Exchange Federation with TMG 2010
I am trying to set up Exchange Federation with my Exchange 2010 system, where my internet-facing CAS system sits behind a TMG 2010 firewall. I've added the TXT records to the domain, I've created the Exchange delegation namespace, and I've been successful in creating the federation trust with the Microsoft Federation Gateway. The problem I am having is that when another company tries to create the Organization Relationship using the automatic Discovery option, it errors out. If I run Get-FederationInformation on my Exchange system, it errors out saying it couldn't find the federation information. If I run it with verbose logging, I find that the reason it is erroring out is that it can't connect to my Autodiscover systems:

VERBOSE: [21:18:31.247 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.xxxx.com/autodiscover/autodiscover.svc;Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;Url=https://autodiscover.xxxx.com/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;);
Type=Failure;Url=https://xxxx.com/autodiscover/autodiscover.svc;Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;Url=https://xxxx.com/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
Type=Failure;Url=http://autodiscover.xxxx.com/autodiscover/autodiscover.xml;Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;Url=http://autodiscover.xxxx.com/autodiscover/autodiscover.xml;RedirectUrl=https://autodiscover.xxxx.com/autodiscover/autodiscover.xml;Alternate=(Type=Failure;Url=https://autodiscover.xxxx.com/autodiscover/autodiscover.svc;Exception=The request failed with HTTP status 401: Unauthorized ( The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator. ).;););
Type=Failure;Url=http://xxxx.com/autodiscover/autodiscover.xml;Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;Url=http://xxxx.com/autodiscover/autodiscover.xml;Exception=The remote server returned an error: (401) Unauthorized.;);

Since xxxx.com is configured to another server than Exchange, http://xxxx.com/autodiscover will never work. For Autodiscover we use autodiscover.xxxx.com, but the problem I'm finding is that our TMG obviously requires authentication, which the federation is not doing, so TMG is rejecting it (just like TMG should be doing). So my question is this: how do I set up Exchange Federation for a CAS system that's behind a TMG server? We don't want to set up a whole new IP/web listener just for Autodiscover so we can turn off the authentication; that defeats the whole purpose of the TMG system. Please help, as I can find NO documentation on setting up Exchange Federation behind a Forefront TMG 2010 system.
May 17th, 2011 12:24am

51 views and no reply? This obviously is a universal issue that affects Exchange 2010, TMG 2010 and Exchange federation. No MVPs have anything to say on the matter?
May 17th, 2011 7:31pm

Please check the comment from Greg Taylor at Aug 2010 1:26 PM in the article below: Publishing Exchange Server 2010 with Forefront UAG and TMG
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 19th, 2011 9:00am

We have this issue as well and have done everything in the article, but this still does not work for us. We have exactly the same issue as djjsin. Did Microsoft get any closure on this issue? Thanks, Lloyd
June 24th, 2011 5:00pm

I have the same issue. Any news?
August 10th, 2011 7:58pm

TMG needs to allow anonymous connections to the EWS and Autodiscover virtual directories on the Exchange 2010 CAS server (HTTPS only). The "401 Unauthorized" is often seen when ISA or TMG tries to authenticate the connections before passing them on to Exchange. I'm not that familiar with TMG or ISA, but when looking at the rule, I believe it's under the Users tab. It should be set to 'All Users' and not 'Authenticated Users'. I'm sure there's more to it than just what's on the Users tab, so get your TMG / ISA expert involved if needed.
August 15th, 2011 7:08pm
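The answer above points at the TMG rule's Users setting; the verbose output in the question actually tells you which endpoints TMG is answering for, because TMG's own 401 page carries the "Access to the Web server is denied" text while a 401 from the web server behind it does not. The following is an added example, not code from the thread or from Microsoft: it parses the Get-FederationInformation result string quoted in the question (three of its four attempts, embedded here as sample input) and labels each attempted URL. The category names and the regex are my own.

```python
import re

# Three of the four discovery attempts from the Get-FederationInformation
# verbose output quoted in the original post (domain already redacted there).
SAMPLE = (
    "Type=Failure;Url=https://xxxx.com/autodiscover/autodiscover.svc;"
    "Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;"
    "Url=https://xxxx.com/autodiscover/autodiscover.svc;"
    "Exception=The underlying connection was closed: An unexpected error occurred on a send.;); "
    "Type=Failure;Url=http://autodiscover.xxxx.com/autodiscover/autodiscover.xml;"
    "Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;"
    "Url=http://autodiscover.xxxx.com/autodiscover/autodiscover.xml;"
    "RedirectUrl=https://autodiscover.xxxx.com/autodiscover/autodiscover.xml;"
    "Alternate=(Type=Failure;Url=https://autodiscover.xxxx.com/autodiscover/autodiscover.svc;"
    "Exception=The request failed with HTTP status 401: Unauthorized ( The server "
    "requires authorization to fulfill the request. Access to the Web server is "
    "denied. Contact the server administrator. ).;);); "
    "Type=Failure;Url=http://xxxx.com/autodiscover/autodiscover.xml;"
    "Exception=Discovery for domain xxxx.com failed.;Details=(Type=Failure;"
    "Url=http://xxxx.com/autodiscover/autodiscover.xml;"
    "Exception=The remote server returned an error: (401) Unauthorized.;);"
)

# One attempt: the URL really contacted (the Alternate one when the .xml probe
# was redirected to the .svc endpoint) and the exception it produced.
ATTEMPT = re.compile(r"Url=(?P<url>https?://[^;]+);(?:RedirectUrl=[^;]+;)?"
                     r"(?:Alternate=\(Type=Failure;Url=(?P<alt>https?://[^;]+);)?"
                     r"Exception=(?P<exc>[^;]+);")
TMG_DENIAL = "Access to the Web server is denied"  # wording of TMG/ISA's own 401 page

def classify(exc):
    if TMG_DENIAL in exc:
        return "tmg-preauth"   # the publishing rule rejected the anonymous request
    if "401" in exc:
        return "endpoint-401"  # the web server behind the URL asked for credentials
    return "transport"         # TLS/connection failure, not an authentication problem

def diagnose(verbose_text):
    """Return {url: cause} for every real attempt (wrapper entries are skipped)."""
    results = {}
    for m in ATTEMPT.finditer(verbose_text):
        if m.group("exc").startswith("Discovery for domain"):
            continue  # outer entry; the actual reason sits in its Details=(...)
        results[m.group("alt") or m.group("url")] = classify(m.group("exc"))
    return results

def tmg_blocked_svc_endpoints(verbose_text):
    """autodiscover.svc URLs that TMG rejected before Exchange ever saw the request."""
    return sorted(u for u, c in diagnose(verbose_text).items()
                  if c == "tmg-preauth" and u.endswith("/autodiscover.svc"))
```

Any URL labelled tmg-preauth is one the Users tab change (or a separate anonymous path rule for /autodiscover and /ews) has to cover; an endpoint-401 on the bare domain is a different server and not TMG's doing.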

