Is it possible to Publish Exchange 2010 behind TMG in Test Lab

Hi
I have three servers: 1 Domain, 2 Exchange 2010 and TMG 2010 installed. All of these servers are installed on virtual machines.
This is a test lab. I am trying to publish OWA behind the TMG internally. Is it possible? If yes, how?
I installed 2 NICs on TMG.

Yes.
See http://www.microsoft.com/en-us/download/details.aspx?id=8946 for instructions.
Hth, Anders Janson Enfo Zipper

Similar Messages

  • ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem

    Hi
    I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
    The clients have an IPSEC policy pushed to them via GPO.  The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
    However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why.  I can't get the Oakley log to work and I can't see any traffic on the ISA.
    I am wondering if I need to publish the CRLs externally?  Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using public certificates).
    I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the Windows 7 machine but it doesn't seem to make a difference.
    Any advice would be appreciated.
    Steven

    Hi,
    Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
    In addition, ISA 2006 only includes a Client Access Web Publishing Wizard for Exchange 2003 and Exchange 2007. Which Exchange version did you choose when publishing Exchange 2010?
    Please also make sure that you have selected the External interface for the web listener to listen on.
    Besides, the link below would be helpful to you:
    OWA publishing using Kerberos Constrained Delegation method for authentication delegation
    Best regards,
    Susie

  • Exchange 2010 OWA : TMG Error 12302 The server denied the specified Uniform Resource Locator (URL).

    Hello All,
    We are using TMG2010 (SP2, rollup4) for publishing Exchange 2010 OWA sites. The issue is that after every 10-24 hrs, the TMG server stops logging in to OWA sites and starts giving the error below. Then we have to restart the server one or two times, or the problem solves itself.
    I have also installed a new server and it is giving the same behavior.  On the TMG server, the Exchange edge server and Forefront Protection for Exchange are also installed.
    Please help to solve this issue.
    Denied Connection
    -TMG05 5/21/2014 11:44:39 PM
    Log type: Web Proxy (Reverse)
    Status: 12302 The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.
    Rule: PRC-OWA
    Source: 119.157.175.238:56971
    Destination: 111.68.105.121:443
    Request: GET http://mail.parc.gov.pk/owa
    Filter information: Req ID: 0e947d98; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=yes, valid=yes, updated=no, logged off=no, client type=public, user activity=yes
    Protocol: https
    User: anonymous
    Additional information
    Client agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 125
    MIME type:

    Hi,
    A similar thread:
    http://social.technet.microsoft.com/Forums/forefront/en-US/e8fdc1bd-f023-4804-ad02-67899d8c7347/the-server-denied-the-specified-uniform-resource-locator-errors12302-ashttp-error-code-of-500?forum=Forefrontedgegeneral
    Best Regards,
    Joyce

  • Login error when publishing OWA 2010 through TMG 2010

    I configured publishing of OWA 2010 with TMG 2010, but when logging in through the Internet I must enter the correct net name: domain.com\administrator and password to log in.
    The login name administrator or [email protected] does not log in. And all the other mailbox accounts do not log in.
    This is a picture of my configuration. If you know how to fix it, please help me. Thanks.

    Hi Xuan,
    It depends on your selected authentication method.
    I recommend you refer to the following article, it will give you some hints:
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part2.html
    Please note: Since the website is not hosted by Microsoft, the link may change without
    notice. Microsoft does not guarantee the accuracy of this information. And the
    changes made in the above blog is not supported officially by Microsoft.
    Best regards,
    Niko Cheng
    TechNet Community Support

  • Need detail information, steps would be nicer, to upgrade from Exchange 2003 to Exchange 2010 to setup in test system first then try on production, since not much room for downtime, thanks bekir

    Need detail information, steps would be nicer,  to upgrade from Exchange 2003 to Exchange 2010 to setup in test system first then try on production, since not much room for downtime, thanks bekir

    Hi,
    An overview of the upgrade process from Exchange 2003 to Exchange 2010 includes the following steps:
      • Installing Exchange 2010 within your organization on new hardware.
      • Configuring Exchange 2010 Client Access.
      • Creating a set of legacy host names and associating those host names with your Exchange 2003 infrastructure.
      • Obtaining a digital certificate with the names you'll be using during the coexistence period and installing it on your Exchange 2010 Client Access server.
      • Associating the host name you currently use for your Exchange 2003 infrastructure with your newly installed Exchange 2010 infrastructure.
      • Moving mailboxes from Exchange 2003 to Exchange 2010.
      • Decommissioning your Exchange 2003 infrastructure.
    For more details, please refer to this following document.
    http://technet.microsoft.com/en-us/library/ff805040(v=exchg.141).aspx
    Best Regards.

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication. This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. Allow users to change password is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login" set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login and change my password using the correct URL. However if I point my browser at http://192.168.4.10/owa I'm prompted to login and I can change my password using the sam credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA2 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • ISA 2006 publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation

    Hi,
    I have two Exchange 2010 SP1 CAS with Windows Network Load Balancing. I set up an alternate service account and mapped the http, ExchangeMDB, PRF and ExchangeAB SPNs.
    Then I published the Exchange Services via ISA 2006. OWA is working using Internet -> via NTLM -> ISA(webmail.domain.com) -> via KCD -> CAS-Array(ex2010.domain.com)
    I tried the same with Outlook Anywhere (RPC over HTTP) without success.
    Authentication to the ISA via NTLM works fine, but I think the ISA server cannot delegate the credentials successfully to the CAS server.
    The ISA Log looks like:
    Allowed Connection ISA 24.11.2011 15:50:40
    Log type: Web Proxy (Reverse)
    Status: 403 Forbidden
    Rule: Exchange 2010 RPC
    Source: Internal (172.16.251.33)
    Destination: (172.18.10.182:443)
    Request: RPC_OUT_DATA
    http://webmail.domain.com/rpc/rpcproxy.dll?ex2010.domain.com:6001
    Filter information: Req ID: 108b89d8; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: https
    So I always get a 403 Forbidden from the CAS.
    In the IIS log file from the CAS server I see this entry:
    2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.domain.com:6001 443 - <ISA IP> MSRPC 401 1 2148074254 203
    I use the same listener for OWA and Outlook Anywhere. Authentication methods are Basic and Integrated. I forward the request to a web farm which consists of the two physical CAS. Internal Site Name is set to the NLB name ex2010.domain.com, SPN is set to http/ex2010.domain.com
    Thanks for your support

    Hi, I ran into the same problem.
    The steps above solved mine too (creating a custom AppPool which runs under LocalSystem).
    I wonder why they included only the script: convertoabtovdir.ps1
    http://social.technet.microsoft.com/Forums/en-US/Forefrontedgegeneral/thread/dc24ccd3-378a-47cc-bbbf-48236f8fe5b0
    Is this a supported configuration (changing AppPool of RPC)?
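
Decoding the IIS log entry quoted in the thread above, as an added example that is not part of the original posts: the three numbers before the time-taken value are the HTTP status, the IIS sub-status and the Win32/SSPI status, and 2148074254 is 0x8009030E (SEC_E_NO_CREDENTIALS). The field order is assumed to be the IIS default W3C set, and 192.0.2.10 is a constructed stand-in for the redacted `<ISA IP>`.

```python
"""Triage authentication failures in IIS W3C logs (added example)."""

# Assumed field order when the log carries no "#Fields:" directive.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

# IIS sub-status codes for HTTP 401.
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    5: "authorization failed by ISAPI/CGI application",
}

# SSPI HRESULTs that commonly show up in sc-win32-status on auth failures.
SSPI_ERRORS = {
    0x80090302: "SEC_E_UNSUPPORTED_FUNCTION",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090311: "SEC_E_NO_AUTHENTICATING_AUTHORITY",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
}

# First request line is the one quoted in the thread (client IP constructed);
# the second line is constructed to show a request that must not be flagged.
SAMPLE_LOG = [
    "#Fields: " + " ".join(DEFAULT_FIELDS),
    "2011-11-24 15:51:37 172.18.10.182 RPC_OUT_DATA /rpc/rpcproxy.dll "
    "ex2010.domain.com:6001 443 - 192.0.2.10 MSRPC 401 1 2148074254 203",
    "2011-11-24 15:52:02 172.18.10.182 GET /owa/ - 443 user1 192.0.2.10 "
    "Mozilla/5.0 200 0 0 31",
]


def parse_w3c(lines):
    """Yield one dict per request line, honouring any #Fields: directive."""
    fields = DEFAULT_FIELDS
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed lines
            yield dict(zip(fields, values))


def explain_failure(rec):
    """Turn the three status columns into something a human can act on."""
    status, sub = int(rec["sc-status"]), int(rec["sc-substatus"])
    # Some exports write the HRESULT as a signed integer; normalise to 32 bits.
    win32 = int(rec["sc-win32-status"]) & 0xFFFFFFFF
    return {
        "when": f'{rec["date"]} {rec["time"]}',
        "uri": rec["cs-uri-stem"],
        "status": f"{status}.{sub}",
        "meaning": SUBSTATUS_401.get(sub) if status == 401 else None,
        "hresult": f"0x{win32:08X}",
        "sspi": SSPI_ERRORS.get(win32),
        # "-" means IIS never established an authenticated identity.
        "user": None if rec["cs-username"] == "-" else rec["cs-username"],
    }


def triage(lines, uri_prefix="/rpc/"):
    """Return decoded 401/403 responses for requests under uri_prefix."""
    return [explain_failure(r) for r in parse_w3c(lines)
            if r["sc-status"] in ("401", "403")
            and r["cs-uri-stem"].lower().startswith(uri_prefix)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A 401.1 with SEC_E_NO_CREDENTIALS and an empty cs-username means the CAS received no usable credentials for the request.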

  • Securing publishing exchange 2010 OWA and ActiveSync with WAP 2012

    Hello,
    My client has the following environment:
    Exchange 2010 SP3
    AD 2003
    We want to secure ActiveSync and OWA by using a reverse proxy. TMG/UAG life ends in 2015, so we are studying WAP 2012 and ADFS 3.0. The difficulty is that there is not enough experience feedback, especially for this environment.
    Is there any incompatibility?
    Do you know good articles and blogs which address this issue?
    Thanks in advance

    Are any other options available since posting in June 2014?  Specifically for securing ActiveSync connections from smartphones on the Internet.  We are running Exchange 2010 in AD 2008  
    TMG has already transitioned from mainstream to extended support.  Not only is there less support now, to my understanding there is still a licensing cost for this product.  Paying for a product at EOL seems inadvisable.
    Web Access Protocol (WAP) looked like the right choice, but to secure communications from domain users on unknown devices over the Internet requires Exchange 2013 which is "claims aware".  Exchange 2010 is not and what we are left with is
    configuring WAP in pass-thru mode, allowing unauthenticated Internet traffic into our internal network where the Exchange CAS server is. 
    Is there any Microsoft solution to authenticate the user before allowing the user's device to connect to our CAS server on our internal network?

  • Exchange 2010 to office 365 migration lab

    I am looking out for free migration lab if any available online from Microsoft or any vendor related to migrate from exchange 2010 to office 365 . Please suggest ? 
    Aditya Mediratta

    Hi,
    Unfortunately, there’s no related lab for use.
    We can use the Microsoft Exchange Server Deployment Assistant to generate a custom step-by-step checklist that will help you deploy different versions of Exchange Server for different types of scenarios. For your reference:
    https://technet.microsoft.com/en-us/office/dn756393.aspx
    Thanks
    Allen Wang
    TechNet Community Support

  • BIS and Exchange 2010 with TMG

    Dear all,
    I stumbled into this problem whereby my client has an Exchange 2010 with mixed-mode mobile users of Active Sync and BlackBerry.
    They have this https://mail.***.com.my as their OWA URL and credentials should be entered as:
    Username: Domain\Username
    Password: Password
    This convention is the same regardless of whether users access from OWA or set up Active Sync or BlackBerry.
    Questions are:
    1. How do I setup BIS account on my BlackBerry? Method I use is log into my telco portal but the credentials I entered does not recognised by the system.
    2. Alternatively, I tried to set it direct on my BlackBerry but was prompt the same error as above which is 'Username must be at least 4 characters'.
    3. Does naming convention setup same for Active Sync users and BlackBerry users?
    Any help would be greatly appreciated.

    Hi and Welcome to the Forums!
    rizauden wrote:
    1. How do I setup BIS account on my BlackBerry? Method I use is log into my telco portal but the credentials I entered does not recognised by the system.
    2. Alternatively, I tried to set it direct on my BlackBerry but was prompt the same error as above which is 'Username must be at least 4 characters'.
    BIS itself is provided to you by your wireless service provider. With hundreds of different carriers in the world and dozens of different methods each, there's no way to be sure how to guide you with specifics. I suggest you ring them up and talk to them about how to enable BIS on your BB.
    rizauden wrote:
    3. Does naming convention setup same for Active Sync users and BlackBerry users?
    I'm not sure how ActiveSync works, but the configuration instructions for OWA are here:
    KB03133 How to integrate a Microsoft Outlook Web Access email address with a BlackBerry Internet Service account
    And here are some further helpful KBs on the topic:
    KB15173 Locate the mailbox name for a Microsoft Outlook Web Access 2007 email account
    KB02858 Unable to integrate a Microsoft Outlook Web Access or IBM Lotus Domino Web Access email address with a BlackBerry Internet Service account
    KB04804 Error message appears when attempting to integrate a Microsoft Outlook Web Access 5.5 or 2010 account
    KB18567 BlackBerry Internet Service cannot connect to a Microsoft Outlook Web Access account using Microsoft Exchange 2007 or Microsoft Exchange 2010
    Good luck and let us know!
    Occam's Razor nearly always applies when troubleshooting technology issues!

  • How do you publish Exchange 2010 Management Console on a Citrix Server?

    I need to be able to remotely manage Exchange through the management console and want to publish it through Citrix.  I successfully installed the console on the XenApp servers in our farm, but after publishing it, cannot get the published console to run through the Citrix Plug-in or web interface.  Any idea what I could be doing wrong?  Since I can run it directly from the server, the problem must exist in the way I published it.  I have checked permissions and those appear to be ok.
    Thanks for the assistance.

    hi,
    How do you publish your EMC? Since you can't run it, do you get any error information? It seems it isn't an Exchange problem. If you have installed your EMC on another computer in your org, you can run it by clicking Start. If you want to use Citrix, asking them for help is a good idea.
    Hope this can help you.
    thanks,
    CastinLu
    TechNet Community Support

  • Publishing Exchange 2013 Outlook Web App with Forefront TMG 2010

    Hello guys,
    I have published Exchange 2013 via TMG 2010 with pre-authentication. Since this is the first time I am doing it, I want to ask experts for explanations :).
    When I configure Active Sync on mobile, I just type the password and it starts syncing after 20 sec.
    When I use a browser and try to log in using the TMG logon screen, after I enter credentials (if they were not wrong), I get the Exchange 2013 logon screen (because my password was checked by DCs).
    I have customized the TMG template to the Exchange 2013 template, but it did not help - I have two logon screens.
    Is it possible to configure TMG to show only one logon screen (without disabling pre-authentication)? Does it work this way?
    Did I miss something?

    Hi,
    Please try to enable FBA for external and internal OWA 2010 users by the methods in the blog below.
    There are several ways to accomplish this:
      • Have internal users pointed to the internal interface of the Forefront TMG and utilize the forms-based authentication logon page offered by Forefront TMG.
      • Deploy Forefront UAG instead of Forefront TMG. Forefront UAG allows you to have FBA enabled on both the Exchange 2010 Client Access Servers and on the Forefront UAG solution itself.
      • Publish Exchange 2010 to the Internet using Forefront TMG but do not configure pre-authentication. This way the users need to go through the Forefront TMG solution, but will authenticate directly against the Exchange 2010 Client Access servers.
      • Configure an additional OWA and ECP virtual directory on the Exchange 2010 Client Access Servers.
    Reference: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part1.html
    Then check the blog
    - Creating a custom Forefront TMG 2010 OWA FBA logon page
    Note:
    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce

  • Publish Exchange 2013 using UAG 2010 Sp4

    Hi,
    We need to publish Exchange 2013 through UAG 2010. But we are not getting any dedicated link for UAG 2010 to publish Exchange 2013. we have UAG 2010 with SP4.
    Is there any Step by step UAG 2010 configuration link to publish Exchange 2013?
    Thanks
    jitender

    Hi Jitender,
    Based on my knowledge, publishing Exchange 2013 with UAG 2010 is similar to publishing Exchange 2010.
    I found a related blog and guide for your reference:
    1. Publishing Exchange Server 2010 with Forefront UAG and TMG
    http://blogs.technet.com/b/exchange/archive/2010/07/16/publishing-exchange-server-2010-with-forefront-uag-and-tmg.aspx
    2. Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010
    http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=8946
    Please also notice the System requirement of both Exchange 2013 and UAG 2010.
    System Requirement
    Exchange 2013
    http://technet.microsoft.com/en-us/library/aa996719(v=exchg.150).aspx  
    UAG 2010 SP4
    Supported Operating System
    Windows Server 2008 R2
    Servers running Forefront UAG and SP4 require the   following:
      • Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or   Windows Server 2008 R2 DataCenter.
      • Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
    Thanks
    Mavis Huang
    TechNet Community Support

  • Exchange 2010 - 2013 random auth.owa error

    Hello,
    I have an odd situation where we are preparing 2 exchange 2013 servers to migrate 2010 servers to 
    so currently:
    2x Exchange 2010 (with dag)
    2x Exchange 2013 (with dag).
    Now it's behaving extremely odd when it comes to ECP for the 2013 servers.
    randomly it works and doesn't work.
    i generally try it from localhost on both 2013 servers, and individual server ip's from lets say 4 or 5 places.
    all same login, and admin user is inside mailbox db DAG cluster.
    now the problem:
    it randomly pops up auth.owa error 500 
    when i say random i truly mean random, sometimes everything 100% works, i am able to login 100% from all servers.
    then i check back lets say 2 hours later.. some obtain auth.owa errors while others work.
    What i tried:
    - I rebuilt OWA (first with reset, then with remove and re-add method) on both 2013 servers.
    - removed killbit file from 2013's
    - rebuilt Exchange 2013's (just Exchange itself).
    - checked heartbeat monitor boxes and removed the null values.
    It's safe to say I am kind of lost on what to try next.
    I am also mystified why it randomly works. I know it's internally load balanced, but shutting down 1 of the 2013 servers did not get rid of this strange behavior.
    is it possible that the exchange 2010 servers play a part in this issue?
    Any ideas, any help is very much welcome!.
    Regards,
    Marco
    Key4ce - IT professionals: www.key4ce.eu

    Hi,
    Please check whether the Microsoft Forms Based Authentication service is running on all Exchange servers. 
    Similar thread for your reference:
    https://social.technet.microsoft.com/Forums/exchange/en-US/8cf6886f-a96f-44f1-88ee-bd3a42349fa9/owa-brings-up-logon-screen-but-after-login-gives-http-500-internal-server-error
    Also check the authentication configuration on CAS.
    Get-OwaVirtualDirectory -Server <server name> | fl *auth*
    Set-OwaVirtualDirectory -Identity "<server name>\owa (Default Web Site)" -FormsAuthentication $true
    Thanks
    Mavis Huang
    TechNet Community Support

  • Inplace Upgrade of Exchange 2010 on SBS 2011 to Exhange 2013

    Is it possible to upgrade exchange 2010 that is on SBS 2011 to Exchange 2013?
    George Zugg

    No 'In Place' Upgrade.
    You can move exchange to a new server running 2013.
    Robert Pearman SBS MVP
