generate certificates then you might have to install that root certificate onto your client computer or mobile device in order to allow it to connect to Forefront UAG. If the computer is a member of the domain where the Active Directory–integrated CA was installed, this is usually automatic. If not, the client computer may have to browse to the Certificate Services Web site if there is one, or copy it from a computer that has the root certificate so that it can be trusted.

It's easy to check whether a computer or device trusts the certificate installed on the server. Just use a browser to connect to a published service on that server. If a certificate warning appears with just the first of the three checks performed shown as failing, the certificate is untrusted.

If you are working in Outlook Web App, you can just click Yes as shown in the screenshot to continue. Outlook Anywhere and Exchange ActiveSync clients do not usually provide this option and so will not connect. If you see this warning, you should resolve it before you try to continue.

Configuration Steps

There are multiple steps required to configure Forefront UAG to publish Exchange 2010. The following steps are included in this walkthrough document:

• Creating and installing the SSL certificate onto the Forefront UAG server
• Deciding to use a portal to access Outlook Web App
• Creating a portal trunk and publishing the first application
• Publishing additional applications
• Testing the configuration

Creating and Installing the SSL Certificate on the Forefront UAG Server

Forefront UAG requires that a certificate be used to secure communications with clients. The client configuration requires that the certificate be created with the names mail.fabrikam.com and autodiscover.fabrikam.com. The certificate request can be generated anywhere and then imported to Forefront UAG; in this walkthrough we use the certificate wizard in Exchange to generate the certificate on a Client Access server inside the network, then export it to a file, copy it to Forefront UAG, and then install it to the local computer certificate store on Forefront UAG. The Exchange certificate wizard makes it very easy to put the names on the certificate correctly. The wizard can be used to generate certificate requests for either internal or third-party CAs.

Creating the Certificate Request

1. By using either the Exchange Management Shell or the Exchange Management Console, create a certificate request for a certificate with the names mail.fabrikam.com and autodiscover.fabrikam.com.

Using the Exchange Management Shell:

    Set-Content -Path "C:\mail_fabrikam_com" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=Washington, l=Redmond, o=Fabrikam, ou=IT, cn=mail.fabrikam.com" -DomainName mail.fabrikam.com, autodiscover.fabrikam.com -PrivateKeyExportable $True)

2. Use the resulting request file to request a Web Server certificate at the CA you have chosen to use.
3. When you receive the resulting file from the CA, right-click the pending certificate request in the EMC, and then select 'Complete Pending Request', specifying the file that the CA provided to complete the request. Or, you can use the Import-ExchangeCertificate cmdlet.
4. As soon as the certificate is imported, double-click the certificate to ensure that it opens, is trusted to the root, and shows that you have the private key for the certificate. NOTE: At this point, it's important not to assign this certificate to any Exchange services because this certificate will be used on Forefront UAG, not on the Client Access server.
5. Right-click the certificate in the EMC or use the Export-ExchangeCertificate cmdlet to export the certificate to a .pfx file, specifying a password as required. NOTE: The use of 'PrivateKeyExportable' is essential to allow the certificate to be exported from the Client Access server and imported to another computer. Safe handling of certificates that contain private key material, such as those generated by using this process, is important to ensure they are not misused.
6. Transfer the resulting .pfx file to the Forefront UAG server.
7. On the Forefront UAG server, open a blank MMC by clicking Start and then Run. In the Open box, type mmc, and then click OK.
8. Click File, Add/Remove Snap-in and add the Certificates Snap-in. When you are prompted for the choice of management location, select Computer account, click Finish and then OK.
9. Expand the Certificates (Local Computer) node, and then click Personal.
10. Right-click the Personal container, and then select All tasks > Import.
11. Use the Wizard to locate and import the file that you transferred from the Client Access server. You may have to change the file type the Wizard searches for from *.cer to *.pfx.
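The following PowerShell is an added example, not part of the original white paper, that performs the request, completion, export and import steps above without the EMC and MMC dialogs. Part 1 runs in the Exchange Management Shell on a Client Access server; Part 2 runs in plain PowerShell on the Forefront UAG server. The file paths, the password prompts and the site details in the subject name are assumptions for illustration; submitting the request to the CA (step 2) stays a manual step.

```powershell
# Added example (not from the white paper): certificate steps 1-11 as two scripts.
# Part 1 runs in the Exchange Management Shell on a Client Access server; Part 2 runs
# in PowerShell on the Forefront UAG server. File paths and the PFX password prompts
# are assumptions for illustration; submitting the request to the CA stays manual.

# ---------- Part 1: Client Access server (Exchange Management Shell) ----------
$names   = 'mail.fabrikam.com', 'autodiscover.fabrikam.com'
$reqFile = 'C:\mail_fabrikam_com.req'
$cerFile = 'C:\mail_fabrikam_com.cer'   # assumed name of the file the CA returns
$pfxFile = 'C:\mail_fabrikam_com.pfx'

# Step 1: the request. mail.fabrikam.com is the Common Name and first name, as Outlook
# Anywhere requires; PrivateKeyExportable is what lets the key leave this server later.
$request = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "c=US, s=Washington, l=Redmond, o=Fabrikam, ou=IT, cn=$($names[0])" `
    -DomainName $names -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $request

# Steps 3-4: complete the pending request with the CA's file and inspect the result.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0))
$cert | Format-List Subject, CertificateDomains, HasPrivateKey, Services, NotAfter
if (-not $cert.HasPrivateKey) { throw 'No private key: the request was not generated on this server.' }
# Deliberately no Enable-ExchangeCertificate: this certificate is for UAG, not for
# Exchange services, so Services must remain 'None'.

# Step 5: export with the private key, protected by a password.
$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxFile -Value $pfx.FileData -Encoding Byte
# Step 6 (copy the PFX to UAG) and the optional step 12 are left to the operator:
# Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint

# ---------- Part 2: Forefront UAG server (steps 7-11, the MMC import done in code) ----------
function Import-PfxToLocalMachine {
    param([string]$Path, [System.Security.SecureString]$Password)
    # MachineKeySet + PersistKeySet: the key lands in the machine store and survives the session.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

$pfxOnUag = 'C:\mail_fabrikam_com.pfx'   # assumed location after the copy in step 6
$imported = Import-PfxToLocalMachine -Path $pfxOnUag -Password (Read-Host -AsSecureString 'PFX password')

# The same checks the text asks for in the MMC: private key present, chain trusted to a root.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($imported)
'{0}  HasPrivateKey={1}  ChainTrusted={2}  NotAfter={3}' -f $imported.Subject, $imported.HasPrivateKey, $chainOk, $imported.NotAfter
if (-not $chainOk) { $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() } }

# The PFX carries the private key: remove the on-disk copy once the import has succeeded.
if ($imported.HasPrivateKey -and $chainOk) { Remove-Item -Path $pfxOnUag }
```

Run Part 1 and Part 2 as separate sessions on the two servers. If ChainTrusted is false on the UAG server, the issuing CA's chain is not yet in the local computer trusted root store, which is the first of the certificate prerequisites discussed above.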

12. Now you can choose to remove the certificate from the Client Access server if you no longer need it. Leaving a certificate there, with its private key, when it isn't used by Exchange, won't do any harm. But, if that certificate is accidentally assigned to services or taken and used elsewhere, it could cause problems.

Deciding to Use a Portal

Forefront UAG offers two ways to publish a Web-based application such as Outlook Web App to the Internet: either directly, where the user experience resembles that in Forefront TMG or when the user connects directly to the Client Access server, or by using the Forefront UAG portal application, where the user logs on to the Forefront UAG portal, and then clicks an additional button to open Outlook Web App. The decision whether to use a portal or not depends on your plans for Forefront UAG and whether you plan to publish additional applications using Forefront UAG. If you only intend to publish Outlook Web App you may choose not to use a portal, and just present users with forms-based authentication at Forefront UAG and their mailbox once they authenticate. If you decide that you may publish additional applications through Forefront UAG, such as SharePoint, creating a portal will enable the user to log on once to the portal and then open other applications within that portal, therefore taking advantage of the SSO capabilities built into Forefront UAG.

This walkthrough will detail the direct publishing option, where no portal is first accessed. Only Outlook Web App is visibly affected when a portal is used; both Outlook Anywhere and Exchange ActiveSync always use Basic or NTLM (Outlook Anywhere only) authentication to Forefront UAG and bypass the portal.

Configuring Authentication and Authorization Servers

The first step is telling Forefront UAG which servers to use for authentication and authorization.

1. Open the Forefront UAG management console, click the Admin menu, and then select Authentication and Authorization Servers.
2. In the resulting dialog box, click Add.

3. Leave the default choice of Active Directory selected, enter a value for the Server name field that represents the authentication source, click Use local Active Directory forest authentication, and enter the base DN in Active Directory where Forefront UAG will look for user objects. To include an entire domain, use something similar to DC=FABRIKAM,DC=COM, and then select the Include subfolders check box. Finally enter the details of a user account that has access to Active Directory. It's recommended that this user's password be set to not expire and that this account be treated as a special security case, not subject to the usual password expiration policies. Because this account is used only to look up users and group memberships, a dedicated low-privileged account that can read user and group objects is sufficient; do not use an administrative account for it.

4. Click OK and, assuming you received no errors, close the Authentication and Authorization Servers dialog box.

Creating a Trunk and Publishing Your First Application

The next task in Forefront UAG to complete is creating a trunk and publishing an application. We will publish Outlook Web App only during this walkthrough.

1. In the Forefront UAG management console, right-click HTTPS connections and select New Trunk.
2. Click Next at the first page of the Create Trunk Wizard.
3. Select Portal Trunk as the trunk type and check the box stating that you will be publishing Exchange applications via the portal. The wording for this check box suggests we will be using a portal to access Exchange. However, once the wizard is complete, configuring Forefront UAG using this wizard will result in an Outlook Web App user directly accessing Outlook Web App without first logging in to a portal.

4. Enter a name for your trunk. You cannot use spaces or any non-alphanumeric characters. Enter the public host name of the portal, mail.fabrikam.com in our example, and make sure that the IP address the trunk will listen to requests on is correct, that is, the external network interface of Forefront UAG.
5. Click Next, and on Step 3 – Authentication, click Add and select the entry that you created earlier.

6. On Step 4 – Certificate, make sure the certificate that you installed earlier is selected, and then click Next.
7. On Step 5 – Endpoint Security, if you have already deployed Network Access Protection (NAP) policies on your network, you may select them here or else leave the default of Use Forefront UAG access policies. Be aware that Endpoint Security policies only apply to Web browser clients and not to clients like Outlook Anywhere or Exchange ActiveSync.
8. On Step 6 – Endpoint Policies, leave the defaults for now and then click Next.
9. On Step 7 – Select Exchange Services, select Exchange Server 2010, and check the box next to Outlook Web Access only. It's recommended that you do not select all the check boxes to select all the Exchange services. The load-balancing method configured when publishing a farm in this manner is not optimal for Exchange. Therefore, it's recommended that you publish Outlook Web App first and return to the wizard for Outlook Anywhere and Exchange ActiveSync following that.

10. On Step 8 – Configure Application, enter an Application name, Exchange 2010 OWA in our example, and then click Next.
11. On Step 9 – Select Endpoint Policies, leave the default options, and then click Next.
12. On Step 10 – Deploying an Application, click Configure a Farm of application servers.

13. On Step 11 – Load-Balanced Web Servers, enter the FQDNs of the Client Access servers you will be publishing, and then change the Balance request by setting by clicking Cookie-based affinity. (When you run the wizard for Outlook Anywhere and Exchange ActiveSync, click IP-based affinity.) In the Paths field, you should review and remove paths you do not require.
14. On Step 12 – Configure Connectivity Verifiers, choose the type of verifier you wish to use. For the purposes of this walkthrough, and for simplicity, we have chosen to use Establish a TCP session, which simply tests to see if the server responds to requests on TCP 443, and marks the server as active if it does. Note that this verifier only proves that the port is open; it will not take a Client Access server out of rotation if IIS is still listening but Outlook Web App itself is failing. Forefront UAG uses the underlying Forefront TMG health monitoring features, so all configuration choices you make here are visible in the Forefront TMG management console, in the Monitoring, Connectivity Verifiers section of the console. As Forefront TMG is used for connectivity verification, much of the detail provided earlier in this document in the Forefront TMG web farm section applies, with the notable difference that Forefront UAG does not create Web Farm objects in TMG. Refer to the earlier section for additional information and information about configuration choices.
15. Click Next, and on Step 13 – Authentication, click Add to add the authorization servers that you previously configured to the list. The lower option buttons determine how Forefront UAG will authenticate to the Client Access server. The default 401 request means Forefront UAG will use Basic authentication to the Client Access server. Therefore the Client Access server must have Basic enabled on the /owa virtual directory.

16. On Step 14 – Portal Link, if a portal is used, the default settings will create icons in the portal for Outlook Web App access. If the lower check box is selected, the portal will open Outlook Web App in a new window when it is accessed. Click Next.
17. On Step 15 – Exchange Application Authorization, you can leave the default, which enables all authenticated users to access Exchange. This only means that they can try to access Outlook Web App. Any Outlook Web App policies you created in Exchange still apply, including OWAEnabled set to false. Or, you can restrict who can access Outlook Web App at Forefront UAG by selecting from a list of groups or even restrict access down to the user level by adding individual users to this list.
18. Click Finish on the final page of the wizard to return to the management console.
19. Click the Save icon to save the configuration. Click the Activate icon to back-up the existing configuration and activate this new configuration.

20. If you chose 401 request on Step 13, use the EMC to open the properties of the owa and ECP virtual directories for each Client Access server being published, set the authentication to Basic, and then run iisreset on each Client Access server you have changed.

Now you can test that client access to Outlook Web App works from a client connected to the same network as the external interface of Forefront UAG. When a client first browses to the URL you are publishing, https://mail.fabrikam.com/owa in our example, the first action is for Forefront UAG to download to the client the Endpoint Component Manager. This allows Forefront UAG to perform inspection of the client computer to make sure it meets the policies specified for the portal. The user should accept the default options the different dialog boxes present and, when complete, they will see the Outlook Web App sign-in page.

If you cannot open Outlook Web App now, review the troubleshooting steps later in this document, then return to complete the Outlook Anywhere and Exchange ActiveSync configuration.

After Outlook Web App is working, we can add Outlook Anywhere and Exchange ActiveSync to the configuration.

1. Open the Forefront UAG management console, and navigate to the properties of the trunk you previously created. In the Application section of the page, click Add to open the Welcome to the Add Application Wizard dialog box.
2. In the Web list, click Microsoft Exchange Server (all versions), and then click Next.

3. On Step 2 – Select Exchange Services, in the Exchange versions list, click Microsoft Exchange Server 2010, and then select the Outlook Anywhere (RPC over HTTP) and Exchange ActiveSync check boxes. We keep them together in this walkthrough because, most of the time, when Outlook Anywhere and Exchange ActiveSync use the same authentication scheme, the settings for both are compatible. If you view the configuration later and decide you want more control over individual settings for Outlook Anywhere and Exchange ActiveSync, you can run this wizard once for each protocol.
4. On Step 3 – Configure Application, select a descriptive name for the application, and then click Next.
5. On Step 4 – Select Endpoint Policies, leave the defaults for now.
6. On Step 5 – Deploying an Application, select Configure a farm of application servers.

7. On Step 6 – Load-Balanced Web Servers, enter the FQDNs of the servers in the Client Access server array you are publishing.
8. On Step 7 – Configure Connectivity Verifiers, click Establish a TCP connection for the reasons described earlier.

9. On Step 8 – Authentication, select the Authorization source you have previously configured.
10. Accept the warning message, which effectively states that Outlook Anywhere and Exchange ActiveSync clients cannot use forms-based authentication or the portal and so will use Basic or NTLM authentication.

11. On Step 9 – Outlook Anywhere, notice that the default Public Host Name values have been completed. Click Use Basic authentication to change the default Outlook Anywhere Authentication option for both services so that Forefront UAG can delegate credentials to the Client Access server correctly.
12. On the Authorization page of the wizard, either leave the default of allowing all users to connect or click to restrict the service to specific groups or users. Again, as with Outlook Web App, any options set within Exchange by using the Set-CASMailbox cmdlet will still apply.
13. Click Finish on the wizard completion page.
14. Viewing the management console, you will now see the additional application entries the wizard has created. Autodiscover and EWS have been put into rules separate from Outlook Anywhere and EAS.

When you have activated the configuration, the next step is to configure Exchange to correctly allow Basic authentication to be used against the different virtual directories required for Outlook Anywhere and Exchange ActiveSync.

15. Enable Outlook Anywhere on each published Client Access server, clicking Basic authentication as the Client authentication method. If this is the first time Outlook Anywhere has been enabled, the server is not ready until iisreset has been run and event ID 3006 is logged showing that the appropriate registry keys have been set. Several more steps are then required to ensure users outside Forefront UAG can fully use Outlook. Also, one more step is required so that Exchange ActiveSync can use the Autodiscover service.
16. Run the following on each server in the Active Directory site you are publishing, replacing the server host name as appropriate.
    a) Set the external URL for the offline address book (OAB) virtual directory. It is assumed that the OAB is already enabled for Web-publishing. If it's not, see Configure Offline Address Book Distribution Properties.

        Set-OABVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/OAB

    b) Set the external URL for the Exchange Web Services (EWS) virtual directory to https://mail.fabrikam.com/EWS/Exchange.asmx.

        Set-WebServicesVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/EWS/Exchange.asmx

    c) Set the external URL for the Exchange ActiveSync virtual directory to allow the Autodiscover service to provide devices with the correct value.

        Set-ActivesyncVirtualDirectory red-cas-1\* -ExternalURL https://mail.fabrikam.com/Microsoft-Server-Activesync

    d) Set the authentication property for the OAB and EWS virtual directories to include Basic as an option if you are using Basic authentication.

        Set-OabVirtualDirectory red-cas-1\* -BasicAuthentication:$true
        Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true

17. After all changes are made, you should test this configuration to make sure it works as expected. From an Outlook 2007 or Outlook 2010 client on the external network, try to create a new Outlook profile, either with the Autodiscover service configuring the profile or manually, by entering the server name (mail.fabrikam.com in this example). It's very important to ensure that the Autodiscover service works correctly for an Outlook client because the Autodiscover service provides Outlook with the location of the different Web services it requires for usual operation, such as Out of Office settings and offline address book downloads. If Outlook Anywhere works, try to connect by using a mobile device. If it does not, first make sure that an A record for autodiscover.fabrikam.com exists in DNS, then make sure that Outlook Anywhere is enabled on the Client Access server in the site you are publishing and that all relevant URLs are correct.
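The following PowerShell is an added example, not part of the original white paper. It applies the Client Access server changes that the walkthrough makes by hand, that is, step 20 of the Outlook Web App section (Basic on /owa and /ecp when the 401 delegation option is used) and steps 15 and 16 above, to every Exchange 2010 Client Access server in one Active Directory site, then reads the settings back and reports any server that still differs from the intended state. It assumes an Exchange Management Shell on Exchange 2010 and the walkthrough's mail.fabrikam.com host name; the site name Redmond and the $DelegateBasicToOwa switch are illustrative.

```powershell
# Added example (not from the white paper). Run in the Exchange Management Shell.
# Assumptions: Exchange 2010, every Client Access server to publish is in the AD site
# named below, and mail.fabrikam.com is the published host name from the walkthrough.
$ExternalHost       = 'mail.fabrikam.com'
$SiteName           = 'Redmond'   # assumed site name
$DelegateBasicToOwa = $true       # $false if UAG delegates forms-based auth instead of 401/Basic

# Every Exchange 2010 (major version 14) Client Access server in the site.
$casServers = Get-ExchangeServer | Where-Object {
    $_.IsClientAccessServer -and $_.AdminDisplayVersion.Major -eq 14 -and $_.Site.Name -eq $SiteName
}

foreach ($server in $casServers) {
    $name = $server.Name

    # Step 15: Outlook Anywhere with Basic, so UAG can delegate the Basic credentials it collected.
    if (Get-OutlookAnywhere -Server $name -ErrorAction SilentlyContinue) {
        Get-OutlookAnywhere -Server $name |
            Set-OutlookAnywhere -ExternalHostname $ExternalHost -ClientAuthenticationMethod Basic
    } else {
        Enable-OutlookAnywhere -Server $name -ExternalHostname $ExternalHost `
            -ClientAuthenticationMethod Basic -SSLOffloading $false
    }

    # Step 16 a-c: the external URLs that Autodiscover hands to Outlook and ActiveSync clients.
    # Step 16 d: Basic on OAB and EWS, because Outlook presents Basic through UAG.
    Set-OabVirtualDirectory         "$name\*" -ExternalUrl "https://$ExternalHost/OAB" -BasicAuthentication $true
    Set-WebServicesVirtualDirectory "$name\*" -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx" -BasicAuthentication $true
    Set-ActiveSyncVirtualDirectory  "$name\*" -ExternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync" -BasicAuthEnabled $true

    # Step 20 of the Outlook Web App section: with the 401 option, /owa and /ecp must accept
    # Basic from UAG; the forms-based logon page is presented by UAG, not by this server.
    if ($DelegateBasicToOwa) {
        Set-OwaVirtualDirectory "$name\*" -BasicAuthentication $true -FormsAuthentication $false
        Set-EcpVirtualDirectory "$name\*" -BasicAuthentication $true -FormsAuthentication $false
    }
}

# Read everything back and report what still differs from the intended state.
$expectedUrls = @{
    OAB = "https://$ExternalHost/OAB"
    EWS = "https://$ExternalHost/EWS/Exchange.asmx"
    EAS = "https://$ExternalHost/Microsoft-Server-ActiveSync"
}
foreach ($server in $casServers) {
    $name     = $server.Name
    $problems = @()

    $oa = Get-OutlookAnywhere -Server $name -ErrorAction SilentlyContinue
    if (-not $oa) { $problems += 'Outlook Anywhere not enabled' }
    else {
        if ("$($oa.ExternalHostname)" -ne $ExternalHost)          { $problems += "OA external host is $($oa.ExternalHostname)" }
        if ("$($oa.ClientAuthenticationMethod)" -ne 'Basic')      { $problems += "OA client auth is $($oa.ClientAuthenticationMethod)" }
    }
    foreach ($v in Get-OabVirtualDirectory -Server $name) {
        if ("$($v.ExternalUrl)" -ne $expectedUrls.OAB -or -not $v.BasicAuthentication) { $problems += "OAB url=$($v.ExternalUrl) basic=$($v.BasicAuthentication)" }
    }
    foreach ($v in Get-WebServicesVirtualDirectory -Server $name) {
        if ("$($v.ExternalUrl)" -ne $expectedUrls.EWS -or -not $v.BasicAuthentication) { $problems += "EWS url=$($v.ExternalUrl) basic=$($v.BasicAuthentication)" }
    }
    foreach ($v in Get-ActiveSyncVirtualDirectory -Server $name) {
        if ("$($v.ExternalUrl)" -ne $expectedUrls.EAS -or -not $v.BasicAuthEnabled) { $problems += "EAS url=$($v.ExternalUrl) basic=$($v.BasicAuthEnabled)" }
    }
    if ($DelegateBasicToOwa) {
        foreach ($v in Get-OwaVirtualDirectory -Server $name) {
            if (-not $v.BasicAuthentication -or $v.FormsAuthentication) { $problems += "OWA basic=$($v.BasicAuthentication) fba=$($v.FormsAuthentication)" }
        }
    }

    if ($problems.Count -eq 0) { "$name : OK" } else { "$name : " + ($problems -join '; ') }
}
# After the changes, run iisreset on each changed server and, where Outlook Anywhere was
# newly enabled, wait for event ID 3006 before testing from an external Outlook client.
```

The verification pass is the part worth keeping: run it again after any later change to the farm, since a single Client Access server with a stale ExternalUrl will be handed to Outlook by Autodiscover and will break Out of Office or OAB downloads for whichever users land on it.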
Additional Configuration Steps for Exchange 2010 and/or Outlook 2010 Users

If you are not publishing Outlook Web App in your environment but do allow the publishing of Outlook Anywhere (and possibly Exchange ActiveSync) and are using Outlook 2010, you will have to make some adjustments to the configuration to allow an Outlook 2010 user to be able to access the Exchange Control Panel (ECP). Exchange 2010 users require access to the ECP for certain configuration settings, such as voice mail and message tracking information. The ECP is accessed by using a Web browser and is invoked by a link in the Microsoft Office Backstage area of Outlook 2010 or within the properties of a message.

In Forefront UAG, the recommendation is to publish a new application to the portal in the trunk by using Outlook Web App as the application, and then to modify that configuration to allow the ECP to be accessed. This approach is used to ensure that the URL-analysis logic built in to Forefront UAG is correctly configured. You should also consider the following factors:

• If you want to use Basic, NTLM or KCD to authenticate to the Client Access server, this requires you to disable forms-based authentication on the /ECP virtual directory on the Client Access server. If you want to offer FBA for internal users at the same time, you can either make sure their DNS requests for the ECP service resolve to Forefront UAG or add a secondary Web site. This allows you to use different authentication methods on each and requires an additional IP address. For more information, see New-EcpVirtualDirectory.
• If you do not want to allow any user to access Outlook Web App, but do want to allow all users to access the ECP, you can disable Outlook Web App access per user by using the Set-CasMailbox cmdlet.
• If you want to allow Outlook Web App access for internal users, but not allow Outlook Web App access from outside the corporate network, you must restrict the resources that you publish to allow access to only those resources that are required by the ECP. This is because the ECP uses the Outlook Web App authentication model and uses some Outlook Web App resources to function.

To ensure that only the ECP can be accessed via a Forefront UAG application rule, but not Outlook Web App, run the Add Application wizard, selecting Exchange Server 2010 as the generic application and Outlook Web App as the specific application to publish. On Step 6 – Load-Balanced Web Servers, edit the Paths list to ensure that only the following paths are allowed by Forefront UAG, to allow access to the ECP but not Outlook Web App:

• /ecp/
• /owa/auth/logon.aspx
• /owa/auth/logoff.aspx
• /owa/logoff.owa
• /owa/auth.owa
• /owa/languageselection.aspx
• /owa/lang.owa*
• /owa/14*

Remove any other paths added by the wizard, such as /owa and /exchange.

One additional step may be required if the trunk is only used for Outlook Anywhere publishing. Changing the setting for the initial internal application that is used by the trunk will make sure that the ECP is opened when the user logs on, not a portal containing one application, the ECP. To do this, in the Initial Internal Application list, click the Application Name you previously created, ECP 2010 in the example shown.


When the user takes the link to the ECP, the usual endpoint detection checks run. Then, they will be presented with the Outlook Web App–style sign-in form. When they log in, the ECP should be displayed.

Troubleshooting Forefront UAG

There are many common configuration errors made when publishing Exchange. Use this list to validate and confirm your settings.

• Certificates. The most common reason one or more of these clients is unable to log on, or Forefront UAG is unable to publish, is a certificate error. Check the following:
  Trust. Does the client trust the issuer of the certificate on Forefront UAG? And does Forefront UAG trust the issuer of the certificate on the Client Access server? If you receive a certificate warning message because the certificate is not trusted, resolve the problem by making sure the client possesses the relevant root certificate and test again.
  Name Mismatch. If you receive a warning message because the name on the certificate does not match the name the client was expecting to see, resolve the problem by reissuing the certificate with the correct names and test again.
  Expiration Dates. If the certificates have expired, the client will not accept their use. Check the expiration dates and reissue the certificates if necessary.
• Matching Authentication Schemes. If Forefront UAG is configured for Basic (or 401 in Forefront UAG terminology), the appropriate virtual directories on the Client Access server should be configured to support Basic authentication.
• DNS. Are the A records for mail and autodiscover in the correct zone? And do they have the correct IP address? The IP should resolve to the external network adapter of Forefront UAG and, more specifically, to the IP address the trunk publishing Exchange listens on.
• Eliminate single server issues. If you are publishing a farm of Client Access servers, reduce the farm size to just one Client Access server and test again. This makes troubleshooting much easier because it's easy to determine which servers are involved in the connection attempt.
• Use the Exchange Remote Connectivity Analyzer tool. If the environment is Internet facing, see Microsoft Exchange Remote Connectivity Analyzer to test the configuration from the Internet.
• The Test Email AutoConfiguration tool. Use this Outlook tool to confirm that the Autodiscover service can be contacted and that the URLs it returns are correct. To use the tool, hold down the CTRL key, and then right-click the Outlook icon on the taskbar.
• Use the Forefront UAG Web Monitor tool. You can use this tool to view the state of each member of the farm and look for error messages in the event log.
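The following PowerShell is an added example, not part of the original white paper, that performs from a client the checks described under Certificate Prerequisites and in the Certificates and DNS items of the list above: it resolves each published name, retrieves the certificate the trunk presents, and reports separately whether the chain is trusted, whether the name matches the Common Name or a SAN entry, and whether the certificate is within its validity period. It assumes the walkthrough's mail.fabrikam.com and autodiscover.fabrikam.com names, a placeholder external address of 203.0.113.10 for the trunk, and an English Windows system for parsing the SAN extension text.

```powershell
# Added example (not from the white paper): client-side check of the trust, name and
# expiry tests a browser performs against the published names, plus the DNS check from
# the troubleshooting list. Run from a client on the external network.
# Assumptions: the walkthrough's host names; 203.0.113.10 is a placeholder for the
# trunk's external listener address; X509Extension.Format() output is English.

function Get-PublishedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server sends here; every check is then done explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $ssl.Close(); $tcp.Close() }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Common Name first, then every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names | Where-Object { $_ } | Select-Object -Unique
}

function Test-NameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.fabrikam.com matches mail.fabrikam.com only.
        if ($n.StartsWith('*.') -and $HostName -match '^[^.]+\.(.+)$' -and $Matches[1] -eq $n.Substring(2)) { return $true }
    }
    return $false
}

function Test-PublishedName {
    param([string]$HostName, [string]$ExpectedIP, [int]$Port = 443)
    $r = New-Object PSObject -Property @{
        HostName = $HostName; DnsOk = $false; Trusted = $false; NameMatch = $false; NotExpired = $false; Detail = @()
    }
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
        $r.DnsOk = [bool]($resolved -contains $ExpectedIP)
        if (-not $r.DnsOk) { $r.Detail += "resolves to $($resolved -join ',') not $ExpectedIP" }
        $cert = Get-PublishedCertificate -HostName $HostName -Port $Port
    }
    catch { $r.Detail += $_.Exception.Message; return $r }

    # Trust: build the chain on this client, ignoring dates so expiry is reported separately.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $r.Trusted = $chain.Build($cert)
    if (-not $r.Trusted) { $r.Detail += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) }

    # Name: the host the client typed must be the CN or one of the SAN entries.
    $certNames   = @(Get-CertificateDnsNames -Cert $cert)
    $r.NameMatch = Test-NameMatch -HostName $HostName -CertNames $certNames
    if (-not $r.NameMatch) { $r.Detail += "certificate names: $($certNames -join ',')" }

    # Expiry: both ends of the validity period.
    $now = Get-Date
    $r.NotExpired = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    if (-not $r.NotExpired) { $r.Detail += "valid $($cert.NotBefore) to $($cert.NotAfter)" }
    return $r
}

'mail.fabrikam.com', 'autodiscover.fabrikam.com' |
    ForEach-Object { Test-PublishedName -HostName $_ -ExpectedIP '203.0.113.10' } |
    Format-Table HostName, DnsOk, Trusted, NameMatch, NotExpired, Detail -AutoSize
```

A row with Trusted false and the other columns true is the "first of the three checks failing" case described under Certificate Prerequisites: the client is missing the root of the CA that issued the trunk certificate, and Detail lists the chain status that explains it. Run the same script on the Forefront UAG server against an internal Client Access server name to check the second hop of the trust chain.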

• Check whether Forefront UAG is blocking URLs or content within URLs. If you see a message similar to "you have tried to access a restricted URL", try the following approaches to narrow the problem down:
  Use the Forefront UAG Web Monitor. Look for events that relate to the problem and that indicate the rule or filter that is blocking the content by using the Forefront UAG Web Monitor (http://localhost:50002 on the Forefront UAG server).
  Bypass URL set-checking for a particular application. This will narrow down the source of the issue. You can disable URL set-checking per application by clicking Evaluate with enforcement on the Web Settings tab of the application being published.

Migration Considerations

If you are migrating from an earlier version of Exchange and are following the standard Exchange migration guidance at Upgrade to Exchange 2010, and are using an additional legacy namespace, some changes are required in Forefront UAG to ensure a smooth migration. The exact configuration that is required will depend on the clients and protocols in use. It's important to understand that at a basic level, it's not possible to publish multiple versions of Exchange ActiveSync or Outlook Anywhere through one trunk. Therefore, the standard approach is to move the existing external namespace to point to Exchange 2010, and use the newly created 'legacy' namespace to access earlier versions of Outlook Web App. All access to Exchange ActiveSync and Outlook Anywhere will be through the existing namespace. Accessing a mailbox hosted on Exchange 2003 or Exchange 2007 using Exchange ActiveSync or Outlook Anywhere can be performed through an Exchange 2010 Client Access server. Therefore, it's recommended that you provide access to legacy clients using Outlook Anywhere or Exchange ActiveSync through Exchange 2010, although in some scenarios, you may choose to provide access through an Exchange 2007 Client Access server to users who have mailboxes on Exchange 2007.

Outlook Web App, for example, has a built-in Single Sign On (SSO) capability when you deploy Exchange 2007 and Exchange 2010 in the same Active Directory site, or when an Outlook Web App request for a 2003 mailbox is received. It's fairly simple in Forefront UAG to support the Exchange SSO functionality for Outlook Web App within the context of one trunk.

Using Native Exchange SSO Redirection

There are several steps required to configure this scenario:

1. Ensure that the certificates have the correct names.
2. Create a new application for publishing the legacy version of Exchange.
3. Configure Exchange to provide the redirection URLs.

It's important to understand that using the built-in Forefront UAG method of SSO requires both versions of Exchange be published on the same trunk. In this scenario, forms-based authentication is still being performed on Forefront UAG. Therefore, forms-based authentication on both Exchange 2003/Exchange 2007 and Exchange 2010 must be disabled, and either Basic or Windows Integrated must be enabled, depending on the delegation settings, or Forefront UAG must be configured to delegate forms-based authentication as discussed earlier in this document.

Ensure Certificates Have the Correct Names

The first step in enabling SSO when using Forefront UAG is to ensure that the certificate you are using on the Forefront UAG trunk has all the names you must have to support the scenario. In this example, we will add legacy.fabrikam.com to the certificate, and use that FQDN to redirect users who have mailboxes on Exchange 2003 or Exchange 2007 to access their mailbox.

Add a New Application to Publish the Legacy Version of Exchange

In order to enable the legacy version of Exchange to be accessed through Forefront UAG, it must be added to the portal with the new host name, and must be configured to publish the legacy Exchange Client Access server or front-end servers.

1. In the Applications section of the trunk you previously created, click Add to add the new application, and then click Next at the Welcome screen.
2. In the Web list, click Microsoft Exchange Server (all versions).
3. On Step 2 – Select Exchange Services, in the Exchange version list, click Microsoft Exchange Server 2007, whether you are publishing Exchange 2007 or Exchange 2003. If you select Exchange 2003, you will not be able to select a different host name (legacy) later in the wizard. Notice how the ability to select multiple Exchange services is unavailable when publishing legacy versions of Exchange.
4. On Step 3 – Configure Application, name the application, and then click Next.
5. On Step 4 – Select Endpoint Policies, click Next.
6. On Step 5 – Deploying an Application, click Configure a farm of application servers, and then click Next.
7. On Step 6 – Load-Balanced Web Servers, enter the FQDNs of the Exchange 2003 or Exchange 2007 servers that you are publishing. In the Public host name box, change the default value to ‘legacy’ (or the name you are using for the legacy version of Exchange when accessed from outside the network), and then click Next.
8. On Step 7 – Configure Connectivity Verifiers, select Establish a TCP connection, and then click Next.
9. On Step 8 – Authentication, select the authentication server source that you previously defined, and then click Next.
10. On Step 9 – Portal Link, leave the defaults, and then click Next.
11. On Step 10 – Authorization, again leave the defaults (or change them if you choose to do this), and then click Next.
12. Finish the wizard, and you will be returned to the Forefront UAG console.
13. Click the Activate Configuration button and, when prompted, back up the configuration.

Configure Exchange 2010 to Provide the Redirection URLs

Next, on all the Exchange 2010 Client Access servers being published, set the Exchange2003URL property on the owa virtual directory to match the value of the legacy URL you are using. In this case, if you are migrating from Exchange 2003 to Exchange 2010, that is https://legacy.fabrikam.com/exchange.

Set-OWAVirtualDirectory RED-CAS-1\* -Exchange2003URL https://legacy.fabrikam.com/exchange

If you are migrating from Exchange 2007 to Exchange 2010, make sure that the externalurl parameter on the Exchange 2007 Client Access server OWA virtual directory is set correctly.

Set-OWAVirtualDirectory RED-CAS-2007\* -ExternalURL https://legacy.fabrikam.com/owa

If you are migrating from a mixed Exchange 2003 and Exchange 2007 environment to Exchange 2010, you should first make sure that all Exchange 2003 access is through the Exchange 2007 Client Access servers. This is the norm when you migrate from Exchange 2003 to Exchange 2007. In this scenario, Exchange 2003 users will be redirected to the /exchange virtual directory on the Exchange 2007 Client Access server and Exchange 2007 users will be redirected to the /owa virtual directory on the Exchange 2007 Client Access server, and when both the previous commands are executed, this allows all three versions of Exchange to be accessed through a single URL, https://mail.fabrikam.com/owa.

Note: If a user tries to browse to https://mail.fabrikam.com/exchange, as would be the case for an Exchange 2003 user who had bookmarked the page they previously used, they will be automatically redirected to https://mail.fabrikam.com/owa and provided with a form they can use to log in.

Configure Authentication

On all the Exchange 2003 and Exchange 2007 front-end or Client Access servers being published by the new application, you should disable forms-based authentication and enable Basic authentication to enable Forefront UAG to delegate credentials correctly. On Exchange 2007 Client Access servers, you can disable forms-based authentication and enable Basic authentication by changing the properties of the four relevant virtual directories, either in the Exchange Management Console or the Exchange Management Shell. On Exchange 2003, you disable forms-based authentication by navigating to the Administrative Group, Servers, Servername, Protocols, HTTP, Exchange Virtual Server object, then selecting properties and clearing the check box. Basic authentication is enabled by default, so no changes other than running iisreset are necessary.
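The Exchange-side part of this procedure (the redirection URLs from the previous section and the authentication change from this one) can be applied and verified from the Exchange Management Shell in one pass. The script below is an added example and not the white paper's own commands; it assumes the paper's sample legacy name legacy.fabrikam.com, and it assumes that Part 1 is run from an Exchange 2010 shell and Part 2 from an Exchange 2007 shell, because each version's cmdlets manage only its own Outlook Web App virtual directories.

```powershell
# Added example (not from the white paper): apply and verify the Exchange-side settings
# for native Outlook Web App SSO redirection through Forefront UAG.
# Assumption: legacy.fabrikam.com is the paper's sample legacy host name.

$LegacyHost = 'legacy.fabrikam.com'

# ---- Part 1 (run in the Exchange 2010 shell) ----
# Exchange 2010 sends an Outlook Web App logon for an Exchange 2003 mailbox to the
# Exchange2003Url of its own owa vdir, so every published 2010 CAS (major version 14)
# must carry the legacy /exchange URL.
$cas2010 = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -eq 14 -and $_.ServerRole -match 'ClientAccess'
}
foreach ($srv in $cas2010) {
    Get-OwaVirtualDirectory -Server $srv.Name |
        Where-Object { $_.Name -like 'owa*' } |
        Set-OwaVirtualDirectory -Exchange2003Url "https://$LegacyHost/exchange"
}
# Verify: every 2010 owa vdir should now show the legacy URL.
$cas2010 | ForEach-Object { Get-OwaVirtualDirectory -Server $_.Name } |
    Select-Object Server, Name, Exchange2003Url | Format-Table -AutoSize

# ---- Part 2 (run in the Exchange 2007 shell) ----
# Exchange 2010 redirects 2007 mailboxes to the ExternalUrl of the 2007 owa vdir, so it
# must carry the legacy /owa URL. UAG then delegates Basic credentials, which only works
# once forms-based authentication is off on owa, Exchange, Exchweb and Public.
$legacyVdirs = '^(owa|Exchange|Exchweb|Public) \('
$cas2007 = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -eq 8 -and $_.ServerRole -match 'ClientAccess'
}
foreach ($srv in $cas2007) {
    $vdirs = Get-OwaVirtualDirectory -Server $srv.Name
    $vdirs | Where-Object { $_.Name -like 'owa*' } |
        Set-OwaVirtualDirectory -ExternalUrl "https://$LegacyHost/owa"
    $vdirs | Where-Object { $_.Name -match $legacyVdirs } |
        Set-OwaVirtualDirectory -FormsAuthentication $false -BasicAuthentication $true
    # The authentication change is only picked up after IIS restarts on that server.
    iisreset $srv.Name
}
# Verify what UAG will delegate to: FormsAuthentication False and BasicAuthentication
# True on all four vdirs, and ExternalUrl carrying the legacy name on owa.
$cas2007 | ForEach-Object { Get-OwaVirtualDirectory -Server $_.Name } |
    Select-Object Server, Name, FormsAuthentication, BasicAuthentication, ExternalUrl |
    Format-Table -AutoSize
```

The verification tables are the point of the script: a single 2007 virtual directory left with forms-based authentication enabled is enough for UAG's credential delegation to fail for that server, and it is easier to spot in a table than by clicking through four property sheets per server.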

The change from FBA to Basic authentication must be completed on the owa, Exchange, Exchweb, and Public virtual directories. After making these changes you must run iisreset.

Ensure DNS is Correct and Test the Configuration

Ensure that the A record for legacy.fabrikam.com in external DNS resolves to the same IP address as mail.fabrikam.com.

Test the Exchange 2003 configuration by navigating to https://mail.fabrikam.com/exchange or https://mail.fabrikam.com/owa, and then logging on to an Exchange 2003 mailbox. You should be silently redirected to https://legacy.fabrikam.com/Exchange and automatically logged in without prompts for credentials.

Test the 2007 configuration by navigating to https://mail.fabrikam.com/owa and logging on to an Exchange 2007 mailbox. You should be silently redirected to https://legacy.fabrikam.com/owa and automatically logged on without additional prompts for credentials, although you will likely be prompted to accept the new FQDN of the portal as trusted.
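Before testing with a real logon, the three external prerequisites above (the DNS question from the troubleshooting list, the certificate names from the first SSO step, and the pre-logon redirect from /exchange to /owa described in the note) can be checked from any Internet-side workstation with PowerShell. This is an added example rather than anything from the white paper; the host names are the paper's sample values, and the Get-CertDnsNames helper is this example's own.

```powershell
# Added example (not from the white paper): Internet-side pre-flight checks for the
# legacy namespace published through Forefront UAG. Host names are sample values.

$MailHost   = 'mail.fabrikam.com'
$LegacyHost = 'legacy.fabrikam.com'

function Get-CertDnsNames {
    # Returns every DNS name a certificate is valid for: the subject CN plus all
    # Subject Alternative Name entries (extension OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $names += $_.Groups[1].Value }
    }
    $names | Select-Object -Unique
}

# 1. DNS: both names must resolve to the same external address (the UAG trunk).
$mailIp   = [System.Net.Dns]::GetHostAddresses($MailHost)   | ForEach-Object { $_.IPAddressToString }
$legacyIp = [System.Net.Dns]::GetHostAddresses($LegacyHost) | ForEach-Object { $_.IPAddressToString }
Write-Host "$MailHost -> $($mailIp -join ', ')"
Write-Host "$LegacyHost -> $($legacyIp -join ', ')"
if (Compare-Object $mailIp $legacyIp) {
    Write-Warning "DNS mismatch: $LegacyHost must resolve to the same IP address as $MailHost"
}

# 2. Certificate: fetch whatever the trunk presents and confirm both names are on it.
$req = [System.Net.HttpWebRequest]::Create("https://$LegacyHost/")
$req.AllowAutoRedirect = $false
try { $req.GetResponse().Close() } catch [System.Net.WebException] { }   # status irrelevant here
if ($req.ServicePoint.Certificate) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
    $certNames = Get-CertDnsNames $cert
    Write-Host "Trunk certificate $($cert.Subject) covers: $($certNames -join ', ')"
    foreach ($h in @($MailHost, $LegacyHost)) {
        if ($certNames -notcontains $h) { Write-Warning "Trunk certificate does not include $h" }
    }
} else {
    Write-Warning "No TLS handshake completed with $LegacyHost; check DNS and the trunk listener"
}

# 3. Pre-logon redirect: a bookmarked /exchange URL should bounce to /owa and land on
# the logon form. Only the first hop is followed so the Location header stays visible.
$req2 = [System.Net.HttpWebRequest]::Create("https://$MailHost/exchange")
$req2.AllowAutoRedirect = $false
try { $resp = $req2.GetResponse() } catch [System.Net.WebException] { $resp = $_.Exception.Response }
if ($resp) {
    Write-Host "GET /exchange -> $([int]$resp.StatusCode) Location: $($resp.Headers['Location'])"
    $resp.Close()
}
```

A mismatch in step 1 or 2 is exactly what produces the "accept the new FQDN of the portal as trusted" prompt mentioned above, or a hard certificate error in clients that cannot prompt, so it is worth clearing both before the mailbox logon tests.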

If you access Exchange 2003 through an Exchange 2007 Client Access server and, when you log on to Exchange 2003, are redirected and logged on but see issues with the images within the session, you should take one additional step. In the Forefront UAG management console, open the OWA 2003/7 application and navigate to the Web Settings tab. Check the box for Evaluate without enforcement, under the Verify URLs check box, as shown, then click OK and apply the configuration to Forefront UAG. You should then be able to access Exchange 2003 mailboxes through Exchange 2007 without any issues.

This issue occurs because the built-in URL filtering mechanism Forefront UAG uses for OWA 2007 does not correctly apply when an Exchange 2003 mailbox is accessed through an Exchange 2007 Client Access server.

Exchange ActiveSync Migration

As previously discussed, when publishing Exchange using Forefront UAG and migrating from legacy versions of Exchange to Exchange 2010, it's generally recommended that you provide all access to Exchange ActiveSync clients through Exchange 2010. It's not possible to publish more than one application providing Exchange ActiveSync within the same trunk.

However, you may decide—perhaps for pilot and testing reasons—that you do have to publish multiple versions of Exchange ActiveSync through Forefront UAG at the same time. Of course, you can do this if you create a new trunk, with a new IP address, certificate, and so on, and configure the application appropriately. Just follow the steps described earlier in this walkthrough to create a new trunk and publish a new application.

Outlook Anywhere Migration

As previously discussed, when publishing Exchange by using Forefront UAG and migrating from legacy versions of Exchange to Exchange 2010, it's generally recommended that you provide all access to Outlook Anywhere clients through Exchange 2010. It's not possible to publish more than one application providing Outlook Anywhere within the same trunk. However, you may decide—perhaps for pilot and testing reasons—that you do have to publish multiple versions of Outlook Anywhere through Forefront UAG at the same time. Of course, you can do this if you create a new trunk, with a new IP address, certificate, and so on, and configure the application appropriately. Just follow the steps described earlier in this walkthrough to create a new trunk and publish a new application.

Remember that the recommended scenario for the migration itself is to just move the existing Outlook Anywhere endpoint that your clients use to Exchange 2010, and allow Exchange 2010 Client Access servers to proxy connections back to legacy versions of Exchange when needed. If you decide, for whatever reason, that you have to have separate namespaces for Outlook Anywhere, consider the following:
• Users who have mailboxes on Exchange Server 2010 cannot use Outlook Anywhere through an Exchange 2003 front-end server or an Exchange 2007 Client Access server, because neither of these versions of Exchange understand the RPC Client Access Service component in Exchange 2010, and they do not consider the endpoint the client is trying to reach as valid. So, Exchange 2003, Exchange 2007, and Exchange 2010 users can access their mailboxes by using Exchange 2010 Client Access servers. Therefore, the simplest approach is to publish just Exchange 2010 as the Outlook Anywhere endpoint because the configuration of the client does not have to change—either at the beginning of the deployment when the Exchange 2010 Client Access server is introduced or when their mailbox is moved to an Exchange 2010 mailbox server.
• Outlook 2003 does not use the Autodiscover service to update or change any configuration settings. Therefore, if a mailbox is moved between versions of Exchange and different Outlook Anywhere endpoints are used, the client profile will break and prevent access.

• Outlook 2007 clients sometimes cannot correctly update the Outlook Anywhere settings following a move between two Outlook Anywhere–enabled endpoints. For example, if you were publishing Exchange 2007 and Exchange 2010 by using different Outlook Anywhere host names, and a user’s mailbox were moved between Exchange 2007 and Exchange 2010, the client may not correctly update the host name used by Outlook Anywhere.

The standard recommendation of moving the existing namespace to Exchange 2010 and allowing Exchange 2010 Client Access servers to access all legacy versions of Exchange means very little user impact and minimal client configuration changes.

Appendix

Using Alternative Authorization and Access Providers

If you decide not to join Forefront TMG/Forefront UAG to your Active Directory but you still want to pre-authenticate users, you have to choose some other form of authorization source to enable Forefront TMG/Forefront UAG to determine whether the user should be able to access the resource. Forefront TMG and Forefront UAG offer multiple choices when you are choosing an authorization source. But from an Exchange perspective, because of the way Exchange is highly integrated into Active Directory, using Active Directory as the final authorization source is essential. Therefore, using Active Directory domain membership and authentication is recommended. It's recommended that you join Forefront UAG to the Active Directory and place it behind another firewall, or else use one of the other methods available in Forefront UAG.

There are different ways to enable Forefront TMG/Forefront UAG to access Active Directory: directly through Active Directory membership, through LDAP and through Radius. This guide covers using Forefront TMG and LDAP to access Active Directory. If you want to use Radius, RSA Secure ID, or Radius OTP on Forefront TMG, please refer to the appropriate online documentation. Using Radius as an authentication source does not allow group memberships to be used in publishing rule restrictions.

LDAP Authentication

If you decide not to join Forefront TMG or Forefront UAG to your Active Directory, using LDAP authentication is fairly easy to configure and enables Forefront TMG/Forefront UAG not only to allow or deny access based on username/passwords, but also to take advantage of Active Directory groups in publishing/access rules. But it should also be noted that when Forefront TMG and Forefront UAG are not domain joined, some scenarios, most notably certificate-based authentication and the use of KCD, are not possible.

Configuring Active Directory as an LDAP source in Forefront TMG

Configuring Forefront TMG to use LDAP authentication is performed on a per listener basis. Each listener you configure has settings for the Client Authentication Method (the settings a client uses to authenticate to Forefront TMG) and an Authentication Validation Method (how Forefront TMG will validate the credentials).

In the example shown, the client will authenticate to the listener using a form, or Basic authentication if the client does not support it, as with Exchange ActiveSync or Outlook Anywhere, and then LDAP will be used against Active Directory to validate the credentials.

Clicking the Configure Validation Servers lets you configure the LDAP and Radius Servers Forefront TMG will use. The LDAP Server Set dialog lets you specify a group of domain controllers to use for authentication. Solely for reasons of security, it's recommended that you use LDAPS, which requires the domain controller to have a certificate with its own FQDN specified on an installed certificate. The Forefront TMG wizards state this is a requirement for password changes. This was true for earlier versions of Exchange, but is no longer the case as the Client Access server itself handles the password changes from inside the Outlook Web App application.

The Login Expression settings refer to the way Forefront TMG will match log on attempts to LDAP Server Sets. For example, if you were publishing two Exchange organizations using Forefront TMG, which is possible when using LDAP authentication, you could send the authorization request a user makes to two different DCs, based on the domain they specified when they tried to log on: Contoso\alias requests going to one DC/GC and Fabrikam\Alias going to another. You can also do the same with UPN logins, using an expression such as *@fabrikam.com. If you have a single Active Directory and are using LDAP, we recommend that you set the Login Expression to *. This means that the logon will be sent in the format in which it's received by Forefront TMG, that is, UPN logins are sent as UPNs, and domain\alias logins are sent as domain\alias.
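Two things in the section above are worth confirming from a machine that, like a non-domain-joined Forefront TMG, has no Kerberos trust with the forest: that each domain controller in the LDAP Server Set answers LDAPS with a certificate whose DNS name is the FQDN you entered, and that a logon binds in both formats a Login Expression of * passes through unchanged (domain\alias and UPN). The function below is an added example, not part of the white paper or of Forefront TMG; the domain controller, NetBIOS name and UPN suffix are placeholders supplied as parameters, and it expects a low-privilege test account.

```powershell
# Added example (not from the white paper): exercise a domain controller the way a
# Forefront TMG LDAP Server Set would, from a non-domain-joined machine.
# Parameters are placeholders; no DC, domain or account name here comes from the paper.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsLogon {
    param(
        [Parameter(Mandatory=$true)][string]$DomainController,   # FQDN as entered in the LDAP Server Set
        [Parameter(Mandatory=$true)][string]$DomainNetbios,      # e.g. FABRIKAM, for the domain\alias form
        [Parameter(Mandatory=$true)][string]$UpnSuffix,          # e.g. fabrikam.com, for the UPN form
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential
    )
    # Shared state the certificate callback writes into (read by reference from its scope).
    $state = @{ CertName = $null; DomainAliasBind = $false; UpnBind = $false }
    $alias = $Credential.UserName -replace '^.*[\\@]', ''   # strip any domain the caller typed
    $plain = $Credential.GetNetworkCredential().Password

    foreach ($logon in @("$DomainNetbios\$alias", "$alias@$UpnSuffix")) {
        # Port 636 with SSL on, which is what an LDAPS server set entry produces.
        $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636, $true, $false)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion = 3
        # Record the DNS name on the DC's certificate and refuse the session unless it
        # matches the configured FQDN; a mismatch here is what breaks TMG's LDAPS too.
        $conn.SessionOptions.VerifyServerCertificate = {
            param($c, $cert)
            $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
            $state.CertName = $x.GetNameInfo('DnsName', $false)
            return ($state.CertName -ieq $DomainController)
        }
        # Simple bind over TLS: the credentials travel as received, exactly as with a
        # Login Expression of *, so both name formats must be accepted by the DC.
        $conn.AuthType = 'Basic'
        $conn.Credential = New-Object System.Net.NetworkCredential($logon, $plain)
        try {
            $conn.Bind()
            if ($logon -like '*@*') { $state.UpnBind = $true } else { $state.DomainAliasBind = $true }
        } catch {
            Write-Warning "$logon : $($_.Exception.Message)"
        } finally {
            $conn.Dispose()
        }
    }

    New-Object PSObject -Property @{
        Server          = $DomainController
        CertName        = $state.CertName
        CertNameOk      = ($state.CertName -ieq $DomainController)
        DomainAliasBind = $state.DomainAliasBind
        UpnBind         = $state.UpnBind
    }
}

# Usage (all values are placeholders):
# Test-LdapsLogon -DomainController dc1.fabrikam.com -DomainNetbios FABRIKAM `
#                 -UpnSuffix fabrikam.com -Credential (Get-Credential)
```

If CertNameOk comes back false, the server set entry and the certificate's DNS name disagree and TMG will not be able to validate credentials over LDAPS; if only one of the two bind results is true, users logging on in the other format will be rejected once the Login Expression is set to *.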

As soon as they are configured, authentication should work exactly as if Forefront TMG were using Active Directory directly as a domain member.

Using Groups in Publishing Rules

Using a group from Active Directory to restrict who can access a publishing rule is easy to do. From the Users tab of the publishing rule, click Add, New, and then give your group a meaningful name. Click Add, and then select LDAP.

Select the LDAP Server Set that you created when you set up the LDAP source, and then specify the name of the group, using the exact display name as shown in Active Directory. If you do not match the name exactly you will receive an error at the next step. Click OK and provide credentials to access Active Directory. The group will be validated and populate the dialog list.

Click Next and Finish, and the new group is complete. Then select the group, click Add, and changes to the rule are complete. Remove any unnecessary groups from the list and apply the changes to Forefront TMG.

Additional Information

For more information about Exchange Server, see the following resources:
• Microsoft Exchange Server 2010
• Exchange Server 2010: Exchange 2010 Help
• Unified Communications Certificate Partners for Exchange Server and for Communications Server

For more information about Forefront UAG, see the following resources:
• Forefront Unified Access Gateway 2010
• Forefront Unified Access Gateway (UAG)

For more information about Forefront TMG, see the following resources:
• Forefront Threat Management Gateway 2010
• Forefront Threat Management Gateway (TMG) 2010

Legal Notice

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveSync, Forefront, MS-DOS, Outlook, Windows, Windows Mobile, Windows Server, and SharePoint are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
