Forefront TMG with Exchange 2013 Issues
I am dealing with an Exchange 2007 to 2013 migration. The migration is moving along smoothly, but I'm having an issue with the Forefront TMG server (Ver 7.0.9193.500) the client has handling OWA and ActiveSync. They are using self-signed certs as well. OWA seems to work fine through the Forefront server. However, ActiveSync is not working. I had to create the internally signed cert with the local server name in the CN for Windows XP workstations to communicate with the server. The only issue I'm seeing is an error when testing the publishing rule. I get "Category: Destination Server Certification error, Error details: 0x80090322 - The Target principal name is incorrect." I'm not sure what else the issue
June 29th, 2013 6:02pm

Hi,

You should use an internal CA certificate or an external CA certificate; a self-signed certificate won't be trusted by client computers. WP8 must trust external CAs by default, while you have to install the root CA cert onto the WP8 device if you'll be using an internal CA.

Regards..

Himanshu Rana

June 29th, 2013 6:17pm

I'm aware of that; I don't have any choice, I need to use self-signed. Other phones that have the root cert installed already still cannot connect to the Exchange server.
June 29th, 2013 6:18pm

By self-signed, you mean an internal CA certificate... right?

Could you please let me know the SAN entries in the certificate you are using in activesync publishing rule?

Make sure you have configured basic authentication.

Regards..

June 29th, 2013 6:47pm

I'm using basic authentication, and yes, I meant internally signed. The CN on the cert is the internal server name. The external server name is an alternate name.
June 29th, 2013 6:48pm

Please test using https://www.testexchangeconnectivity.com/ and post the results of the ActiveSync test. Also, please verify whether your Outlook client on a computer can perform Autodiscover.

June 29th, 2013 6:58pm

The autodiscover DNS record does not exist so I have to do everything manually. I installed the root cert on my WP8 device but I still get the same error. The only issue the testexchangeconnectivity site has is that it doesn't trust the cert because it's internally s

June 29th, 2013 7:01pm

I made a change to the firewall policy rule for ActiveSync on Forefront and now I'm getting error 86000C0A on my phone. I had to enable inheritance on the AD account I was using, and now my phone is working. Just waiting to hear if it's working for other
June 29th, 2013 7:12pm

An internal cert should work if it has the proper SAN names. Please provide more information about the environment:

1. External name of server

2. Internal name of server. (If using a CAS array, then the name must be the CAS array's.)

3. Are both names included in the cert?

4. How is the TMG rule configured?

5. Please check the logs in TMG.

June 29th, 2013 7:26pm

OK, great... good to hear it's working!
June 29th, 2013 7:36pm

So besides the account issues I had, the resolution in Forefront was to go to the Firewall Policy properties and go to the "To" tab. Under where it says "This rule applies to this published site" I changed the name there from the old Exchange server to the name of the new CAS server and applied the changes. After that it started working properly.
June 30th, 2013 12:49am
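The fix above comes down to one thing: TMG validates the certificate the backend presents against the name typed in the publishing rule's "To" tab, so a rule still pointing at the old Exchange 2007 server name fails with 0x80090322 as soon as the published site is the new CAS with a cert issued for the new name. The script below is an added example, not code from the original thread or from Microsoft: it reproduces that name check offline against a constructed certificate dictionary (in the shape Python's `ssl` module returns), and optionally fetches the real certificate from a backend when pointed at the internal root CA. All host names (`exch2007.corp.local`, `exch2013.corp.local`, `mail.example.com`) and the CA file path are assumptions for illustration.

```python
"""Check which published-site names a backend certificate would satisfy.

Added example (not from the original thread). Host names are made up.
"""
import socket
import ssl
from typing import List, Optional

# Constructed sample: CN is the internal server name, SAN carries the
# internal and external names, as described in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "exch2013.corp.local"),),),
    "subjectAltName": (
        ("DNS", "exch2013.corp.local"),
        ("DNS", "mail.example.com"),
    ),
    "notAfter": "Jun 29 00:00:00 2015 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact (case-insensitive) match, or a
    single leading wildcard label (*.corp.local) covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern[2:].split(".")
        h_labels = hostname.split(".")
        # The wildcard never matches the bare domain or more than one label.
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def cert_names(cert: dict) -> List[str]:
    """Names a verifier compares against: SAN dNSName entries, falling back
    to the subject CN only when the certificate carries no SAN at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def principal_name_ok(cert: dict, published_name: str) -> bool:
    """True if the name the proxy connects to appears in the cert's names.
    A False result is the condition behind 'Target principal name is incorrect'."""
    return any(_dns_name_matches(name, published_name) for name in cert_names(cert))


def fetch_peer_cert(host: str, port: int = 443,
                    ca_file: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Fetch the certificate the backend actually presents.

    Chain trust comes from ca_file (assumed to be the internal root CA's PEM);
    hostname checking is switched off so the cert can be read even when the
    name is wrong, and principal_name_ok() then does the name comparison.
    Requires network access; not exercised by the offline sample below.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def report(cert: dict, candidate_names: List[str]) -> List[str]:
    """Return one line per candidate 'To'-tab name with its verdict."""
    lines = []
    for name in candidate_names:
        verdict = "OK" if principal_name_ok(cert, name) else "mismatch (0x80090322)"
        lines.append(f"{name:25s} {verdict}")
    return lines


if __name__ == "__main__":
    # Old server name (still in the rule), new CAS name, and external name.
    for line in report(SAMPLE_CERT, ["exch2007.corp.local",
                                     "exch2013.corp.local",
                                     "mail.example.com"]):
        print(line)
```

Against a live backend, call `fetch_peer_cert("exch2013.corp.local", ca_file="internal-root.pem")` (assumed names) and pass the result to `report()`; the name that comes back "OK" is the one that belongs in the "To" tab, and the external name only passes because it is in the SAN, which is the reason the answer above asks whether both names are on the cert.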
