Log on to the Forefront TMG 2010 server using admin credentials. Open Forefront TMG Management from the Start menu. Expand Forefront TMG > Firewall Policy > select Tasks > click Publish Exchange Web Client Access.
Click the New button to add an Exchange farm, i.e. the Exchange CAS servers you have installed.
Click Yes to accept the changes you made.
In this step you will be adding the Exchange web listener for the CAS servers.
Select a web server certificate you have installed beforehand.
Important! You must install the web server certificate before you proceed to add the publishing rule.
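The certificate prerequisite above is the step that most often fails silently: the listener needs a certificate in the local machine store that has its private key, is within its validity period, carries the Server Authentication usage, names the published OWA host and chains to a CA the server trusts. The following PowerShell function is an added example (not part of the original post) that checks those conditions on a CAS or on the TMG server itself; the function name and the hostname webmail.example.com are placeholders to adjust to your environment.

```powershell
# Added example, not part of the original post: verify that a usable web server
# certificate is present in the local machine store before creating the TMG rule.
# Run it on the CAS (and on the TMG server, where the listener needs the same
# certificate with its private key). The hostname is a placeholder.
function Test-OwaListenerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PublishedHost    # the public OWA name, e.g. webmail.example.com (placeholder)
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $sanOid        = '2.5.29.17'           # Subject Alternative Name
    $now           = Get-Date

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # .NET exposes the EKU extension as a typed object; SAN must be parsed from text
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $false
        if ($ekuExt) {
            $hasServerAuth = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
        }

        $sanNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($sanExt) {
            $sanNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        $cn = ''
        if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1] }

        # -like lets a wildcard name such as *.example.com match the published host
        $nameOk = (@($sanNames | Where-Object { $PublishedHost -like $_ }).Count -gt 0) -or
                  ($cn -ne '' -and $PublishedHost -like $cn)

        # Trust check only (no revocation lookup), so it also works on an isolated network
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        $inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SanNames      = ($sanNames -join ', ')
            HasPrivateKey = $cert.HasPrivateKey
            InDate        = $inDate
            ServerAuth    = $hasServerAuth
            NameMatches   = $nameOk
            ChainTrusted  = $chainOk
            ReadyForTmg   = ($cert.HasPrivateKey -and $inDate -and $hasServerAuth -and $nameOk -and $chainOk)
        }
    }
}

# Usage (hostname is a placeholder): list only certificates that satisfy every check
Test-OwaListenerCertificate -PublishedHost 'webmail.example.com' |
    Where-Object { $_.ReadyForTmg } | Format-List
```

If nothing comes back with ReadyForTmg set, the individual columns show which requirement is missing; a certificate without a private key (a .cer imported instead of a .pfx) and a name mismatch are the two cases that produce the certificate warning in the publishing wizard. The check deliberately skips revocation so it does not depend on CRL reachability from the DMZ.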
Publishing Mail Server
Expand Forefront TMG > select Firewall Policy > select Tasks > click Publish Mail Servers.
Information Technology Blog By Raihan Al-Beruni
Hi Raihan. I don’t know how to install the web server certificate as you said (“Important! You have to install web server certificate before you proceed adding publishing rule.”). I have 3 servers: one ADDS, one Hub/CAS/MBX server and one Edge/TMG server. So must I install the CA service on the Edge/TMG server or on the Hub/CAS/MBX server? I use the Certificates snap-in in MMC (Computer account) on the Hub/CAS/MBX server but I can’t find the Request New Certificate function as in the link http://www.isaserver.org/img/upl/image0041249305239309.jpg
You need a web cert installed on the CAS server. You don’t need to install the CA service on TMG/Edge. You must have an Enterprise root CA in your internal network. If you don’t have an Enterprise root CA in your internal network, you have to install a CA on any member server or on the ADDS server (your situation) in the internal network. Once installed, authorize it to enroll certificates using the CA management console from Administrative Tools. Then request web and computer certificates for TMG and CAS using the MMC snap-in. Then you will be able to enrol.
Important! A Certificate Authority cannot be renamed once installed.
CA link: http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/
Regards, Raihan
Hi Raihan,
Thanks for sharing your knowledge, I really appreciate it.
I was wondering if I could use a third-party firewall such as Fortinet or Cisco ASA as a front-end firewall (1 interface connecting to the internet router and a 2nd interface connecting to the DMZ switch) and Forefront TMG as a back-end firewall (1 interface connecting to the DMZ switch and the 2nd interface connecting to the internal switch).
In the DMZ I would have a web server (IIS) and an Exchange Client Access Server in addition to the Forefront TMG server.
I want to allow ports 80, 443 & 25 inbound from the third-party firewall and allow AD, SQL & Exchange ports inbound (through to the internal network).
Will this network layout work? Or should I use the 3-leg layout? The reason I want to use a third-party firewall is the theory “your external and internal firewall should always be a different make”.
Thanks in advance.
Cheers,
Milind
Milind,
I am starting from the last line of your query. I don’t disagree or agree with “your external and internal firewall should always be a different make”. It depends on the sys admin and how they configure the firewall. From a good firewall perspective, your design is OK. I would be happy to use TMG at both ends. You may also create separate VLANs for DMZ, external and internal. Make sure you block everything first and allow one by one. A two-tier firewall is always good. 3-leg is OK but not good when you want tighter security.
http://araihan.wordpress.com/2010/06/17/how-to-configure-back-to-back-firewall-with-perimeter-dmz-topology-step-by-step-guide/
Regards,
Raihan
Hello Raihan,
I installed Forefront TMG in a single network topology. Everything is working fine as far as filtering is concerned. However, I’m having one issue concerning the iGoogle website.
I have prevented webmail and social network access in general, such as Yahoo Mail, Gmail, Facebook, etc.
If a user wants to access Gmail or Facebook directly through his/her browser, the access is refused. But through iGoogle, whose URL is www.google.fr/ig, users can access Gmail when they add the Gmail widget. I tried to add the Facebook, Twitter and Yahoo Mail widgets, and I realised they are blocked. But the Gmail widget is not, and users can access Gmail through it.
The problem is that I cannot refuse access to www.google.fr/ig, otherwise google.fr would be refused as well.
My question is: do you know any means to prevent Gmail widgets with Forefront TMG?
The weird thing is that Facebook, Twitter and Yahoo Mail are refused whereas Gmail is allowed, despite it being categorized as webmail, which is prevented in our rules.
Thanks again for your help.
Best regards,
Amrai
Hi Raihan,
I already configured it as you describe on the blog,
but I still get this error:
“Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)”
Use https, not http.
Further info: http://support.microsoft.com/kb/947124/en-us
Are they internal or external users? Allow the appropriate group to browse OWA.
Dear Raihan,
I want to know if BlackBerry Internet Service (BIS) works with Exchange 2010 that has OWA published through TMG, while forms-based authentication is enabled on the internal Exchange 2010 CAS server.
Thank You.
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB02858
http://supportforums.blackberry.com/t5/BlackBerry-Internet-Service/A-Guide-to-Getting-Forms-Based-Authentication-to-Work-with-BIS/m-p/456988
These two URLs will help you.
Hi Raihan,
I have an issue regarding mail access using a POP3 connection. I have been told by the implementation team that secure port 995 has been disabled at the firewall,
so I tried with port 110, but I am unable to access using this port; I am able to telnet to port 110.
When I configure Outlook for a POP connection I get the error “unable to find incoming server”.
Our Exchange scenario:
On a single domain
2 CAS-Hub, 2 MB
In the DMZ zone we have TMG, Edge and an IronPort firewall.
Thanks
Can you send and receive email internally? Did you configure HT correctly? Did you add an MX record? Check all these.
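A successful telnet to port 110, as in the question above, only proves that the TCP handshake completes; it does not prove that the POP3 service behind TMG answers. The following PowerShell is an added example, not code from the original post or its comments: it opens the connection with a timeout, reads the server greeting (a working POP3 service sends "+OK" before the client says anything), optionally wraps the session in TLS for port 995, and lists the MX hosts that Raihan’s reply asks about. The function names and mail.example.com / example.com are placeholders.

```powershell
# Added example, not part of the original post or its comments: confirm that the
# POP3 service answers through the firewall, rather than only that the TCP port
# opens. Server and domain names are placeholders.
function Test-Pop3Greeting {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 110,
        [switch]$UseTls,            # use with -Port 995 for POP3 over SSL/TLS
        [int]$TimeoutMs = 5000
    )

    $result = New-Object PSObject -Property @{
        Server = $Server; Port = $Port; TcpOpen = $false; Greeting = $null; ServiceOk = $false
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # connect with a timeout so a silently dropped packet does not hang the check
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Greeting = 'connect timed out (filtered or no route)'
            return $result
        }
        $client.EndConnect($async)
        $result.TcpOpen = $true

        $stream = $client.GetStream()
        if ($UseTls) {
            $ssl = New-Object System.Net.Security.SslStream($stream, $false)
            $ssl.AuthenticateAsClient($Server)     # fails if the certificate name or chain is wrong
            $stream = $ssl
        }
        $stream.ReadTimeout = $TimeoutMs

        # A working POP3 server speaks first: "+OK ..." before the client sends anything
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.AutoFlush = $true
        $result.Greeting  = $reader.ReadLine()
        $result.ServiceOk = ($result.Greeting -like '+OK*')
        $writer.WriteLine('QUIT')                  # end the session cleanly
        return $result
    } catch {
        $result.Greeting = $_.Exception.Message
        return $result
    } finally {
        $client.Close()
    }
}

# MX records for the domain, parsed from the output of the built-in nslookup tool
function Get-MxHosts {
    param([Parameter(Mandatory = $true)][string]$Domain)
    nslookup -type=MX $Domain 2>$null |
        Select-String 'mail exchanger = (\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

# Usage (placeholders): plain POP3, POP3 over TLS, then the domain's MX hosts
Test-Pop3Greeting -Server 'mail.example.com' -Port 110 | Format-List
Test-Pop3Greeting -Server 'mail.example.com' -Port 995 -UseTls | Format-List
Get-MxHosts -Domain 'example.com'
```

TcpOpen true with an empty or non-"+OK" greeting points at a listener that accepts connections but no POP3 service behind it (a rule on TMG with no server, or the POP3 service stopped on the CAS); TcpOpen false with a timeout points at filtering. Note that port 110 without TLS carries the mailbox password in clear text across the perimeter, which is the reason 995 is normally the port published.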
Thanks for the great article. I was wondering how I can publish multiple tenant orgs, as each access will be with a certificate and I have only one SSL certificate for my parent domain.
I did all this without TMG and all worked fine. Now in the new setup we introduced TMG and are getting more problems than solutions. Are we doing good, or should we remove the TMG?
You can publish multiple secure websites with different certificates; in this case you have to install the web certificates into your TMG and assign that certificate to the specific secure site. You can use TMG to do that.
Thanks Raihan, for the quick reply, but I am wondering, as I have only one certificate from a third-party CA, and we are not planning to buy a certificate for each tenant for their OWA access. This I did without TMG.
You said to install web certificates into TMG, but who is providing this web certificate? And CAS only shows the default website, which is only for my parent domain. So how can I access some other tenant over the WAN passing through TMG?
Please suggest.
It’s up to you how you configure the SSL certificate. You can configure an SSL cert for each of the secure sites you publish through TMG; that means you have to install the certificates into TMG to verify that the web certificate exists for that site. For example:
webmail.mydomain.com.au
myblog.mydomain.com.au
That means you need two certificates installed in TMG and attached to the publishing rule for each website.