Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010


Log on to the Forefront TMG 2010 server using administrator credentials. Open Forefront TMG Management from the Start menu. Expand Forefront TMG > Firewall Policy > Tasks > Publish Exchange Web Client Access.


Click the New button to add an Exchange farm, i.e. the Exchange CAS servers you have installed.


Click Yes to accept the changes you made.


In this step you add the Exchange web listener for the CAS servers.


Select a web server certificate you have installed beforehand.


Important! You have to install the web server certificate before you proceed to add the publishing rule.
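The certificate prerequisite is easy to get wrong (no private key, wrong host name, expired, or missing the Server Authentication purpose), and TMG will not bind the listener to such a certificate. As an added example that is not part of the original post, this PowerShell snippet checks the LocalMachine\My store on the TMG (or CAS) server for a certificate usable by the web listener; the host name webmail.example.com is a placeholder for your public OWA name.

```powershell
# Added example (not from the original post): list certificates in LocalMachine\My that
# cover the OWA listener name and report whether each one is actually usable by TMG.
function Test-OwaListenerCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName)

    $now = Get-Date
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $candidates = @()

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect names from the Subject CN and from the Subject Alternative Name extension.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format($false) yields "DNS Name=a.example.com, DNS Name=b.example.com"
            $names += ($san.Format($false) -split ',\s*') |
                ForEach-Object { ($_ -split '=')[-1].Trim() }
        }
        # Exact match, or a wildcard entry such as *.example.com (loose -like match).
        $nameOk = $names | Where-Object {
            $_ -eq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_)
        }
        if (-not $nameOk) { continue }

        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

        $candidates += New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey   # listener cannot terminate SSL without the private key
            ServerAuth    = [bool]$serverAuth
            NotExpired    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            NotAfter      = $cert.NotAfter
        }
    }

    if (-not $candidates) {
        Write-Warning "No certificate for $HostName found in LocalMachine\My; install it before creating the rule."
    }
    $candidates | Format-Table Thumbprint, HasPrivateKey, ServerAuth, NotExpired, NotAfter -AutoSize
}

# Placeholder host name: replace with the public OWA name used on the web listener.
Test-OwaListenerCertificate -HostName 'webmail.example.com'
```

A row showing HasPrivateKey False usually means the certificate was imported from a .cer file rather than a .pfx, so the listener cannot use it.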

Publishing Mail Server

Expand Forefront TMG > Firewall Policy > Tasks > Publish Mail Servers.



Author: LM Publications


24 thoughts on “Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010”

  1. Hi Raihan. I don’t know how to install a web server certificate as you said (“Important! You have to install web server certificate before you proceed adding publishing rule.”). I have 3 servers: one ADDS, one Hub/Cas/Mbx server and one Edge/TMG server. So must I install the CA service on the Edge/TMG server or the Hub/Cas/Mbx server? I use the Certificates snap-in in MMC (Computer account) on the Hub/Cas/Mbx server but I can’t find the request new certificate function as in this link http://www.isaserver.org/img/upl/image0041249305239309.jpg

    1. You need a web cert installed on the CAS server. You don’t need to install the CA service on TMG/Edge. You must have an Enterprise root CA in your internal network. If you don’t have an Enterprise root CA in your internal network, you have to install a CA on any member server or on ADDS (your situation) of the internal network. Once installed, authorize to enroll certificates using the CA management console from Administrative Tools. Then you will request web and computer certificates for TMG and CAS using the MMC snap-in. Then you will be able to enrol.
      Important! A Certificate Authority cannot be renamed once installed.
      CA link: https://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/

      Regards, Raihan

  2. Hi Raihan,

    Thanks for sharing your knowledge, I really appreciate it.

    I was wondering if I could use a third-party firewall such as Fortinet or Cisco ASA as a front-end firewall (1 interface connecting to the internet router and the 2nd interface connecting to the DMZ switch) and Forefront TMG as a back-end firewall (1 interface connecting to the DMZ switch and the 2nd interface connecting to the internal switch).

    In the DMZ I would have a Web Server (IIS) and an Exchange Client Access Server in addition to the Forefront TMG server.

    I want to allow ports 80, 443 & 25 inbound from the third-party firewall and allow AD, SQL & Exchange ports inbound (through to the internal network).

    Will this network layout work? Or should I use the 3-leg layout? The reason I want to use a third-party firewall is because of the theory “your external and internal firewall should always be of a different make”.

    Thanks in advance.

    Cheers,
    Milind

    1. Milind,
      I am starting from the last line of your query. I don’t disagree or agree with “your external and internal firewall should always be of a different make”. It depends on the Sys Admin and how they configure the firewall. From a good firewall perspective, your design is OK. I would be happy to use TMG at both ends. You may also create separate VLANs for DMZ, external and internal. Make sure you block everything first and allow one by one. A two-tier firewall is always good. 3-leg is OK but not good when you want tighter security.
      https://araihan.wordpress.com/2010/06/17/how-to-configure-back-to-back-firewall-with-perimeter-dmz-topology-step-by-step-guide/

      Regards,
      Raihan

  3. Hello Raihan,

    I installed Forefront TMG on a single network topology. Everything is working fine as far as filtering is concerned. However, I’m having one issue concerning the iGoogle website.
    I have prevented webmail and social network access in general, such as Yahoo Mail, Gmail, Facebook, etc.
    If a user wants to access Gmail or Facebook directly through his/her browser, the access is refused. But through iGoogle, whose URL is wwww.google.fr/ig, users can access Gmail when they add the Gmail widget. I tried to add the Facebook, Twitter and Yahoo Mail widgets, and I realise they are blocked. But the Gmail widget is not, and users can access Gmail through it.

    The problem is that I cannot refuse access to wwww.google.fr/ig, otherwise google.fr would be refused as well.

    My question is: do you know any means to prevent Gmail widgets with Forefront TMG?

    The weird thing is that Facebook, Twitter and Yahoo Mail are refused whereas Gmail is allowed despite being categorized as webmail, which is prevented in our rules.

    Thanks again for your help.

    Best regards,

    Amrai

  4. Hi Raihan,
    I already configured it as you describe on the blog,
    but I’m still getting this error:

    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) “

  5. Dear Raihan,

    I want to know if BlackBerry Internet Service (BIS) works with Exchange 2010 that has OWA published through TMG, while forms-based authentication is enabled on the internal Exchange 2010 CAS server.

    Thank You.

  6. hi Raihan,
    I have an issue regarding mail access using a POP3 connection. I have been told by the implementation team that secure port 995 has been disabled at the firewall,
    so I tried with port 110, but I am unable to access using this port; I am able to telnet to port 110.
    When I configure Outlook for a POP connection I am getting the error “unable to find incoming server”.

    Our Exchange scenario:
    On a single domain
    2 CAS-Hub, 2 MB
    In the DMZ zone we have TMG, Edge and an IronPort firewall.

    Thanks

  7. Thanks for the great article. I was wondering how I can publish multiple tenant orgs, as each access will be with a certificate and I have only one SSL certificate for my parent domain.
    I did all this without TMG and all worked fine. Now in the new setup we introduced TMG and are getting more problems than solutions. Are we doing good, or should we remove the TMG?

    1. You can publish multiple secure websites with different certificates. In this case you have to install the web certificates into your TMG and assign each certificate to its specific secure site. You can use TMG to do that.

  8. Thanks Raihan, for the quick reply. But I am wondering, as I have only one certificate from a third-party CA, and we are not planning to buy a certificate for each tenant for their OWA access. This I did without TMG.
    You said to install web certificates into TMG, but who is providing this web certificate? And CAS only shows the default web site, which is only for my parent domain. So how can I access some other tenant over the WAN passing through TMG?
    Please suggest.

    1. It’s up to you how you configure the SSL certificate. You can configure an SSL cert for each of the secure sites you publish through TMG; that means you have to install certificates into TMG to verify that a web certificate exists for that site. For example:
      webmail.mydomain.com.au
      myblog.mydomain.com.au

      That means you need two certificates installed in TMG and attached to the publishing rule for each website.

  9. Dear Raihan

    I have set up my network as follows:

    I have set up Forefront TMG 2010 in a 3-legged environment.

    The internal network uses the 10.0.12.x network

    The DMZ uses the 172.16.10.x network

    The external is the Internet coming in via the ISP modem using the 192.168.1.x network

    The TMG is joined to the internal domain.

    The only server going to exist in the DMZ would be the EXCHANGE 2010 EDGE server.

    The remaining exchange servers, i.e. one server for cas/hub and two servers as mailbox servers in DAG are working fine on the internal network.

    I am able to use exchange, create mailboxes, send and receive email.

    I have the access rules configured to allow connectivity between the DMZ and INTERNAL network.
    I have set up the Edge server in the DMZ network and completed the Edge subscription.
    From here on, I have the following doubts:
    1. If I publish Exchange using TMG, the internal link points to the CAS server in the internal network, which is very confusing for me, as then what is the purpose of the Edge server here when the external request is coming directly to the internal network?
    2. Is there a way to test Exchange publishing without having a registered domain name and the SSL/SAN/UCC certificate?
    I would like to know the steps required to publish the email online from here onwards.

    Thanks

    1. You can test your email internally without registering a domain and MX record. However, to test email externally you must register an MX record and domain name.
      The purpose of the Edge server is to protect you from spamming and to guard the Exchange CAS. Nothing to be confused about. The Edge Server provides similar functionality to Cisco IronPort.

      1. The internal mail is working fine. I need to test this somehow for external, as I have no idea about domain name registration and the SAN certificates that I need to purchase. The way I understand it, if I don’t have MX records and someone sends an email to me, the domain name would not get resolved, so I won’t receive any email. But I should be able to send out an email myself, as I have the public IPs. Further, I cannot find any solution online to buy a temporary domain name and certificates for the purpose of testing publishing. Any suggestions?
