Log on to Forefront TMG 2010 server using admin credential. Open Forefront TMG Management from start menu. Expand Forefront TMG>Firewall Policy>Select Tasks>Click Publish Exchange web client access.
Click New button to add Exchange Farm i.e. Exchange CAS servers you have installed.
Click yes to accept changes you made.
In this step you will be adding Exchange web listener or CAS servers.
Select an web server certificate you have installed before hand.
Important! You have to install web server certificate before you proceed adding publishing rule.
Publishing Mail Server
Expand Forefront TMG>Select Firewall Policy>Select Tasks>Click Publish Mail Servers
Share this 
Blog by Raihan Al-Beruni 
Pingback: How to configure Exchange 2010 Client Access Server (CAS) Role « Information Technology Blog
Pingback: How to configure Exchange 2010 Hub Transport (HT) Server « Information Technology Blog
Hi Raihan. I don’t know how to install web server certificate as you said (“Important! You have to install web server certificate before you proceed adding publishing rule.”). I have 3 servers: one ADDS, one Hub/Cas/Mbx server and one Edge/TMG server. So i must install CA service on Edge/TMG server or Hub/Cas/Mbx server? I use Certificate snap-in in MMC, (Computer account) in Hub/Cas/Mbx server but i can’t find request new certificate function as link http://www.isaserver.org/img/upl/image0041249305239309.jpg
LikeLike
You need a web cert installed in CAS server. You dont need to install CA service in TMG/Edge. You must have a Enterprise root CA in your internal network. If you dont have a Enterprise root CA in your internal network. You have to install CA in any member server or in ADDS (your situation) of internal network. Once installed and authorize to enroll certificate using CA management console from administrative tools. Then you will request for web and computer certificate for TMG and CAS using MMC snap-in. Then You will be able to enrol.
Important! Certificate Authority can not be renamed once installed.
CA Link https://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/
regards,Raihan
LikeLike
Pingback: How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide « Information Technology Blog
Hi Raihan,
Thanks for sharing you knowledge, I really appreciate it.
I was wondering if I could use a thrid party firewall such as fortinet or cisco ASA as a front-end firewall (1 interface connecting to internet router and 2nd interface connecting to DMZ switch) and Forefront TMG as a back-end firewall (1 interface connecting to the DMZ switch and the 2nd interface connecting to Internal switch).
In the DMZ I would have a Web Server (IIS) and an Exchange Client Access Server additional to the Forefront TMG server.
I want to allow 80, 443 & 25 ports inbound from the third party firewall and allow AD, SQL & Exchange ports inbound (through to internal network)
Will this network layout work? Or should i use the 3-leg layout? The reason I want to use a third party firewall is because of the theory “your external and internal firewall should always be different make”
Thanks in advance.
Cheers,
Milind
LikeLike
Milind,
I am starting from last line of your query. I don’t disagree or agree with your external and internal firewall should always be different make. It depends on Sys Admin how they configure firewall. From a good firewall prospect, your design is ok. I would happy to use TMG in both ends. You may also create separate VLANs for DMZ, external and internal. Make sure you block everything first and allow one by one. Two tier firewall is always good. 3-leg is ok but not good when you want tighter security.
Regards,
Raihan
LikeLike
Pingback: How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step | MicrosoftGURU
Hello Raihan,
I installed Forefront TMLG on a single network topology. Everything is working fine as far as filtering is concerned. However, I’m having one issue concerning igoogle website.
I have prevented webmail and social network access in general such as yahoomail; gmail; facebook; etc…
If a user wants to access directly throught his/her browser to gmail; facebook the access is refused. But through igoogle which url is wwww.google.fr/ig, users can access to gmail when they add gmail widget. I tried to add facebook, twitter, yahoomail widgets, I realise they are blocked. But gmail widget is not and users can access gmail through it.
The problem is that I cannot refuse the access to wwww.google.fr/ig otherwise google.fr would be refused as well.
My question is do you know any means to prevent gmail widgets with Firefront TMG?
The weird thing is that facebook; twitter and yahoo mail are refuser whereas gmail is allowed despite it is categorized as a webmail which is prevented in our rules.
Thanks again for your help.
Best regards,
Amrai
LikeLike
hi raihan
already configure as you discribe on the blog
but i’m still got this error
”
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) “
LikeLike
use https not http.
Further info http://support.microsoft.com/kb/947124/en-us
Is it internal or external users. Allow appropriate group to browse OWA.
LikeLike
Dear Raihan,
I want to know if BlackBerry Internet Service (BIS) works with Exchange 2010 that has OWA published through TMG, while Form based authentication is enabled on the internal Exchange 2010 CAS Server.
Thank You.
LikeLike
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB02858
http://supportforums.blackberry.com/t5/BlackBerry-Internet-Service/A-Guide-to-Getting-Forms-Based-Authentication-to-Work-with-BIS/m-p/456988
This two url will be help for you.
LikeLike
hi Raihan,
i have an issue regrading mail access using pop3 connection,i have been told by implementation team that secure port 995 has been disable at firewall,
so i tried with 110 port,but i am unable to access using these port,i can able to telnet port 110.
when i configure outlook for pop connection i am getting error as “unable to find incoming server”
Our Exchange Scenario
On a single Domain
2 Cas-hub,2MB
@ dmz zone we are having TMG,Edge and iron port firewall.
thz
LikeLike
Can you send and receive email internally? Do you configured HT correctly? Do you add MX record? Check all these.
LikeLike
thanks for the great Article.. was wondering how can i pulish multiple tenant org…as each access will be with certificate and i have only one SSL for my parent domain.
i did all this without TMG all worked fine.. now in new setup we introduced TMG and getting problems more then solutions.. are we doing good .. or should we remove the TMg
LikeLike
you can publish multiple secure websites different certificates, in this case you have to install web certificates into your TMG and assign that certificate for specific secure site. you can use TMG to do that.
LikeLike
Thanks Raihan, for the quick reply.. but i am wondering … as i am having only one certificate from third party CA, and we are not planning to buy certificate for each tenant for their owa access. This i did without TMG.
You said installing web certificates into TMG but who is providing this web certificate ..? and CAS only shows the default web site which is only for my parent domain . So how can i access some other tenant over WAN passing TMG.
Please suggest
LikeLike
its update you how you configure ssl certificate. you can configure SSL cert for each of the secure site you publish through TMG that means you have to install certificates into TMG to verify that web certificate exist for that site. for example
webmail.mydomain.com.au
myblog.mydomain.com.au
that means you need two certificates installed in TMG and attached with published rule for each website.
LikeLike
Dear Raihan
i have set up my network as follows :
I have setup forefront TMG 2010 in a 3-legged environment.
The internal network uses the 10.0.12.x network
The DMZ uses the 172.16.10.x network
The external is the Internet coming in via the ISP modem using the 192.168.1.x network
The TMG is joined to the internal domain.
The only server going to exist in the DMZ would be the EXCHANGE 2010 EDGE server.
The remaining exchange servers, i.e. one server for cas/hub and two servers as mailbox servers in DAG are working fine on the internal network.
I am able to use exchange, create mailboxes, send and receive email.
I have the access rules configured to allow connectivity between the DMZ and INTERNAL network .
I have setup the edge server in the DMZ network, done with the edge subscription.
From here on , I have the following doubts:
1. If i publish exchange using TMG , the internal link points to the CAS server in the internal network which is very confusing for me, as then, what is the purpose of edge server here when the external request is coming directly to the internal network ?
2. is there a way to test exchange publishing without having registered domain name and the ssl/san/ucc certificate?
I would like to know the steps required to publish the email online here onwards.
thanks
LikeLike
you can test your email internally without registering domain and mx record. However, to test email externally you must register MX and Domain name.
The purpose of Edge server is to protect you from spaming and guarding exchange CAS. Nothing to confuse. Edge Server provide similar functionality like Cisco IronPort.
LikeLike
the internal mail is working fine. I need to test this some how for external, as i have no idea about domain name registration and the san certificates that i need to purchase. the way i understand, if i dont have mx records, and if someone sends an email to me, the domain name would not get resolved so i wont receive any email. but i should be able to send out an email myself, as i have the public ips. further i cannot find any solution online to buy temporary domain name and certificates for the purpose of testing publishing. any suggestions?
LikeLike
Pingback: Configure Co-existence and Migrate Exchange 2007/2010 to Exchange 2013 Step by Step Guide | Blog by Raihan Al-Beruni