When I run the Test-OutlookWebServices, I get errors when testing the exteranl EWS url, but not the interal one. If I go to https://internaldomain.local/EWS, I get the username/password prompt and it brings me to the XML file. When I go to https://externaldomain.org/ews, I get the following error message from IE: This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage. I checked the EWS vDir and it has integrated authentication set. I'm using a domain joined PC so that shouldn't be a problem, right? Here's the error message output from Test-OutlookWebServices Id : 1013 Type : Error Message : When contacting https://externaldomain.org/EWS/Exchange.asmx received the error The request failed with HTTP status 401: Unauthorized. Id : 1016 Type : Error Message : [EXPR]-Error when contacting the AS service at https://externaldomain.org/EWS/Exchange.asmx. The elapsed time was 15 milliseconds. Any help would be appreciated.

Can you check the NTFS permissions on the EWS directory and see if Authenticated users are in there and have read writes? C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWSJames Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

I see Authenticated Users with read access...does it require write access as well?

No write. From inside the network if you type https://externaldomain.org/ews/exchange.asmx are you getting the xml output? Did you get prompted for credentials or it let you right in?James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

If I try to access https://externaldomain.org/ews/exchange.asmx from the internal or external network, I get the 401 Unauthorized message. I can access https://internaldomain.local/ews/exchange.asmx internally and that goes through fine.

Are you using any proxy ISA, UAG, TMG? If so you need to set basic on authentication on the EWS virtual directory. Also what version of Exchange 2007 or 2010?James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

It's Exchange 2007 and we are using TMG. However, I'm not the one that administered TMG. I'll try basic authentication, but can you explain as to why I need to set basic authentication for this to work when using TMG?

If you're using TMG you're likely doing basic authentication delegation. The TMG does the FBA and does basic delgation to your CAS virtual directories. You can check by looking at the publishing rule in TMG.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Hi pham0329: If James helps you to solve the problem, please mark his answer.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

I just tested EWS again using the Remote Connectivity Tool and the EWS test got green checkmarks! Good. However, running Test-OutlookWebServices still returns the same error. Any idea why I was able to pass the Remote Connectivity Analyzer test but not the Test-OutlookWebServices? EDIT: Nvm, found the solution. If I disable the loopback check, the test passes. I renabled the loopback check and it failed. Guess I'll just live with the above errors as it's not affecting anything.