Monthly Archives: July 2010

How to publish OWA/ActiveSync/Outlook Anywhere (Exchange 2010) with Microsoft Forefront TMG


Published: 2010-03-01
Updated: 2010-07-27
Version: 1.1

Installation


This will be a complete walkthrough of the setup, using a certificate issued by a CA server on a DC.
My environment looks like this:

1 x Windows 2003 (DC/DNS/CA)
1 x Forefront TMG
1 x Exchange 2010 CAS/HUB/MBX

Everything is running as virtual machines in VMware Workstation.

My TMG server is installed with Windows 2008 R2 x64 with two NICs (E1000). The internal NIC is set up with:
IP: 172.16.2.18
Subnet: 255.255.255.0
DNS: 172.16.2.11 (pointing to the DC)

The external NIC is set up with:
IP: 192.168.0.1
Subnet: 255.255.255.0
DNS: External IP
Default Gateway: Pointing to my external gateway

On the TMG server I have edited the hosts file with Notepad and pointed the name at the CAS server:
172.16.2.12    owa.target.se

Just so that name resolution works correctly for the rule and the certificate.

The first thing to do is to import the certificate generated for the CAS server; in my case it's the CA server on the DC that generated this certificate. Best practice is to buy the certificate from a third party whose root is trusted by most devices (godaddy.com, digicert.com, comodo.com, verisign.com etc.).
The certificate import is easy: start an mmc console and add the Certificates snap-in for the local computer.
Go to Personal, right-click, choose Import and point at the file. When it's done it should look like below.

The next step is to create the web listener. It is done in the TMG console under Firewall Policy: choose Toolbox, right-click Web Listeners and create a new web listener.

Give it a friendly name (I called it "SSL Listener"), set it up to require SSL and select the sources it should listen for traffic from. In my case I listen on External and Internal, and I also select a specific IP address on the External and Internal interfaces. On the next screen select 'Assign a certificate for each IP address' and point out the imported certificate.

The authentication setting that will be used is called HTML Form Authentication; make sure that Windows (Active Directory) is selected.

In the SSO (Single Sign On) settings, type in .domain.local if you want to use that function (otherwise you will need to log on twice when using OWA).
When creation is completed it should look like below.
Don't forget to apply the changes.

OWA

The next step is to create the publishing rule. It is done under the Tasks tab, with the task called 'Publish Exchange Web Client Access'.
A wizard will start; set a friendly name like OWA (Basic) and select the appropriate Exchange version, in my case Exchange 2010.

Select the option 'publish a single server' and require SSL.
In the internal site name setting, give it the external site name (owa.target.se), select the option below it and browse for the CAS server.
For the public name, give it your external site name (owa.target.se).

The next thing is to select the newly created web listener. For the authentication delegation settings, select Basic Authentication, and finally All Authenticated Users.

OWA Redirect


A nice way to complete the OWA publishing is to create a 'Publish Web Sites' rule, set it to Deny, publish it as a single server and require SSL.

Set the internal site name to the external site name (owa.target.se) and browse for the CAS server. In the path selection just type /, which indicates the whole site.

For the public name, type in the external site name (in my case owa.target.se).
Select the web listener; the authentication method should be set to 'No delegation, and client cannot authenticate directly'. Remove All Authenticated Users and replace it with All Users.

Open up the rule after it is created, go to the Action tab and select the option ‘Redirect HTTP requests to this web page’ and type in ‘https://owa.target.se/owa’.

This rule is created so the end user can reach OWA without typing /owa in the address bar.

Now this is completed and should look like below.

Outlook Anywhere

Next is to publish Outlook Anywhere. It is done through the same wizard.

Select the appropriate Exchange version and the function you want to publish, in this case Outlook Anywhere (earlier called RPC over HTTP(S)).

Publishing using Basic Authentication

Just like the publishing rule above, this is a single server publishing rule and it requires SSL.
Point out the internal site name like before; it should be the external site name (owa.target.se). Then browse for the CAS server.
The public name should be the external site name (owa.target.se).
Then select the web listener that was created earlier.
Basic Authentication is used as the authentication method.

Verify that the correct authentication method is selected in the Exchange Management Console (EMC); if using Basic it should look like this.

Also, verify the rules in TMG by selecting the rule and pressing "Test Rule".

It should then look like below. If you have any issues it will tell you in clear text, for example that the authentication methods are not correctly configured (a mismatch).

Time to verify that the publishing rule works with Basic Auth, by using the Outlook Anywhere function and typing in the address owa.target.se, which points to TMG.

It seems to work fine :)

ActiveSync


This is almost the same as above, except that ActiveSync will use Basic as the authentication method.

So the next thing to do is to publish the ActiveSync function. It is done through the same wizard.

Select the appropriate Exchange version and the function you want to publish, in this case the ActiveSync function.

Just like the publishing rule above, this is a single server publishing rule and it requires SSL.
Point out the internal site name like before; it should be the external site name (webmail.testlabs.se). Then browse for the CAS server.
The public name should be the external site name (webmail.testlabs.se).
Then select the web listener that was created earlier.
Basic is used as the authentication method.
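The EMC check mentioned under Outlook Anywhere, done from the Exchange Management Shell for all three published services at once. This is an added example, not from the original post; it assumes it is run on the CAS itself and that the TMG rules delegate Basic, as configured above.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell
# on the CAS (assumption: the shell runs on the CAS, so $env:COMPUTERNAME is used).
# It reports which client authentication each published service accepts and warns
# when a backend does not accept the Basic credentials TMG will delegate to it.
$cas = $env:COMPUTERNAME

$owa = Get-OwaVirtualDirectory -Server $cas | Where-Object { $_.Name -like 'owa*' }
$eas = Get-ActiveSyncVirtualDirectory -Server $cas
$oa  = Get-OutlookAnywhere -Server $cas

"OWA              Basic={0} Forms={1} Windows={2}" -f $owa.BasicAuthentication, $owa.FormsAuthentication, $owa.WindowsAuthentication
"ActiveSync       Basic={0} Windows={1}" -f $eas.BasicAuthEnabled, $eas.WindowsAuthEnabled
"Outlook Anywhere Client={0} IIS={1}" -f $oa.ClientAuthenticationMethod, ($oa.IISAuthenticationMethods -join ',')

# TMG's "Test Rule" reports a mismatch when the CAS side does not match the rule,
# so each backend the rules delegate Basic to must accept Basic.
if (-not $owa.BasicAuthentication) {
    Write-Warning 'OWA virtual directory does not accept Basic; TMG Basic delegation to /owa will be rejected.'
}
if (-not $eas.BasicAuthEnabled) {
    Write-Warning 'ActiveSync virtual directory does not accept Basic; devices behind TMG will fail to sync.'
}
if ($oa.ClientAuthenticationMethod -ne 'Basic') {
    Write-Warning ("Outlook Anywhere client authentication is {0}, not Basic; the TMG rule test will report a mismatch." -f $oa.ClientAuthenticationMethod)
}
```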

Sometimes, for testing purposes, you need to turn off spoof detection or else it will not work.
I have had that problem; if you need to turn it off, check this link:

http://support.microsoft.com/kb/838114

Copied and pasted from the link above:

Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FwEng\Parameters

If the Parameters subkey is not displayed, follow these steps to create this subkey:
Click the FwEng subkey.
On the Edit menu, point to New, and then click Key.
To name the key, type Parameters, and then press ENTER.
Right-click Parameters, point to New, and then click DWORD Value.
To name the value, type DisableSpoofDetection, and then press ENTER.
Right-click DisableSpoofDetection, and then click Modify.
In the Value data box, type 1, and then click OK.
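Because this setting is meant for testing only, here is an added check (not from the KB article or the original post) that reports whether spoof detection has been left disabled on a TMG server. It reads the same FwEng\Parameters value the steps above create.

```powershell
# Added example, not part of the original post or the KB article. Run in an
# elevated PowerShell prompt on the TMG host. It reports whether the test-only
# DisableSpoofDetection value is still set so it is not forgotten in production.
$fwEng = 'HKLM:\SYSTEM\CurrentControlSet\Services\FwEng'
$key   = Join-Path $fwEng 'Parameters'
$name  = 'DisableSpoofDetection'

function Get-SpoofDetectionState {
    if (-not (Test-Path $fwEng)) { return 'unknown (FwEng service key not found; is this a TMG server?)' }
    if (-not (Test-Path $key))   { return 'enabled (Parameters subkey absent)' }
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { return 'enabled (value absent)' }
    if ($v -eq 1)     { return 'DISABLED' }
    return "enabled (value is $v, only 1 disables it)"
}

$state = Get-SpoofDetectionState
"Spoof detection on {0}: {1}" -f $env:COMPUTERNAME, $state

if ($state -eq 'DISABLED') {
    Write-Warning ('TMG will not drop packets whose source address does not belong to the network ' +
                   'they arrived on. Delete the value (or set it to 0) and restart the firewall ' +
                   'service once testing is finished.')
}
```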

Using Forefront UAG (Unified Access Gateway) for publishing OWA 2010


Published: 2010-07-18
Updated: –
Version: 1.0

Installation


This will be a complete walkthrough of the setup, using a certificate issued by a CA server on a DC.
My environment looks like this:

1 x Windows 2003 (DC/DNS/CA)
1 x Forefront UAG
1 x Exchange 2010 CAS/HUB/MBX

Everything is running as virtual machines in VMware Workstation.
Just to mention, this is done in a lab with no realistic memory allocation; the machines exist just for this post and do not serve any production environment.

Before doing anything with UAG we need to configure the network with the correct IP addresses.

My UAG server is installed with Windows 2008 R2 x64 with two NICs (E1000). The internal NIC is set up with:
IP: 172.16.2.17
Subnet: 255.255.255.0
DNS: 172.16.2.11 (pointing to the DC)

The external NIC is set up with:
IP: 192.168.0.1
Subnet: 255.255.255.0
DNS: External IP
Default Gateway: Pointing to my external gateway

On the UAG server I have edited the hosts file with Notepad and added:
172.16.2.12    owa.target.se

Just so that name resolution works correctly for the rule and the certificate.

It's time to launch the installation wizard for Forefront UAG.

It will take some time for the installation to finish.

The first thing to do when the installation is done is to export the certificate from my Exchange server and import it on the UAG server.

For creating and requesting certificates on Exchange, have a look at this link:
http://www.digicert.com/exchange-ssl-certificate.htm

Exporting the existing certificate is really easy: start the Exchange Management Console (EMC), go to Server Configuration, select the certificate, right-click and choose Export Exchange Certificate.

The import is just as easy: go to the UAG server, start an mmc console and add the Certificates snap-in for the local computer. Then right-click Personal, select All Tasks -> Import and point out the certificate that was just exported from the Exchange server.

When it’s done it should look like below.

Notice: If you're using your own CA server, as I do in this example, make sure the trusted root certificate is installed on the UAG server before you try to import the certificate.
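An added check for the notice above (not from the original post): run on the UAG server after the import, it finds the certificate for the public name (assumed to be owa.target.se, as in this post), confirms the private key came along and verifies that the chain builds to a root the server trusts.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# prompt on the UAG server after importing the certificate.
$publicName = 'owa.target.se'   # assumption: the public name used on the trunk

function Get-SanText($c) {
    # The Subject Alternative Name extension as printable text, or '' if absent
    $ext = $c.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($ext) { $ext.Format($false) } else { '' }
}

$pattern = [regex]::Escape($publicName)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$pattern" -or (Get-SanText $_) -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate for $publicName in LocalMachine\My; import it first." }

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Expires    : $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"

if (-not $cert.HasPrivateKey) {
    Write-Warning 'No private key: export from EMC again including the private key (PFX).'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning 'Certificate expires within 30 days.'
}

# Build the chain the way Windows will when the trunk starts. Revocation checking is
# left on; a lab CA without a reachable CRL shows up as RevocationStatusUnknown below.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK, trusted root: $($root.Subject)"
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    Write-Warning 'Install the CA root (and any intermediate) under LocalMachine\Root / CA, then re-run.'
}
```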

Configuration


The first time UAG is started it will give you a wizard to configure its network settings.

Define the internal IP addresses.

Configuration selection: in my case I only have one server, so I select single server.

After these steps it's time to activate the settings.

Now it's time for the configuration of UAG.

Start by creating an HTTPS trunk by right-clicking HTTPS Connections.

I will create an HTTPS trunk just for this purpose.

The trunk type should be set to "portal trunk", and select to publish Exchange applications via the portal.

Step 2: give the trunk a name and a public name. This name should match the name on the certificate; in my case I also added this name to the hosts file of the UAG server.

My name in the lab is: owa.target.se

We need to add an authentication server (AD server), so I did as the picture below shows.

Select the server and go on to the next step.

It's time to choose the correct certificate so the names match each other; in my case it's owa.target.se.

Step 5 will be to select endpoint security; I don't have any NAP servers, so I'll select Forefront UAG.

Step 6, Endpoint policies: leave the default policies in place.

Step 7: select the Exchange version and which services should be published.

Step 8, Configure Application

Give it a friendly name.

Step 9, Select Endpoint Policies

Leave the default policies in place.

Step 10, Deploying an Application

Select Configure an application server.

Step 11, Select Web servers

In the address field I type in owa.target.se; it could also be the FQDN of the server.

This name will be resolved on the UAG to my Exchange server since it's added to the hosts file.

Double check that the public host name is configured correctly: owa.target.se.

Step 12, Authentication

Here I select 401 request, which means UAG will check the credentials and, if they are correct, the users will be authenticated and forwarded to the correct instance.

Step 13, Outlook Anywhere: the authentication method I will use is Basic Authentication.

Double check that the public host name is correct.

For Autodiscover I will use Basic Authentication.

Step 13 (14), Portal Link (yes, I know it's the same number as before, but that's what it says in the application).

Portal name; portal
Application URL; https://owa.target.se/owa

Step 15, Authorization

Select Authorize all users

When all steps are configured it will look like this.

Don't forget to save and activate the settings, or else it will not work :)

Verifying


It's time to test the solution with a Windows 7 machine.

On the Windows 7 machine I have edited the hosts file with Notepad and added:
172.16.2.17    owa.target.se

This is done because I don't have target.se as an internal DNS zone, so the client needs it to find the UAG publishing portal.

Let's start IE and go to https://owa.target.se/owa

I got into OWA successfully.

Successfully authenticated and logged on!

Feel free to give feedback on the post; I hope it will help someone.

Generated Signatures with Exchange 2010


This post comes after some requests and questions from customers who want to use some kind of signature, and of course the fewer third-party products the better, and the lower the costs.

This can be done with the built-in tools and services!
There are a lot of posts on the Internet about how to do this, but I want to show it myself; that's why this post is published.

This task is pretty basic to accomplish with a Transport Rule; if you want to try it yourself, just follow my text and pictures.

Start by logging on to any of your Exchange 2010 servers and start the Exchange Management Console (EMC).

Go to Organization Configuration -> Hub Transport -> Transport Rules

Create a new Transport Rule

Conditions: apply this rule to messages from users inside the organization that are sent to users outside the organization.

Actions: append disclaimer text.

Then it's time to edit the disclaimer text. The nice thing here is that AD attributes can be used. Let's show an example.

If the text in the picture is too small, here's the example:

Best Regards<br><br>
%%displayName%% | %%title%%<br>
%%company%% | %%department%%<br>
%%streetAddress%%<br>
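The same rule created from the Exchange Management Shell instead of the EMC wizard, as an added example that is not from the original post. The rule name is my own; the disclaimer is the HTML shown above.

```powershell
# Added example, not part of the original post. Creates the transport rule from
# the Exchange Management Shell. The rule name 'Outbound signature' is an assumption.
# %%attribute%% tokens are replaced with the sender's AD attribute values when the
# rule fires; the values go into the HTML as-is, so keep write access to those
# attributes limited to the people who maintain them.
$disclaimer = @"
Best Regards<br><br>
%%displayName%% | %%title%%<br>
%%company%% | %%department%%<br>
%%streetAddress%%<br>
"@

New-TransportRule -Name 'Outbound signature' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap   # signed/encrypted mail cannot be modified: wrap it instead of rejecting it

# Confirm the rule and its scope before sending a test message to an external address.
Get-TransportRule -Identity 'Outbound signature' |
    Format-List Name, State, Priority, FromScope, SentToScope, ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerFallbackAction
```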

Finished :)