Steps to publish OWA, ECP, EWS, ActiveSync, Outlook Anywhere (RPC) and PowerShell in Microsoft TMG for Exchange 2010
- Set up a Windows 2008 R2 server in a Workgroup environment with:
- IP Address = 172.16.1.10/24
- Secondary IP Address = 172.16.1.12/24
- Workgroup = Workgroup
- TMG version = 7.0.7734.100
- Import the public SSL certificate (PFX) into the TMG 2010 server
- Overview of the Firewall Policy configured on the TMG 2010 server
- URL Redirect – redirects https://mail.aventislab.info to https://mail.aventislab.info/owa
- EWS – publishes /EWS/* and /PowerShell/* (if you would like to use Remote PowerShell to manage the Exchange 2010 server)
- RPC – publishes /rpc/* for Outlook Anywhere
- ActiveSync – publishes /Microsoft-Server-ActiveSync/* for ActiveSync mobile phone access
- OWA – publishes /public/*, /OWA/*, /Exchange/*, /ecp/* and /autodiscover/*
Configure the Firewall Policy using Publish Exchange Web Client Access
Please refer to the sections below for the detailed configuration of each Firewall Policy.
Configuration of Web Listener
- Create a new Web Listener called WebListener and associate it with the secondary IP address 172.16.1.12/24
- Configuration of Connections
- Select the imported public SSL certificate under Certificate
- Disable SSO
- Configuration of Forms
- Configuration of Authentication – select LDAP (Active Directory), since TMG is installed in a Workgroup
Publishing Outlook Web Access (OWA)
- Configuration of Action
- Configuration of From – allow traffic from Anywhere
- Configuration of To – specify the public URL for OWA access and the IP address of the Exchange 2010 server
- Select the WebListener created previously
- Configuration of Public Name
- Configuration of Paths
- Select Basic Authentication
- Change the Application Settings – Published Server Logoff URL
- Select All Authenticated Users
Basic Authentication for OWA, ECP, EWS, ActiveSync and Outlook Anywhere in Exchange 2010 Server
- Ensure that Basic Authentication is enabled for OWA, ECP, EWS, ActiveSync and Outlook Anywhere
#Basic Authentication for OWA
Get-OwaVirtualDirectory | Select Name, BasicAuthentication
Name BasicAuthentication
---- -------------------
owa (Default Web Site)
#Basic Authentication for ECP
Get-EcpVirtualDirectory | Select Name, BasicAuthentication
Name BasicAuthentication
---- -------------------
ecp (Default Web Site) True
#Basic Authentication for ActiveSync
Get-ActiveSyncVirtualDirectory | Select Name, BasicAuthEnabled
Name BasicAuthEnabled
---- ----------------
Microsoft-Server-ActiveSync (Default Web Site) True
#Basic Authentication for Outlook Anywhere
Get-OutlookAnywhere | Select ServerName, ClientAuthenticationMethod
ServerName ClientAuthenticationMethod
---------- --------------------------
TNG-EXCAS Basic
#Basic Authentication for EWS
Get-WebServicesVirtualDirectory | Select Name, BasicAuthentication
Name BasicAuthentication
---- -------------------
EWS (Default Web Site) True
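As an added example that is not part of the original post, the following Exchange Management Shell script runs the checks above in one pass and flags any published virtual directory on which Basic authentication is disabled. It assumes it is run in the Exchange 2010 Management Shell on the Client Access Server, and it also covers the PowerShell virtual directory, which the /PowerShell/* rule relies on.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management
# Shell on the Client Access Server. Report-only: it lists every virtual directory
# the TMG rules publish and flags any where Basic authentication is disabled.
# The PowerShell virtual directory is included because the /PowerShell/* rule
# (remote PowerShell through TMG) needs Basic authentication as well.
$checks = @(
    @{ Service = 'OWA';        Get = { Get-OwaVirtualDirectory };         Prop = 'BasicAuthentication' },
    @{ Service = 'ECP';        Get = { Get-EcpVirtualDirectory };         Prop = 'BasicAuthentication' },
    @{ Service = 'EWS';        Get = { Get-WebServicesVirtualDirectory }; Prop = 'BasicAuthentication' },
    @{ Service = 'PowerShell'; Get = { Get-PowerShellVirtualDirectory };  Prop = 'BasicAuthentication' },
    @{ Service = 'ActiveSync'; Get = { Get-ActiveSyncVirtualDirectory };  Prop = 'BasicAuthEnabled' }
)

# PowerShell 2.0 syntax (no [PSCustomObject]) so it runs on Windows 2008 R2.
$results = @(foreach ($c in $checks) {
    foreach ($vdir in (& $c.Get)) {
        New-Object PSObject -Property @{
            Service     = $c.Service
            Identity    = $vdir.Identity
            BasicAuth   = [bool]$vdir.($c.Prop)
            ExternalUrl = $vdir.ExternalUrl
        }
    }
})

# Outlook Anywhere uses a different cmdlet and a different property name.
foreach ($oa in Get-OutlookAnywhere) {
    $results += New-Object PSObject -Property @{
        Service     = 'OutlookAnywhere'
        Identity    = $oa.Identity
        BasicAuth   = ($oa.ClientAuthenticationMethod -eq 'Basic')
        ExternalUrl = $oa.ExternalHostname
    }
}

$results | Sort-Object Service | Format-Table Service, Identity, BasicAuth, ExternalUrl -AutoSize

$notBasic = $results | Where-Object { -not $_.BasicAuth }
if ($notBasic) {
    Write-Warning ('Basic authentication is NOT enabled on: ' +
        (($notBasic | ForEach-Object { $_.Identity }) -join ', '))
    # Remediation cmdlets, one per service (not run automatically):
    #   Set-OwaVirtualDirectory / Set-EcpVirtualDirectory / Set-WebServicesVirtualDirectory /
    #   Set-PowerShellVirtualDirectory -Identity <id> -BasicAuthentication $true
    #   Set-ActiveSyncVirtualDirectory -Identity <id> -BasicAuthEnabled $true
    #   Set-OutlookAnywhere -Identity <id> -ClientAuthenticationMethod Basic
} else {
    Write-Host 'Basic authentication is enabled on every published virtual directory.'
}
```

Because TMG delegates Basic credentials to Exchange for the OWA, ActiveSync and RPC rules, every vdir in the report must show BasicAuth = True; a False entry is the usual cause of a 401 loop or a failed ActiveSync test.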
Publishing ActiveSync
Most of the configuration is identical to OWA, except for the following:
- Only specify mail.aventislab.info
- Internal Path – /Microsoft-Server-ActiveSync/*
- Default Settings for Application Settings
Publishing Outlook Anywhere / RPC
Identical settings to ActiveSync, except that the internal path is set to /rpc/*
Publishing EWS & PowerShell
Identical settings to ActiveSync, except:
- Paths – /EWS/* and /PowerShell/*
- Select No delegation, but client may authenticate directly
- Select All Users
URL Redirect
To redirect http://mail.aventislab.info to https://mail.aventislab.info/owa
Same settings as EWS & PowerShell, except the following:
- Select Deny and check "Redirect HTTP requests to this web page"
- Paths – /
Verify the configuration via https://testconnectivity.microsoft.com
- Exchange ActiveSync – PASS
- Exchange ActiveSync Autodiscover – PASS
- Exchange Web Services synchronization, notification, availability, and Automatic Replies – PASS
- Outlook Connectivity – PASS
- Outlook Autodiscover – PASS
Verify the TMG backup file with ISAinfo
- Download ISAinfo.zip to view the complete configuration of the TMG backup