What's required to receive e-mails to my exchange clients?
What are the required internal and public DNS entries and certificate SANs in order to receive e-mails to my Exchange clients from different domains and mail service providers? My Exchange is working internally and I can send e-mails to any other domains but can't receive, and this is my first time setting up an Exchange server. Any help is appreciated, thanks. Mohammed JH
May 10th, 2012 6:43am

Hi You need to have an MX record for yourdomainname.com pointing to the public IP (natted?) of your Exchange server. Then you will need to configure yourdomainname.com as an accepted domain in your Organisation and add the address to your users with an Email Address Policy. You didn't state the version of Exchange but this is the relevant article for 2010: http://technet.microsoft.com/en-us/library/bb124423.aspx Cheers, Steve
May 10th, 2012 6:49am

Thanks for your reply Steve.
> You need to have an MX record for yourdomainname.com
This should be applied on my public DNS, right?
> pointing to the public IP (natted?) of your Exchange server.
Exchange is still internal. I have TMG but will publish once I have configured DNS.
> Then you will need to configure yourdomainname.com as an accepted domain in your Organisation and add the address to your users with an Email Address Policy.
I have done this under Organization Configuration\Hub Transport: I added my domain to accepted domains and added a policy to e-mail address policies. The filter is for my DC AD users and includes recipient types "Users with Exchange Mailboxes", with no conditions ticked. E-mail addresses are %m@mydomain.com, and I applied the policy immediately.
> You didn't state the version of Exchange but this is the relevant article for 2010
It's 2010, yes. Thanks a lot. Mohammed JH
May 10th, 2012 7:06am

Btw, what should the MX entry look like? Should I create a new connector for it? I have 3 connectors at the moment: 1- Client, 2- Default and 3- Relay. My TMG has 3 external IPs and is in the same domain as my Exchange. Thanks. Mohammed JH
May 10th, 2012 7:09am

No problem. It should be something like mail.yourdomain.com and the type is MX (instead of A which is a host record). This is what Microsoft's MX looks like: microsoft.com. 3311 IN MX 10 mail.messaging.microsoft.com.
May 10th, 2012 7:14am
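As an added illustration (not from the thread), a small Python check over a zone file written in the same format as the MX record Steve quotes: it parses BIND-style MX and A records and flags the mistakes that most often break inbound mail, an MX whose target is an IP literal instead of a hostname, an MX target with no A record, and a zone with no MX at all. The zone contents are constructed.

```python
import ipaddress
import re
# Constructed sample zone (not from the thread); the two commented lines are the mistakes.
SAMPLE_ZONE = """$ORIGIN example.com.
@             3600 IN MX 10 mail.example.com.
@             3600 IN MX 20 "95.0.0.1"          ; wrong: MX must name a host
@             3600 IN MX 30 backup.example.com. ; wrong: no A record below
mail          3600 IN A  95.0.0.2
autodiscover  3600 IN A  95.0.0.2
"""
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Za-z]+)\s+(.+)$")

def is_ip_literal(name):
    try:
        return bool(ipaddress.ip_address(name.strip('"')))
    except ValueError:
        return False

def qualify(name, origin):
    """Turn '@' or a relative name into a lower-case FQDN under origin."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text):
    """Minimal BIND zone parser: returns (origin, [(owner, type, rdata tokens)])."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((qualify(owner, origin), rtype.upper(), rdata.split()))
    return origin, records

def check_mx(origin, records):
    """List the inbound-mail DNS problems found; empty means it looks sane."""
    problems = []
    hosts = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    mx = [(owner, rdata) for owner, rtype, rdata in records if rtype == "MX"]
    if not mx:
        problems.append(f"{origin}: no MX record")
    for owner, rdata in mx:
        if len(rdata) != 2 or not rdata[0].isdigit():
            problems.append(f"{owner}: malformed MX data {' '.join(rdata)!r}")
        elif is_ip_literal(rdata[1]):
            problems.append(f"{owner}: MX target {rdata[1]} is an IP literal, not a hostname")
        elif qualify(rdata[1], origin) not in hosts:
            problems.append(f"{owner}: MX target {qualify(rdata[1], origin)} has no A/AAAA record")
    return problems
```

Run `check_mx(*parse_zone(SAMPLE_ZONE))` to see both constructed mistakes reported; the same check against the real public zone is a quick sanity test before publishing port 25.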

Should there be any configuration done for mail.mydomain.com on Exchange, like for the connector or anywhere else? I mean, from what I understood from you, now all I have to do is configure my public DNS to have mail.mydomain.com pointing to my TMG's public IP address? Correct? Then I can proceed with publishing Exchange on TMG! Mohammed JH
May 10th, 2012 7:17am

Adding it as accepted domain is all you need to do. As long as your default receive connector accepts mail from your TMG (which it will - by default all IPs are allowed) then mail should be delivered. You can test this by telnet-ing to your Exchange IP on port 25 and you should get the SMTP banner.
May 10th, 2012 7:24am

OK, great. So now all I have to do is publish a non-web server rule on TMG which allows SMTP Server from my Exchange to the External network? Correct? I have done all the DNS changes and I can nslookup my mail.domain fine! Mohammed JH
May 10th, 2012 7:27am

You have a choice with TMG, either publish Mail Servers (it's an option under Tasks) or create an email policy.
May 10th, 2012 7:49am

In addition, don't forget to inform your ISP to create a reverse DNS record for your domain. Otherwise, people think you're a spammer.
May 10th, 2012 9:02am

Sorry, how do I do this? I have control over my public DNS; it would be great if you could tell me exactly what the entry looks like. I have actually done all that Steve told me and created a mail server rule on TMG after amending everything I have been asked for, but I can't seem to connect to Exchange externally. I'm using mail.mydomain.com for this. My mail.mydomain.com FQDN points to my TMG's external IP; I could confirm that after running the nslookup command on my PC. The MX record on public DNS looks like this: @ IN MX 10 "95.x.x.x" which is my TMG's public IP. I'm not sure what else to do now? The rule I have created on TMG is as follows:
Action: Allow
SMTP Server port 25
From Anywhere/External/Internal/Localhost to 192.168.1.x << Exchange internal IP.
Networks: External: TMG's external IP assigned to mail.mydomain.com on public DNS.
Still I can't connect using Outlook. Any advice please? Mohammed JH
May 10th, 2012 9:17am

An update: I have tried to telnet my Exchange internally on the required ports, SMTP, POP and IMAP4, and found that SMTP and IMAP are listening but not POP. I re-created the policy on TMG and now it's connecting to my Exchange using IMAP4 and trying on POP too. When I get to the point of setting up Exchange in Outlook it never finds mail.mydomain.com and just hangs for a few minutes and then says "the name cannot be resolved. the connection to exchange is unavailable. outlook must be online or connected to complete this action". I'm logging the traffic from the IP where I'm trying to set up Outlook and I can't see any traffic to TMG during this process! Mohammed JH
May 10th, 2012 9:34am

OK, can we just go back a step. We were talking about getting SMTP to your Exchange server and you created the MX record and rule to allow that. Does this work now - if you "telnet yourdomain.com 25" from the Internet do you get the SMTP banner? Next you are trying to set up Outlook to connect to Exchange, are you trying this externally? You mentioned POP and IMAP, are those the protocols you want to use? The best method for Outlook to connect to Exchange is Outlook Anywhere: http://technet.microsoft.com/en-us/library/bb123741.aspx There are specific TMG rules for POP and IMAP which you will need to create for those protocols to work.
May 10th, 2012 10:21am

Steve, thanks so much for your advice! I have created a new receive connector "Internet" and pointed it to mail.mydomain.com, but I'm not sure if this is what fixed the problem; I think it might be another reason, which is probably that creating the MX entry on DNS needs some time to take effect. I was able to nslookup mail.mydomain.com and get the right IP but not the MX. So I'm able to send and receive e-mails now. Also I fixed the OWA issue by adding / to the Paths tab and removing the decline and redirect from the rule I created for OWA. This seems to get https://owa.mydomain.com redirected to https://owa.mydomain.com/owa. I had to change the External URL in the OWA default site properties on Exchange as well to match what I used in the TMG rule, so it looks like this there now: https://owa.mydomain.com/owa. I just have one more question, which I'm willing to open another thread for if required, but I'd rather get an answer from you. Publishing Outlook Anywhere seems to be working and underlines the username, but changes the server name from mail.mydomain.com to "Internal Exchange server's FQDN", and then when the setup finishes I receive the following message when trying to open Outlook with this new profile: "cannot open your default email folders. you must connect to microsoft exchange with the current profile before you can synchronize your folders with your outlook data file(.ost)" Mohammed JH
May 11th, 2012 2:41am

Hi It's no problem at all. It is normal for the server name to change to the internal hostname - if you click "More Settings" then on the Connection tab click "Exchange Proxy Settings", you should see the public name of your server in the "Use this URL ..." box. If that looks correct then go to this URL to test your OA connectivity: https://www.testexchangeconnectivity.com/
May 11th, 2012 3:54am

I entered the manual server name and tested EWS, Sync, Availability and AR. I entered mail.mydomain.com, since I don't have autodiscover in my certificate.
Exchange Web Services synchronization, notification, availability, and Automatic Replies (OOF).
Not all of the tests of Exchange Web Services tasks completed.
Test Steps
Ensuring that the test mailbox folder is empty and accessible.
ExRCA couldn't confirm that the folder is accessible and empty.
Additional Details
Exception details:
Message: The request failed. The remote server returned an error: (401) Unauthorized.
Type: Microsoft.Exchange.WebServices.Data.ServiceRequestException
Stack trace:
at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
at Microsoft.Exchange.WebServices.Data.MultiResponseServiceRequest`1.Execute()
at Microsoft.Exchange.WebServices.Data.ExchangeService.BindToFolder[TFolder](FolderId folderId, PropertySet propertySet)
at Microsoft.Exchange.Tools.ExRca.Tests.EnsureEmptyFolderTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.WebServices.Data.EwsHttpWebRequest.Microsoft.Exchange.WebServices.Data.IEwsHttpWebRequest.GetResponse()
at Microsoft.Exchange.WebServices.Data.ServiceRequestBase.GetEwsHttpWebResponse(IEwsHttpWebRequest request)
Mohammed JH
May 11th, 2012 4:17am

There's something odd: when I publish Outlook Anywhere on TMG and test the rule, I don't see the entries below like shown in the image below: /autodiscover/ /ews/ /oab. The only one that shows during the test is /rpc/. Any advice please? Mohammed JH
May 11th, 2012 5:26am

You need to add those paths to the rule on the Paths tab. Use the format /ews/* etc.
May 11th, 2012 5:36am

Ok great, I did that and it worked, but I had to tweak the authentication method in IIS on the Exchange server to match the authentication method on TMG and it worked fine. I also added autodiscover on my public DNS to point to TMG's public IP, and now after I ran the test again this is what I see.
Exchange Web Services synchronization, notification, availability, and Automatic Replies (OOF).
Not all of the tests of Exchange Web Services tasks completed.
Test Steps
ExRCA is attempting to test Autodiscover for mohammedh@mydomain.com.
Testing Autodiscover failed.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Test Steps
Attempting to test potential Autodiscover URL https://mydomain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name mydomain.com in DNS.
The host name couldn't be resolved.
Additional Details
Host mydomain.com couldn't be resolved in DNS InfoNoRecords.
Attempting to test potential Autodiscover URL https://autodiscover.mydomain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.mydomain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 95.0.52.122
Testing TCP port 443 on host autodiscover.mydomain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.mydomain.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=demoexc.mydomain.com, O=Tesas, L=Istanbul, S=Istanbul, C=tr, Issuer: CN=mydomain-domainAD-CA, DC=mydomain, DC=com.
Validating the certificate name.
Certificate name validation failed.
Additional Details
Host name autodiscover.mydomain.com doesn't match any name found on the server certificate CN=demoexc.mydomain.com, O=company, L=Istanbul, S=Istanbul, C=tr.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.mydomain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: TMG's public IP Address
Testing TCP port 80 on host autodiscover.mydomain.com to ensure it's listening and open.
The port was opened successfully.
ExRCA is checking the host autodiscover.mydomain.com for an HTTP redirect to the Autodiscover service.
ExRCA failed to get an HTTP redirect response for Autodiscover.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.mydomain.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Now, after I have done all these changes, Outlook opens and gave me an alert about the certificate, which is attached below, and never connects to Exchange. It just keeps saying connecting, connected, then lost connection in a never-ending loop. Please help! Thanks. And then I tried to reconfigure Outlook to Connect to Microsoft Exchange using HTTP, which is an option in the Connection tab settings; I entered owa.mydomain.com in the https:// box and changed the proxy authentication settings to Basic Authentication and got the message below. Any input is much appreciated. Thanks, Mohammed JH
May 11th, 2012 7:30am

OK, good progress. The problem here is that you need to have a certificate with multiple names on it installed on your Exchange server and used in the listener on the TMG. You can use a cert issued from your internal PKI (if you have one) but that is not recommended. I would recommend you obtain a public unified communications certificate with the names you need, typically: owa.yourdomain.com, autodiscover.yourdomain.com and mail.yourdomain.com. If you don't have split DNS then you may need to include the server FQDN on the certificate too. Certificate information: http://support.microsoft.com/kb/929395
May 11th, 2012 8:22am
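The name-validation failure in the ExRCA output above is exactly what Steve's advice addresses, and it can be checked before a certificate is issued. Below is an added example (not from the thread, not an Exchange or TMG tool) in Python that takes a certificate in the dict layout Python's `ssl.getpeercert()` returns and reports which of the required names nothing on the certificate covers, applying the rule clients use: SAN dNSName entries win when present, the CN counts only when there is no SAN, and a wildcard matches one label. Both certificates are constructed; the internal FQDN demoexc.mydomain.com is taken from the test output.

```python
# Constructed certificates (hypothetical, not the thread's real ones) in the
# dict layout that Python's ssl.getpeercert() returns.
INTERNAL_CA_CERT = {
    "subject": ((("commonName", "demoexc.mydomain.com"),),),
    "subjectAltName": (),
}
UC_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (
        ("DNS", "mail.mydomain.com"),
        ("DNS", "owa.mydomain.com"),
        ("DNS", "autodiscover.mydomain.com"),
        ("DNS", "demoexc.mydomain.com"),
    ),
}

def cert_names(cert):
    """Names a client will accept: SAN dNSName entries if present, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; '*' only as the whole leftmost
    label and it covers exactly one label (so *.mydomain.com != a.b.mydomain.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def required_names(domain, internal_fqdn, split_dns):
    """The names Steve lists; the internal FQDN is only needed without split DNS."""
    names = [f"owa.{domain}", f"autodiscover.{domain}", f"mail.{domain}"]
    return names if split_dns else names + [internal_fqdn]

def missing_names(cert, required):
    """Required hostnames that no name on the certificate covers."""
    names = cert_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]

if __name__ == "__main__":
    req = required_names("mydomain.com", "demoexc.mydomain.com", split_dns=False)
    for label, cert in (("internal CA cert", INTERNAL_CA_CERT), ("UC cert", UC_CERT)):
        print(label, "missing:", missing_names(cert, req) or "nothing")
```

Against a live listener, `ssl.create_default_context().wrap_socket(...).getpeercert()` yields the same dict shape, so the check can be run on whatever TMG actually presents.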

Ok, so I need to issue a certificate from my DC CA that includes these 3 SANs, import it to Exchange and assign it to which services? IMAP only? Then import it to TMG for the listener? Mohammed JH
May 11th, 2012 8:27am

I created a new certificate request from Exchange, issued the certificate from my CA and assigned the services IMAP, POP and SMTP to it. Now I have lost the connection to voice mail from my Lync client. Mohammed JH
May 11th, 2012 9:36am

You actually only needed to enable the certificate for IIS. You can use the enable-exchangecertificate command to change IMAP, POP and SMTP back to the self signed certificate if you need that.
May 11th, 2012 9:50am

I deleted all the certificates and created one from the CA with Exchange's FQDN in the SAN and assigned the UM service to it, and now voice mail is working again. I also created another certificate with multiple SANs as you mentioned and assigned IMAP, POP, SMTP and IIS to it. This certificate has the following SANs in it: common name owa.mydomain.com, mail.mydomain.com, autodiscover.mydomain.com and Exchange's internal FQDN. I need to know what the Outlook Anywhere FQDN needs to look like: is it mail.mydomain.com or exchange.mydomain.com? I'm really confused about this! And which services do I assign this certificate to? Thanks. Mohammed JH
May 12th, 2012 5:15am

I have successfully solved the issue by creating a certificate that has the following SANs, with common name mail.mydomain.com: Exchange.internalDC.local, mail.domain.com, domain.com, autodiscover.domain.com, ExchangeServerName. Then I changed the OA FQDN to mail.mydomain.com and restarted IIS with the command iisreset /noforce. I created 2 listeners, one for OA and another for OWA. Each listener has a different IP that matches what's assigned to mail.domain.com and autodiscover.domain.com in my public DNS. After that, when I set up my account in Outlook, I noticed in the TMG log that it's looking for mail.domain.com/autodiscover/autodiscover.xml and mail.domain.com/ews and exchange, while I have all of these set up on autodiscover, which is the public name on the OA rule. To solve that I had to add the paths /ews/* /autodiscover/* /rpc/* and /OAB/* to the OWA rule that has mail.domain.com as public name. Now Outlook is set up and working perfectly. Thanks for all the help and sorry for the hassle. Mohammed JH
May 13th, 2012 5:57am

This topic is archived. No further replies will be accepted.