Hello,
I am trying to follow the MS white paper to use IPsec to secure Exchange 2010 Outlook Anywhere via TMG.
However, I am having trouble getting IPsec configured properly on the TMG server. When I configure the IPsec Connection Security Rule, the Exchange site is still accessible without any restrictions.
- I assigned an additional IP to the TMG server and created a new Web Listener
- As a first step to ensure that everything works without IPsec, I have published Exchange on TMG and verified that I can access the server normally using OWA and Outlook Anywhere
- The Root CA has been imported on the TMG servers.
- I then followed the steps to create the Connection Security Rule, where endpoint 1 is any IP and endpoint 2 is the IP of the TMG server, and configured it for computer authentication for inbound and outbound.
- At this point I believe that the published Exchange site should no longer be accessible, since it requires IPsec for HTTPS access to the Web Listener. However, this is not the case. I suspect that it is ignoring the Connection Security Rule that was configured within Windows 2008 R2 and not TMG.
The part I am confused about is that the white paper outlines adding the Connection Security Rule in Windows Firewall with Advanced Security. However, I thought that TMG basically overrides any Windows Firewall configuration with the firewall policies within TMG. So is there another way to set this up on TMG without having to configure any IPsec rules on the actual Exchange server?
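For reference, the following is an added example (not from the post, the white paper, or Microsoft) showing the netsh equivalent of the Connection Security Rule described above, together with the commands that reveal whether the rule is part of the live policy and whether any IPsec security associations are actually being negotiated. The listener IP and root CA subject are placeholders; on Windows Server 2008 R2 netsh advfirewall is the scripted interface, since the NetSecurity PowerShell cmdlets only arrived in later versions.

```powershell
# Added example, not code from the original post. Run in an elevated prompt
# on the TMG server. Values in <> are placeholders for your own environment.

$tmgListenerIp = '<additional-TMG-IP>'          # endpoint 2 in the post
$rootCaSubject = '<CN=Your Root CA,O=Contoso>'  # the imported root CA, as an X.500 subject

# Require IPsec with computer-certificate authentication in both directions
# for TCP/443 to the listener address. 'requireinrequireout' is the setting
# that rejects unauthenticated traffic; 'requestinrequestout' only asks for
# IPsec and falls back to clear text, so unauthenticated clients still connect.
netsh advfirewall consec add rule `
    name="Require IPsec to OA listener" `
    endpoint1=any endpoint2=$tmgListenerIp `
    action=requireinrequireout `
    auth1=computercert auth1ca="$rootCaSubject" `
    protocol=tcp port2=443 `
    enable=yes

# Check 1: is the rule stored with the intended action, endpoints and ports?
netsh advfirewall consec show rule name="Require IPsec to OA listener" verbose

# Check 2: is the rule part of the active policy the filtering platform enforces
# right now (a stored rule that does not appear here is not being applied)?
netsh advfirewall monitor show consec

# Check 3: after a client attempts a connection, do main-mode and quick-mode
# security associations appear? If the site loads and no SAs are listed, the
# traffic is not being matched by the rule at all.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```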