Publishing EWS with TMG?
I seem to be having issues with Lync EWS connectivity. I am using TMG to publish Exchange. Internal and external EWS URLs are the same. I can access https://mail.domain.com/ews/exchange.asmx internally just fine (I think there is a Windows authentication popup), and Lync connects to EWS. But from the internet the EWS URL brings me first to a TMG authentication page. Once I authenticate it directs me to https://mail.domain.com/ews/Services.wsdl just like internally, but Lync fails to connect. Do I need to publish EWS with a separate TMG rule using a different listener to require no authentication? How is EWS supposed to be published? I've tried the Lync-specific forums but there is not enough activity on them. Please help.
March 1st, 2011 12:28am

No separate publishing rule, it piggybacks off the Outlook Anywhere rule. Is Outlook Anywhere working? Did you use the whitepaper below?
Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010: http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022&displaylang=en
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 1st, 2011 12:52pm

Hey, I just read through the entire TMG section in that document. Our rules and configuration look identical except we don't have autodiscover.domain.com on our certificate, DNS or used anywhere else. I don't see it being a problem though since we use mail.domain.com/autodiscover/autodiscover.xml. Would it be a problem? Outlook Anywhere doesn't appear to work. When I run the autoconfiguration with an external client this is what I see in the log:
Srv Record lookup for domain.com starting
Autodiscover URL redirection to https://mail.domain.com/autodiscover/autodiscover.xml
Autodiscover to https://mail.domain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://mail.domain.com/autodiscover/autodiscover.xml Failed (0x80070057)
When I try to browse to https://mail.domain.com/autodiscover/autodiscover.xml I get the TMG authentication prompt and then the text (text contains a "600 Invalid Request"), but I hear that's normal.
March 1st, 2011 2:23pm

On the client that you tested Outlook Anywhere on, was it a domain-joined client? Were you creating a new profile externally through autodiscover or were you using an existing profile and just trying to connect from outside? Reason is if Autodiscover does not work externally you can't create a profile. Only clients that had their profiles set up inside the network first will work (unless you do a workaround). Go to https://testexchangeconnectivity.com/ and run the Outlook Anywhere test and post the diagnostic.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 1st, 2011 3:58pm

Machine did not have an existing Outlook profile configured in the domain. When I use my machine and open Outlook on the internet it connects to Exchange just fine. I ran the autodiscover test at https://testexchangeconnectivity.com/ and it completed successfully. However, this behavior seems random, as I just set up a test machine, domain joined, and configured Outlook. Then I moved it to an internet connection and did Test Outlook Autoconfiguration and it still fails to determine settings with the same log above. However, the client will still make a connection to Exchange. I'm a bit confused. Should I try to create a different TMG listener for OutlookAnywhere? Although I'm not sure how that would work because I would need it to listen on the same IP/port as the one for OWA, right?
March 1st, 2011 6:37pm

Hi Tpullins, Sure, you are right. I would suggest that you let the cert contain autodiscover.domain.com, and follow the doc to publish the autodiscover service for Outlook Anywhere. Some information for you: http://technet.microsoft.com/en-us/library/bb124251.aspx As far as I know, Lync server would also use it. Regards! Gavin
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 2nd, 2011 10:29pm

I honestly don't think it's a cert issue. I think it's an authentication issue at this point. Is it supported to use the same listener for my OutlookAnywhere rule as the OWA rule? That is how I'm currently doing it and I have Form Based Authentication on my listener. However I've seen guides from people that recommend using HTTP Basic authentication on a separate listener for OutlookAnywhere/EWS/Autodiscover. I would also like to direct you to my thread here on the Lync forums: http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/232ff25f-8b66-47ea-b9ea-033185ef7afc
March 2nd, 2011 10:38pm

Hi tpullins, Hope you have done some research from the above link I referred to. As far as I know, depending on whether you've configured the Autodiscover service on a separate site, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml. But, per your description, "Autodiscover to https://mail.domain.com/autodiscover/autodiscover.xml starting". So, it is different between them. I would suggest that you follow the doc. Or, you could do some tests to confirm what is right. Regards! Gavin
March 3rd, 2011 12:52am

Yes, ours is https://mail.domain.com/autodiscover/autodiscover.xml so I suppose using another listener would not work. I think it's just a matter of finding an authentication method on TMG that will work for both OWA and Autodiscover with Lync.
March 3rd, 2011 11:34am

Hi tpullins, As far as I know, Outlook Anywhere would automatically detect and use https://domain.com/autodiscover/autodiscover.xml, not https://mail.domain.com/autodiscover/autodiscover.xml. Was domain.com contained in the cert? About how to set the authentication method, we could follow the doc. Good luck. Regards! Gavin
March 3rd, 2011 8:42pm

It tries several different methods, even with https://mail.domain.com/autodiscover/autodiscover.xml which works fine. But ultimately I think there is a security problem on TMG.
March 4th, 2011 3:42pm
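The thread turns on whether the published EWS/Autodiscover URL answers an unauthenticated request with an HTTP authentication challenge (the internal "Windows authentication popup") or with a forms login page (the external "TMG authentication page"). The Python sketch below is an added example, not part of any post and not TMG or Exchange code: it classifies a response by status, headers and body; the sample responses and the `/login-form-placeholder` path are constructed for illustration.

```python
import re

# Constructed sample responses (not captured from a real TMG or Exchange server).
INTERNAL = (401, [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")], "")
EXTERNAL_FORM = (200, [("Content-Type", "text/html")],
                 '<html><form method="post"><input type="password" name="pw"></form></html>')
EXTERNAL_REDIRECT = (302, [("Location", "/login-form-placeholder")], "")
EXTERNAL_BASIC = (401, [("WWW-Authenticate", 'Basic realm="mail.domain.com"')], "")

def auth_schemes(headers):
    """Collect scheme names from every WWW-Authenticate header (simplified parse)."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for part in value.split(","):
            # A scheme is a bare token followed by a space or end; 'nonce="y"' is a parameter.
            m = re.match(r"\s*([A-Za-z][\w-]*)(?=\s|$)", part)
            if m and m.group(1).lower() not in schemes:
                schemes.append(m.group(1).lower())
    return schemes

def classify(status, headers, body=""):
    """Describe how the endpoint answered a request that carried no credentials."""
    schemes = auth_schemes(headers)
    if status == 401 and schemes:
        return "http-auth:" + "+".join(schemes)
    hdr = {n.lower(): v for n, v in headers}
    if status in (301, 302, 303, 307) and "location" in hdr:
        return "redirect"  # follow the Location and classify the target as well
    is_html = "html" in hdr.get("content-type", "").lower()
    if status == 200 and is_html and re.search(r'<input[^>]+type=["\']?password', body, re.I):
        return "forms-login"
    return "other"

def usable_by_service_client(kind):
    """EWS/Autodiscover clients answer HTTP auth challenges; they cannot fill in an HTML form."""
    return kind.startswith("http-auth:")

if __name__ == "__main__":
    for label, resp in [("internal", INTERNAL), ("external form", EXTERNAL_FORM),
                        ("external redirect", EXTERNAL_REDIRECT), ("external basic", EXTERNAL_BASIC)]:
        kind = classify(*resp)
        print(f"{label:18} {kind:26} service-client-ok={usable_by_service_client(kind)}")
```

Feeding it the status, headers and body returned for the same URL from inside and from outside the network shows whether the two paths present the same kind of authentication to a non-browser client.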

This topic is archived. No further replies will be accepted.
