Exchange Server Forums

How can I publish Outlook Anywhere via TMG in an Exchange 2010/2013 Co-existence scenario?
How can I publish Outlook Anywhere via TMG in an Exchan... - 28.Aug.2013 9:47:26 AM   
tbennett300

 

Posts: 12
Joined: 9.Jun.2009
Status: offline
Hi,

I have a lab deployment of Exchange 2010, 2013, and TMG 2010, and I'm trying to publish email services to the Internet. I have experience of doing this in the past via ISA 2006, but I'm having lots of trouble doing the same via Exchange 2013/TMG 2010.

First off, let me explain my setup:
• 2 x Exchange 2010 Mailbox servers in a DAG
• 1 x server sharing the 2010 hub/CAS role
• 2 x Exchange 2013 mailbox servers in a DAG
• 1 x Exchange 2013 CAS server
• 1 x TMG 2010 server
• 2 x Windows 7 internal test clients (Outlook 2010 & 2013 - domain joined)
• 2 x Windows 7 external test clients (Outlook 2010 & 2013 - non-domain joined)

I'm using Hyper-V for this with multiple networks, specifically I've got 'internal' servers on the 192.168.5.0 range (VLAN5) and external clients on the 192.168.2.0 range (VLAN2).

The TMG server has 4 interfaces:
• VLAN5 for internal traffic
• VLAN2 for FBA listener
• VLAN2 for HTTPS listener
• VLAN2 for HTTP Only listener

I have managed to publish the following services correctly:
• OWA 2010 for an external user (via TMG, proxied via 2013 CAS)
• OWA 2013 for an external user (via TMG)
• Outlook Anywhere for an external 2013 mailbox user (via TMG)

I'm having difficulty with Outlook Anywhere for an external 2010 mailbox user, and for all internal Outlook Anywhere users, irrespective of whether they are 2010 or 2013 mailbox users. My understanding is that the 2013 CAS acts as a proxy to the client, and makes the connection to the 2010 CAS on the client's behalf, rather than redirecting the client for a direct connection to the 2010 CAS (is this correct?).

I've set my internal URLs using the exchange14.local domain name (as this is the AD namespace), so for example:
• mail.exchange14.local/autodiscover/autodiscover.xml
• mail.exchange14.local/ews/exchange.asmx

Where there are internal URL and external URL values available, I have used the exchange14.local domain internally, and the externaltest.net namespace for mocked up external connectivity via VLAN2.

When I try to connect an 'external' client on VLAN2 to a 2010 mailbox, I get the following message from Outlook 2010:

"Cannot open your default e-mail folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)".

I've checked out the following articles:

http://www.ntsystems.it/post/Migrating-from-Exchange-2010-to-2013-part-2.aspx (this is part 2, but I have checked parts 1, 3, and 4 via this link)

http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations.aspx

I've also gone through the deployment assistant from Microsoft located here:

http://technet.microsoft.com/en-us/exchange/jj657516.aspx

Mostly these articles say that NTLM should be enabled internally for 2010, which I've done, but I just can't connect from an external client. I can't use the Remote Connectivity Analyzer because it's not a publicly resolvable setup, so I'm tearing my hair out a bit.

This is just a lab (a freshly built one, with no historic configuration hangovers), so it can be modified as necessary.

I am using an FBA listener in TMG with a single Outlook Anywhere rule pointing off to a server farm containing the single 2013 CAS server, using Basic auth.

URLs and auth methods are as follows in Exchange:

From Get-OutlookAnywhere:

ServerName: CAS13-3 (2013 CAS)
ExternalHostname: mail.externaltest.net
InternalClientAuthenticationMethod: Negotiate
ExternalClientAuthenticationMethod: Basic
IISAuthenticationMethods: Basic, NTLM

ServerName: MSX2010-1 (2010 Mailbox)
ExternalHostname: mail.exchange14.local
InternalClientAuthenticationMethod: NTLM
ExternalClientAuthenticationMethod: Basic
IISAuthenticationMethods: Basic, NTLM

ServerName: MSX2010-1 (2010 CAS)
ExternalHostname: msx2010-3.exchange14.local (changed this back to FQDN to attempt using different 2010 server name)
InternalClientAuthenticationMethod: NTLM
ExternalClientAuthenticationMethod: Basic
IISAuthenticationMethods: Basic, NTLM

From Get-AutodiscoverVirtualDirectory:

ServerName: CAS13-3 (2013 CAS)
InternalURL: https://autodiscover.exchange14.local/autodiscover/autodiscover.xml
ExternalURL: https://autodiscover.externaltest.net/autodiscover/autodiscover.xml
InternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, OAuth
ExternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, OAuth

ServerName: MSX2010-1 (2010 CAS)
InternalURL: https://msx2010-3.exchange14.local/autodiscover/autodiscover.xml
ExternalURL: https://autodiscover.externaltest.net/autodiscover/autodiscover.xml
InternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, WSSecurity
ExternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, WSSecurity

From Get-WebServicesVirtualDirectory:

ServerName: CAS13-3 (2013 CAS)
InternalURL: https://mail.exchange14.local/ews/exchange.asmx
ExternalURL: https://mail.externaltest.net/ews/exchange.asmx
InternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, WSSecurity, OAuth
ExternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, WSSecurity, OAuth

ServerName: MSX2010-3 (2010 CAS)
InternalURL: https://mail.exchange14.local/ews/exchange.asmx
ExternalURL: https://mail.externaltest.net/ews/exchange.asmx
InternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, WSSecurity
ExternalAuthenticationMethods: Basic, NTLM, WindowsIntegrated, WSSecurity

From Get-ClientAccessServer:

ServerName: CAS13-3 (2013 CAS)
AutoDiscoverInternalUri: https://autodiscover.exchange14.local/autodiscover/autodiscover.xml
OutlookAnywhereEnabled: True

ServerName: MSX2010-3 (2010 CAS)
AutoDiscoverInternalUri: https://autodiscover.exchange14.local/autodiscover/autodiscover.xml
OutlookAnywhereEnabled: True

From Get-OutlookAnywhere:

ServerName: CAS13-3 (2013 CAS)
Identity: CAS13-3\Rpc (Default Web Site)
IISAuthenticationMethods: Basic, NTLM
SSLOffLoading: True
InternalAuthenticationMethods: Negotiate
ExternalAuthenticationMethods: Basic

ServerName: MSX2010-1 (2010 Mailbox)
Identity: MSX2010-1\Rpc (Default Web Site)
IISAuthenticationMethods: Basic
SSLOffLoading: True
InternalAuthenticationMethods: NTLM

ServerName: MSX2010-1 (2010 CAS)
Identity: MSX2010-3\Rpc (Default Web Site)
IISAuthenticationMethods: Basic
SSLOffLoading: False
InternalAuthenticationMethods: NTLM
ExternalAuthenticationMethods: Basic


I appreciate any help that anyone might be able to offer.

< Message edited by tbennett300 -- 28.Aug.2013 10:29:56 AM >
Post #: 1
RE: How can I publish Outlook Anywhere via TMG in an Ex... - 28.Aug.2013 11:11:38 AM   
tbennett300
I didn't think about this to start with, but I notice that the 2010 mailbox server has values returned from a Get-OutlookAnywhere that I would only expect to see on a CAS server. This is likely because this server was a single multi role server, but when the lab grew the CAS & hub roles were relocated. Could this be a possible cause of my problems?

(in reply to tbennett300)
Post #: 2
RE: How can I publish Outlook Anywhere via TMG in an Ex... - 29.Aug.2013 5:35:56 AM   
tbennett300
To update this, I've removed the original multi-role mailbox server from the org and deployed a fresh one, thereby removing any references to the former server that originally had the CAS/Hub roles installed. I've also since discovered that by running Set-OutlookAnywhere -Identity "msx2010-3\rpc (Default Web Site)" -ExternalHostName msx2010-3.exchange14.local (on the 2010 CAS, with my internal namespace), and by making sure that the IISAuthenticationMethods are Basic, NTLM on the 2010 CAS, I can now redirect successfully via a 2013 CAS to a 2010 mailbox using Outlook Anywhere.

For me, with the setup I have using an FBA listener in TMG, this is still very slow, so I will test switching OA to an HTTPS listener (it seemed much faster when I tested OA 2010 using an HTTPS listener) while leaving OWA on the FBA listener, and will update accordingly.

(in reply to tbennett300)
Post #: 3
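As an added example (not the poster's script), the following PowerShell audits the two settings the last reply identified on the legacy 2010 CAS: NTLM in IISAuthenticationMethods on the /rpc virtual directory, and an ExternalHostname for the 2013 CAS to proxy to. It assumes an Exchange 2013 Management Shell session, and the default server and hostname values are the ones from this thread.

```powershell
# Added example, not the poster's script: audit (and optionally correct) the
# Outlook Anywhere settings on the legacy Exchange 2010 CAS that the 2013 CAS
# proxies to. Run from the Exchange 2013 Management Shell. The defaults are the
# names used in this thread; replace them for another environment.
param(
    [string]$LegacyCas = 'MSX2010-3',
    [string]$ExpectedExternalHostname = 'msx2010-3.exchange14.local',
    [switch]$Fix   # without -Fix the script only reports
)

$oa = Get-OutlookAnywhere -Server $LegacyCas
if (-not $oa) { throw "No Outlook Anywhere (/rpc) virtual directory found on $LegacyCas" }

$findings = @()
$iisAuth  = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })

# 2013 CAS -> 2010 CAS proxying authenticates with NTLM at the IIS layer, so the
# legacy /rpc virtual directory must accept NTLM as well as Basic.
foreach ($required in 'Basic', 'NTLM') {
    if ($iisAuth -notcontains $required) {
        $findings += "IISAuthenticationMethods is missing $required (current: $($iisAuth -join ', '))"
    }
}

# The legacy CAS needs an ExternalHostname even when that name only resolves
# internally; the 2013 CAS uses it to reach the 2010 server.
if ("$($oa.ExternalHostname)" -ne $ExpectedExternalHostname) {
    $findings += "ExternalHostname is '$($oa.ExternalHostname)', expected '$ExpectedExternalHostname'"
}

# TMG pre-authenticates and forwards Basic credentials, so external client auth stays Basic.
if ("$($oa.ExternalClientAuthenticationMethod)" -ne 'Basic') {
    $findings += "ExternalClientAuthenticationMethod is '$($oa.ExternalClientAuthenticationMethod)', expected 'Basic'"
}

if ($findings.Count -eq 0) {
    Write-Output "$LegacyCas`: Outlook Anywhere settings match the coexistence requirements."
    return
}

Write-Output "$LegacyCas`: $($findings.Count) finding(s):"
$findings | ForEach-Object { Write-Output "  - $_" }

if ($Fix) {
    # Same change the poster applied by hand; review the findings above before using -Fix.
    Set-OutlookAnywhere -Identity $oa.Identity `
        -ExternalHostname $ExpectedExternalHostname `
        -IISAuthenticationMethods Basic, NTLM
    Write-Output "Applied Set-OutlookAnywhere to '$($oa.Identity)'."
}
```

Run it without -Fix first so the report can be compared against the Get-OutlookAnywhere output in the opening post before anything is changed.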