We are using Exchange Server 2007 Standard SP3. OWA and ActiveSync have already been set up and are working without any problems through the TMG 2010 firewall. The domain where TMG and Exchange have been installed is operating in Windows 2003 mode.
We would like to set up and use Outlook Anywhere with NTLM rather than Basic authentication. NTLM authentication offers one key advantage from an end-user perspective: when using a computer that is a member of our domain and logging on with cached credentials, the user does not need to re-enter their credentials. I was following the white paper “Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG or Forefront UAG”: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3
Everything has been set up according to the instructions from the white paper. Our UCC certificate has the list of required subject alternative names (SAN) and has been installed on the TMG and Exchange servers. As I mentioned before, clients are already using OWA and ActiveSync with this certificate without any problems.
Outlook Connection Status for internal users shows a successful HTTPS connection, but externally Outlook is still in “disconnected” mode.
When I run the “Outlook Anywhere (RPC over HTTP)” test on www.testexchangeconnectivity.com I get this error message:
“Testing HTTP Authentication Methods for URL https://mail.company.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL”.
Clicking on the “Test Rule” button for my Outlook Anywhere rule in TMG shows all happy green ticks.
From the TMG logs I can see denied connection with the status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Request: RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001
Protocol: https User: anonymous
Looking at the URL above, I don’t understand why http is there and not https. Plus, why is the user anonymous?!
I have spent hours trying to find out what I have missed. Please advise me on what needs to be done to make Outlook Anywhere work.
Thank you very much in advance.
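To make the log entries quoted in this post easier to work with, here is an added Python example (not from the thread, TMG or Exchange) that parses TMG-style denial records and pulls out the pieces a defender triages: the status code, the RPC-over-HTTP method, the backend server:port that rpcproxy.dll was asked to reach, and which user the request was logged as. The sample lines are constructed to mirror the fields the post quotes (status, request, protocol, user); the "|"-separated layout is an assumption, not the real TMG log format.

```python
"""Triage Outlook Anywhere (RPC over HTTP) denials in TMG-style log records.

Added example, not from the thread. The log lines below are constructed to
mirror the fields quoted in the original post; the field layout is an
assumption, not TMG's actual W3C log format.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample: "status | METHOD URL | protocol | user" per line.
# 6001/6004 are the usual Exchange RPC endpoints (store / NSPI) behind rpcproxy.
SAMPLE_LOG = """\
12202 | RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001 | https | anonymous
12202 | RPC_OUT_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6004 | https | anonymous
0 | GET https://mail.mycompany.com/owa/ | https | MYCOMPANY\\alice
0 | RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001 | https | MYCOMPANY\\bob
"""

# Outlook Anywhere uses exactly these two HTTP methods against rpcproxy.dll.
RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}

# rpcproxy.dll receives the backend RPC endpoint as "?server:port" in the query.
RPCPROXY_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/]+)/rpc/rpcproxy\.dll\?(?P<target>[^:]+):(?P<port>\d+)$",
    re.IGNORECASE,
)

# 12202 is the status quoted in the thread: "TMG denied the specified URL".
DENIED_URL_STATUS = "12202"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed record into its four fields, or None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    status, request, protocol, user = parts
    method, _, url = request.partition(" ")
    return {"status": status, "method": method, "url": url,
            "protocol": protocol, "user": user}


def rpc_target(url: str) -> Optional[Dict[str, str]]:
    """Return scheme/host/target/port parsed from an rpcproxy.dll request URL."""
    m = RPCPROXY_RE.match(url)
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, object]:
    """Summarise denied Outlook Anywhere requests: count, anonymous count,
    and which backend endpoints the denied requests were trying to reach."""
    denied = 0
    users: Counter = Counter()
    targets: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] not in RPC_METHODS:
            continue
        if rec["status"] != DENIED_URL_STATUS:
            continue
        denied += 1
        users[rec["user"]] += 1
        t = rpc_target(rec["url"])
        if t:
            targets[f"{t['target']}:{t['port']}"] += 1
    return {"denied": denied,
            "anonymous": users.get("anonymous", 0),
            "targets": dict(targets)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running it over the constructed sample reports two denied RPC requests, both logged as anonymous, against server1.mycompany.com:6001 and :6004; the successful RPC_IN_DATA from an authenticated user is excluded, which is the contrast to look for when deciding whether the denial happens before or after authentication completes.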
Hi,
Maybe this could help you, did you take a look at it?
http://security.sakuranohana.fr/2011/01/whitepaper-publier-outlook-anywhere.html
This was written for ISA/Ex2k7 but may help: http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html
Cheers
JJ
To Lionel LEPERLIER:
Thanks for your time, but the white paper you’re referring to is the same white paper I mentioned in my post.
Is TMG a member of the Windows Authorization Access Group as discussed here: http://support.microsoft.com/kb/947124
Cheers
JJ
Thanks Jason. I wish I could have seen your blog when I first started “playing” with Outlook Anywhere. I’m not an Exchange or TMG guru, so some of the topics you are talking about are a bit hard for me to understand.
At this stage, while I’m still digging through your article, the only implementation difference I can think of between your scenario and mine is that I’m using ONE certificate (Entrust UC Certificate with 10 SAN names) and not two (or more) like in your scenario. Also, you are using a third-party certificate externally and your own one (from an internal Certificate Authority) internally. My understanding was that SSL communication between all points (client-TMG-Exchange) must use the same certificate?! Another thing is that my certificate has a SAN name for mail.mycompany.com, but “mail” is not the first SAN name. I know that ISA had a problem with recognising certificates with multiple SAN names, but I think it was fixed with SP1. We are using TMG 2010 here; do I still need to recreate the certificate to make “mail” the first entry in the certificate?! We have “autodiscovery” as a SAN name in our SSL certificate; however, we don’t have an external DNS entry for autodiscovery.mycompany.com just yet. I think this is my problem. I was misled by the “almost” successful Microsoft Office Outlook Connectivity Tests (www.testexchangeconnectivity.com) for “Outlook Anywhere”. It didn’t state a problem with autodiscovery. However, running the specific “Outlook Autodiscover” test clearly indicates the problem with autodiscovery.
My plan of action would be to ask our ISP’s DNS admin to create an additional entry for autodiscovery.mycompany.com pointing to the same external IP address as mail.mycompany.com. Do you think I still need to request that the SSL certificate be recreated to define the certificate common name and first SAN as mail.mycompany.com, or is it OK to leave it as it is?
Thanks again
While our preference for Outlook Anywhere is NTLM authentication, I’m also “playing” with Basic Authentication. As soon as I change Outlook Anywhere authentication to Basic in Exchange, internal Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords. Is there any way (while I’m testing) I can “play” with authentication changes for OA in Exchange without affecting end users?!
It is best practice to use a public CA cert for TMG and an internal CA cert for Exchange... however you can use the same public cert on both Exchange and TMG if you have no internal CA.
I think TMG is a lot more tolerant with regard to the SAN entries and what name is included as the certificate common name, so this shouldn't be an issue (I think).
You will need an autodiscover entry in DNS, as this is used repeatedly by the Outlook Anywhere client to find Exchange services like Offline Address Book, Out of Office etc. However, as per my blog, you will need a dedicated IP address for autodiscover, so this cannot be the same as your IP address for mail.mycompany.com.
Cheers
JJ
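The certificate question raised above (whether “mail” has to be the first SAN entry) comes down to how a validator matches a hostname against a certificate's names. The following Python example is added here and is not code from the thread, TMG or Exchange; it implements the standard RFC 6125 rules (all dNSName SAN entries are checked as a set, case-insensitively, a wildcard is honoured only as the whole left-most label, and the CN is consulted only when the certificate carries no dNSName SANs) against a constructed UC certificate whose SAN list deliberately does not start with “mail”. Hostnames and the certificate contents are constructed stand-ins.

```python
"""Check whether a hostname is covered by a certificate's names (RFC 6125).

Added example, not from the thread or from TMG/Exchange. UC_CERT is a
constructed stand-in for a multi-SAN UC certificate; only the CN and the
dNSName SAN list matter for name matching, so nothing else is modelled.
"""
from typing import Dict, List

# Constructed certificate: CN is not "mail", and "mail" is not the first SAN.
UC_CERT: Dict[str, object] = {
    "cn": "owa.mycompany.com",
    "san_dns": [
        "owa.mycompany.com",
        "autodiscover.mycompany.com",
        "legacy.mycompany.com",
        "mail.mycompany.com",        # deliberately not the first entry
        "*.internal.mycompany.com",  # wildcard covering one label only
    ],
}


def _name_match(pattern: str, host: str) -> bool:
    """Match one presented identifier against a host name.

    A wildcard is accepted only as the complete left-most label and only
    when at least two labels follow it, so "*.com" and "m*.example.com"
    are rejected (the conservative reading of RFC 6125 section 6.4.3).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Dict[str, object], host: str) -> bool:
    """True if the certificate's names cover `host`.

    When dNSName SAN entries are present they are authoritative and the CN
    is ignored; the CN is used only for legacy certificates with no SANs.
    The order of SAN entries plays no part in the decision.
    """
    sans: List[str] = list(cert.get("san_dns", []))  # type: ignore[arg-type]
    if sans:
        return any(_name_match(s, host) for s in sans)
    cn = cert.get("cn")
    return bool(cn) and _name_match(str(cn), host)


def uncovered_hosts(cert: Dict[str, object], hosts: List[str]) -> List[str]:
    """Return the published hostnames that this certificate would NOT cover."""
    return [h for h in hosts if not cert_covers(cert, h)]


if __name__ == "__main__":
    published = ["mail.mycompany.com", "autodiscover.mycompany.com",
                 "cas1.internal.mycompany.com", "smtp.mycompany.com"]
    for h in published:
        print(f"{h:32} covered={cert_covers(UC_CERT, h)}")
    print("uncovered:", uncovered_hosts(UC_CERT, published))
```

With the constructed certificate, mail.mycompany.com and autodiscover.mycompany.com are both covered even though neither is the CN or the first SAN, while smtp.mycompany.com is flagged as uncovered. Note that a certificate covering autodiscover.mycompany.com does nothing about DNS: the name still has to resolve, which is the separate problem the poster identified.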
Why are internal clients using Outlook
The web listener used for Outlook Anywhere authentication needs to be enabled for Windows Integrated authentication; consequently, it needs to be a dedicated listener, as TMG cannot do both Windows and FBA at the same time on the same listener. This means it needs a dedicated IP address (bound to just that listener) and is unlikely to be used by other rules...
If you cannot dedicate an IP address, you can use a single IP, but you will then need to use basic authentication for Outlook Anywhere and NTLM is not an option...
Cheers
JJ
So...
OWA, ActiveSync => mail.mydomain.com => Public IP1 => Web Listener with HTML Forms
Outlook Anywhere => autodiscover.mydomain.com => Public IP2 => Web Listener with HTTP Auth (Integrated)
TMG rules for OWA/ActiveSync use Web Listener with HTML Forms
TMG rules for Outlook Anywhere (and associated autodiscover stuff) use Web Listener with HTTP Auth (Integrated)
Cheers
JJ
Thanks James for your time again. I will go and reconfigure my settings following your advice. It will take a few days for that to happen, mainly because of waiting for our ISP to register the “autodiscovery” host name. I’ll come back to you with my progress. Cheers
We have Outlook Anywhere set up using basic authentication. We would like to change it to use NTLM instead. Do we have to create a new certificate request from Exchange for TMG and a new Listener? Or can we modify the existing Listener to use NTLM instead of basic?
Exchange 2010