Exchange 2010 RPC over TMG

  • Question

  • If a test rule shows me that I am unable to reach paths:

    /OAB/

    /ews/

    but Outlook Anywhere still works on a client connecting from outside world (internet), should I be concerned?


    bostjanc

    Thursday, May 17, 2012 1:32 PM

Answers

  • Running the command:

    Set-OabVirtualDirectory red-cas-1\* -BasicAuthentication:$true

    shows me a warning that I should set RequireSSL. Is this necessary?


    bostjanc

    AFAIK, this should not be necessary. We have no errors with Exchange 2010 / TMG 2010. The output here shows this:

    [PS] C:\>Get-OabVirtualDirectory | Format-List Name, BasicAuthentication, RequireSSL

    Name                : OAB (Default Web Site)
    BasicAuthentication : True
    RequireSSL          : False

    Name                : OAB (Default Web Site)
    BasicAuthentication : True
    RequireSSL          : False


    MCTS: Messaging | MCSE: S+M

    • Marked as answer by B_C_R Friday, May 18, 2012 8:37 AM
    Friday, May 18, 2012 8:36 AM

All replies

  • Well, first question to you would be to find out if the clients can properly download the offline address book (OAB). When the test fails on TMG (I assume), what error are you getting?


    Thank you, Ibrahim Benna MCSA+Messaging, MCSE+Messaging,MCITP, MCT, MVP "Did you backup your Information Store Today?!"

    Thursday, May 17, 2012 1:39 PM
  • For both paths I receive the same error:

    Error details: The authentication delegation method defined in the rule does not match the authentication method selected for the published directory on the server hosting the site. Publishing rule authentication delegation method: Basic. Published server authentication methods: NTLM, Negotiate.
    Action: You can change the authentication method on the published server or change the authentication delegation method in the publishing rule.

    RPC rule has

    /autodiscover/ path which is fine

    /ews/ not good

    /oab/ not good

    /rpc/ good

    Should I use another rule for /ews/ and /oab/? Create another listener? Because I'm using the same listener as for the OWA and ActiveSync rule.


    bostjanc

    Thursday, May 17, 2012 1:43 PM
  • Authentication delegation on the rule RPC is set as: basic authentication

    And on the listener side:

    HTML form authentication

    LDAP (active directory)


    bostjanc

    Thursday, May 17, 2012 1:45 PM
  • Ok, if I try to open OAB as an internal user I receive a forbidden error message.

    Does this have anything to do with not moving OAB from 2007 to 2010 yet? I have just selected replication and not moved the OAB yet.


    bostjanc

    Thursday, May 17, 2012 1:58 PM
  • If a test rule shows me that I am unable to reach paths:

    /OAB/

    /ews/

    but Outlook Anywhere still works on a client connecting from outside world (internet), should I be concerned?

    Since /rpc is published correctly then Outlook Anywhere clients will be able to work but you will have issues with OAB and Exchange Web Services.

    Error details: The authentication delegation method defined in the rule does not match the authentication method selected for the published directory on the server hosting the site. Publishing rule authentication delegation method: Basic. Published server authentication methods: NTLM, Negotiate.
    Action: You can change the authentication method on the published server or change the authentication delegation method in the publishing rule.

    The problem is that the method of authentication used by the TMG server to access the CAS servers is not the same as the one set for these virtual directories. For that, please start by checking that and make it the same.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Thursday, May 17, 2012 6:47 PM
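Added example, not part of any post in this thread: a PowerShell 2.0 probe that sends an anonymous request straight to the CAS for each path the RPC rule publishes and lists the WWW-Authenticate schemes the server returns. Those schemes are the "published server authentication methods" that the TMG rule test compares against its delegation setting, so the output shows the mismatch from the error message above without going through TMG. It needs no Exchange cmdlets; the CAS hostname and the exact paths are assumptions to replace with your own.

```powershell
# Added example (not from the thread): report which authentication schemes each
# published Exchange path actually offers, as TMG's rule test sees them.
# Runs from any Windows host on the internal network; no Exchange cmdlets used.
# $Cas and the path list are assumptions; replace them with your own values.
param(
    [string]$Cas = 'red-cas-1.example.local',   # placeholder CAS hostname
    [string[]]$Paths = @('/rpc/rpcproxy.dll', '/oab/', '/ews/exchange.asmx', '/autodiscover/autodiscover.xml')
)

function Get-OfferedAuthSchemes {
    param([string]$Url)

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.Credentials = $null          # anonymous on purpose: we want the 401 challenge, not a login
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 arrive as exceptions; a missing Response means DNS, TCP or TLS
        # failed (an untrusted certificate lands here too), which is its own finding.
        if ($_.Exception.Response -eq $null) { throw }
        $resp = $_.Exception.Response
    }

    $schemes = @()
    $challenges = $resp.Headers.GetValues('WWW-Authenticate')
    if ($challenges) {
        # Each challenge is "<scheme> [params]", e.g. 'Basic realm="red-cas-1"' or 'NTLM';
        # keep only the scheme token so the list reads like TMG's error message.
        $schemes = ($challenges -join ',') -split ',' |
            ForEach-Object { ($_.Trim() -split '\s+')[0] } |
            Where-Object { $_ } | Sort-Object -Unique
    }
    $status = [int]$resp.StatusCode
    $resp.Close()

    New-Object PSObject -Property @{
        Url         = $Url
        Status      = $status
        Schemes     = ($schemes -join ', ')
        OffersBasic = [bool]($schemes -contains 'Basic')
    }
}

$Paths | ForEach-Object { Get-OfferedAuthSchemes -Url ("https://{0}{1}" -f $Cas, $_) } |
    Format-Table Url, Status, Schemes, OffersBasic -AutoSize
```

Save it as a .ps1 and run it with `-Cas <internal CAS name>`. With the settings described in this thread, /oab/ and /ews/ should come back with Negotiate and NTLM only and OffersBasic False, which is exactly why a rule delegating Basic fails for them; once Basic is enabled on those virtual directories the Basic scheme appears in the list. A 200 with no schemes means the path allows anonymous access, which is also worth knowing before publishing it.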
  • Mr X.

    Thank you for your reply.

    If I quote your words:

    "The problem is that the method of authentication used by the TMG server to access the CAS servers is not the same as the one set for these virtual directories. For that, please start by checking that and make it the same"

    If I check on Exchange 2010/Server Configuration/Client Access/Outlook Anywhere tab, I see that the client authentication method selected is Basic Authentication.

    Where should I look to see what kind of authentication is set for OAB and EWS on Exchange? A little help please.


    bostjanc

    Friday, May 18, 2012 7:43 AM
  • Seems like you have overlooked that you must set the authentication property for the OAB and EWS virtual directories to include Basic as an option since you are using Basic authentication.

    Examples:

    Set-OabVirtualDirectory red-cas-1\* -BasicAuthentication:$true
    Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication:$true

    For more information, see:

    Greg Taylor, Senior Program Manager, Exchange Server
    Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010
    http://www.microsoft.com/en-us/download/details.aspx?id=8946


    MCTS: Messaging | MCSE: S+M

    Friday, May 18, 2012 8:02 AM
  • Running the command:

    Set-OabVirtualDirectory red-cas-1\* -BasicAuthentication:$true

    shows me a warning that I should set RequireSSL. Is this necessary?


    bostjanc

    Friday, May 18, 2012 8:08 AM
  • And if I wish to set up Require SSL, how do I do it on Exchange (which PowerShell command, please?) and do I need to do anything more on TMG?

    Does setting authentication require a restart of IIS?


    bostjanc


    • Edited by B_C_R Friday, May 18, 2012 8:11 AM
    Friday, May 18, 2012 8:11 AM
  • I know it is an older question but for reference and future searchers...

    Default Client Access server IIS authentication and SSL settings

    Virtual directory           | Authentication method                               | SSL settings                              | Management method
    ----------------------------|-----------------------------------------------------|-------------------------------------------|-------------------------------------------
    Default Web site            | Anonymous                                           | Required                                  | IIS management console
    aspnet_client               | Anonymous authentication                            | SSL required; requires 128-bit encryption | IIS management console
    Autodiscover                | Anonymous, Basic, Windows authentication            | SSL required; requires 128-bit encryption | Exchange Management Shell (Shell)
    ecp                         | Anonymous, Basic authentication                     | SSL required; requires 128-bit encryption | Exchange Management Console (EMC) or Shell
    EWS                         | Anonymous, Windows authentication                   | SSL required; requires 128-bit encryption | Shell
    Microsoft-Server-ActiveSync | Basic authentication                                | SSL required; requires 128-bit encryption | EMC or Shell
    OAB                         | Windows authentication                              | Not required                              | EMC or Shell
    owa                         | Basic                                               | SSL required; requires 128-bit encryption | EMC or Shell
    Powershell                  | Anonymous authentication                            | Not required                              | Shell
    Rpc                         | Basic, Windows authentication                       | SSL required; requires 128-bit encryption | Shell: Set-OutlookAnywhere -Identity 'CASSRV\Rpc (Default Web Site)' -IISAuthenticationMethods Basic,NTLM
    RpcWithCert                 | By default, all authentication methods are disabled | Required                                  |


    See more on http://technet.microsoft.com/en-us/library/gg247612.aspx


    Dusan Kosaric

    Monday, October 1, 2012 5:36 AM
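Added example, not part of any post in this thread: an Exchange Management Shell script that reads the live authentication settings of every Client Access virtual directory on one server, puts them next to the documented defaults from the table above, and flags the paths the RPC publishing rule in this thread depends on (/rpc, /oab, /ews, /autodiscover) when they do not offer Basic. With -Fix it applies the same two Set-*VirtualDirectory changes the marked answer gives. The -Server and -Fix parameters and the $baseline table are this script's own assumptions, not Exchange settings.

```powershell
# Added example (not from the thread): audit Client Access virtual directories
# against the documented defaults and against what a TMG rule delegating Basic
# needs. Run in the Exchange Management Shell on, or against, a CAS.
# -Server and -Fix are this script's own parameters (assumptions).
param(
    [string]$Server = $env:COMPUTERNAME,   # CAS to audit; defaults to the local server
    [switch]$Fix                           # enable Basic on OAB and EWS where it is missing
)

# Documented defaults (Basic / Windows) plus whether the thread's RPC rule
# delegates Basic to the path, in which case the path must offer Basic.
$baseline = @{
    'OAB'                         = @{ Basic = $false; Windows = $true;  TmgBasic = $true  }
    'EWS'                         = @{ Basic = $false; Windows = $true;  TmgBasic = $true  }
    'Autodiscover'                = @{ Basic = $true;  Windows = $true;  TmgBasic = $true  }
    'Rpc'                         = @{ Basic = $true;  Windows = $true;  TmgBasic = $true  }
    'owa'                         = @{ Basic = $true;  Windows = $false; TmgBasic = $false }
    'ecp'                         = @{ Basic = $true;  Windows = $false; TmgBasic = $false }
    'Microsoft-Server-ActiveSync' = @{ Basic = $true;  Windows = $false; TmgBasic = $false }
}

function New-Row($Vdir, $Obj, $Basic, $Windows, $RequireSSL) {
    New-Object PSObject -Property @{
        Vdir = $Vdir; Identity = [string]$Obj.Identity
        Basic = [bool]$Basic; Windows = [bool]$Windows; RequireSSL = $RequireSSL
    }
}

# Live settings normalised to Basic / Windows booleans; the cmdlets name the
# properties differently (BasicAuthentication, BasicAuthEnabled, IISAuthenticationMethods).
function Get-CasVdirAuth([string]$Server) {
    Get-OabVirtualDirectory -Server $Server          | ForEach-Object { New-Row 'OAB'          $_ $_.BasicAuthentication $_.WindowsAuthentication $_.RequireSSL }
    Get-WebServicesVirtualDirectory -Server $Server  | ForEach-Object { New-Row 'EWS'          $_ $_.BasicAuthentication $_.WindowsAuthentication $null }
    Get-AutodiscoverVirtualDirectory -Server $Server | ForEach-Object { New-Row 'Autodiscover' $_ $_.BasicAuthentication $_.WindowsAuthentication $null }
    Get-OwaVirtualDirectory -Server $Server          | ForEach-Object { New-Row 'owa'          $_ $_.BasicAuthentication $_.WindowsAuthentication $null }
    Get-EcpVirtualDirectory -Server $Server          | ForEach-Object { New-Row 'ecp'          $_ $_.BasicAuthentication $_.WindowsAuthentication $null }
    Get-ActiveSyncVirtualDirectory -Server $Server   | ForEach-Object { New-Row 'Microsoft-Server-ActiveSync' $_ $_.BasicAuthEnabled $_.WindowsAuthEnabled $null }
    Get-OutlookAnywhere -Server $Server | ForEach-Object {
        $m = @($_.IISAuthenticationMethods | ForEach-Object { "$_" })
        New-Row 'Rpc' $_ ($m -contains 'Basic') ($m -contains 'Ntlm') $null
    }
}

$report = foreach ($r in Get-CasVdirAuth $Server) {
    $b = $baseline[$r.Vdir]
    $problem = ''
    if ($b.TmgBasic -and -not $r.Basic) {
        $problem = 'Basic not offered: TMG Basic delegation to this path fails'
    }
    $r | Add-Member -MemberType NoteProperty -Name DefaultBasic   -Value $b.Basic   -PassThru |
         Add-Member -MemberType NoteProperty -Name DefaultWindows -Value $b.Windows -PassThru |
         Add-Member -MemberType NoteProperty -Name Problem        -Value $problem   -PassThru
}
$report | Format-Table Vdir, Identity, Basic, DefaultBasic, Windows, DefaultWindows, RequireSSL, Problem -AutoSize

if ($Fix) {
    # The two changes from the marked answer. Adding Basic leaves Windows
    # authentication enabled, so nothing else about the directory changes.
    Get-OabVirtualDirectory -Server $Server | Where-Object { -not $_.BasicAuthentication } |
        Set-OabVirtualDirectory -BasicAuthentication $true
    Get-WebServicesVirtualDirectory -Server $Server | Where-Object { -not $_.BasicAuthentication } |
        Set-WebServicesVirtualDirectory -BasicAuthentication $true
    # Re-run the audit afterwards; if IIS still advertises only NTLM/Negotiate,
    # recycle IIS (iisreset /noforce) so the new setting is picked up.
}
```

A Basic value that differs from DefaultBasic is expected on OAB and EWS once they are published through a TMG rule that delegates Basic; the Problem column is the one that matters for the error in this thread. The script only touches the two directories the answer names, and only when Basic is absent, so it is safe to run repeatedly; RequireSSL is reported for OAB because that is the directory the thread's warning concerns.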