How to correctly publish Exchange 2003 OWA through a two legged TMG 2010 Server
Hallo: I have a two-legged TMG box -- one leg to the LAN and another NATed to a firewall which is then internet facing. I have used the "Back end Firewall" template -- TMG 2010 SP1 with a roll-up update, hosted on Windows 2008 RII SP1 and configured behind a Cisco router/firewall. My Exchange is 2003 SPII (one server as the mailbox server and another configured as the front-end box). I have followed this: http://blog.meigh.eu/2010/03/15/publishing-outlook-web-access-with-microsoft-forefront-tmg.aspx but am unable to get OWA working: internally I get the IIS error, while externally I get "page cannot be displayed". It's just embarrassing -- really, with all the experience of ISA 2004 and 2006, I am unable to crack TMG 2010. By the way, I find zero clear documentation on the internet relating to this situation. I will gladly appreciate your assistance please! ----- Nguri
NguriJN
May 4th, 2011 5:50pm

Hi Nguri, I can find some web links which might help you:
http://www.isaserver.org/tutorials/publishing-outlook-web-access-microsoft-forefront-tmg.html
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgePub/thread/9d68c06f-ba3d-4628-9dd4-95f934b21ac8
Anil
May 4th, 2011 11:35pm

Does OWA work if you go directly to the site via IP, bypassing the TMG? When you Test your OWA Rule on the TMG, do you get any errors?
May 5th, 2011 11:21am

Hallo Horton: OWA does not work either via IP or by the FQDN -- however, on the LAN as well as on the TMG (bypassing TMG -- I assume you mean that the browser does not use the TMG as the proxy) I am able to get the login screen -- but once I log in I get an error "Under Construction" -- this I get whether I use the IP of the published FBA box or the FQDN of the OWA site, i.e. https://mail.domain.com/ or the FBA internal IP https://192.168.1.7/. The public IP https://x.x.x.x/ does not work -- Internet Explorer cannot display the page. By the way, once the publishing is complete on TMG and I run the test, all come out clean and green!
NguriJN
May 5th, 2011 3:15pm

I would forget about the TMGs and work on getting OWA up first. Review your OWA configuration on the front-ends and in IIS.
May 5th, 2011 3:42pm

Hallo Horton: I heeded your sentiments of getting OWA up, and my frustrations led to a thread by Andersson http://www.testlabs.se/blog/2010/07/27/how-to-publish-owaactivesyncoutlook-anywhere-exchange-2010-with-microsoft-forefront-tmg-2/ combined with the thoughts on preparations of FE and BE http://isaserver.org/tutorials/rpchttppart1.html up to http://isaserver.org/tutorials/rpchttppart3.html and I counterchecked permissions http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html and the results -- you guessed -- are:
a) test rules on TMG for OWA rules
1. https://owa.domain.com:443/exchange/ -- results green -- details --> HTTP response: 401 Unauthorized
2. https://owa.domain.com:443/exchweb/ -- results green -- details --> HTTP response: 200 OK
3. https://owa.domain.com:443/public/ -- results green -- details --> HTTP response: 401 Unauthorized
4. pathping to FE.domain.com -- good!
a-1: when I test OWA internally --> internal -- I get the login screen at least -- but once I put in the username and password, I get the error "page cannot be displayed".
a-2: test of OWA externally --> I get a login page, I log in and get an error "under construction".
Some facts: I have done a split DNS rule in the AD DNS and have an A record owa.domain.com (same as certificate for OWA) pointing to the FE's IP. I have further gone to the TMG box and created an entry in the hosts file, the FE's IP pointing to owa.domain.com -- you know what... something is just not right and I am not sure where I am going so -- so wrong!
NguriJN
May 7th, 2011 11:08am

Again, forget about the TMGs. Get OWA working first; before that is working, it's useless to troubleshoot the TMGs.
May 9th, 2011 3:03pm

Hallo Horton: Kindly note that I am currently able to go to http://exchangemailboxserver/exchange and get into OWA and work; this is not my goal -- I need to have OWA accessible over the internet and this is why I need to have it published through TMG. Am I missing something here?
NguriJN
May 11th, 2011 3:53pm

Sorry, you stated: "a-1: when I test OWA internally --> internal -- I get the login screen at least -- but once I put in the username and password, I get the error "page cannot be displayed"." Which I assumed meant you couldn't access OWA internally or externally. In your Publishing Rule, what is listed on the following tabs:
1. Public Name
2. Paths
The Public tab lists the external DNS name of the OWA site, correct?
May 13th, 2011 10:00am

Public name: mail.domain.com (as per certificate publishing, and this points/resolves to the Exchange FE server)
Paths:
/public/*
/Exchweb/*
/Exchange/*
Yes, you are right -- the DNS name above (as per internal certificate) is also exactly as is and is published on our external (ISP) DNS servers, and is reachable as follows:
a) if you ping mail.domain.com externally (from the internet), it resolves to the public IP that is also NATed on the external firewall to TMG's "external leg"
b) on TMG as well as in the -- if I ping mail.domain.com (OWA site), it resolves to the Exchange FE's IP address, on the network to which TMG's internal leg belongs -- i.e. same network.
Horton: There's something about TMG that I plainly just fail to understand -- for the sake of this discussion, though, your suggestion was that we work on OWA only... I can get email (inbound and outbound) going through very well ON CONDITION that the INBOUND email DOES not have any attachments -- any mail with an attachment NEVER GETS delivered internally... yet the same rules on ISA 2006 on the same Exchange FE work seamlessly... Question: just what am I not doing :-(
NguriJN
May 16th, 2011 10:00am

Sir: My issue is on Exchange 2003 FE and NOT Exchange 2007. The configurations and setups are extremely different, please -- please!
NguriJN
June 3rd, 2011 3:39am

Hello John, this is my two cents. I am not an expert on TMG but I have a very similar environment. I used to have the Exchange front-end server accessible through a Cisco appliance, which worked okay, but when I moved the setup to the TMG I could not make it work. I published the Exchange front-end through the TMG and I could not get beyond the forms-based authentication; after login I used to get a 500 error. But once I changed the target to the Exchange back-end server it worked as it was supposed to. I am guessing the front-end was manipulated to work with the Cisco appliance (automatic redirection to the correct URL) and when I tried with TMG the redirection did not work; the back-end did not have any alteration and that is why I guess it worked without problem. Now I am looking to publish Exchange to be accessed by mobile phones using TMG.
AdminQuest
June 21st, 2011 9:31am

Hallo AdminQuest: this is a major relief -- this week I had scheduled to actually format the server and revert to Win2K3 RII and ISA 2006! I'll try this and revert to you -- oh how I pray that it works! I thank you for your time! -- John
NguriJN
June 22nd, 2011 8:53am

This topic is archived. No further replies will be accepted.