Publishing EWS with TMG?
I seem to be having issues with Lync EWS connectivity. I am using TMG to publish Exchange. Internal and external EWS URLs are the same. I can access https://mail.domain.com/ews/exchange.asmx internally just fine (I think there is a Windows authentication popup), and Lync connects to EWS. But from the internet the EWS URL brings me first to a TMG authentication page. Once I authenticate it directs me to https://mail.domain.com/ews/Services.wsdl just like internally, but Lync fails to connect.
Do I need to publish EWS with a separate TMG rule using a different listener to require no authentication? How is EWS supposed to be published? I've tried the Lync-specific forums but there is not enough activity on them. Please help.
March 1st, 2011 12:28am
No separate publishing rule; it piggybacks off the Outlook Anywhere rule. Is Outlook Anywhere working? Did you use the whitepaper below?
Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010
http://www.microsoft.com/downloads/en/confirmation.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022&displaylang=en
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 1st, 2011 12:52pm
Hey,
I just read through the entire TMG section in that document. Our rules and configuration look identical, except we don't have autodiscover.domain.com on our certificate, in DNS, or used anywhere else. I don't see it being a problem though, since we use mail.domain.com/autodiscover/autodiscover.xml. Would it be a problem?
Outlook Anywhere doesn't appear to work. When I run the autoconfiguration with an external client this is what I see in the log:
Srv Record lookup for domain.com starting
Autodiscover URL redirection to https://mail.domain.com/autodiscover/autodiscover.xml
Autodiscover to https://mail.domain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://mail.domain.com/autodiscover/autodiscover.xml Failed (0x80070057)
When I try to browse to https://mail.domain.com/autodiscover/autodiscover.xml I get the TMG authentication prompt and then the text (the text contains "600 Invalid Request", but I hear that's normal).
March 1st, 2011 2:23pm
On the client that you tested Outlook Anywhere on, was it a domain-joined client? Were you creating a new profile externally through Autodiscover, or were you using an existing profile and just trying to connect from outside? The reason is that if Autodiscover does not work externally you can't create a profile. Only clients that had their profiles set up inside the network first will work (unless you do a workaround).
Go to https://testexchangeconnectivity.com/ and run the Outlook Anywhere test and post the diagnostic.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 1st, 2011 3:58pm
The machine did not have an existing Outlook profile configured in the domain. When I use my machine and open Outlook on the internet it connects to Exchange just fine. I ran the Autodiscover test at https://testexchangeconnectivity.com/ and it completed successfully.
However, this behavior seems random, as I just set up a test machine, domain joined, and configured Outlook. Then I moved it to an internet connection and did Test Outlook Autoconfiguration and it still fails to determine settings, with the same log as above. However, the client will still make a connection to Exchange. I'm a bit confused.
Should I try to create a different TMG listener for Outlook Anywhere? Although I'm not sure how that would work, because I would need it to listen on the same IP/port as the one for OWA, right?
March 1st, 2011 6:37pm
Hi Tpullins,
Sure, you are right.
I would suggest that you let the cert contain autodiscover.domain.com, and follow the doc to publish the Autodiscover service for Outlook Anywhere.
Some information for you:
http://technet.microsoft.com/en-us/library/bb124251.aspx
As far as I know, the Lync server would also use it.
Regards!
Gavin
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 2nd, 2011 10:29pm
I honestly don't think it's a cert issue. I think it's an authentication issue at this point.
Is it supported to use the same listener for my Outlook Anywhere rule as the OWA rule? That is how I'm currently doing it, and I have Forms-Based Authentication on my listener. However, I've seen guides from people that recommend using HTTP Basic authentication on a separate listener for Outlook Anywhere/EWS/Autodiscover.
I would also like to direct you to my thread here on the Lync forums:
http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/232ff25f-8b66-47ea-b9ea-033185ef7afc
March 2nd, 2011 10:38pm
Hi tpullins,
I hope you have done some research from the above link I referred to.
As far as I know, depending on whether you've configured the Autodiscover service on a separate site, the Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml.
But, per your description:
"Autodiscover to https://mail.domain.com/autodiscover/autodiscover.xml starting"
So they are different; I would suggest that you follow the doc.
Or you could run some tests to confirm which is right.
Regards!
Gavin
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 3rd, 2011 12:52am
Yes, ours is https://mail.domain.com/autodiscover/autodiscover.xml so I suppose using another listener would not work.
I think it's just a matter of finding an authentication method on TMG that will work for both OWA and Autodiscover with Lync.
March 3rd, 2011 11:34am
Hi tpullins,
As far as I know, Outlook Anywhere would automatically detect and use https://domain.com/autodiscover/autodiscover.xml, not https://mail.domain.com/autodiscover/autodiscover.xml.
Was domain.com contained in the cert?
For how to set the authentication method, we could follow the doc. Good luck.
Regards!
Gavin
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 3rd, 2011 8:42pm
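The two posts above disagree about which Autodiscover hostnames a client tries and whether the certificate covers them. This added example (not from the thread or from any Microsoft tool) builds the direct HTTPS Autodiscover endpoints for an SMTP address in the documented order and checks each against a constructed SAN list, using exact or single-label wildcard matching; the HTTP-redirect and SRV fallbacks are out of scope here.

```python
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def candidate_urls(smtp_address):
    """Direct HTTPS endpoints Outlook tries, in order, for an SMTP address."""
    domain = smtp_address.rsplit("@", 1)[-1].lower()
    return [
        "https://%s%s" % (domain, AUTODISCOVER_PATH),
        "https://autodiscover.%s%s" % (domain, AUTODISCOVER_PATH),
    ]


def name_matches(pattern, host):
    """Certificate name matching: exact, or one wildcard in the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        left, rest = host.split(".", 1)
        return left != "" and rest == pattern[2:]
    return False


def check_coverage(smtp_address, cert_names):
    """Map each candidate URL to whether some cert name covers its hostname."""
    result = {}
    for url in candidate_urls(smtp_address):
        host = urlparse(url).hostname
        result[url] = any(name_matches(n, host) for n in cert_names)
    return result


# Constructed sample mirroring the thread: the cert carries mail.domain.com
# but neither domain.com nor autodiscover.domain.com.
SAMPLE_CERT_NAMES = ["mail.domain.com"]

if __name__ == "__main__":
    for url, ok in check_coverage("user@domain.com", SAMPLE_CERT_NAMES).items():
        print("covered    " if ok else "NOT covered", url)
```

A URL reported as NOT covered fails TLS name validation before any TMG authentication is reached, so the client moves on to the next method regardless of the listener's settings.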
It tries several different methods, even with https://mail.domain.com/autodiscover/autodiscover.xml which works fine. But ultimately I think there is a security problem on TMG.
March 4th, 2011 3:42pm