How to correctly publish Exchange 2003 OWA through a two legged TMG 2010 Server
Hallo:
I have a two-legged TMG box -- one leg to the LAN and another NATed to a firewall which is then internet facing.
I have used the "Back end Firewall" template - TMG 2010 SP1 with a roll-up update, hosted on Windows 2008 RII SP1 and configured behind a Cisco Router/Firewall.
My Exchange is 2003 SPII (one as the mailbox server and another configured as the front end box).
I have followed this: http://blog.meigh.eu/2010/03/15/publishing-outlook-web-access-with-microsoft-forefront-tmg.aspx
but am unable to get OWA working.
Internally I get the IIS error while externally I get "page cannot be displayed".
It's just embarrassing -- really, with all the experience of ISA 2004 and 2006, and am unable to crack TMG 2010 -- by the way I find zero clear documentation on the internet relating to this situation. I will gladly appreciate your assistance please!
-----
NguriNguriJN
May 4th, 2011 5:50pm
Hi Nguri,
I can find some web links which might help you.
http://www.isaserver.org/tutorials/publishing-outlook-web-access-microsoft-forefront-tmg.html
http://social.technet.microsoft.com/Forums/en-US/ForefrontedgePub/thread/9d68c06f-ba3d-4628-9dd4-95f934b21ac8
Anil
May 4th, 2011 11:35pm
Does OWA work if you go directly to the site via IP, bypassing the TMG?
When you Test your OWA Rule on the TMG, do you get any errors?
May 5th, 2011 11:21am
Hallo Horton:
OWA does not work either via IP or by the FQDN -- however
on the LAN as well as on the TMG (bypassing TMG - I assume you mean that the browser does not use the TMG as the proxy) am able to get the log in screen -- but once I log in I get an error "Under Construction" -- this I get whether I use the IP of the published FBA box or the FQDN of the OWA site ... i.e. https://mail.domain.com/ or the FBA internal IP https://192.168.1.7/
public IP https://x.x.x.x/ does not work -- Internet Explorer cannot display page.
By the way -- once the publishing is complete on TMG and i run the test -- all come out clean and green!
NguriJN
May 5th, 2011 3:15pm
I would forget about the TMG's and work on getting OWA up first. Review your OWA configuration on the Front-ends and in IIS.
May 5th, 2011 3:42pm
Hallo Horton:
I heeded your sentiments of getting OWA up and my frustrations led to a thread by Andersson
http://www.testlabs.se/blog/2010/07/27/how-to-publish-owaactivesyncoutlook-anywhere-exchange-2010-with-microsoft-forefront-tmg-2/
combined the thoughts of preparations of FE and BE
http://isaserver.org/tutorials/rpchttppart1.html up to
http://isaserver.org/tutorials/rpchttppart3.html and counterchecked permissions
http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
and the results - you guessed - are
a) test rules on TMG for OWA rules
1. https://owa.domain.com:443/exchange/ – results green — details–>HTTP response: 401 Unauthorized
2. https://owa.domain.com:443/exchweb/ — results green — details–> HTTP response: 200 OK
3. https://owa.domain.com:443/public/ — results green — details –>HTTP response: 401 Unauthorized
4. pathping to FE.domain.com — good!
a - 1: when I test OWA internally --> internal — I get the log in screen at least — but once I put the username and password: I get the error “page cannot be displayed”.
a - 2: test of OWA externally --> I get a log in page, I log in and get an error "under construction".
Some facts:
I have done a split dns rule in the AD DNS and have an A record owa.domain.com (same as certificate for OWA) pointing to FE's IP
I have further gone to the TMG box and created an entry in the host file FE's IP pointing to owa.domain.com
-- you know what ... something is just not right and am not sure where am going so -- so wrong!
NguriJN
May 7th, 2011 11:08am
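The direct-versus-published comparison the replies keep asking for can be scripted; the following is an added example, not code from any poster in this thread. It sends the same unauthenticated requests for the three published paths once to the front-end IP and once to the TMG listener, always presenting the public name, and reports the paths whose answers differ. `192.0.2.10` is a placeholder for the TMG listener address, and `PinnedHTTPS`, `probe` and `differences` are names made up for this sketch.

```python
import http.client
import socket
import ssl

PATHS = ["/exchange/", "/exchweb/", "/public/"]  # paths from the publishing rule

class PinnedHTTPS(http.client.HTTPSConnection):
    """Connect to a fixed IP but send and verify the public name (SNI + Host)."""
    def __init__(self, ip, name, ctx, timeout=10):
        super().__init__(name, context=ctx, timeout=timeout)
        self.ip, self.ctx = ip, ctx

    def connect(self):
        raw = socket.create_connection((self.ip, self.port), self.timeout)
        self.sock = self.ctx.wrap_socket(raw, server_hostname=self.host)

def probe(ip, name, cafile=None):
    """Unauthenticated GET per path: {path: (status, Location, WWW-Authenticate)}."""
    # cafile: PEM bundle of the internal CA, if that is what issued the certificate
    ctx = ssl.create_default_context(cafile=cafile)
    seen = {}
    for path in PATHS:
        conn = PinnedHTTPS(ip, name, ctx)
        try:
            conn.request("GET", path)
            r = conn.getresponse()
            seen[path] = (r.status, r.getheader("Location"),
                          r.getheader("WWW-Authenticate"))
        except (OSError, http.client.HTTPException) as exc:
            # TLS, timeout and connection failures are recorded, not raised
            seen[path] = ("error", type(exc).__name__, None)
        finally:
            conn.close()
    return seen

def differences(direct, published):
    """Paths whose answer changes when the request goes through the publishing rule."""
    return {p: (direct.get(p), published.get(p))
            for p in PATHS if direct.get(p) != published.get(p)}

if __name__ == "__main__":
    fe = probe("192.168.1.7", "mail.domain.com")   # front-end IP quoted in the thread
    tmg = probe("192.0.2.10", "mail.domain.com")   # placeholder TMG listener IP
    for path, (a, b) in differences(fe, tmg).items():
        print(path, "direct:", a, "via TMG:", b)
```

These probes only cover what happens before logon, so a clean comparison here does not rule out the post-logon errors described above.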
Again, forget about the TMG's. Get OWA working first, before that is working it's useless to troubleshoot the TMGs.
May 9th, 2011 3:03pm
Hallo Horton:
Kindly note that am currently able to http://exchangemailboxserver/exchange and get into OWA and work; this is not my goal -- I need to have OWA accessible over the internet and this is why I need to have it published through TMG. Am I missing something here?
NguriJN
May 11th, 2011 3:53pm
Sorry, you stated:
a - 1: when I test OWA internally --> internal — I get the log in screen at least — but once I put the username and password: I get the error “page cannot be displayed”.
Which I assumed meant you couldn't access OWA internally or externally.
In your Publishing Rule what is listed on the following tabs:
1. Public Name
2. Paths
The Public tab lists the external DNS name of the OWA site, correct?
May 13th, 2011 10:00am
Public name: mail.domain.com (as per certificate publishing and this points/resolves to the Exchange FE Server)
Paths: /public/* /Exchweb/* /Exchange/*
Yes, you are right -- the DNS name above (as per internal certificate) is also exactly as is and is published on our external (ISP) DNS servers and is reachable as follows:
a) if you ping externally (from the internet) mail.domain.com it resolves to the public IP that is also NATed on the external firewall to TMG's "external leg"
b) on TMG as well as in the -- if I ping mail.domain.com (OWA site) it resolves to the Exchange FE's IP address on which TMG's internal leg belongs to -- i.e. same network.
Horton:
There's something about TMG that I plainly just fail to understand -- for the sake of this discussion though your suggestion was that we work on OWA only... I can get email (inbound and outbound) going through -- very well ON CONDITION that the INBOUND email DOES not have any attachments -- any mail with attachment NEVER GETS delivered internally.... yet same rules on ISA 2006 on the same Exchange FE work seamlessly....
Question: just what am I not doing :-(
NguriJN
May 16th, 2011 10:00am
Sir:
My issue is on Exchange 2003 FE and NOT Exchange 2007. The configurations and setups are extremely different please -- please!
NguriJN
June 3rd, 2011 3:39am
Hello John,
This is my two cents. I am not an expert on TMG but I have a very similar environment. I used to have the Exchange FrontEnd server accessible by a Cisco appliance, which worked okay, but when I moved the setup to the TMG I could not make it work. I published Exchange FrontEnd to the TMG and I could not pass beyond the form based authentication; after login I used to get a 500 error. But once I changed the target to the Exchange backend server it worked as it was supposed to. I am guessing the frontend was manipulated to work with the Cisco appliance (automatic redirection to the correct URL) and when I tried with TMG the redirection did not work; the backend did not have any alteration and that is why I guess it worked without problem. Now I am looking to publish Exchange to be accessed by mobile phones using TMG.
AdminQuest
June 21st, 2011 9:31am
Hallo AdminQuest:
This is a major relief -- this week I had scheduled to actually format the server and revert to Win2K3 RII and ISA 2006!
I'll try this and revert to you -- oh how I pray that it works!
I thank you for your time!
--
JohnNguriJN
June 22nd, 2011 8:53am