Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Log on to the Forefront TMG 2010 server using administrative credentials. Open Forefront TMG Management from the Start menu. Expand Forefront TMG > Firewall Policy > Tasks > Publish Exchange Web Client Access.

[Screenshots 1-7: Exchange Web Client Access Publishing Rule wizard]

Click the New button to add an Exchange farm, i.e. the Exchange CAS servers you have installed.

[Screenshots 8-11: adding the Exchange CAS server farm]

Click Yes to accept the changes you made.

[Screenshots 12-14]

In this step you will add the web listener for the Exchange CAS servers.

[Screenshots 15-17: web listener settings]

Select a web server certificate that you installed beforehand.

[Screenshots 18-22 and 24-26: certificate selection and remaining wizard pages]


Important! You must install the web server certificate on the TMG server before you add the publishing rule; the listener cannot terminate HTTPS without a certificate that has its private key.
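The following PowerShell check is an added example, not part of the original post. It runs on the TMG server and confirms that a certificate usable for the web listener exists in the computer's Personal store before you open the wizard: it looks for a certificate whose CN or SAN matches the public OWA name, then checks the private key, the Server Authentication EKU, the expiry date, and whether the chain validates on this host. The host name mail.example.com is a placeholder; replace it with your published name.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Forefront TMG server. 'mail.example.com' is a placeholder.
function Test-TmgWebListenerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$PublicName,                       # public OWA host name (placeholder)
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [int]$MinDaysRemaining = 30
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'          # Server Authentication EKU
    $sanOid        = '2.5.29.17'                  # Subject Alternative Name
    $now           = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = New-Object System.Collections.Generic.List[string]

        # Gather every DNS name the certificate covers: CN plus SAN entries.
        $names = @()
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn) { $names += $cn }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($san) {
            # Format() yields "DNS Name=host1, DNS Name=host2" on Windows.
            $names += @(($san.Format($false) -split ',\s*') |
                ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
        }

        # Exact match, or a wildcard entry such as *.example.com that covers the name.
        $nameMatch = $names | Where-Object {
            $_ -ieq $PublicName -or ($_.StartsWith('*.') -and $PublicName -ilike $_)
        }
        if (-not $nameMatch) { continue }          # not a candidate for this listener

        if (-not $cert.HasPrivateKey) {
            $problems.Add('no private key (TMG cannot terminate SSL without it)')
        }

        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
            $problems.Add('Server Authentication EKU missing')
        }

        if ($cert.NotAfter -lt $now) {
            $problems.Add("expired on $($cert.NotAfter)")
        } elseif ($cert.NotAfter -lt $now.AddDays($MinDaysRemaining)) {
            $problems.Add("expires within $MinDaysRemaining days ($($cert.NotAfter))")
        }

        # The issuing chain must validate on the TMG host itself, otherwise the
        # listener binds but clients see an untrusted-issuer error.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems.Add("chain does not validate on this host: $status")
        }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Usage (placeholder host name). No output means no certificate covers the name.
Test-TmgWebListenerCertificate -PublicName 'mail.example.com' | Format-List
```

If the function returns nothing, no certificate in LocalMachine\My matches the public name and the wizard's certificate drop-down will be empty; if it returns an object with Usable set to False, the Problems field tells you which prerequisite (private key, EKU, expiry or chain trust) to fix before continuing.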

Publishing Mail Server

Expand Forefront TMG > Firewall Policy > Tasks > Publish Mail Servers.


[Screenshots 28-32: Mail Server Publishing Rule wizard]



24 thoughts on “Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010”

  1. Pingback: How to configure Exchange 2010 Client Access Server (CAS) Role « Information Technology Blog

  2. Pingback: How to configure Exchange 2010 Hub Transport (HT) Server « Information Technology Blog

  3. Hi Raihan. I don’t know how to install the web server certificate as you said (“Important! You have to install web server certificate before you proceed adding publishing rule.”). I have 3 servers: one ADDS, one Hub/Cas/Mbx server and one Edge/TMG server. So must I install the CA service on the Edge/TMG server or the Hub/Cas/Mbx server? I use the Certificates snap-in in MMC (Computer account) on the Hub/Cas/Mbx server but I can’t find the request new certificate function as link


    • You need a web cert installed on the CAS server. You don’t need to install the CA service on TMG/Edge. You must have an Enterprise root CA in your internal network. If you don’t have an Enterprise root CA in your internal network, you have to install a CA on any member server or on ADDS (your situation) in the internal network. Once installed, authorize certificate enrollment using the CA management console from Administrative Tools. Then you will request web and computer certificates for TMG and CAS using the MMC snap-in. Then you will be able to enroll.
      Important! Certificate Authority can not be renamed once installed.
      CA Link



  4. Pingback: How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide « Information Technology Blog

  5. Hi Raihan,

    Thanks for sharing you knowledge, I really appreciate it.

    I was wondering if I could use a third party firewall such as Fortinet or Cisco ASA as a front-end firewall (1 interface connecting to the internet router and a 2nd interface connecting to the DMZ switch) and Forefront TMG as a back-end firewall (1 interface connecting to the DMZ switch and the 2nd interface connecting to the internal switch).

    In the DMZ I would have a Web Server (IIS) and an Exchange Client Access Server additional to the Forefront TMG server.

    I want to allow 80, 443 & 25 ports inbound from the third party firewall and allow AD, SQL & Exchange ports inbound (through to internal network)

    Will this network layout work? Or should I use the 3-leg layout? The reason I want to use a third party firewall is because of the theory “your external and internal firewall should always be of a different make”.

    Thanks in advance.



  6. Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU

  7. Hello Raihan,

    I installed Forefront TMG on a single network topology. Everything is working fine as far as filtering is concerned. However, I’m having one issue concerning the igoogle website.
    I have prevented webmail and social network access in general, such as yahoomail, gmail, facebook, etc…
    If a user wants to access gmail or facebook directly through his/her browser, the access is refused. But through igoogle, whose url is, users can access gmail when they add the gmail widget. I tried to add the facebook, twitter and yahoomail widgets and I realise they are blocked. But the gmail widget is not, and users can access gmail through it.

    The problem is that I cannot refuse the access to otherwise would be refused as well.

    My question is: do you know any means to prevent gmail widgets with Forefront TMG?

    The weird thing is that facebook, twitter and yahoo mail are refused whereas gmail is allowed despite being categorized as webmail, which is prevented in our rules.

    Thanks again for your help.

    Best regards,



  8. Hi Raihan,
    I already configured it as you describe on the blog,
    but I’m still getting this error:

    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


  9. Dear Raihan,

    I want to know if BlackBerry Internet Service (BIS) works with Exchange 2010 that has OWA published through TMG, while Form based authentication is enabled on the internal Exchange 2010 CAS Server.

    Thank You.


  10. Hi Raihan,
    I have an issue regarding mail access using a POP3 connection. I have been told by the implementation team that secure port 995 has been disabled at the firewall,
    so I tried with port 110, but I am unable to access using this port; I am able to telnet to port 110.
    When I configure Outlook for a POP connection I get the error “unable to find incoming server”.

    Our Exchange Scenario
    On a single Domain
    2 Cas-hub,2MB
    @ dmz zone we are having TMG,Edge and iron port firewall.



  11. Thanks for the great article. I was wondering how I can publish multiple tenant orgs, as each access will be with a certificate and I have only one SSL certificate for my parent domain.
    I did all this without TMG and all worked fine. Now in the new setup we introduced TMG and are getting more problems than solutions. Are we doing well, or should we remove the TMG?


    • You can publish multiple secure websites with different certificates. In this case you have to install the web certificates into your TMG and assign each certificate to the specific secure site. You can use TMG to do that.


  12. Thanks Raihan, for the quick reply. But I am wondering, as I have only one certificate from a third party CA, and we are not planning to buy a certificate for each tenant for their OWA access. This I did without TMG.
    You said to install web certificates into TMG, but who is providing this web certificate? And CAS only shows the default web site, which is only for my parent domain. So how can I access some other tenant over the WAN passing through TMG?
    Please suggest.


    • It’s up to you how you configure the SSL certificate. You can configure an SSL cert for each of the secure sites you publish through TMG; that means you have to install the certificates into TMG to verify that a web certificate exists for that site. For example

      That means you need two certificates installed in TMG and attached to the publishing rule for each website.


  13. Dear Raihan

    I have set up my network as follows:

    I have setup forefront TMG 2010 in a 3-legged environment.

    The internal network uses the 10.0.12.x network

    The DMZ uses the 172.16.10.x network

    The external is the Internet coming in via the ISP modem using the 192.168.1.x network

    The TMG is joined to the internal domain.

    The only server going to exist in the DMZ would be the EXCHANGE 2010 EDGE server.

    The remaining exchange servers, i.e. one server for cas/hub and two servers as mailbox servers in DAG are working fine on the internal network.

    I am able to use exchange, create mailboxes, send and receive email.

    I have the access rules configured to allow connectivity between the DMZ and INTERNAL network.
    I have set up the edge server in the DMZ network and done the edge subscription.
    From here on, I have the following doubts:
    1. If I publish Exchange using TMG, the internal link points to the CAS server in the internal network, which is very confusing for me, as then what is the purpose of the edge server here when the external request is coming directly to the internal network?
    2. Is there a way to test Exchange publishing without having a registered domain name and the SSL/SAN/UCC certificate?
    I would like to know the steps required to publish the email online from here onwards.



    • You can test your email internally without registering a domain and MX record. However, to test email externally you must register an MX record and domain name.
      The purpose of the Edge server is to protect you from spamming and to guard the Exchange CAS. Nothing to be confused about. The Edge Server provides similar functionality to Cisco IronPort.


      • The internal mail is working fine. I need to test this somehow for external, as I have no idea about domain name registration and the SAN certificates that I need to purchase. The way I understand it, if I don’t have MX records and someone sends an email to me, the domain name would not get resolved, so I won’t receive any email. But I should be able to send out an email myself, as I have the public IPs. Further, I cannot find any solution online to buy a temporary domain name and certificates for the purpose of testing publishing. Any suggestions?


  14. Pingback: Configure Co-existence and Migrate Exchange 2007/2010 to Exchange 2013 Step by Step Guide | Blog by Raihan Al-Beruni
