Exchange 2010

Configure Microsoft Exchange Server 2010 SP2 with Microsoft Federation Gateway


Since the documentation about configuring federation with the Microsoft Federation Gateway is not very clear, I decided to write a post about it.
The confusion started when SP2 was released for Exchange 2010.
One article says one thing and another says something else; things changed after SP2, which is why I'm posting this even though there are articles covering SP1 (see the links at the end).

Basic facts: you don't need to create any sub-domain yourself; that is handled and used only by Exchange itself.


The server must be allowed to reach the Internet while the federation trust is being created, so open the firewall accordingly.
Otherwise you will get this error message.


More information (read about the prereqs):



Step 1.

The most basic way to create the federation trust is to use the EMC.
Go to “Organization Configuration” and select the “Federation Trust” tab.
Press the “New Federation Trust” button and the wizard will launch.





Step 2.

You will need to run the command below for every domain you want to federate.
Copy the value from the “Proof” field and add it to a TXT record in the public DNS zone for that domain.
This is the unique value that the Federation Gateway service uses to identify and verify your domain.

Get-FederatedDomainProof -DomainName




Step 3.

For each domain you want to federate, create a TXT record containing the corresponding “Proof” value in that domain's public DNS zone.
(In my case I'm only federating one domain.)

Create the TXT record in the public DNS zone.
It should look like this once the record has been created.

Let's take a look at the record in public DNS using “nslookup”.



Below is an example of how you create a TXT record in the Windows DNS.

Start the DNS Management tool
Select the public DNS zone
Right click the DNS zone and select “Other New Records..”
Choose the “Text (TXT)” type and press “Create Record..”
Then insert the text string into the Text field and press “OK”.




Step 4.


Now it's time to complete the federation: the domain has to be added so that it is actually federated.
This is done in the EMC: go to “Organization Configuration” and select the “Federation Trust” tab.
Select “Microsoft Federation Gateway” and press “Manage Federation..”



In the wizard you can verify that the self-signed certificate (used for federation purposes only) is distributed to all Exchange servers.
Then press “Next”.



Now select the domain you want to federate, in my case it’s “”, and press “OK”.



Type in the organizational contact for this domain and make sure that the checkbox for “Enable federation” is selected.




In the EMC it should now show the “Application Identifier” and “Application URI” values.
Those values were empty before.




Step 5.

The last step around the federation itself is to make sure that Autodiscover is working, since it is used to locate and check the Free/Busy information.
The first thing to verify is that Autodiscover is published in the public DNS zone; when it is, it should look like the picture below.

Autodiscover must be reachable from outside/externally, and this is done per domain, so it must be set up for each domain you want to federate.



Below is an example of how you create an Alias (CNAME) record in the Windows DNS.

Start the DNS Management tool
Select the public DNS zone
Right click the DNS zone and select “New Alias (CNAME)..”
In the “Alias name” field type in Autodiscover and in the FQDN value browse for the server/name that’s used for Autodiscover
Press “OK”
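A check script for Steps 3 and 5, added here as an example and not taken from the original post: for every federated domain it compares the “Proof” value(s) returned by Get-FederatedDomainProof with what public DNS actually serves in the TXT record, and confirms that autodiscover.<domain> resolves externally. It assumes it runs in the Exchange Management Shell on the SP2 server, that $Domains and $PublicDns are edited to your own values (the ones below are constructed placeholders), and that the TXT record sits at the zone apex as described above.

```powershell
# Added example (not from the original post). Verifies that the federation
# proof TXT record and the Autodiscover record are visible in PUBLIC DNS.
# Query an external resolver on purpose: with split DNS the internal zone
# may look fine while the public zone is still missing the records.
$Domains   = @('contoso.com')   # constructed placeholder, use your own domains
$PublicDns = '8.8.8.8'          # assumption: any resolver reachable from the server

foreach ($domain in $Domains) {
    # nslookup output as one string so the proof value can be searched for
    $txt = nslookup -type=TXT $domain $PublicDns | Out-String

    # Get-FederatedDomainProof can return more than one entry (one per
    # federation certificate), so every Proof value is checked.
    Get-FederatedDomainProof -DomainName $domain | ForEach-Object {
        $proof = $_.Proof
        if ($txt -match [regex]::Escape($proof)) {
            Write-Host "[OK]   $domain : TXT record matches proof $proof"
        } else {
            Write-Host "[FAIL] $domain : no TXT record matching proof $proof"
        }
    }

    # Step 5: Autodiscover must resolve for each federated domain.
    $auto = nslookup "autodiscover.$domain" $PublicDns | Out-String
    if ($auto -match "can't find|Non-existent") {
        Write-Host "[FAIL] autodiscover.$domain does not resolve in public DNS"
    } else {
        Write-Host "[OK]   autodiscover.$domain resolves in public DNS"
    }
}
```

A [FAIL] on the TXT check right after publishing usually just means the public zone has not propagated yet; re-run once the TTL has passed before changing anything.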



For publishing Autodiscover using TMG, check this article:



Step 6.

The last and final step to accomplish the sharing of Free/Busy information is to create the Organization Relationship.

Go to “Organization Configuration” and select the “Organizational Relationships” tab.
Press the “New Organizational Relationship..” button and the wizard will launch.

For details around which relationship you should choose, read the link below:


If you want to control which users are able to use this federation feature, you can do so by specifying a security distribution group.



The next step is to enter the external organization you will share the information with.
This can be done either by using Autodiscover (the first option) or by manually typing in the “Application URI” and “Autodiscover endpoint”.




Notice: This article is based on Exchange 2010 SP2



