TMG publishing Exchange 2013
-
Friday, January 18, 2013 9:21 AM
Hi all,
I have just set up Exchange 2013 and am trying to publish OWA, EAS and Outlook Anywhere via TMG 2010 (fully patched) on Server 2008 R2.
TMG is set up as a back firewall; the edge has its own firewall.
It goes like this:
Internet
|
Edge firewall (NAT)
|
DMZ (192.168.xxx.0/24) - perimeter
|
TMG (dual nic, one in DMZ and one in LAN)
|
LAN (172.23.xxx.0/24) Exchange 2013 servers (2 x servers running all services setup as DAG)
The routing between the perimeter and the LAN is a route, not NAT. OWA on the Exchange boxes is basic auth and this simply worked out of the box (I get the Forefront form and then go straight into OWA), no changes needed, but I can't get EAS or Outlook Anywhere to work.
When I test using the Exchange connectivity analyser for EAS, it fails on the OPTIONS command; the error clearly shows the internal URL of one of the Exchange servers, but the port number has been changed to 444.
On the Exchange box there is an Exchange back-end website and this is bound to port 444, but the real client access is using the Default Web Site, which is bound to port 443 with the correct certs set up.
Anyone have any ideas?
All Replies
-
Friday, January 18, 2013 9:53 AM
Autodiscover info from internal outlook client (replaced domains):
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Administrator</DisplayName>
<LegacyDN>/o=OUGroup x/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=cdf78fbf7bb44c33925803ca06a69326-Admin</LegacyDN>
<AutoDiscoverSMTPAddress>Administrator@externaldomain.COM</AutoDiscoverSMTPAddress>
<DeploymentId>6e1ffce1-3605-4da8-92c1-eed5027fff88</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<MicrosoftOnline>False</MicrosoftOnline>
<Protocol>
<Type>EXCH</Type>
<Server>6233ca16-5193-4aca-ac95-2f89a989d1cc@externaldomain.com</Server>
<ServerDN>/o=OUGroup x/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=6233ca16-5193-4aca-ac95-2f89a989d1cc@externaldomain.com</ServerDN>
<ServerVersion>73C08204</ServerVersion>
<MdbDN>/o=OUGroup x/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=6233ca16-5193-4aca-ac95-2f89a989d1cc@externaldomain.com/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>EXCHANGE01.internaldomain.LOCAL</PublicFolderServer>
<AD>DC01.internaldomain.LOCAL</AD>
<ASUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://exchange01.internaldomain.local/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=internaldomain.LOCAL</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=internaldomain.LOCAL</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-extinstall>
<OOFUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://exchange01.internaldomain.local/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://exchange01.internaldomain.local/OAB/df4d086a-6d15-4c6b-a6c1-ed0d1a5f8327/</OABUrl>
<ServerExclusiveConnect>off</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>owa.externaldomain.com</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://owa.externaldomain.com/ews/exchange.asmx</ASUrl>
<EwsUrl>https://owa.externaldomain.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://owa.externaldomain.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://owa.externaldomain.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=internaldomain.LOCAL</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=internaldomain.LOCAL</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-extinstall>
<OOFUrl>https://owa.externaldomain.com/ews/exchange.asmx</OOFUrl>
<UMUrl>https://owa.externaldomain.com/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://owa.externaldomain.com/OAB/df4d086a-6d15-4c6b-a6c1-ed0d1a5f8327/</OABUrl>
<ServerExclusiveConnect>on</ServerExclusiveConnect>
<EwsPartnerUrl>https://owa.externaldomain.com/ews/exchange.asmx</EwsPartnerUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Ntlm, WindowsIntegrated">https://exchange01.internaldomain.local/owa/</OWAUrl>
<OWAUrl AuthenticationMethod="Basic, Ntlm, WindowsIntegrated">https://exchange02.internaldomain.local/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://owa.externaldomain.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://owa.externaldomain.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>exchange02.internaldomain.local</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://exchange01.internaldomain.local/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=internaldomain.LOCAL</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=internaldomain.LOCAL</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-extinstall>
<OOFUrl>https://exchange01.internaldomain.local/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://exchange01.internaldomain.local/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://exchange01.internaldomain.local/OAB/df4d086a-6d15-4c6b-a6c1-ed0d1a5f8327/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>owa.externaldomain.com</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://owa.externaldomain.com/ews/exchange.asmx</ASUrl>
<EwsUrl>https://owa.externaldomain.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://owa.externaldomain.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://owa.externaldomain.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=internaldomain.LOCAL</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=internaldomain.LOCAL</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=internaldomain.LOCAL</EcpUrl-extinstall>
<OOFUrl>https://owa.externaldomain.com/ews/exchange.asmx</OOFUrl>
<UMUrl>https://owa.externaldomain.com/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://owa.externaldomain.com/OAB/df4d086a-6d15-4c6b-a6c1-ed0d1a5f8327/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
<AlternativeMailbox>
<Type>Delegate</Type>
<DisplayName>Support</DisplayName>
<SmtpAddress>Support@externaldomain.COM</SmtpAddress>
</AlternativeMailbox>
<AlternativeMailbox>
<Type>Delegate</Type>
<DisplayName>Office</DisplayName>
<SmtpAddress>Office@externaldomain.COM</SmtpAddress>
</AlternativeMailbox>
<AlternativeMailbox>
<Type>Delegate</Type>
<DisplayName>Sales</DisplayName>
<SmtpAddress>sales@externaldomain.COM</SmtpAddress>
</AlternativeMailbox>
</Account>
</Response>
</Autodiscover>
-
Friday, January 18, 2013 12:03 PM
Also worth noting: I can complete the web publishing rule test, which comes back fine (other than an unauthorised message on each service, but that's just because no user is supplied on the test, I assume).
When I test, it's clearly showing port 443, but when I check with the external Exchange analyser tool it's showing the internal URL with port 444.
-
Monday, January 21, 2013 6:08 AM (Moderator)
Hi,
Thank you for the post.
“On the Exchange box there is an Exchange back-end website and this is bound to port 444” - how did you create the Exchange publishing rule? Can you access the Exchange site from internal? What does live logging tell you when an external user accesses the Exchange service?
Regards,
Nick Gu - MSFT
-
Monday, January 21, 2013 8:06 AM
Hi,
OWA is working fine for internal users; it's set up for basic and integrated auth, so once the internal domain is added to the Intranet Sites zone the page just loads (Windows auth).
On the publishing rule, the Exchange farm is selected, the same as the working OWA rule, and the internal domain name is owa.internaldomain.local (this host record points to both Exchange servers in DNS).
TMG live logging shows the connection as allowed but with a message of unauthorised. Also, there is no mention of port 444 in the rule or in the logging, only when I test with the external Exchange connectivity analyser.
-
Tuesday, January 22, 2013 1:12 PM
OK, wow, I feel a tad silly now. I was testing with the Administrator account, which I have just remembered (or was reminded of by someone; I prefer the first ;) ) is denied access to EAS!
Big DOH!
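Two things in this thread are worth checking before blaming the TMG rule: whether the test account is allowed to use EAS at all (the root cause above), and whether any client-facing virtual directory or Outlook Anywhere setting advertises the back-end site on port 444 instead of the published name on 443 (the symptom in the first post). The following is an added example, not code from the thread, that runs these checks in the Exchange 2013 Management Shell with real cmdlets (Get-CASMailbox, Get-ActiveSyncVirtualDirectory, Get-WebServicesVirtualDirectory, Get-OabVirtualDirectory, Get-OutlookAnywhere). The published hostname owa.externaldomain.com is taken from the thread; the mailbox name "testuser" is a placeholder.

```powershell
# Added example (not from the thread). Run in the Exchange 2013 Management Shell.
# Assumptions: owa.externaldomain.com is the name TMG publishes (from the thread);
# "testuser" is a placeholder for the mailbox you test EAS / Outlook Anywhere with.
$PublishedHost = 'owa.externaldomain.com'
$TestMailbox   = 'testuser'

$problems = @()

# 1. Is the test account permitted to use ActiveSync?
#    In the thread the test was done with an account that is denied EAS,
#    which fails the OPTIONS step no matter how TMG is configured.
$cas = Get-CASMailbox -Identity $TestMailbox
if (-not $cas.ActiveSyncEnabled) {
    $problems += "$TestMailbox has ActiveSyncEnabled = False; test with a mailbox that is allowed to use EAS."
}
if (-not $cas.OWAEnabled) {
    $problems += "$TestMailbox has OWAEnabled = False."
}

# 2. Do the client-facing virtual directories point at the published name on 443?
#    The back-end site listens on 444 and must never appear in a client-facing URL.
#    Back-end vdir entries are skipped; only the Default Web Site ones matter to clients.
$vdirs = @(Get-ActiveSyncVirtualDirectory) +
         @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory) |
         Where-Object { $_.Identity -notlike '*Exchange Back End*' }

foreach ($v in $vdirs) {
    foreach ($url in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($url -and $url.Port -eq 444) {
            $problems += "$($v.Identity): $url points at the back-end site (port 444)."
        }
    }
    if (-not $v.ExternalUrl) {
        $problems += "$($v.Identity): ExternalUrl is empty; external clients get no usable URL."
    }
    elseif ($v.ExternalUrl.Host -ne $PublishedHost) {
        $problems += "$($v.Identity): ExternalUrl host '$($v.ExternalUrl.Host)' is not '$PublishedHost'."
    }
    elseif ($v.ExternalUrl.Scheme -ne 'https') {
        $problems += "$($v.Identity): ExternalUrl is not HTTPS."
    }
}

# 3. Outlook Anywhere: external hostname must be the published name and require SSL,
#    so the RPC-over-HTTP endpoint TMG sees matches the certificate on the rule.
Get-OutlookAnywhere | Where-Object { $_.Identity -notlike '*Exchange Back End*' } | ForEach-Object {
    if ("$($_.ExternalHostname)" -ne $PublishedHost) {
        $problems += "$($_.Identity): Outlook Anywhere ExternalHostname '$($_.ExternalHostname)' is not '$PublishedHost'."
    }
    if (-not $_.ExternalClientsRequireSsl) {
        $problems += "$($_.Identity): ExternalClientsRequireSsl is False."
    }
    # Report (not judge) the auth method, since it has to match what the TMG rule delegates.
    Write-Host "$($_.Identity): ExternalClientAuthenticationMethod = $($_.ExternalClientAuthenticationMethod)"
}

if ($problems.Count -eq 0) {
    Write-Host 'No EAS / Outlook Anywhere configuration problems found.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it on one of the Client Access servers; anything it reports under item 1 reproduces the thread's "unauthorised" result without TMG being involved, while items 2 and 3 cover the case where the connectivity analyser is shown an internal name or port 444 because that is what Exchange itself handed out.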
-
Friday, January 25, 2013 2:42 AM (Moderator)
Hi,
Thank you for the update.
Please read this whitepaper on publishing EAS and Outlook Anywhere: http://go.microsoft.com/fwlink/?LinkId=197136.
Regards,
Nick Gu - MSFT
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Monday, January 28, 2013 1:31 AM
- Marked As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Wednesday, January 30, 2013 1:41 AM

