Federation Trust with Exchange 2010 behind Forefront TMG 2010
Dear all,
Currently we are going to deploy an Exchange 2010 Federation Trust between 2 organizations.
Let's assume:
Organization A
domain name: aa.com
Organization B
domain name: bb.com
Exchange version: Exchange 2010 SP2 Rollup 3
Both organizations' Exchange CAS servers are running behind Forefront TMG 2010 (all OWA / ActiveSync / Outlook Anywhere publishing rules go through Forefront TMG) with a single SSL certificate (multiple Subject Alternative Names).
I have done some study: Exchange 2010 federation uses SAML tokens, not user accounts, to authenticate against IIS for EWS calls. TMG doesn't know how to validate SAML tokens, so the incoming requests can't be authenticated and passed on to the Exchange Server 2010.
Just want to check: normally, how do we perform a federation trust behind Forefront TMG 2010 between 2 organizations?
Thanks in advance!
September 18th, 2012 10:02am
Can anyone help with this?
September 18th, 2012 9:24pm
Hello,
Do you use multiple web listeners to publish Exchange 2010?
If not, you can follow these steps to have a try:
<1> Modify the OWA and ECP virtual directories on the Exchange 2010 CAS servers to perform FBA, then modify the web listener on your TMG server to disable pre-authentication.
<2> Modify the authentication settings for each of the TMG publishing rules for ActiveSync, Outlook Anywhere and OWA to set them to no delegation.
<3> Revise the Users settings from All Authenticated Users to All Users.
<4> You may also need to verify that the authentication settings of your other Exchange virtual directories are valid; many organizations will allow basic authentication between TMG and their CAS servers, but require NTLM or Windows Integrated from external clients to TMG.
Thanks,
Evan Liu
TechNet Community Support
September 19th, 2012 5:44am
Hi
You need to have a rule on the TMGs which allows anonymous traffic to these paths for the autodiscover public name:
/ews/mrsproxy.svc
/ews/exchange.asmx/wssecurity
/autodiscover/autodiscover.svc/wssecurity
/autodiscover/autodiscover.svc
This rule needs to be above the existing Autodiscover rule so that it is processed first.
Steve
September 19th, 2012 5:50am
Autodiscover works perfectly in ExRCA.
October 27th, 2012 1:20am
Hi, I tried it and it's not working... did you try this before? Can it use the same listener?
If using a separate web listener, we might need to use an additional certificate, right?
http://ucoutloud.blogspot.com/2011/08/during-recent-rich-co-exist-deploymnet.html
October 27th, 2012 1:23am
I have tried the solution you provided, but I am still having the same issue when I run the command get-federationinformation -domain xxx.local
[PS] C:\Windows\system32>Get-FederationInformation -verbose
cmdlet Get-FederationInformation at command pipeline position 1
Supply values for the following parameters:
DomainName: xxx.local
VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Active Directory session settings for
'Get-FederationInformation' are: View Entire Forest: 'False', Default Scope: 'xxx,local', Configuration Domain
Controller: 'DC02.xxx.local', Preferred Global Catalog: 'DC03.xxx.local', Preferred Domain Controllers: '{
DC03.xxx.local }'
VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Runspace context: Executing user:
xxx.local/Users/Administrator, Executing user organization: , Current organization: , RBAC-enabled: Enabled.
VERBOSE: [06:10:42.091 GMT] Get-FederationInformation : Beginning processing &
VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient
Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclusive Recipient
Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Resolved current organization: .
VERBOSE: [06:10:42.107 GMT] Get-FederationInformation : Using the following trusted host names: *.outlook.com.
VERBOSE: [06:11:36.723 GMT] Get-FederationInformation : The discovery process returned the following results:
Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain
xxx.local
failed.;Details=(Type=Failure;Url=https://autodiscover.xxx.com.my/autodiscover/autodiscover.svc;Exception=Unable to
connect to the remote server;);
Type=Failure;Url=https://xxx.com.my/autodiscover/autodiscover.svc;Exception=Discovery for domain xxx.com.my
failed.;Details=(Type=Failure;Url=https://xxx.com.my/autodiscover/autodiscover.svc;Exception=The underlying
connection was closed: An unexpected error occurred on a send.;);
Type=Failure;Url=http://autodiscover.xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain
xxx.com.my
failed.;Details=(Type=Failure;Url=http://autodiscover.xxx.com.my/autodiscover/autodiscover.xml;Exception=The
operation has timed out;);
Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=Discovery for domain xxx.com.my
failed.;Details=(Type=Failure;Url=http://xxx.com.my/autodiscover/autodiscover.xml;Exception=The remote server
returned an error: (404) Not Found.;);
.
Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : AA653248,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation
October 27th, 2012 5:58am
Thanks for your reply. When I try publishing the rules, can I reuse the existing Web Listener? Or do I need to create another Web Listener?
October 27th, 2012 5:59am
Hi
Does autodiscover work externally for both of these domains? Can you test it with the ExRCA?
Steve
October 27th, 2012 6:03am
Thanks for your reply. When I try publishing the rules, can I reuse the existing Web Listener? Or do I need to create another Web Listener?
You can use the same listener and IP. Having this rule higher up than the standard Autodiscover or OA rules is so that it gets processed first and traffic to those specific paths is allowed through without authentication.
Steve
October 27th, 2012 6:30am
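Steve's two replies above (the list of paths that must bypass TMG pre-authentication, and the note that the anonymous rule must sit above the normal Autodiscover/OA rules on the same listener) can be checked from outside the firewall. The following PowerShell script is an added example written for this thread; it is not code from the thread, from Microsoft, or from TMG. It assumes a placeholder public name (`autodiscover.example.com`, replace with your own) and uses one heuristic that is an assumption on my part: a 401, or a 302 whose Location contains TMG's `CookieAuth.dll` forms-logon page, means TMG is still pre-authenticating that path. It sends plain anonymous GETs from the tester's own machine; for the four federation paths it reports whether the request reached Exchange without a TMG challenge, and for `/owa/` and `/ecp/` it reports whether those paths are still being challenged, so that the new rule is confirmed to be narrow rather than opening the whole listener.

```powershell
# Added verification script (not from the thread or from Microsoft).
# Placeholder public name: replace with the autodiscover name published on TMG.
$PublicName = 'autodiscover.example.com'

# Paths Steve listed that the federation partner must reach without TMG pre-auth.
$AnonymousPaths = @(
    '/ews/mrsproxy.svc',
    '/ews/exchange.asmx/wssecurity',
    '/autodiscover/autodiscover.svc/wssecurity',
    '/autodiscover/autodiscover.svc'
)

# Control paths that the existing rules should still protect.
$ProtectedPaths = @('/owa/', '/ecp/')

function Get-HttpProbe {
    # Anonymous GET that never follows redirects, so a TMG logon redirect is visible.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 15000
    $req.UserAgent = 'FederationPathCheck/1.0'
    $status = -1; $location = ''; $err = ''
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $location = [string]$resp.Headers['Location']
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # 401/403/404 etc. arrive as exceptions; read the real status.
            $status = [int]$_.Exception.Response.StatusCode
            $location = [string]$_.Exception.Response.Headers['Location']
        } else {
            $err = $_.Exception.Message   # DNS/TCP/TLS failure, no HTTP reply
        }
    }
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Location = $location; Error = $err }
}

function Test-TmgChallenge {
    # Assumption: a 401, or a redirect to TMG's CookieAuth.dll forms logon,
    # means TMG pre-authentication is still applied to this path.
    param($Probe)
    if ($Probe.Status -eq 401) { return $true }
    if ($Probe.Status -eq 302 -and $Probe.Location -match 'CookieAuth\.dll') { return $true }
    return $false
}

$results = @()
foreach ($p in $AnonymousPaths) {
    $probe = Get-HttpProbe -Url ("https://{0}{1}" -f $PublicName, $p)
    $challenged = Test-TmgChallenge $probe
    $verdict = if ($probe.Status -eq -1) { 'UNREACHABLE: ' + $probe.Error }
               elseif ($challenged)      { 'FAIL: TMG still pre-authenticates (rule order or path mismatch)' }
               else                      { 'OK: passed to Exchange (HTTP ' + $probe.Status + ')' }
    $results += New-Object PSObject -Property @{ Path = $p; Expect = 'anonymous'; Status = $probe.Status; Verdict = $verdict }
}
foreach ($p in $ProtectedPaths) {
    $probe = Get-HttpProbe -Url ("https://{0}{1}" -f $PublicName, $p)
    $challenged = Test-TmgChallenge $probe
    $verdict = if ($probe.Status -eq -1) { 'UNREACHABLE: ' + $probe.Error }
               elseif ($challenged)      { 'OK: still challenged by TMG' }
               else                      { 'WARN: no TMG challenge, anonymous rule may be too broad (HTTP ' + $probe.Status + ')' }
    $results += New-Object PSObject -Property @{ Path = $p; Expect = 'protected'; Status = $probe.Status; Verdict = $verdict }
}

$results | Format-Table Path, Expect, Status, Verdict -AutoSize
```

Run it from a machine outside the TMG (the same vantage point ExRCA uses). Two results matter: the four federation paths should not show a TMG challenge, and `/owa/` and `/ecp/` should still show one. If the federation paths come back challenged even though the anonymous rule exists, the usual cause is exactly what Steve describes: the rule sits below the standard Autodiscover or Outlook Anywhere rule, so the authenticated rule matches first. If `/owa/` stops being challenged, the new rule's path list is broader than the four entries and should be tightened. The Exchange-side status codes for anonymous GETs on the WS-Security endpoints vary (the script deliberately treats anything other than a TMG challenge as "reached Exchange"), which is why this check complements rather than replaces a `Get-FederationInformation` run against the partner domain.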