Microsoft TMG with Exchange 2010


Steps to publish OWA, ECP, EWS, ActiveSync, Outlook Anywhere (RPC over HTTP) and Remote PowerShell for Exchange 2010 through Microsoft TMG 2010

  1. Set up a Windows Server 2008 R2 host in a workgroup (not domain-joined) with
    • IP Address = 172.16.1.10/24
    • Secondary IP Address = 172.16.1.12/24 (used by the web listener)
    • Workgroup = Workgroup
    • TMG version = 7.0.7734.100
  2. Import the public SSL certificate (PFX, including the private key) into the TMG 2010 server
  3. Overview of the firewall policy configured on the TMG 2010 server
  • URL Redirect – redirects requests for https://mail.aventislab.info to https://mail.aventislab.info/owa
  • EWS – publishes /EWS/* and /PowerShell/* (the latter only if you want to use Remote PowerShell to manage the Exchange 2010 server from outside)
  • RPC – publishes /rpc/* for Outlook Anywhere (RPC over HTTP)
  • ActiveSync – publishes /Microsoft-Server-ActiveSync/* for mobile device access
  • OWA – publishes /public/*, /OWA/*, /Exchange/*, /ecp/* and /autodiscover/*

Configure the firewall policy using the Publish Exchange Web Client Access wizard

Please refer to the sections below for the detailed configuration of each individual firewall policy rule.

Configuration of Web Listener

  1. Create a new web listener called WebListener and bind it to the secondary IP address 172.16.1.12/24
  2. Configuration of Connections
  3. Under Certificate, select the imported public SSL certificate
  4. Disable SSO (single sign-on)
  5. Configuration of Forms
  6. Configuration of Authentication: select LDAP (Active Directory), because TMG is installed in a workgroup and cannot validate credentials against the domain directly. TMG sends the user's password to the domain controllers itself, so define the LDAP server set with the secure (LDAPS) connection option rather than plain LDAP, and use a dedicated low-privilege account for the LDAP bind.

Publishing Outlook Web Access (OWA)

  1. Configuration of Action: Allow
  2. Configuration of From: allow traffic from Anywhere
  3. Configuration of To: specify the public URL used for OWA access and the IP address of the Exchange 2010 Client Access server
  4. Select the WebListener created previously
  5. Configuration of Public Name
  6. Configuration of Paths
  7. Authentication Delegation: select Basic authentication. TMG authenticates the user on its logon form and forwards the credentials to the Client Access server with HTTP Basic, which is why Basic must be enabled on the Exchange virtual directories (checked in the next section).
  8. Change the Application Settings: Published Server Logoff URL
  9. Users: select All Authenticated Users

Basic Authentication for OWA, ECP, EWS, ActiveSync and Outlook Anywhere on the Exchange 2010 Server

  1. Ensure that Basic authentication is enabled for OWA, ECP, EWS, ActiveSync and Outlook Anywhere on the Client Access server, otherwise the credentials delegated by TMG are rejected. Run the following from the Exchange Management Shell:

# Basic Authentication for OWA
Get-OwaVirtualDirectory | Select Name, BasicAuthentication

Name                     BasicAuthentication
----                     -------------------
owa (Default Web Site)

# Basic Authentication for ECP
Get-EcpVirtualDirectory | Select Name, BasicAuthentication

Name                     BasicAuthentication
----                     -------------------
ecp (Default Web Site)   True

# Basic Authentication for ActiveSync
Get-ActiveSyncVirtualDirectory | Select Name, BasicAuthEnabled

Name                                             BasicAuthEnabled
----                                             ----------------
Microsoft-Server-ActiveSync (Default Web Site)   True

# Basic Authentication for Outlook Anywhere
Get-OutlookAnywhere | Select ServerName, ClientAuthenticationMethod

ServerName   ClientAuthenticationMethod
----------   --------------------------
TNG-EXCAS    Basic

# Basic Authentication for EWS
Get-WebServicesVirtualDirectory | Select Name, BasicAuthentication

Name                     BasicAuthentication
----                     -------------------
EWS (Default Web Site)   True
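The checks above are run one cmdlet at a time. The script below, an added example that is not part of the original post, audits the same settings in one pass for every endpoint the TMG rules publish (including the PowerShell virtual directory from the EWS rule) and, with a -Fix switch of its own, enables Basic where it is missing. It runs in the Exchange Management Shell; the server name TNG-EXCAS is taken from the output above, and the Endpoint labels and -Fix switch are this example's own.

```powershell
# Added example, not part of the original post. Audits the Basic authentication
# setting on every Client Access endpoint that the TMG rules delegate to, and
# with -Fix enables it. Run from the Exchange Management Shell.
# Assumptions: server name TNG-EXCAS comes from the output above; the
# Endpoint labels and the -Fix switch are this script's own.
param(
    [string]$Server = 'TNG-EXCAS',
    [switch]$Fix
)

# One row per published endpoint: how to read it, the property that carries
# the Basic setting, the value TMG needs, and how to set it. Outlook Anywhere
# exposes an enum (Basic/Ntlm) rather than a boolean, hence its own row.
$checks = @(
    @{ Endpoint = 'OWA'; Prop = 'BasicAuthentication'; Want = $true
       Get = { Get-OwaVirtualDirectory -Server $Server }
       Set = { $args[0] | Set-OwaVirtualDirectory -BasicAuthentication $true } },
    @{ Endpoint = 'ECP'; Prop = 'BasicAuthentication'; Want = $true
       Get = { Get-EcpVirtualDirectory -Server $Server }
       Set = { $args[0] | Set-EcpVirtualDirectory -BasicAuthentication $true } },
    @{ Endpoint = 'EWS'; Prop = 'BasicAuthentication'; Want = $true
       Get = { Get-WebServicesVirtualDirectory -Server $Server }
       Set = { $args[0] | Set-WebServicesVirtualDirectory -BasicAuthentication $true } },
    @{ Endpoint = 'ActiveSync'; Prop = 'BasicAuthEnabled'; Want = $true
       Get = { Get-ActiveSyncVirtualDirectory -Server $Server }
       Set = { $args[0] | Set-ActiveSyncVirtualDirectory -BasicAuthEnabled $true } },
    @{ Endpoint = 'PowerShell'; Prop = 'BasicAuthentication'; Want = $true
       Get = { Get-PowerShellVirtualDirectory -Server $Server }
       Set = { $args[0] | Set-PowerShellVirtualDirectory -BasicAuthentication $true } },
    @{ Endpoint = 'Outlook Anywhere'; Prop = 'ClientAuthenticationMethod'; Want = 'Basic'
       Get = { Get-OutlookAnywhere -Server $Server }
       Set = { $args[0] | Set-OutlookAnywhere -ClientAuthenticationMethod Basic } }
)

$results = foreach ($c in $checks) {
    $get = $c.Get
    $objects = @(& $get)
    if ($objects.Count -eq 0) {
        # Outlook Anywhere returns nothing until Enable-OutlookAnywhere has been run
        New-Object PSObject -Property @{ Endpoint = $c.Endpoint; Identity = '(not configured)'; Current = $null; OK = $false }
        continue
    }
    foreach ($o in $objects) {
        $current = $o.($c.Prop)
        $ok = ("$current" -eq "$($c.Want)")
        if (-not $ok -and $Fix) {
            $set = $c.Set
            & $set $o
            $current = $c.Want
            $ok = $true
        }
        New-Object PSObject -Property @{ Endpoint = $c.Endpoint; Identity = "$($o.Identity)"; Current = $current; OK = $ok }
    }
}

$results | Format-Table Endpoint, Identity, Current, OK -AutoSize
$bad = @($results | Where-Object { -not $_.OK })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) endpoint(s) will fail behind TMG until Basic authentication is enabled (re-run with -Fix)."
}
```

Run it once without -Fix to see the current state, then with -Fix to correct it. Because Basic sends the password in a reversible encoding, the leg from TMG to the Client Access server should stay on HTTPS, which is what the To page configured above gives you.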

Publishing ActiveSync

Most of the configuration is identical to OWA, except for the following:

  1. Public Name: only specify mail.aventislab.info
  2. Internal Path: /Microsoft-Server-ActiveSync/*
  3. Application Settings: keep the defaults

Publishing Outlook Anywhere / RPC

Identical settings to ActiveSync, except that the internal path is set to /rpc/* (the RPC over HTTP proxy used by Outlook Anywhere).

Publishing EWS & PowerShell

Identical settings to ActiveSync, except:

  1. Paths: /EWS/* and /PowerShell/*
  2. Authentication Delegation: select "No delegation, but client may authenticate directly"
  3. Users: select All Users

With these two settings TMG does not pre-authenticate requests on these paths; it forwards them and the Client Access server performs the Basic authentication itself. The /PowerShell/* path therefore reaches Exchange without any check at the TMG layer, so only include it if you actually need to manage the server with Remote PowerShell from outside.
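What the /PowerShell/* path is for, as an added example that is not part of the original post: connecting to Exchange 2010 Remote PowerShell from an external workstation through the TMG rule above. It assumes the public name mail.aventislab.info from the post and an administrator account that is allowed to use Remote PowerShell; the function name is this example's own.

```powershell
# Added example, not from the original post: connect to Exchange 2010 remote
# PowerShell through the TMG rule that publishes /PowerShell/*. Assumes the
# public name mail.aventislab.info from the post and an admin account that is
# allowed to use remote PowerShell; the function name is this example's own.
#
# One-time prerequisites on the Client Access server (Exchange Management Shell):
#   Get-PowerShellVirtualDirectory -Server TNG-EXCAS | Set-PowerShellVirtualDirectory -BasicAuthentication $true
#   Set-User 'DOMAIN\adminuser' -RemotePowerShellEnabled $true

function New-ExchangeSessionViaTmg {
    param(
        [string]$PublicName = 'mail.aventislab.info',
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    # HTTPS only: Basic carries the password base64-encoded, so the TLS session
    # to TMG is its only protection. The rule uses "No delegation, but client
    # may authenticate directly", so the CAS itself validates the credential.
    $uri = "https://$PublicName/PowerShell/"
    New-PSSession -ConfigurationName Microsoft.Exchange `
                  -ConnectionUri $uri `
                  -Authentication Basic `
                  -Credential $Credential `
                  -AllowRedirection
}

$session = New-ExchangeSessionViaTmg

# Import the Exchange cmdlets into the local session; -DisableNameChecking
# suppresses the imported-command name warning.
Import-PSSession $session -DisableNameChecking | Out-Null

# The same check as in the Basic authentication section, now run from outside through TMG
Get-OutlookAnywhere | Select ServerName, ClientAuthenticationMethod

Remove-PSSession $session
```

If New-PSSession fails with an access denied error while the same credential works for OWA, check the two prerequisites in the header comment first; TMG is not involved in that decision because it passes the path through without delegation.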

URL Redirect

To redirect http://mail.aventislab.info to https://mail.aventislab.info/owa

Same settings as EWS & PowerShell, except the following:

  1. Action: select Deny and check "Redirect HTTP requests to this web page", entering https://mail.aventislab.info/owa
  2. Paths: /

Verify the configuration with the Microsoft Remote Connectivity Analyzer at https://testconnectivity.microsoft.com

  • Exchange ActiveSync – PASS
  • Exchange ActiveSync Autodiscover – PASS
  • Exchange Web Services synchronization, notification, availability, and Automatic Replies – PASS
  • Outlook Connectivity – PASS
  • Outlook Autodiscover – PASS
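The Remote Connectivity Analyzer exercises the mail protocols end to end. The script below, an added example that is not part of the original post, complements it by probing each path the TMG rules publish from an external client and showing the status code, redirect target and authentication challenge each one returns, so you can see which rule answered and whether an unpublished path is denied by TMG. It uses HttpWebRequest so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2; the public name is the one from the post, the expected results in the comments are what the rules above should produce, and the function name is this example's own.

```powershell
# Added example, not from the original post: probe every path the TMG rules
# publish and report status, Location and WWW-Authenticate for each, without
# following redirects. Assumes the public name mail.aventislab.info from the
# post; the function name is this example's own.

function Test-PublishedPath {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # show TMG's 302 instead of following it
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as exceptions that still carry the response
        if ($_.Exception.Response -eq $null) {
            return New-Object PSObject -Property @{ Url = $Url; Status = 'n/a'; Location = $null; Auth = $_.Exception.Message }
        }
        $resp = $_.Exception.Response
    }
    $result = New-Object PSObject -Property @{
        Url      = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        Auth     = $resp.Headers['WWW-Authenticate']
    }
    $resp.Close()
    $result
}

$publicName = 'mail.aventislab.info'
$paths = @(
    "http://$publicName/",                              # URL Redirect rule: 302 to https://.../owa (only if the listener also accepts HTTP)
    "https://$publicName/",                             # URL Redirect rule: 302 to https://.../owa
    "https://$publicName/owa/",                         # OWA rule: TMG's forms-based logon page
    "https://$publicName/Microsoft-Server-ActiveSync",  # ActiveSync rule: 401 with WWW-Authenticate: Basic
    "https://$publicName/rpc/rpcproxy.dll",             # RPC rule: 401 with WWW-Authenticate: Basic
    "https://$publicName/EWS/Exchange.asmx",            # EWS rule (no delegation): 401 issued by the CAS
    "https://$publicName/PowerShell/",                  # EWS rule, PowerShell path: 401 issued by the CAS
    "https://$publicName/not-published/"                # matches no rule: TMG must deny it itself
)

$paths | ForEach-Object { Test-PublishedPath $_ } | Format-Table Status, Auth, Location, Url -AutoSize
```

Run it from a machine outside the network. Any row where the unpublished path returns something other than a TMG denial, or where a Basic challenge appears on a path that should be behind the forms logon, points at a rule whose paths or delegation settings differ from the ones described above.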

Verify the TMG backup file with ISAinfo

  1. Download ISAinfo.zip to view the complete configuration contained in the TMG backup (TMG-Backup)