Federation Trust with Exchange 2010 behind Forefront TMG 2010
Dear all,

Currently we are going to deploy an Exchange 2010 Federation Trust between 2 organizations. Let's assume:

Organization A domain name: aa.com
Organization B domain name: bb.com
Exchange version: Exchange 2010 SP2 Rollup 3

Both organizations' Exchange CAS servers are running behind Forefront TMG 2010 (all OWA / ActiveSync / Outlook Anywhere publishing rules go through Forefront TMG) with a single SSL certificate (multiple Subject Alternative Names).

I have done some study: Exchange 2010 federation uses SAML tokens, not user accounts, to authenticate against IIS for EWS calls. TMG doesn't know how to validate SAML tokens, so the incoming requests can't be authenticated and passed on to the Exchange Server 2010.

Just want to check: normally, how do we perform a federation trust behind Forefront TMG 2010 between 2 organizations?

Thanks in advance!
September 18th, 2012 10:10am

Can anyone help with this?
September 18th, 2012 9:32pm

Hello,

Do you use multiple web listeners to publish Exchange 2010? If not, you can follow these steps to have a try:

<1> Modify the OWA and ECP virtual directories on the Exchange 2010 CAS servers to perform FBA, then modify the web listener on your TMG server to disable pre-authentication.
<2> Modify the authentication settings for each of the TMG publishing rules for ActiveSync, Outlook Anywhere and OWA to set them to no delegation.
<3> Revise the Users setting from All Authenticated Users to All Users.
<4> You may also need to verify that the authentication settings of your other Exchange virtual directories are valid; many organizations will allow basic authentication between TMG and their CAS servers, but require NTLM or Windows Integrated from external clients to TMG.

Thanks,
Evan

Evan Liu
TechNet Community Support
September 19th, 2012 5:47am
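The Exchange side of step <1> above, plus a verification pass, as an added example run from the Exchange Management Shell; this is not code from the thread, and the CAS server names, the federated user and the organization relationship name are assumptions. The TMG listener and rule changes in steps <1> to <3> are made in the TMG console and are not scripted here.

```powershell
# Added example, not from the original thread. Assumed CAS names; replace with yours.
$casServers = @("CAS01", "CAS02")

foreach ($cas in $casServers) {
    # Step <1>: switch OWA and ECP to forms-based authentication so the CAS presents
    # the logon form itself once pre-authentication is removed from the TMG listener.
    # Forms and Windows Integrated are mutually exclusive on these vdirs; FBA is
    # configured together with Basic, which is why both switches are set here.
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false
    Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
        -FormsAuthentication $true -BasicAuthentication $true -WindowsAuthentication $false

    # Federation traffic authenticates with WS-Security tokens on EWS and Autodiscover,
    # so make sure that authentication method is on (it is on by default; this only
    # confirms nobody turned it off while hardening the vdirs for step <4>).
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -WSSecurityAuthentication $true
    Set-AutodiscoverVirtualDirectory -Identity "$cas\Autodiscover (Default Web Site)" -WSSecurityAuthentication $true

    # Authentication changes on the vdirs are picked up after an IIS restart on that CAS.
    Invoke-Command -ComputerName $cas -ScriptBlock { iisreset /noforce }
}

# Verify the resulting settings across all CAS servers before touching TMG.
Get-OwaVirtualDirectory | Format-Table Server, FormsAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize
Get-EcpVirtualDirectory | Format-Table Server, FormsAuthentication, BasicAuthentication, WindowsAuthentication -AutoSize
Get-WebServicesVirtualDirectory | Format-Table Server, WSSecurityAuthentication -AutoSize
Get-AutodiscoverVirtualDirectory | Format-Table Server, WSSecurityAuthentication -AutoSize

# After the TMG changes, exercise the trust and the relationship end to end.
# "user@aa.com" and the relationship name "bb.com" are assumptions.
Test-FederationTrust -UserIdentity user@aa.com -Verbose
Test-OrganizationRelationship -Identity "bb.com" -UserIdentity user@aa.com -Verbose
```

Run the Test-* cmdlets only once TMG no longer pre-authenticates the EWS and Autodiscover paths; a failure at the token exchange step with the TMG settings unchanged is the symptom described in the question, not a problem with the trust itself.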

Hi

You need to have a rule on the TMGs which allows anonymous traffic to these paths for the autodiscover public name:

/ews/mrsproxy.svc
/ews/exchange.asmx/wssecurity
/autodiscover/autodiscover.svc/wssecurity
/autodiscover/autodiscover.svc

This rule needs to be above the existing Autodiscover rule so that it is processed first.

Steve
September 19th, 2012 5:53am
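A way to check from the outside that the anonymous rule above is actually the one handling these four paths, as an added example that is not part of Steve's answer. The public name is an assumption. Each path is requested through TMG without following redirects; a 302 to TMG's own forms logon page (/CookieAuth.dll?GetLogon) means the request was still caught by a pre-authenticating rule, which is the case when the anonymous rule sits below the existing Autodiscover rule or does not match the path.

```powershell
# Added example, not from the thread. Assumed public name; use your autodiscover FQDN.
$publicName = "autodiscover.aa.com"

# The four paths from Steve's answer, exactly as the TMG rule must list them.
$paths = @(
    "/ews/mrsproxy.svc",
    "/ews/exchange.asmx/wssecurity",
    "/autodiscover/autodiscover.svc/wssecurity",
    "/autodiscover/autodiscover.svc"
)

function Test-FederationPath {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false      # keep the 302 so we can inspect where it points
    $req.UserAgent = "FederationPathProbe"
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response     # non-2xx responses arrive as exceptions
    }
    if ($resp -eq $null) { return "$Url : no HTTP response" }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers["Location"]
    $resp.Close()
    # TMG form-based pre-authentication redirects unauthenticated clients to its own
    # logon page; that is the signature of the request never reaching the CAS.
    if ($status -eq 302 -and $location -like "*CookieAuth.dll*") {
        return "$Url : HTTP $status -> $location  (still pre-authenticated by TMG)"
    }
    return "$Url : HTTP $status  (passed TMG pre-authentication)"
}

foreach ($p in $paths) {
    Test-FederationPath -Url ("https://{0}{1}" -f $publicName, $p)
}
```

Any status other than a redirect to CookieAuth.dll (typically a 401 or a WCF/SOAP error page from the CAS) shows the request passed the TMG rule and reached IIS, where the WS-Security token can be validated; the exact code is not significant, only that TMG is no longer answering on the federation partner's behalf.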

