Since the documentation around configuring federation with the Microsoft Federation Gateway is not very clear, I decided to write a post about it.
The confusion started when SP2 was released for Exchange 2010.
One article says one thing and another says something else; things changed after SP2, which is why I’m posting this even though there are articles covering SP1 (see the links at the end).
Basic facts: You don’t need to create any sub-domain, it’s done and used only by Exchange itself.
Prerequisites:
You need to allow the server to reach the Internet while the federation trust is being created.
Otherwise you will get this error message.
More information (read about the prereqs):
http://technet.microsoft.com/en-us/library/dd335198.aspx
Step 1.
The most basic way for creating the Federation trust is to use the EMC.
Go to “Organization Configuration” and select tab “Federation Trust”.
Press the “New Federation Trust” button and the wizard will launch.
Step 2.
You will need to run the command below for every domain you want to federate.
Copy the value from the “Proof” field and add it to a TXT record in the public DNS zone.
This is the unique value the Federation Gateway service uses to identify and verify the domain.
Get-FederatedDomainProof -DomainName testlabs.se
Step 3.
For each domain you want to federate you will need to create a TXT record containing the corresponding “Proof” value.
(In my case I’m federating just one domain.)
Create the TXT record in the public DNS zone.
It should look like this when the record has been created.
Let’s take a look in the public DNS using “nslookup”.
Below is an example of how you create a TXT record in the Windows DNS.
Start the DNS Management tool
Select the public DNS zone
Right click the DNS zone and select “Other New Records..”
Choose the “Text (TXT)” type and press “Create Record..”
Then insert the text string into the Text field and press “OK”.
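Steps 2 and 3 can be scripted and, more importantly, verified before you move on, since the Gateway will reject the domain if the proof is not visible in public DNS. The script below is an added example and is not code from the original post: it generates the proof for each domain, publishes it as a TXT record on a Windows DNS server, and then checks the record through an external resolver. It assumes the Exchange Management Shell on Exchange 2010 SP2 or later, the DnsServer module (Windows Server 2012 or later) for Add-DnsServerResourceRecord and the DnsClient module (Windows 8 / Server 2012 or later) for Resolve-DnsName; the domain list, the DNS server name and the resolver address are placeholders, and the Thumbprint property name is an assumption (check with Get-FederatedDomainProof | Format-List).

```powershell
# Added example, not from the original post. Generate, publish and verify the
# federation proof TXT record for each domain that is going to be federated.
# Assumptions: run in the Exchange Management Shell; DnsServer and DnsClient modules
# available; $Domains, $DnsServer and $PublicResolver are placeholders.

$Domains        = @('testlabs.se')      # domains to federate (constructed sample)
$DnsServer      = 'dns01.testlabs.se'   # authoritative Windows DNS server (placeholder)
$PublicResolver = '8.8.8.8'             # external resolver, so we see what the Gateway sees

function Get-FederationProofRecords {
    param([string[]]$DomainNames)
    foreach ($d in $DomainNames) {
        # Get-FederatedDomainProof can return more than one row (one per federation
        # certificate); Proof is the string that goes into the TXT record. Thumbprint
        # is assumed to be the property naming the certificate the proof belongs to.
        Get-FederatedDomainProof -DomainName $d |
            Select-Object @{ n = 'DomainName'; e = { $d } }, Thumbprint, Proof
    }
}

function Publish-FederationProof {
    param([string]$DomainName, [string]$Proof, [string]$Server)
    # The record sits on the zone apex ('@' = the domain itself), no sub-domain needed.
    Add-DnsServerResourceRecord -ComputerName $Server -ZoneName $DomainName `
        -Txt -Name '@' -DescriptiveText $Proof
}

function Test-FederationProofPublished {
    param([string]$DomainName, [string]$Proof, [string]$Resolver)
    # Ask an external resolver so the answer reflects public DNS, not the internal zone.
    $txt = Resolve-DnsName -Name $DomainName -Type TXT -Server $Resolver -ErrorAction SilentlyContinue
    # A TXT answer exposes its strings in .Strings; join them in case a long value was split.
    return [bool]($txt | Where-Object { ($_.Strings -join '') -eq $Proof })
}

$records = Get-FederationProofRecords -DomainNames $Domains

# Publish only what is missing, so re-running the script does not create duplicates.
foreach ($r in $records) {
    if (-not (Test-FederationProofPublished -DomainName $r.DomainName -Proof $r.Proof -Resolver $PublicResolver)) {
        Write-Host "Publishing proof for $($r.DomainName) (certificate $($r.Thumbprint))"
        Publish-FederationProof -DomainName $r.DomainName -Proof $r.Proof -Server $DnsServer
    }
}

# Re-check once the zone has replicated to the public name servers; do not continue
# with the federation wizard until every domain reports True.
foreach ($r in $records) {
    $ok = Test-FederationProofPublished -DomainName $r.DomainName -Proof $r.Proof -Resolver $PublicResolver
    Write-Host ("{0,-25} proof published: {1}" -f $r.DomainName, $ok)
}
```

On a Windows Server 2008 R2 DNS server without the DnsServer module, the same record can be created with dnscmd (dnscmd <server> /RecordAdd <zone> @ TXT "<proof>"); the verification part of the script works unchanged as long as Resolve-DnsName is available on the machine you run it from.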
Step 4.
Now it’s time for completing the federation steps, we need to add the domain so it’s actually federated.
This is done by using the EMC, go to Organization Configuration and select the tab “Federation Trust”.
Select the “Microsoft Federation Gateway” and press “Manage Federation..”
In the wizard you can verify that the self-signed certificate (used for federation purposes only) has been distributed to all Exchange servers.
Then press “Next”
Now select the domain you want to federate, in my case it’s “testlabs.se”, and press “OK”.
Type in the organizational contact for this domain and make sure that the checkbox for “Enable federation” is selected.
In the EMC it should now show the “Application Identifier” and “Application URI” values.
Those values were empty before.
Step 5.
The next step is to make sure that Autodiscover is working, since it is used to locate the federated organization and look up its free/busy information.
First, make sure it is published in the public DNS zone; when it is, it should look like the picture below.
Autodiscover must be reachable from outside (externally), and this is also done per domain, so it must be in place for each domain you want to federate.
Below is an example of how you create an Alias/CNAME record in the Windows DNS.
Start the DNS Management tool
Select the public DNS zone
Right click the DNS zone and select “New Alias (CNAME)..”
In the “Alias name” field type in Autodiscover, and in the FQDN field browse for the server/name that is used for Autodiscover
Press “OK”
For publishing Autodiscover using TMG, check this article:
http://www.testlabs.se/blog/2010/07/27/how-to-publish-owaactivesyncoutlook-anywhere-exchange-2010-with-microsoft-forefront-tmg-2/
Step 6.
The last and final step to accomplish the sharing of free/busy information is to create the Organization Relationship.
Go to “Organization Configuration” and select tab “Organizational Relationships”.
Press the “New Organizational Relationship..” button and the wizard will launch.
For details around which relationship you should choose, read the link below:
http://technet.microsoft.com/en-us/library/dd351260.aspx
If you want to limit which users should be able to use this federation feature, you can do so by specifying a mail-enabled security distribution group.
The next step is to type in the organization you want to share the information with.
This can be done either by using Autodiscover (the first option) or by manually typing in the “Application URI” and “Autodiscover endpoint”.
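Steps 4 to 6 can also be done from the Exchange Management Shell, which makes it easy to verify each stage before going to the next. The script below is an added example and is not code from the original post: it federates the domain, shows the Application Identifier and Application URI that the EMC displays, tests the trust, checks that Autodiscover resolves externally, and then creates and tests the organization relationship. It assumes Exchange 2010 SP2 EMS, that the federation trust from Step 1 exists and that the TXT proof from Step 3 is already visible in public DNS; Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later). The domain, partner, group, mailbox and resolver values are placeholders.

```powershell
# Added example, not from the original post: EMS equivalent of Steps 4 to 6 with a
# check after each stage. All names below are placeholders for your environment.

$OurDomain     = 'testlabs.se'               # our accepted domain to federate
$PartnerDomain = 'partner.example'           # SMTP domain of the organization we share with (placeholder)
$PartnerName   = 'Partner Org'               # name of the organization relationship
$ScopeGroup    = 'FreeBusy-Federated-Users'  # mail-enabled security group limiting whose free/busy is shared
$TestMailbox   = 'user1@testlabs.se'         # mailbox the Test-* cmdlets act on behalf of
$Resolver      = '8.8.8.8'                   # external resolver, to see what the partner sees

# --- Step 4: federate the domain -------------------------------------------------
# The first domain becomes the account namespace; further domains use Add-FederatedDomain.
# The Gateway validates the TXT proof at this point, so a missing record fails here.
$orgId = Get-FederatedOrganizationIdentifier
if (-not $orgId.AccountNamespace) {
    Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' `
        -AccountNamespace $OurDomain -Enabled $true
} else {
    try   { Add-FederatedDomain -DomainName $OurDomain }
    catch { Write-Warning "Add-FederatedDomain: $($_.Exception.Message)" }   # already federated, or proof not found
}

# These two values are empty until a domain has been federated (same as in the EMC).
Get-FederationTrust | Format-List Name, ApplicationIdentifier, ApplicationUri

# Exercises the trust end to end (token request against the Gateway) for one mailbox.
Test-FederationTrust -UserIdentity $TestMailbox

# --- Step 5: Autodiscover must resolve externally for every federated domain --------
$cname = Resolve-DnsName -Name "autodiscover.$OurDomain" -Type CNAME -Server $Resolver -ErrorAction SilentlyContinue
if (-not $cname) {
    Write-Warning "autodiscover.$OurDomain does not resolve via $Resolver; the partner cannot discover us."
}

# --- Step 6: organization relationship with the partner -----------------------------
# Get-FederationInformation uses the partner's Autodiscover to retrieve their Application
# URI and Autodiscover endpoint (the "first option" in the wizard). If it fails, the same
# values can be supplied by hand with -TargetApplicationUri and -TargetAutodiscoverEpr.
$partnerInfo = Get-FederationInformation -DomainName $PartnerDomain

if (-not (Get-OrganizationRelationship -Identity $PartnerName -ErrorAction SilentlyContinue)) {
    # LimitedDetails shows subject and location; AvailabilityOnly is the stricter choice.
    # Omit -FreeBusyAccessScope to share free/busy for every mailbox in the organization.
    $partnerInfo | New-OrganizationRelationship -Name $PartnerName `
        -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails `
        -FreeBusyAccessScope $ScopeGroup
}

# Verifies the relationship from our side (trust, Autodiscover endpoint, token exchange).
Test-OrganizationRelationship -Identity $PartnerName -UserIdentity $TestMailbox -Verbose
```

If Get-FederationInformation fails, the partner's Autodiscover is not reachable from your server, which is the same Step 5 requirement seen from the other side; fix that (or use the manual Application URI / Autodiscover endpoint option) before troubleshooting the relationship itself.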
Notice: This article is based on Exchange 2010 SP2
Sources:
http://technet.microsoft.com/en-us/library/ff601760.aspx
http://www.stevieg.org/2010/08/federation-onpremise-outlooklive/
http://www.expta.com/2011/07/how-to-configure-exchange-2010-sp1.html
I’ve been looking at federation but couldn’t find any really useful doco as everything changes when it comes to SP2. Thanks for putting this up!
One thing though – does this also allow the sharing of the GAL or will a contact import on each end be the best option?
Great article! Very helpful! Thanks!
Thanks a lot for your feedback!
It’s always great to get comments
Regards
Jonas
Hi,
I’ve followed the different steps to achieve this, but when I’m trying to get the availability in Outlook for a federated user, I see on the federated server a 401 Unauthorized message?
Do I need to manage permissions or something like that?
Thank you in advance?
Dear Mr. Jonas,
Can you send me basic exchange server setup.
Thanks
Saminda
Hi,
What kind of config are you looking for?
Cheers,
Jonas
Hello,
thank you for that howto.
I have problems with the step where I should select the federated domain – it is not listed. Is there anything I can do?
My Config is Exchange 2010 with SP3.
Regards
timo2k
Hey Timo,
If you have the domain added into accepted domains it should be OK.
Take a look at the TechNet forums – https://social.technet.microsoft.com