Federation Trust with Exchange 2010 behind Forefront TMG 2010
Dear all, currently we are going to deploy Exchange 2010 Federation Trust between 2 organizations. Let's assume:
Organization A domain name: aa.com
Organization B domain name: bb.com
Exchange version: Exchange 2010 SP2 Rollup 3
Both organizations' Exchange CAS servers are running behind Forefront TMG 2010 (all OWA / ActiveSync / Outlook Anywhere publishing rules go through Forefront TMG) with a single SSL certificate (multiple Subject Alternative Names).
I did some study: Exchange 2010 federation uses SAML tokens, not user accounts, to authenticate against IIS for EWS calls. TMG doesn't know how to validate SAML tokens, so the incoming requests can't be authenticated and passed on to the Exchange Server 2010.
Just want to check: normally, how do we perform a federation trust behind Forefront TMG 2010 between 2 organizations? Thanks in advance!
September 18th, 2012 10:02am

Can anyone help with this?
September 18th, 2012 9:24pm

Hello, do you use multiple web listeners to publish Exchange 2010? If not, you can follow these steps to have a try:
<1> Modify the OWA and ECP virtual directories on the Exchange 2010 CAS servers to perform FBA, then modify the web listener on our TMG server to disable pre-authentication.
<2> Modify the authentication settings for each of the TMG publishing rules for ActiveSync, Outlook Anywhere and OWA to set them to no delegation.
<3> Revise the Users setting from All Authenticated Users to All Users.
<4> You may also need to verify that the authentication settings of your other Exchange virtual directories are valid; many organizations will allow basic authentication between TMG and their CAS servers, but require NTLM or Windows Integrated from external clients to TMG.
Thanks, Evan Liu, TechNet Community Support
September 19th, 2012 5:44am


Hi, you need to have a rule on the TMGs which allows anonymous traffic to these paths for the autodiscover public name:
/ews/mrsproxy.svc
/ews/exchange.asmx/wssecurity
/autodiscover/autodiscover.svc/wssecurity
/autodiscover/autodiscover.svc
This rule needs to be above the existing Autodiscover rule so that it is processed first. Steve
September 19th, 2012 5:50am


Autodiscover works perfectly in ExRCA.
October 27th, 2012 1:20am

Hi, tried and not working... did you try before whether it can use the same listener? If using a separate web listener, we might need an additional certificate, right? http://ucoutloud.blogspot.com/2011/08/during-recent-rich-co-exist-deploymnet.html
October 27th, 2012 1:23am

I have tried the solution you provided, still having the same issue when I run the command get-federationinformation -domain xxx.local:
[PS] C:\Windows\system32>Get-FederationInformation -verbose
cmdlet Get-FederationInformation at command pipeline position 1
Supply values for the following parameters:
DomainName: xxx.local
VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Active Directory session settings for 'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'xxx,local', Configuration Domain Controller: 'DC02.xxx.local', Preferred Global Catalog: 'DC03.xxx.local', Preferred Domain Controllers: '{ DC03.xxx.local }'
VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Runspace context: Executing user: xxx.local/Users/Administrator, Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Beginning processing &
VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Resolved current organization: .
VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
VERBOSE: [06:11:36.723 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain xxx.local failed.;Details=(Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Unable to connect to the remote server;);
Type=Failure;Url=https://xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain xxx.com.my failed.;Details=(Type=Failure;Url=https://xxx.com.my/autodiscover/autodiscover.svc;Exception=The underlying connection was closed: An unexpected error occurred on a send.;);
Type=Failure;Url=http://autodiscover.xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain xxx.com.my failed.;Details=(Type=Failure;Url=http://autodiscover.xxx.com.my/autodiscover/autodiscover.xml;Exception=The operation has timed out;);
Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain xxx.com.my failed.;Details=(Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=The remote server returned an error: (404) Not Found.;);
.
Federation information could not be received from the external organization.
    + CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
    + FullyQualifiedErrorId : AA653248,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
October 27th, 2012 5:58am
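The discovery results above are printed as one long line of Type=...;Url=...;Exception=...;Details=(...) records, which is hard to read when several probes fail for different reasons. The following PowerShell helper is an added example, not code from any reply in this thread: it splits that format into one object per probed URL with the inner exception and a generic hint about which layer (network, TLS, authentication, or path publishing) produced it. $sample is a constructed copy of two of the records above; the Get-DiscoveryHint mapping is an assumption based on the usual meaning of those .NET exception texts, not something Exchange itself reports.

```powershell
# Added example: parse Get-FederationInformation verbose discovery output.
# Constructed sample, copied from two of the records shown in the thread.
$sample = @'
Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain xxx.local failed.;Details=(Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Unable to connect to the remote server;);
Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain xxx.com.my failed.;Details=(Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=The remote server returned an error: (404) Not Found.;);
'@

function Get-DiscoveryHint {
    # Assumed mapping from the inner .NET exception text to the layer that failed.
    param([string]$Reason)
    switch -Wildcard ($Reason) {
        'Unable to connect*'                 { 'no TCP connection: DNS, firewall, or nothing listening on that port' }
        '*timed out*'                        { 'no answer before the timeout: traffic dropped or listener not responding' }
        '*underlying connection was closed*' { 'connection dropped during the TLS/HTTP exchange: check the certificate on the listener' }
        '*(401)*'                            { 'authentication demanded: the path is still behind a pre-authenticating rule' }
        '*(404)*'                            { 'path not found at that URL: no rule or site serves it on that host name' }
        default                              { 'see the exception text' }
    }
}

function ConvertFrom-FederationDiscoveryResult {
    param([Parameter(Mandatory=$true)][string]$Text)
    # One record per probed URL: outer Type/Url/Exception, then the inner exception inside Details=(...).
    $pattern = 'Type=(?<type>\w+);Url=(?<url>[^;]+);Exception=(?<outer>[^;]+);Details=\((?<details>.*?)\);'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $reason = ''
        if ($m.Groups['details'].Value -match 'Exception=(?<msg>[^;]*)') { $reason = $Matches['msg'] }
        New-Object PSObject -Property @{
            Url    = $m.Groups['url'].Value
            Result = $m.Groups['type'].Value
            Domain = $(if ($m.Groups['outer'].Value -match 'domain (?<d>\S+) failed') { $Matches['d'] } else { '' })
            Reason = $reason
            Hint   = Get-DiscoveryHint -Reason $reason
        }
    }
}

# Usage: paste the whole VERBOSE line into $sample, or pipe the cmdlet's output through the parser.
ConvertFrom-FederationDiscoveryResult -Text $sample | Format-Table Domain, Url, Reason, Hint -AutoSize -Wrap
```

The useful part of the output is the Reason column: "Unable to connect to the remote server" is raised before any HTTP request is sent, so a rule ordering or authentication change on the listener cannot be the cause of that particular failure, whereas a 401 or a redirect would be.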

Thanks for your reply. When I try publishing the rules, can I use the same Web Listener again, or do I need to create another Web Listener?
October 27th, 2012 5:59am

Hi, does autodiscover work externally for both of these domains? Can you test it with the ExRCA? Steve
October 27th, 2012 6:03am

Thanks for your reply. When I try publishing the rules, can I use the same Web Listener again, or do I need to create another Web Listener?
You can use the same listener and IP. Having this rule higher up than the standard Autodiscover or OA rules is so that it gets processed first and the traffic to those specific paths is allowed through without authentication. Steve
October 27th, 2012 6:30am
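Once the anonymous rule for the federation paths is in place above the Autodiscover and Outlook Anywhere rules, the quickest check is to request each of those paths through the public listener with no credentials and see whether TMG still intercepts them. The script below is an added example and not code from Steve or from this thread; it uses the four paths from his earlier reply, and $PublicName is a placeholder for your published autodiscover host name. The test for a forms-logon redirect looks for CookieAuth.dll, which is the TMG/ISA forms-based authentication endpoint; that check is an assumption about how your listener is configured.

```powershell
# Added example: probe the federation paths anonymously through the TMG listener.
$PublicName = 'autodiscover.example.com'   # placeholder: your autodiscover public name on the listener
$Paths = @(
    '/ews/mrsproxy.svc',
    '/ews/exchange.asmx/wssecurity',
    '/autodiscover/autodiscover.svc/wssecurity',
    '/autodiscover/autodiscover.svc'
)

function Test-AnonymousPath {
    param([string]$HostName, [string]$Path)
    $url = "https://$HostName$Path"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false    # keep the 302 so a forms-logon redirect is visible
    $req.Timeout = 15000
    $status = 0; $location = ''; $authHeader = ''
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $authHeader = $resp.Headers['WWW-Authenticate']
        $resp.Close()
    } catch [System.Net.WebException] {
        # 401/403/404 arrive as exceptions; read the status from the attached response
        $r = $_.Exception.Response
        if ($r -eq $null) {
            return New-Object PSObject -Property @{ Path = $Path; Status = 'n/a'; Verdict = "no response: $($_.Exception.Message)" }
        }
        $status = [int]$r.StatusCode
        $location = $r.Headers['Location']
        $authHeader = $r.Headers['WWW-Authenticate']
        $r.Close()
    }
    $verdict = switch ($status) {
        401 { "authentication demanded ($authHeader): TMG or the CAS virtual directory still requires credentials on this path" }
        403 { 'forbidden: no publishing rule allows this path for anonymous users, or the rule is below the Autodiscover/OA rules' }
        302 { if ($location -like '*CookieAuth.dll*') { 'redirected to TMG forms logon: listener pre-authentication still applies' } else { "redirected to $location" } }
        default { 'request reached the published server without credentials' }
    }
    New-Object PSObject -Property @{ Path = $Path; Status = $status; Verdict = $verdict }
}

$Paths | ForEach-Object { Test-AnonymousPath -HostName $PublicName -Path $_ } | Format-Table Path, Status, Verdict -AutoSize -Wrap
```

A bare GET against a WCF .svc endpoint is not a federation call, so a 200, 400 or 405 from the CAS all count as "reached"; the only verdicts that matter for the rule ordering question are 401, 403 and the forms-logon redirect, each of which means the request was still handled by an authenticating rule or listener rather than the anonymous one.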
