Exchange 2010 URL and TMG 2010

Hi All,
Would like to know whether I can publish my Exchange OWA through TMG 2010 with the same URL on the internal and external sides (example: mail.contoso.com) using a single NIC?

Hi
With a single NIC deployment, you will only be able to use the web publishing feature of TMG for Exchange. This means being able to publish OWA, Outlook Anywhere and ActiveSync.
Same URL for Internal and Public Internet
100% you can have the same URL for both, and below are the DNS changes you may need to make.
You need to create a split-brain DNS:
Create a new primary DNS zone with the same name as your public domain.
Add an A record and point it to the internal IP address of the Exchange server's OWA.
On the public Internet, add an A record pointing to the public IP address which is used on the web publishing listener.
TMG - Link
http://technet.microsoft.com/en-us/library/ee796231.aspx 
Other Post -
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c38035f8-b975-4c58-99b2-952f3de9db74/configuring-splitbrain-dns
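The three DNS steps above as an added example (not part of the original reply), written for the DnsServer module on Windows Server 2012 or later. The zone, host label, addresses and server names are assumptions for illustration: mail.contoso.com, internal CAS 10.0.0.20, TMG listener 203.0.113.10, internal DNS server dns01.corp.contoso.com, and a public resolver used only for the comparison.

```powershell
# Added example (not from the original post): build the internal half of a split-brain zone for the
# public name and confirm that the same name resolves differently inside and outside.
# Assumed values (placeholders): zone contoso.com, host label mail, CAS 10.0.0.20, TMG listener
# 203.0.113.10, internal DNS dns01.corp.contoso.com, external resolver 8.8.8.8.
Import-Module DnsServer

$ZoneName    = 'contoso.com'                 # same name as the public domain
$HostLabel   = 'mail'                        # mail.contoso.com
$PublicName  = "$HostLabel.$ZoneName"
$InternalIP  = '10.0.0.20'                   # CAS (or the TMG internal listener, if internal users go via TMG)
$ListenerIP  = '203.0.113.10'                # public IP bound to the TMG web listener
$InternalDns = 'dns01.corp.contoso.com'
$ExternalDns = '8.8.8.8'                     # any resolver outside the corporate network

# 1. Create the internal primary zone once. AD-integrated so every DC that runs DNS gets a copy.
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $InternalDns -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -ComputerName $InternalDns
}

# 2. Internal A record for the OWA host name, pointing at the internal address.
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel -IPv4Address $InternalIP -ComputerName $InternalDns

# Caveat: an internal zone named contoso.com now shadows EVERY public record under contoso.com
# (www, autodiscover, sip, ...). Copy each one internal clients still need, otherwise they stop resolving.
$publicRecords = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $ExternalDns -ErrorAction SilentlyContinue
foreach ($rec in $publicRecords) {
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name 'www' -IPv4Address $rec.IPAddress -ComputerName $InternalDns
}

# 3. Verify the split: internal resolver -> internal IP, external resolver -> TMG listener IP.
function Test-SplitBrain {
    param([string]$Name, [string]$InsideServer, [string]$OutsideServer)
    $inside  = (Resolve-DnsName -Name $Name -Type A -Server $InsideServer  -ErrorAction SilentlyContinue).IPAddress
    $outside = (Resolve-DnsName -Name $Name -Type A -Server $OutsideServer -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        Name        = $Name
        Inside      = ($inside  -join ',')
        Outside     = ($outside -join ',')
        SplitOk     = ($inside -contains $InternalIP) -and ($outside -contains $ListenerIP)
    }
}
Test-SplitBrain -Name $PublicName -InsideServer $InternalDns -OutsideServer $ExternalDns
```

The public-side A record (step 3 of the reply) is created at the registrar or public DNS host, not here; the function only checks that it answers with the listener address. Because internal and external clients now use one name, the certificate on both the CAS and the TMG listener must carry that name, or internal users get certificate warnings that train them to click through.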

Similar Messages

  • Lync 2010 Edge and TMG

    I have an issue where a large group of users (about 2k) have been 'migrated' into my environment without first migrating their accounts in AD.  Basically, accounts were created internally and they are just connecting to my Lync 2010 and Exchange 2010
    environment through the internet. 
    Problem is, when they leave their current network, they hit my TMG 2010 servers from a single IP address.  This triggered TMG's Flood Mitigation settings and their IP was blocked.  I fixed this by creating an exception for their IP address
    and bumping up the number of allowed tcp and http connections per minute.
    Now, we are still having issues with users that attempt desktop and application sharing.  Their sessions close sporadically. 
    My primary question is, has anyone ever attempted this type of solution before, allowing thousands of users external access from a single IP address through TMG and Lync Edge?  If so is it supported and what type of issues might I need to look
    for?    Does the Edge role also have restrictions on how many connections can be made by a single IP address from the internet?

    Hi Ray,
    I'm pretty sure TMG is generally not the external endpoint publishing the AV/Sharing capabilities unless it is drastically different in your environment (or if TMG is your outermost firewall).
    Usual setup for reverse proxy is :
    Firewall1 (outer most) <---> DMZ <----> Firewall2 (TMG?) ---> Corp
    Firewall 2 publishes web services.
    Edge usually looks like:
    Firewall1 (outer most) <---> DMZ <----> Edge Access/AV/WebConf ---> Corp
    Can you confirm if TMG is your outer-most firewall? If it is then check if your edge has one or multiple IPs. Then check the publishing for those IPs and make sure they adhere to the exception you created. In addition, check the Firewall on the edge server
    itself.
    If TMG is not your outer-most firewall (if Firewall1 is some other device) then please check the intrusion protection on the Firewall1 device and allow for exception in there as well.
    Hope this helps.
    Cheers,
    Max

  • Domain functional level 2003 -- 2008 and TMG 2010 (sp2 rollup 2)

    Hi,
    We want to raise our domain and forest functional level from 2003 to 2008. All DC's have been on 2008 or 2008R2 for about two years.
    I cannot find if there is any impact on TMG 2010 sp2 rollup 2. Does anyone know if this will bring any issues?
    Thanks!

    No impact. From a TMG perspective, go ahead.
    Hth, Anders Janson Enfo Zipper

  • Autodiscover and TMG 2010

    Hi guys.
    Having an issue getting Autodiscover working with Exchange 2013 and TMG. Every time a client connects, it constantly prompts for a username and password, even though it's actually resolving the internal servers etc.
    Any ideas?

    Hi,
    To understand more about the issue, I'd like to ask the following questions:
    1. Do all your Outlook clients, including internal users and external users, come across the issue? If the issue happens for all users, I recommend you check the Autodiscover and Outlook Anywhere connectivity:
    Directly access the URL:
    https://autodiscover.domain.com/autodiscover/autodiscover.xml;
    Use ExRCA to check OA connectivity:
    https://testconnectivity.microsoft.com/
    2. How about the result if you cancel the credential without entering the password?
    Thanks,
    Angela Shi
    TechNet Community Support
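The "directly access the URL" check above, done as an added example (not from the original reply) that shows what a client actually sees: the HTTP status, the authentication schemes offered on a 401, and whether a valid login yields a real Autodiscover response. A prompt that comes back after correct credentials almost always means the proxy and the CAS disagree on the scheme (Basic, NTLM, Negotiate) or the 401 is never cleared. The host name autodiscover.contoso.com and the mailbox address are placeholders.

```powershell
# Added example (not from the original post): POST an Autodiscover request and report the auth behaviour.
# Placeholders: autodiscover.contoso.com and user@contoso.com. Requires PowerShell 3+ (.NET HttpWebRequest).
$Mailbox = 'user@contoso.com'
$Url     = 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'

$body = @"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$Mailbox</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

function Invoke-AutodiscoverProbe {
    param([string]$Uri, [pscredential]$Credential, [string]$Body)
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.Method      = 'POST'
    $req.ContentType = 'text/xml'
    # Outlook-like UA so TMG/CAS rules keyed on the client string behave as they do for real clients.
    $req.UserAgent   = 'Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7113; Pro)'
    if ($Credential) { $req.Credentials = $Credential.GetNetworkCredential() }   # answers Basic/NTLM/Negotiate
    $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
    $req.ContentLength = $bytes.Length
    $stream = $req.GetRequestStream(); $stream.Write($bytes, 0, $bytes.Length); $stream.Close()
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response           # 401/403/500 still carry headers worth reading
        if (-not $resp) { throw }
    }
    $reader = New-Object IO.StreamReader($resp.GetResponseStream())
    $text = $reader.ReadToEnd(); $reader.Close()
    $result = [pscustomobject]@{
        Status      = [int]$resp.StatusCode
        AuthOffered = ($resp.Headers.GetValues('WWW-Authenticate') -join '; ')
        Server      = $resp.Headers['Server']
        ErrorCode   = ([regex]::Match($text, '<ErrorCode>(\d+)</ErrorCode>')).Groups[1].Value
        HasProtocol = [bool]($text -match '<Protocol>')
    }
    $resp.Close()
    $result
}

# 1. Anonymous: a healthy endpoint answers 401 and lists the schemes it accepts.
Invoke-AutodiscoverProbe -Uri $Url -Credential $null -Body $body

# 2. Authenticated: expect 200 with <Protocol> blocks. A 401 here with known-good credentials, or a scheme
#    list that the proxy offers but the CAS does not (or vice versa), is what makes Outlook prompt repeatedly.
$cred = Get-Credential -Message 'Mailbox credentials'
Invoke-AutodiscoverProbe -Uri $Url -Credential $cred -Body $body
```

Run the same two calls from an internal client and from outside the perimeter; if the AuthOffered values differ between the two paths, the proxy listener and the CAS virtual directory need their authentication settings aligned. Basic auth sends the password in the clear inside TLS, so the probe must only ever be pointed at an https:// URL.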

  • Hyper-V 2012 and TMG 2010/NLB

    Hi there,
    I have an issue with TMG 2010 on Hyper-V 2012 - the Setup:
    - Windows 2012 Hyper-V
    - TMG 2010 SP2 Rollup 4 running on W2K8 R2
    TMG 2010 (Array Node1) Network
    Internal Interface: 10.0.0.10/24 (Route to 192.168.11.0/24 over 10.0.0.1)
    IntraArray: 192.168.10.10/24
    Perimeter: 10.0.60.10/24 GW 10.0.60.100
    TMG 2010 (Array Node2) Network
    Internal Interface: 10.0.0.11/24 (Route to 192.168.11.0/24 over 10.0.0.1)
    IntraArray: 192.168.10.11/24
    Perimeter: 10.0.60.11/24 GW 10.0.60.100
    Domain Controllers:
    192.168.11.10
    192.168.11.11
    The NICs of the TMG VMs are configured with the correct VLANs, and on the Perimeter interface as well as on the Internal interface I activated MAC address spoofing.
    Once I activate NLB on the Perimeter interface all works fine. But NLB on the Internal interface does not work - I see that NLB got configured on Array Node 1 but the second one does not get the config, nor is it able to sync its configuration with Array
    Node 1. Also the servers are not able to communicate with the domain controllers anymore. Once I deactivate MAC address spoofing on the Internal interface and remove NLB, the servers are able to speak to the domain controllers...
    Any suggestions?

    Hi,
    Can I just confirm you are using TMG console to enable NLB?
    Also, did you set this registry key on both your TMG servers? You need to make sure MAC spoofing is enabled too.
    HKLM\System\CurrentControlSet\Services\TCPIP\Parameters
    IPEnableRouter RegDword 1
    after enabling the key you may need to reboot both nodes.
    Regards,
    Denis Cooper
    MCITP EA - MCT
    Help keep the forums tidy, if this has helped please mark it as an answer
    Blog: http://www.windows-support.co.uk 
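The two prerequisites named in the reply (MAC address spoofing on the virtual NICs, IPEnableRouter on each node), applied to both array members as an added example that is not part of the original thread. Assumed names: VMs TMG01 and TMG02, virtual adapters called Internal and Perimeter; the Hyper-V part runs on the Hyper-V host and the registry part over PowerShell remoting to each node.

```powershell
# Added example (not from the original post). Placeholders: VM names TMG01/TMG02, adapter names
# Internal/Perimeter. Hyper-V module on the host (Windows Server 2012), remoting enabled on the nodes.
$Nodes       = 'TMG01', 'TMG02'
$NlbAdapters = 'Internal', 'Perimeter'     # only the adapters that carry an NLB cluster IP

# 1. On the Hyper-V host: allow the VM to send frames with the NLB cluster MAC.
#    Spoofing is a per-adapter setting; leave it Off on the intra-array NIC, which never carries a VIP.
function Set-NlbAdapterSpoofing {
    param([string[]]$VmNames, [string[]]$AdapterNames)
    foreach ($vm in $VmNames) {
        foreach ($nic in $AdapterNames) {
            Set-VMNetworkAdapter -VMName $vm -Name $nic -MacAddressSpoofing On
        }
        Get-VMNetworkAdapter -VMName $vm |
            Select-Object VMName, Name, MacAddress, MacAddressSpoofing
    }
}
Set-NlbAdapterSpoofing -VmNames $Nodes -AdapterNames $NlbAdapters

# 2. On each node: IPEnableRouter = 1 (DWORD), reported before/after so a missed node is obvious.
$RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Invoke-Command -ComputerName $Nodes -ArgumentList $RegKey -ScriptBlock {
    param($Key)
    $before = (Get-ItemProperty -Path $Key -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
    Set-ItemProperty -Path $Key -Name IPEnableRouter -Value 1 -Type DWord
    [pscustomobject]@{
        Node   = $env:COMPUTERNAME
        Before = $before
        After  = (Get-ItemProperty -Path $Key -Name IPEnableRouter).IPEnableRouter
    }
}

# 3. The key is read at boot; restart one node at a time so the array keeps serving.
# Restart-Computer -ComputerName $Nodes[0] -Wait -Force
```

Enable NLB from the TMG console, as the reply asks, rather than through the Windows NLB manager: TMG owns the cluster configuration and pushes it to the other array member, which is the step that was failing here. IPEnableRouter turns on IP forwarding in the stack; TMG still enforces its policy on every forwarded packet, but it is one more reason to keep the intra-array network on a VLAN no client can reach.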

  • Changing Exchange OWA URL, and MX record

    Hi all,
    We are planning to change our Exchange OWA URL from "https://webmail.saigon.com" to "https://webmail.city.saigon.com"
    My question is Do I need to do anything to the MX record?  The Exchange server name and IP remain the same.  Only the URL get changed for the internal, and external.
    Thanks

    Hi Brichardi,
    Thank you for your question.
    If we want to change the Exchange OWA URL from https://webmail.saigon.com to https://webmail.city.saigon.com for internal and external, we must modify the following items:
    1. MX record
    We could ask our ISP for help.
    2. Exchange certificates
    We could remove the old Exchange certificate and issue a new certificate for the Exchange server.
    3. Re-configure the virtual directory URLs (OWA, OAB, ECP, EWS, ActiveSync, Autodiscover)
    We could refer to the following link:
    https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx 
    If there are any questions regarding this issue, please feel free to let me know.
    Best Regards,
    Jim
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Jim Xu
    TechNet Community Support
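Items 2 and 3 of the reply as Exchange 2010 Management Shell commands, added here as an example and not part of the original thread. Assumed: the Client Access server is CAS01, Autodiscover keeps its own name autodiscover.saigon.com, and the CSR is written to a share on the server. One caveat for item 1: an MX record names the SMTP host for inbound mail and is independent of the OWA URL; it needs changing only if the SMTP host name changes as well.

```powershell
# Added example (not from the original post). Placeholders: CAS01, autodiscover.saigon.com, C:\certreq.
# Run in the Exchange 2010 Management Shell.
$Server  = 'CAS01'
$OldHost = 'webmail.saigon.com'
$NewHost = 'webmail.city.saigon.com'
$AutoD   = 'autodiscover.saigon.com'
$Base    = "https://$NewHost"

# 2. New certificate request carrying every name clients connect to (SAN). Submit the CSR to the CA,
#    then Import-ExchangeCertificate and Enable-ExchangeCertificate -Services IIS before the cut-over.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
           -SubjectName "CN=$NewHost" -DomainName $NewHost, $AutoD -FriendlyName $NewHost
Set-Content -Path "\\$Server\C$\certreq\$NewHost.req" -Value $csr -Encoding Ascii

# 3. Virtual directory URLs. Internal and external get the same name (split-brain DNS on the inside).
$site = '(Default Web Site)'
Set-OwaVirtualDirectory         -Identity "$Server\owa $site" -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp $site" -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-OabVirtualDirectory         -Identity "$Server\OAB $site" -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS $site" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync $site" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-OutlookAnywhere             -Identity "$Server\Rpc $site" -ExternalHostname $NewHost
Set-ClientAccessServer          -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"

# Check: nothing on the server should still advertise the old host name.
function Get-VdirsReferencing {
    param([string]$Server, [string]$HostName)
    $pattern = [regex]::Escape($HostName)
    @(Get-OwaVirtualDirectory -Server $Server
      Get-EcpVirtualDirectory -Server $Server
      Get-OabVirtualDirectory -Server $Server
      Get-WebServicesVirtualDirectory -Server $Server
      Get-ActiveSyncVirtualDirectory -Server $Server) |
        Where-Object { "$($_.InternalUrl) $($_.ExternalUrl)" -match $pattern } |
        Select-Object Identity, InternalUrl, ExternalUrl
}
Get-VdirsReferencing -Server $Server -HostName $OldHost    # expect no output after the change
```

Keep the old name in the certificate SAN and in DNS until every client has picked up the new Autodiscover settings, then remove it; the TMG listener certificate and the public name in the publishing rule need the same change on the same day, or external users will hit a name mismatch.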

  • Exchange 2013 with TMG 2010 and Go Daddy

    Hi all;
    actually I'm new to exchange server 2013 and I need some help:
    recently I installed Exchange 2013 in our domain, which contains TMG 2010
    what I need is sending emails out.
    currently I can send emails internally
    I have static IP and TMG and registered domain in Go daddy.
    could someone help me by steps what to do?
    in TMG?
    in Exchange administration?
    in Go Daddy?what records needed and how?
    and should I do any configurations in my DNS?
    please I'm stuck in this.
    Thanks

    Sorry, my fault. Try these links:
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    http://www.isaserver.org/articles-tutorials/configuration-general/publishing-exchange-2013-outlook-web-app-forefront-threat-management-gateway-tmg-2010.html
    CRM Advisor

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG - uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change
    password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated Windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login"
    set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login
    and change my password using the correct URL. However if I point my browser at
    http://192.168.4.10/owa I'm prompted to login and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA1 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • Exchange 2010/2013 coexistence published in TMG 2010

    Environment:
    Two Windows 2008 R2, Exchange 2010 SP3 servers, currently holding all mailboxes
    Two Windows 2012 R2, Exchange 2013 SP1 servers, setup in progress
    Two Windows 2008 R2, TMG 2010, V7.0.9193.540 publishing both Exchange 2010 servers.
    Scenario:
    I need to continue having Exchange 2010 set up in TMG as is, as the mailbox migration to 2013 will take weeks if not months and I have a project requirement to have Exchange Database Availability Group (DAG) functionality for all mailboxes throughout the project,
    so 4 servers are an absolute must. So I need to add Exchange 2013 in TMG and not just replace the 2010 setup with the 2013 setup, and I cannot run one 2010 and one 2013 server. 
    Questions:
    1. I currently only have 2 public IP addresses available for SMTP, mapped to the external interfaces of TMG. To allow my environment to receive emails on 4 Exchange servers (two 2010 and two 2013) I need to have 4 public IP addresses, is that correct?
    2. Does anyone have a good general guide/blog for doing this (setting up Exchange 2013 in TMG in a coexistence scenario)? 
    This is nice, but doesn't really approach it from a coexistence scenario:
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    Thanks!

    Hi Trana,
    In TMG you can use a single IP address to publish multiple web addresses, and below are the options which you can explore.
    Hope your OWA, ECP etc. are HTTPS.
    You need an SSL certificate which has SAN entries for all the URLs of both the old and new Exchange servers.
    Create a listener and select the IP address (say public IP address 195.219.x.x).
    Link the SSL certificate.
    Public DNS entries (A records, single IP):
    195.219.x.x -> Owa1.exchange1.com (old server)
    195.219.x.x -> ECP1.exchange1.com (old server)
    195.219.x.x -> ECP2.exchange2.com (new server)
    195.219.x.x -> Owa2.exchange2.com (new server)
    Create web publishing rules as below.
    Old server (Exchange 1): one web publishing rule with all of its URLs (Owa1.exchange1.com, ECP1.exchange1.com) added to it, linked to the listener we created, and pointed at the Exchange1.com server (old).
    New server (Exchange 2): one web publishing rule with all of its URLs (Owa2.exchange2.com, ECP2.exchange2.com) added to it, linked to the listener we created, and pointed at the Exchange2.com server (new).
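A check to run once the single listener is in place, added here as an example and not part of the original reply. TMG 2010 does not pick a certificate by SNI, so every name behind one IP is served by the one certificate bound to the listener; the script connects to the listener with each published name, reads the certificate it presents, and confirms the name is covered by the CN or a SAN entry and that public DNS points the name at the listener. The address 195.219.0.10 stands in for the reply's 195.219.x.x; the four host names are the ones in the reply.

```powershell
# Added example (not from the original post). Placeholder listener address 195.219.0.10.
$ListenerIP = '195.219.0.10'
$Names = 'owa1.exchange1.com', 'ecp1.exchange1.com', 'owa2.exchange2.com', 'ecp2.exchange2.com'

function Get-ListenerCertificate {
    param([string]$Ip, [string]$ServerName)
    $tcp = New-Object System.Net.Sockets.TcpClient($Ip, 443)
    # Accept any chain here: this check is about names, chain trust is verified separately.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($ServerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() renders "DNS Name=a, DNS Name=b" on Windows; keep the value after '='.
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    $names | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        # A wildcard covers exactly one label, so compare label counts as well as the pattern.
        if ($c.StartsWith('*.') -and ($Name -like $c) -and
            ($Name.Split('.').Count -eq $c.Split('.').Count)) { return $true }
    }
    $false
}

foreach ($name in $Names) {
    $resolved = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress
    $cert     = Get-ListenerCertificate -Ip $ListenerIP -ServerName $name
    [pscustomobject]@{
        Name        = $name
        ResolvesTo  = ($resolved -join ',')
        DnsOk       = [bool]($resolved -contains $ListenerIP)
        CertSubject = $cert.Subject
        NameInCert  = Test-NameCovered -Name $name -CertNames (Get-CertificateNames $cert)
        Expires     = $cert.NotAfter
    }
}
```

Any row with NameInCert false is a name that will fail in every browser and ActiveSync client even though the publishing rule is correct; fix the certificate before touching the rules. The same loop run against each CAS address directly shows whether the bridged back-end connection from TMG will validate.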

  • Publishing Exchange coexistance in 2010/2013 in TMG

    I already asked this in the TMG forums and didnt really get the answers there, so hoping I get better luck
    here, so slightly rephrased:
    Environment:
    Two Windows 2008 R2, Exchange 2010 SP3 servers, currently holding all mailboxes
    Two Windows 2012 R2, Exchange 2013 SP1 servers, setup in progress
    Two Windows 2008 R2, TMG 2010, V7.0.9193.540 publishing both Exchange 2010 servers.
    Scenario:
    I need to allow incoming and outgoing emails through TMG to both Exchange 2010 and 2013, as it will take me weeks, if not months, before all mailboxes are in 2013.
    Question:
    1. How do I need to configure TMG to allow both Exchange 2010 and 2013 simultaneously? 
    2. Do I just redirect all SMTP for Exchange 2010 mailboxes to Exchange 2013 in TMG, and 2013 just passes on the traffic to 2010 if it doesn't have the mailbox?
    Hoping to hear from someone who's actually had 2010/2013 in coexistence with TMG doing the publishing and firewalling for Exchange. Thanks.

    These answers assume that all servers are in the same Exchange organization.
    1.  Exchange 2013 will proxy all Exchange 2010 traffic, so you should route all traffic through and publish the Exchange 2013 servers rather than trying to publish both.  Unfortunately, TMG hasn't been updated with a wizard for Exchange 2013. 
    I've seen this article that explains how to publish Exchange 2013, but I haven't tried it myself since none of my Exchange 2013 customers have deployed TMG with it.  It does come from a source I would trust.
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    2.  Generally I don't recommend routing SMTP through TMG as it doesn't offer much value for that, but there's no reason you can't do it.  You should not have to worry about the server to which you route SMTP since SMTP mail will find
    its way to the correct destination regardless of where you submit it.  It is my preference to change your routing so that all mail goes through the Exchange 2013 servers early in the project rather than late.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Exchange 2010 - Decommissioning Exchange 2007 Coexistence and Removal of Public Folders

    We are about to decommission exchange 2007, currently in coexistence with Exchange 2010.
    We do not want to use ANY public folders in exchange 2010 going forward. Will do this after decom of 2007:
    http://technet.microsoft.com/en-us/library/dd876883(v=exchg.141).aspx
    I see this in the outlook connection status in outlook:
    I have changed all Exchange 2010 mailbox databases to use a temporary 2010 public folders db named "public1" so that it is not communicating with the 2007 mailbox virtual server. However, the exact same connection status appears after I changed
    the 2010 mailbox DBs to use a 2010 public folder db instead of the old 2007.
    Question is, is it safe to decom the 2007 environment now? Is it normal to still have a connection to 2007 in "connection status" in Outlook when the user's mailbox is on a 2010 mailbox DB? Is this connection related to public folders or something
    else that needs to be modified before decom?
    Thanks,
    Josh

    So, that wasn't the answer. I switched the public folder DB on each mailbox database to an Exchange 2010 server PF DB, but hadn't actually moved any data from 2007 to 2010. 
    I didnt realize this is needed when we don't use public folders except for free-busy, default, etc.
    What is the correct way to move the default public folders to a 2010 public folder?
    I'm using the below URL as a template to migrate this info to a 2010 PF db.
    https://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-ii/
    "The user Public Folders then need to be replicated to the Exchange 2010 Public Folder database as well. It is possible to manually configure
    all Public Folders with a new replication partner, but it’s better to use PowerShell scripts that Microsoft delivers with Exchange Server 2010. Open the Exchange Management Shell and navigate to the Scripts directory
    by entering the CD $ExScripts command,
    and execute the following script:
    AddReplicaToPFRecursive.ps1 -Server 2007MBX -TopPublicFolder "\" 
    -ServerToAdd 2010MBX"
    My question is, do I have to do this "3rd step" since I don't think i have any custom "user public folders". Is this the user's free busy that I have to migrate, or is this author referring to custom PF db info?
    Do I have to have public folders for free-busy and default exchange services at all in 2010?
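The pre-decommission check that goes with the quoted replica step, added here as an example and not part of the original thread. It lists every public folder, in both the IPM tree and the NON_IPM_SUBTREE system tree (where free/busy and OAB folders live), whose replica list still includes a database on the 2007 server, then shows the replica move using the MoveAllReplicas.ps1 script that ships in the Exchange 2010 Scripts folder. Server names 2007MBX and 2010MBX follow the quoted article.

```powershell
# Added example (not from the original post). Run in the Exchange 2010 Management Shell.
# Placeholders: 2007MBX (server being decommissioned), 2010MBX (server taking the replicas).
$OldServer = '2007MBX'
$NewServer = '2010MBX'

function Get-FoldersStillReplicatedTo {
    param([string]$Server)
    # Replicas are listed by public folder database, so map the server to its database names first.
    $dbNames = @(Get-PublicFolderDatabase -Server $Server | ForEach-Object { $_.Name })
    foreach ($root in '\', '\NON_IPM_SUBTREE') {
        Get-PublicFolder -Server $Server -Identity $root -Recurse -ResultSize Unlimited |
            Where-Object {
                $replicaNames = @($_.Replicas | ForEach-Object { $_.Name })
                ($replicaNames | Where-Object { $dbNames -contains $_ }).Count -gt 0
            } |
            Select-Object @{n='Tree';e={$root}}, Identity, @{n='Replicas';e={ ($_.Replicas | ForEach-Object { $_.Name }) -join ', ' }}
    }
}

# 1. Before: anything returned here still depends on the 2007 server.
$before = Get-FoldersStillReplicatedTo -Server $OldServer
$before | Format-Table -AutoSize

# 2. Move every replica (both trees) from the old server to the new one.
#    $exscripts is set by the Management Shell to the Scripts folder of the local install.
& "$exscripts\MoveAllReplicas.ps1" -Server $OldServer -NewServer $NewServer

# 3. After replication has caught up (can take hours for large hierarchies), the list should be empty.
#    Get-PublicFolderStatistics on the old server shows item counts draining as content is replicated.
$after = Get-FoldersStillReplicatedTo -Server $OldServer
if ($after) { $after | Format-Table -AutoSize } else { 'No folders reference a database on {0}' -f $OldServer }
```

Remove the 2007 public folder database only when the list is empty and the hierarchy on the 2010 database is complete; removing it earlier orphans the system folders that Outlook 2003 clients use for free/busy and OAB download, which is the one case in an Exchange 2010 organization where public folders remain required.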

  • Exchange 2007 to Exchange 2010 URL redirection

    Hi,
    I am performing an Exchange 2007 to Exchange 2010 migration in coexistence. When I am accessing Exchange 2010 OWA and logged in with an Exchange 2007 user, silent redirection is happening.
    But when I am accessing the Exchange 2007 OWA and logged in with an Exchange 2010 user, it is asking for manual redirection to the Exchange 2010 OWA URL.
    Please suggest the silent redirection method from Exchange 2007 to Exchange 2010 URLs.
    All Exchange servers are in the same Active Directory site.
    Regards Sunny Chauhan

    Hi  Sunny,
    You can run the below command to resolve this error
    Set-OWAVirtualDirectory <CAS2007>\OWA* -LegacyRedirectType Silent
    The LegacyRedirectType parameter specifies the type of redirect that Outlook Web App uses to a legacy Client Access server or front-end server when forms-based authentication isn't used on the Exchange 2013 Outlook Web App virtual directory.
    The following values are valid for this parameter:
    •Silent
    •Manual
    Silent causes a standard redirect. Manual displays an intermediate page that shows the legacy URL so that users can change their bookmarks.
    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you.
    Regards,
    Sathish

  • Publish Exchange 2013 OWA + Active Sync + Outlook Anywhere using TMG 2010

    We plan to publish our new Exchange 2013 SP1 servers (3 in DAG) outside the corporate network using TMG 2010. I am looking for some guide how to do it in the proper way. What I found is a little old and does not take into consideration Exchange 2013 SP1:
    http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
    Any advice how to publish Exchange 2013 OWA using form-based authentication and how to use Kerberos Constrained Delegation?

    Hi,
    The blog below describes some scenarios about publishing Exchange. You could have a look the Scenario 2.
    Exchange publishing after TMG/UAG
    http://dizdarevic.ba/ddamirblog/?p=168
    Note: Microsoft provides third-party contact information to help you find technical support. This contact
    information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information
    Best Regards,
    Joyce
    We are trying to better understand customer views on the social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Publishing Exchange 2013 Outlook Web App with Forefront TMG 2010

    Hello guys,
    I have published Exchange 2013 via TMG 2010 with pre-authentication. Since this is the first time I am doing it- I want to ask experts for the explanations:).
    When I configure ActiveSync on a mobile, I just type the password and it starts syncing after 20 sec.
    When I use a browser and try to login using the TMG logon screen, after I enter credentials (if they were not wrong), I get the Exchange 2013 logon screen (because my password was checked by the DCs).
    I have customized the TMG template to the Exchange 2013 template, but it did not help - I have two logon screens.
    Is it possible to configure TMG for showing only one logon screen ( without disabling pre-authentication) ? Does it work this way?
    Did I miss something?

    Hi,
    Please try to enable FBA for external and internal OWA 2010 users by the methods in the blog below.
     There are several ways to accomplish this:
    Have internal users pointed to the internal interface of the Forefront TMG and utilize the forms-based authentication logon page offered by Forefront TMG. 
    Deploy Forefront UAG instead of Forefront TMG. Forefront UAG allows you to have FBA enabled on both the Exchange 2010 Client Access Servers and on the Forefront UAG solution itself. 
    Publish Exchange 2010 to the Internet using Forefront TMG but do not configure pre-authentication. This way the users need to go through the Forefront TMG solution, but will authenticate directly against the Exchange 2010 Client Access servers. 
    Configure an additional OWA and ECP virtual directory on the Exchange 2010 Client Access Servers.
    Reference:http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part1.html
    Then check the blog
    - Creating a custom Forefront TMG 2010 OWA FBA logon page
    Note:
    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Exchange 2010 SP1 and SP2 are no longer supported.

    Exchange 2010 SP3 is the minimal version that should be installed on your Exchange Servers and just may contain the fixes you need to solve your issue.
    Support for 2010 SP1 and SP2 has ended.
    Before posting a question, please ensure you are running at least 2010 SP3.
    For more details:
    http://blogs.technet.com/b/rmilne/archive/2014/04/09/end-of-exchange-2010-sp2-support.aspx
    Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
