Comments on: howto://publish OWA through TMG

By: Ed Fisher

Ed Fisher — Mon, 16 Jan 2012 16:09:39 +0000

Hi Tunde,
If you want the simple redir from a user friendly url (http://mail.example.com) to the “real” url (https://mail.example.com/owa) then yes, it should be done at the root of the site, since that is what the user friendly url connects to. Yes that could be one of the problems.
HTH
Ed

By: Tunde

Tunde — Mon, 16 Jan 2012 15:26:39 +0000

Thanks for your response. I’ll double-check those things you mentioned. I didn’t configure the environment, so, there is alot of going back and forth.
Internal users are configured to talk to CAS (cas-array) directly. I believe redirection has to be configured on IIS for the internal redirection to work (correct me if I’m wrong). There is something I notice on the IIS server however, the redirection was done on the folder level (Default-WebSite -> Exchange and Default-Website-ExchWeb) only. No redirection on the root (default web site) itself. Could this be one of the problem as well?

By: Ed Fisher

Ed Fisher — Mon, 16 Jan 2012 14:17:07 +0000

Hi Tunde,
Thanks for the comment, and the follow. As to your questions; if you are using Forms Based Authentication and getting prompted twice, it sounds like SSO is not setup correctly. Check your SPNs and delegated authentication for Kerberos. And are you trying to point your internal users to the TMG instead of directly to your CAS? That would work, if you are using split DNS and have the listener for this publishing rule set up to listen on both the internal and external networks…more details needed if that doesn’t answer your question.
Ed

By: Tunde

Tunde — Sun, 15 Jan 2012 18:59:39 +0000

Hey Ed,
This post is very helpful. Thank you.
A quick question. After you’ve configured this, can you leave authentication on EMC for the client server as FBA or WBA?
Our users are getting double authentication on OWA from outside the network and internal users are not being redirected.

Thanks

By: Ed Fisher

Ed Fisher — Wed, 23 Nov 2011 19:08:50 +0000

I typically like to do redirects on the TMG, so I can fully control it, and I like to use a simple names, so I would publish the URL http://email.summit911.org on the TMG as a DENY and then redirect that to https://mail.summit911.org/owa, which I assume you are using for actually publishing OWA using the TMG.
You just don’t want users to try https://email.summit911.org, since clients can get a little pissy about redirects on secure connections.

By: Aaron

Aaron — Wed, 23 Nov 2011 18:38:46 +0000

Hey Ed,

I have a redirect/certificate question. We use a third party server for spam filtering, which is using our mx record. We made a new dns entry for our tmg/edge server, the record points email.summit911.org to our tmg server. I have an already established godaddy certificate on my mail server which is mail.summit911.org. Would it be better to redirect requests on tmg to point requests for email.summit911.org to mail.summit911.org/owa, or should i make a new certificate for my mail server using email.summit911.org instead of mail.summit911.org?

Would the redirect process be the same as your instructions above? Would i have to change the external url for owa to the email.summit911.org address, or leave it the same and let the redirect push the requests for email.summit911.org to https://mail.summit911.org/owa ?

Aaron

By: Ed Fisher

Ed Fisher — Tue, 18 Oct 2011 23:33:14 +0000

Glad you have things working Toufik!

By: Toufik

Toufik — Tue, 18 Oct 2011 11:12:40 +0000

Hi ED sorry for the late reply i was busy doing other stuff, i did not plan or design their exchange envirement i just inherited a complete failed transition from 2003,2007 to 2010 it was a complete nightmare,got activesync working ,regarding the autodiscover i will not bother as for now gpt too many things to worry bout ,anyway thanks for all ur help i really appreciate it all the best.

Regards

By: Ed Fisher

Ed Fisher — Tue, 11 Oct 2011 17:38:35 +0000

Toufik,
You’ve neither set up your SRV records in DNS, nor correctly published the /autodiscover/* through your TMG.

I cannot comment on how you have your certs and URLs set up since you have obfuscated the domain specific information beyond my ability to glance at and recognise an issue. I can’t say I blame you for that, but that moves this from a simple helping hand that takes me a few minutes to parse and that I’d be willing to give, to a request for consulting services that involves much more time, and which I no longer do.

If you’d like to get some more private assistance, please use the contact form (linked at the top of the page) to reach out to me directly (and privately.) In response I will provide you with the exact data I need. Amazon and/or Starbucks gift cards are both nice tokens of appreciation and lets you set a value you feel my assistance is worth, and makes up for the time I spend helping.

FWIW, if you fix the SRV record and the publishing of autodiscover (instructions are in that TechNet article I linked above) and odds are you’ll be set. That advice is still free.

By: toufik

toufik — Mon, 10 Oct 2011 17:14:10 +0000

Hi ED here is what the testexchangeconnectivity looks:
But let explain our envirement:
we have user@domain.net this our smtp adrress
we have mail.domainlive.net for external urls owa,oab,activesync,
we have two wild card certificates:
*.domai.net
*domainlive.net
what i did is int the internal A Record i added autodiscover.domain.net mapped to the CAS ip.
externally : autodiscover.domain.net mapped to the externall TMG ip As per ur suggestion right.
now the error Host name autodiscover.domain.net doesn’t match any name found on the server certificate, or was it suppose to be autodiscover.domainlive.net which is on the wild card cert in domainlive.net here is the full message hope it make sense to you,i can connect to owa externally without any problmes,Thanks in advnace

ExRCA is attempting to test Autodiscover for user@domain.net. this is
Testing Autodiscover failed.

Test Steps

Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn’t be contacted successfully by any method.

Test Steps

Attempting to test potential Autodiscover URL https://DOMAIN.net/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.

Test Steps

Attempting to resolve the host name DOMAIN.net in DNS.
The host name couldn’t be resolved.
Tell me more about this issue and how to resolve it

Additional Details
Host domain.net couldn’t be resolved in DNS InfoNoRecords.
Attempting to test potential Autodiscover URL https://autodiscover.DOMAIN.net/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.

Test Steps

Attempting to resolve the host name autodiscover.DOMAIN.net in DNS.
The host name resolved successfully.

Additional Details
IP addresses returned: TMG EXTERNAL ADDRESS
Testing TCP port 443 on host autodiscover.DOMAIN.net to ensure it’s listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it’s valid.
The SSL certificate failed one or more certificate validation checks.

Test Steps

ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.DOMAIN.net on port 443.
ExRCA successfully obtained the remote SSL certificate.

Additional Details
Remote Certificate Subject: CN=*.DOMAINlive.net, OU=xx, O=DOMAIN.net, L=xx, S=XX, C=xx, Issuer: CN=DOMAINXXXX-CA, DC=DOMAIN, DC=net.
Validating the certificate name.
Certificate name validation failed.
Tell me more about this issue and how to resolve it

Additional Details
Host name autodiscover.DOMAIN.net doesn’t match any name found on the server certificate CN=*.DOMAINlive.net, OU=KZN, O=DOMAIN.net, L=XXX, S=XX, C=XXXX.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.

Test Steps

Attempting to resolve the host name autodiscover.domain.net in DNS.
The host name resolved successfully.

Additional Details
IP addresses returned: TMG EXTERNAL ADDRESS
Testing TCP port 80 on host autodiscover.DOMAIN.net to ensure it’s listening and open.
The port was opened successfully.
ExRCA is checking the host autodiscover.DOMAIN.net for an HTTP redirect to the Autodiscover service.
ExRCA failed to get an HTTP redirect response for Autodiscover.
Tell me more about this issue and how to resolve it

Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.

Test Steps

Attempting to locate SRV record _autodiscover._tcp.DOMAIN.net in DNS.
The Autodiscover SRV record wasn’t found in DNS.
Tell me more about this issue and how to resolve it
Thanks in advance

By: Ed Fisher

Ed Fisher — Mon, 10 Oct 2011 15:16:53 +0000

The internal URL’s FQDN should resolve to the CAS server, the external should resolve to the TMG’s external ip.addr. The results you describe from the testexchangeconnectivity.com site sound very much like your publishing rule is not correct. If you can get to the /Exchange using the internal URL you should get a 403, not a 500. /Public is for older public folders, and I hope you don’t care about them. I don’t and have no advice for them. If using the internal URL to /exchange still gives you a 500, your CAS server might have an issue.

By: toufik

toufik — Mon, 10 Oct 2011 12:17:02 +0000

does the internal Autodiscover url must match the external one say internally is autodiscover.doman.net , externally does it has to be the same ,must both of internal and external A Record to be the external TMG IP ?
now when i test the punlishing rule in owa ,the test for owa and ecp run correctly and shows green but for /Exchange/* ,/public/* gives this erros:
Error details: An unexpected response was received from the server. HTTP response: 500 Internal Server Error
Action: Verify that the intended server is published and that virtual directories exist. Ensure that you can browse the published site directly from an internal client computer. any ideas ED , i m really sorry for bugging u a lot

regards

By: Ed Fisher

Ed Fisher — Sun, 09 Oct 2011 22:03:48 +0000

Yes, autodiscover.example.com must resolve to the (external) ip.addr on the TMG that is publishing autodiscover, and of course you rule must be set up to publish the autodiscover path. More work is required than to just publish OWA. See http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946 for another approach to doing this if you didn't make out well with what I had above.

By: toufik

toufik — Sun, 09 Oct 2011 12:36:34 +0000

Hi Ed hope you will help on this,atuodiscover not working externally when i want to set new account from a joint domain , outlook will not find the autodiscover (only externally).Tested autodiscover connectivity failed as well ,went to technet docs didnt find any good references,we using TMG 2010 ,we do have a host record for autodiscover,does it have to be the external ip of the TMG ? owa works fine np ,internally it s fine as it can find the cas server.we using two Urls but both of them are public routable ,domain.net and domainlive.net which is for all our external url owa,outlook anywhere activesync and all ,the host record for autodiscover is as autodiscover.domain.net but it seems not resolving externally, any guidance please,

Regards

By: toufik

toufik — Fri, 07 Oct 2011 14:45:50 +0000

Thanks Ed for the quick reply , i leave it as it is then much appreciate it

regards