Comments on: howto://publish OWA through TMG

By: Ian

Ian — Tue, 01 May 2012 04:28:27 +0000

Hi Ed,

Thanks for writing this tutorial, and spending so much time troubleshooting your reader’s issues so long after you wrote the original article.

Cheers,

Ian

By: Ed Fisher

Ed Fisher — Thu, 29 Mar 2012 14:22:32 +0000

1. Is the TMG a domain member?
2. If not, how have you configured it to authenticate to AD? LDAP?
3. Is your local admin account on TMG using the same password as your domain admin?
4. Can you access OWA using the internal URL, using the browser on the TMG?
5. When you try to log on to OWA through the TMG, and it gives you the error you mention above, what error does it show in the TMG logs?

By: Tim

Tim — Thu, 29 Mar 2012 01:38:21 +0000

Followed this, got OWA working. But I can’t seem to login to OWA with any account besides the administrator account. Have created other users in the New user wizard on the Exchange server. The error I get is: “You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again.” Any ideas? Thanks!

By: Jan

Jan — Mon, 12 Mar 2012 10:19:40 +0000

Hi Ed,

I’ve found the flaw in my deny rule.
At the “path” section the internal path was /* and that should be /.
Now the deny and allow rule is working as expected

By: Ed Fisher

Ed Fisher — Fri, 09 Mar 2012 20:30:20 +0000

Ah, but my post is based on a two NIC server that is a domain member. I’m not saying you cannot do it the way you have it, but I am saying that I don’t do single NIC, and haven’t done workgroup with LDAP since ISA 2006, so my guidance won’t be as good as you might wish on this. And the ASA puts another variable into the mix. My first thought is that if the TMG is challenging you for auth, and then you keep getting the prompt but NOT an access denied or account lockout, your TMG is not making LDAP connections to your DCs.
1. Copy LDP.EXE to the TMG server and make sure you can connect to AD from the TMG using that app. LDAP binds usually require an account to authenticate with, so make sure you do that using whatever service account you have setup and not your own domain account.
2. I’m hoping you setup LDAP to use SSL, so make sure you test with LDP using SSL. Your firewall will have to permit TCP 636 from the TMG to the DCs, and 3269 if you are hitting a GC.

By: Andrew

Andrew — Fri, 09 Mar 2012 20:20:47 +0000

No, it is a standalone, single NIC in the DMZ with Edge sitting behind a Cisco ASA firewall.
I am attempting to authenticate via LDAP.
My web listeners and rules are set up using the schema set up in your posts.

By: Ed Fisher

Ed Fisher — Fri, 09 Mar 2012 20:00:59 +0000

Is your TMG a member of your domain?
How are you entering your username? username, domain\username, username@domain?

By: Andrew

Andrew — Fri, 09 Mar 2012 19:09:13 +0000

I keep getting the Login credentials pop up box but it will not accept the username or password.

[PS] C:\Windows\system32>Get-OutlookAnywhere |fl

RunspaceId : 9d9211d3-8e96-4bc4-bd5b-a3a833b57b2b
ServerName : myexchange
SSLOffloading : False
ExternalHostname : webmail.mydomain.com
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
XropUrl :
MetabasePath : IIS://myexchange.mydomain.local/W3SVC/1/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
Server : myexchange
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=myexchange,CN=Servers,CN=Exchange Adm
inistrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mydomain,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity : myexchange\Rpc (Default Web Site)
Guid : c1b2a926-6baf-40e1-8982-5e3d85f4fdd7
ObjectCategory : mydomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 3/9/2012 11:02:36 AM
WhenCreated : 3/8/2012 2:50:00 PM
WhenChangedUTC : 3/9/2012 7:02:36 PM
WhenCreatedUTC : 3/8/2012 10:50:00 PM
OrganizationId :
OriginatingServer : MyDC2.meritus.local
IsValid : True

By: Ed Fisher

Ed Fisher — Fri, 09 Mar 2012 18:57:35 +0000

Change your authentication method to NTLM and try again to connect to OA from an Outlook client on the internal network.

set-outlookanywhere -identity “myexchange\Rpc (Default Web Site)” -clientauthenticationmethod ntlm [enter]

By: Andrew

Andrew — Fri, 09 Mar 2012 18:56:44 +0000

When I set my deny rule to redirect traffic from webmail.mydomain.com to https://myexchange.mydomain.local/owa,, it redirects me without issue internally.

By: Andrew

Andrew — Fri, 09 Mar 2012 18:41:27 +0000

[PS] C:\Windows\system32>Get-OutlookAnywhere |fl

RunspaceId : 9d9211d3-8e96-4bc4-bd5b-a3a833b57b2b
ServerName : MYEXCHANGE
SSLOffloading : False
ExternalHostname : webmail.mydomain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic}
XropUrl :
MetabasePath : IIS://myexchange.mydomain.local/W3SVC/1/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
Server : myexchange
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=MPSOLIVE,CN=Servers,CN=Exchange Adm
inistrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Meritus,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=meritus,DC=local
Identity : myexchange\Rpc (Default Web Site)
Guid : c1b2a926-6baf-40e1-8982-5e3d85f4fdd7
ObjectCategory : mydomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 3/8/2012 2:50:15 PM
WhenCreated : 3/8/2012 2:50:00 PM
WhenChangedUTC : 3/8/2012 10:50:15 PM
WhenCreatedUTC : 3/8/2012 10:50:00 PM
OrganizationId :
OriginatingServer : MyDC2.meritus.local
IsValid : True

By: Ed Fisher

Ed Fisher — Fri, 09 Mar 2012 18:32:03 +0000

What happens if you set the redirect in your deny rule to explicitly be the https://URL:8443/owa that works directly?

By: Ed Fisher

Ed Fisher — Fri, 09 Mar 2012 18:29:03 +0000

If OA doesn’t work internally, forget about ever getting it to work through TMG until you get it working internally.
On your CAS server open an Exchange Management Shell, and reply with the contents of this command.

get-outlookanywhere | fl [enter]

By: Andrew

Andrew — Fri, 09 Mar 2012 17:17:50 +0000

1. ExRCA Outlook Anywhere Test Results
Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.

Testing HTTP Authentication Methods for URL https://webmail.mydomain.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.

Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

2. Denied Connection MyTMG2010 3/9/2012 9:11:34 AM
Log type: Web Proxy (Reverse)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal (192.168.42.190:55543)
Destination: Local Host (192.168.80.150:443)
Request: RPC_OUT_DATA http://webmail.mydomain.com/rpc/rpcproxy.dll?MyExchange.meritus.local:6004
Filter information: Req ID: 0ebc05ed; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
Additional information
Client agent: MSRPC
Object source: (No source information is available.)
Cache info: 0×8 (Request includes the AUTHORIZATION header.)
Processing time: 1 MIME type:

3. No, OA does not work internally or externally at the moment. I can get it Outlook to connect internally if I manually configure the settings Exchange Proxy Settings

By: Jan

Jan — Fri, 09 Mar 2012 15:17:47 +0000

Hi Ed,

Thanks for your response.

I’m fully aware of the problems with a none standard port. This situation is only temporary and only during the migration from Exch 2007 to Exch 2010. As in our environment there are many users that use mobile phone (active)sync and we do not want to interfere with that setup until we are ready to migrate those users to Exch 2010.
On the default port 443 the Exch 2007 OWA is still active.

In TMG I see Allow connection, but looks like it is stuck in a loop between both the Publishing rules.

Initiated Connection TMG 3/9/2012 4:04:41 PM
Log type: Firewall service
Status: The operation completed successfully.
Source: External (81.243.62.97:56372)
Destination: Local Host (xx.xx.xx.xx:8443)
Protocol: HTTPS – 8443
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 81.243.62.97

Initiated Connection TMG 3/9/2012 4:04:41 PM
Log type: Firewall service
Status: The operation completed successfully.
Source: External (81.243.62.97:56373)
Destination: Local Host (xx.xx.xx.xx:8443)
Protocol: HTTPS – 8443
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 81.243.62.97

Denied Connection TMG 3/9/2012 4:04:41 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer.
Rule: None – see Result Code
Source: External (81.243.62.97:56319)
Destination: Local Host (xx.xx.xx.xx:8443)
Protocol: HTTPS – 8443
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 81.243.62.97

Closed Connection TMG 3/9/2012 4:05:49 PM
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Source: External (81.243.62.97:56373)
Destination: Local Host (xx.xx.xx.xx:8443)
Protocol: HTTPS – 8443
Additional information
Number of bytes sent: 92 Number of bytes received: 52
Processing time: 68000ms Original Client IP: 81.243.62.97