Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG
Hi there,

We are using Exchange Server 2007 Standard SP3. OWA and ActiveSync already have been setup and working without any problems through TMG 2010 firewall. The domain where TMG and Exchange have been installed is operating in Windows 2003 mode.

We would like to set up and use Outlook Anywhere with NTLM rather than Basic authentication. NTLM authentication offers one key advantage from an end-user perspective: when using a computer that is a member of our domain and logging on with cached credentials, the user does not need to re-enter their credentials. I was following the white paper “Publishing Outlook Anywhere Using NTLM Authentication with Forefront TMG or Forefront UAG” http://www.microsoft.com/downloads/en/details.aspx?FamilyID=040b31a0-9a69-4278-9808-e52f08ffaee3

Everything has been setup according to the instruction from the white papers. Our UCC certificate has list of the required subject alternative names (SAN) and has been installed on TMG and Exchange server. As I had mentioned before, clients already are using OWA and ActiveSync with this certificate without any problems.

Outlook Connection Status for the internal users shows a successful HTTPS connection, but externally Outlook is still in “disconnected” mode.
 
When I run “Outlook Anywhere (RPC over HTTP)” test on www.testexchangeconnectivity.com I have this error message:

“Testing HTTP Authentication Methods for URL https://mail.company.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL”.

Clicking on the “Test Rule” button for my Outlook Anywhere rule in TMG shows all happy green ticks.

From the TMG logs I can see denied connection with the status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL).
Request: RPC_IN_DATA http://mail.mycompany.com/rpc/rpcproxy.dll?server1.mycompany.com:6001
Protocol: https User: anonymous

Looking at the URL above, I don’t understand why http is there and not https. Plus, why is the user anonymous?!

I have spent hours trying to find out what I have missed. Please advise me on what needs to be done to make this Outlook Anywhere to work.

Thank you very much in advance.
March 24th, 2011 8:06am
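Added example (not part of the original thread): a small PowerShell probe that requests the published rpcproxy.dll URL from outside without credentials and classifies the first response. The three outcomes the testexchangeconnectivity check is distinguishing are a 401 with an NTLM/Negotiate challenge (the Integrated listener answered), a 401 with only Basic, and the 403 from the rule that the poster sees. The URL and the sample responses at the bottom are assumptions, constructed for the example.

```powershell
# Added example, not part of the original thread. URL and sample responses
# are assumptions; replace mail.mycompany.com with the published name.

function Get-AuthSchemes {
    # Reduce WWW-Authenticate header values (possibly comma-joined, possibly
    # carrying 'realm=...' parameters) to a unique list of scheme names.
    param([string[]]$WwwAuthenticate)
    $schemes = @()
    foreach ($h in $WwwAuthenticate) {
        foreach ($part in ($h -split ',')) {
            $tok = $part.Trim().Split(' ')[0]
            if ($tok) { $schemes += $tok }
        }
    }
    return @($schemes | Sort-Object -Unique)
}

function Classify-RpcProxyResponse {
    param([int]$StatusCode, [string[]]$WwwAuthenticate)
    switch ($StatusCode) {
        401 {
            $s = Get-AuthSchemes $WwwAuthenticate
            if ($s -contains 'NTLM' -or $s -contains 'Negotiate') { return "integrated ($($s -join ', '))" }
            if ($s -contains 'Basic') { return 'basic' }
            return "401 without a usable challenge ($($s -join ', '))"
        }
        403     { return 'denied-by-rule (what TMG logs as 12202)' }
        302     { return 'redirected (not an RPC proxy challenge)' }
        default { return "unexpected $StatusCode" }
    }
}

function Probe-RpcProxy {
    param([string]$Url = 'https://mail.mycompany.com/rpc/rpcproxy.dll')   # assumption
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # a redirect is itself a finding, do not follow it
    $req.Credentials = $null          # we want the challenge, not an authenticated session
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response  # 401/403 surface as exceptions in .NET
    }
    $hdrs = $resp.Headers.GetValues('WWW-Authenticate')
    if (-not $hdrs) { $hdrs = @() }
    $code = [int]$resp.StatusCode
    $resp.Close()
    New-Object PSObject -Property @{
        Url     = $Url
        Status  = $code
        Schemes = (Get-AuthSchemes $hdrs) -join ', '
        Verdict = Classify-RpcProxyResponse -StatusCode $code -WwwAuthenticate $hdrs
    }
}

# Constructed sample responses (not captured from a real server):
Classify-RpcProxyResponse 401 @('Negotiate', 'NTLM')                   # integrated (NTLM, Negotiate)
Classify-RpcProxyResponse 401 @('Basic realm="mail.mycompany.com"')    # basic
Classify-RpcProxyResponse 403 @()                                      # denied-by-rule (what TMG logs as 12202)

# Live probe against the published name (needs outbound HTTPS from this box):
# Probe-RpcProxy | Format-List
```

Run the live probe from a machine outside the perimeter. The “User: anonymous” in the TMG log is exactly what this first request looks like: no credentials have been sent yet, so the only thing the edge can do is challenge (401) or, as here, refuse the URL outright (403).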

Hi,

Maybe this could help you did you take a look at it ?

http://security.sakuranohana.fr/2011/01/whitepaper-publier-outlook-anywhere.html

March 24th, 2011 11:31am

This was written for ISA/Ex2k7 but may help: http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Cheers

JJ

March 24th, 2011 12:35pm

To Lionel LEPERLIER:

Thanks for your time, but the white paper article you’re referring to is the actual white paper article I mentioned in my post.

March 24th, 2011 1:25pm

Is TMG a member of the Windows Authorization Access Group as discussed here: http://support.microsoft.com/kb/947124

Cheers

JJ

March 24th, 2011 3:22pm
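Added example (not part of the original thread): a read-only PowerShell check for the condition JJ points at, whether the TMG computer account is a direct member of Windows Authorization Access Group. It uses ADSI so it runs on any domain-joined box without the AD module. The TMG computer name is an assumption.

```powershell
# Added example, not part of the original thread. The computer name is an
# assumption; pass the real NetBIOS name of the TMG server.
function Test-WaagMembership {
    param([string]$ComputerName = 'TMG01')   # assumption

    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNc = [string]$rootDse.defaultNamingContext
    $domain    = [ADSI]"LDAP://$defaultNc"

    # Windows Authorization Access Group is a Builtin domain-local group
    # (well-known SID S-1-5-32-560); look it up by sAMAccountName.
    $gs = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain
    $gs.Filter = '(&(objectCategory=group)(sAMAccountName=Windows Authorization Access Group))'
    [void]$gs.PropertiesToLoad.Add('distinguishedName')
    [void]$gs.PropertiesToLoad.Add('member')
    $grp = $gs.FindOne()
    if (-not $grp) { throw 'Windows Authorization Access Group not found in this domain' }

    # Computer accounts have a trailing $ in sAMAccountName.
    $cs = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $domain
    $cs.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$cs.PropertiesToLoad.Add('distinguishedName')
    $comp = $cs.FindOne()
    if (-not $comp) { throw "Computer account $ComputerName not found" }

    $compDn  = [string]$comp.Properties['distinguishedname'][0]
    $grpDn   = [string]$grp.Properties['distinguishedname'][0]
    $members = @($grp.Properties['member'] | ForEach-Object { [string]$_ })

    # -contains is case-insensitive, which is what we want for DNs.
    $isMember = $members -contains $compDn

    if (-not $isMember) {
        Write-Warning ("$ComputerName is not a direct member of $grpDn. " +
            "Add it on a domain controller with: net localgroup " +
            "`"Windows Authorization Access Group`" $ComputerName`$ /add " +
            "and restart TMG so its computer token picks up the new group.")
    }

    New-Object PSObject -Property @{
        Computer = $compDn
        Group    = $grpDn
        IsMember = $isMember
    }
}

Test-WaagMembership -ComputerName 'TMG01' | Format-List
```

The check only looks at direct membership, which is how the group is normally populated for this purpose; nested membership would show up in the computer's tokenGroups instead. A group change on a computer account is not seen by the running TMG services until the machine's token is rebuilt, so plan a restart of the TMG server after adding it.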

Thanks Jason. I wish I had seen your blog when I first started “playing” with Outlook Anywhere. I’m not an Exchange or TMG guru, so some of the topics you are talking about are a bit hard for me to understand.

At this stage, while I’m still digging through your article, the only thing I can think of is implementation differences between your scenario and mine: I’m using ONE certificate (Entrust UC Certificate with 10 SAN names) and not two (or more) like in your scenario. Also, you are using a third-party certificate externally and your own one (from an internal Certificate Authority) internally. My understanding was that SSL communication between all points (client-TMG-Exchange) must use the same certificate?! Another thing is that my certificate has a SAN name for mail.mycompany.com, but “mail” is not the first SAN name. I know that ISA had a problem with recognising certificates with multiple SAN names, but I think it was fixed with SP1. We are using TMG 2010 here; do I still need to recreate the certificate to make “mail” the first entry in the certificate?! We have “autodiscovery” as a SAN name in our SSL certificate; however, we don’t have an external DNS entry autodiscovery.mycompany.com just yet. I think this is my problem. I was mistaken about the “almost” successful Microsoft Office Outlook Connectivity Tests (www.testexchangeconnectivity.com) for “Outlook Anywhere”. It didn’t state a problem with autodiscovery. However, running the specific “Outlook Autodiscover” test clearly indicates the problem with autodiscovery.

My plan of action would be to request that our ISP DNS admin create an additional entry for autodiscovery.mycompany.com pointing to the same external IP address as mail.mycompany.com. Do you think I still need to request that the SSL certificate be recreated to define the certificate common name and first SAN as mail.mycompany.com, or is it OK to leave it as it is?

Thanks again

March 25th, 2011 2:15am

While our preference for Outlook Anywhere is NTLM authentication, I’m also “playing” with Basic authentication. As soon as I change Outlook Anywhere authentication to Basic in Exchange, internal Outlook users start complaining that new windows are popping up on their screens asking them to type their passwords. Is there any way (while I’m testing) I can “play” with authentication changes for OA in Exchange without affecting end users?!

March 25th, 2011 2:25am

It is best practice to use a public CA cert for TMG and an internal CA cert for Exchange... however, you can use the same public cert on both Exchange and TMG if you have no internal CA.

I think TMG is a lot more tolerant with regard to the SAN entries and what name is included as the certificate common name, so this shouldn't be an issue (I think).

You will need an autodiscover entry in DNS, as this is used repeatedly by the Outlook Anywhere client to find Exchange services like Offline Address Book, Out of Office etc. However, as per my blog, you will need a dedicated IP address for autodiscover, so this cannot be the same as your IP address for mail.mycompany.com.

Cheers

JJ

March 25th, 2011 2:54am

Why are internal clients using Outlook
March 25th, 2011 2:55am


The web listener used for Outlook Anywhere authentication needs to be enabled for Windows Integrated authentication, consequently it needs to be a dedicated listener as TMG cannot do both Windows and FBA at the same time on the same listener. This means it needs a dedicated IP address (bound to just that listener) and is unlikely to be used by other rules...

If you cannot dedicate an IP address, you can use a single IP, but you will then need to use basic authentication for Outlook Anywhere and NTLM is not an option...

Cheers

JJ

March 25th, 2011 4:22am

So...

OWA, ActiveSync => mail.mydomain.com => Public IP1 => Web Listener with HTML Forms

Outlook Anywhere => autodiscover.mydomain.com => Public IP2 => Web Listener with HTTP Auth (Integrated)

TMG rules for OWA/ActiveSync use Web Listener with HTML Forms

TMG rules for Outlook Anywhere (and associated autodiscover stuff) use Web Listener with HTTP Auth (Integrated)

Cheers

JJ

 

March 25th, 2011 4:28am
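Added example (not part of the original thread): the Exchange side of the layout JJ describes, run in the Exchange Management Shell on the Client Access Server (Exchange 2007 SP1 or later cmdlet syntax). It switches Outlook Anywhere to NTLM, sets the external host name to the name published on the Integrated-auth listener, and confirms that name is covered by the certificate enabled for IIS. The server and host names are assumptions; the host name follows JJ's two-listener layout above.

```powershell
# Added example, not part of the original thread. $cas and $externalHost are
# assumptions; $externalHost must resolve externally to the TMG listener that
# does Integrated (NTLM) authentication, per JJ's layout.
$cas          = 'server1'
$externalHost = 'autodiscover.mydomain.com'

# 1. Put Outlook Anywhere into NTLM mode (enable it first if it is not on yet).
#    SSLOffloading stays $false because TMG bridges HTTPS to HTTPS on the CAS.
$oa = Get-OutlookAnywhere -Server $cas -ErrorAction SilentlyContinue
if (-not $oa) {
    Enable-OutlookAnywhere -Server $cas -ExternalHostname $externalHost `
        -ClientAuthenticationMethod Ntlm -SSLOffloading $false
} else {
    Set-OutlookAnywhere -Identity $oa.Identity -ExternalHostname $externalHost `
        -ClientAuthenticationMethod Ntlm
}
Get-OutlookAnywhere -Server $cas |
    Format-List Server, ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# 2. The name Outlook is handed must be on the certificate bound to IIS here
#    (and on the TMG listener certificate, which in the OP's case is the same one).
$certs = @(Get-ExchangeCertificate -DomainName $externalHost |
    Where-Object { $_.Services -match 'IIS' })
if ($certs.Count -eq 0) {
    Write-Warning "$externalHost is not covered by any certificate enabled for IIS on this server"
} else {
    $certs | Format-List Thumbprint, CertificateDomains, Services, NotAfter
}

# 3. Exchange's own consistency check of what Autodiscover hands to Outlook
#    (OAB, OOF, Outlook Anywhere settings).
Test-OutlookWebServices -ClientAccessServer $cas | Format-Table Id, Type, Message -AutoSize
```

Step 1 is what changes the challenge Outlook receives; if the TMG rule for the /rpc path is still on the forms-based listener, clients will never get an NTLM challenge no matter what Exchange is set to, which is the point of JJ's dedicated listener.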

Thanks James for your time again. I will go and reconfigure my settings following your advice. It will take a few days for that to happen, mainly because of waiting for our ISP to register the “autodiscovery” host name. I’ll come back to you with my progress. Cheers

March 25th, 2011 7:04am

You could test using a local edited hosts file on a test client in the interim...
March 25th, 2011 12:52pm

We have Outlook Anywhere set up using basic authentication. We would like to change it to use NTLM instead. Do we have to create a new certificate request from Exchange for TMG and a new listener? Or can we modify the existing listener to use NTLM instead of basic?

Exchange 2010 

October 8th, 2013 11:21pm
