Published: 2010-03-01
Updated: 2010-07-27
Version: 1.1

Installation


This is a complete walkthrough of setting up certificate-based publishing with a CA server on a DC.
My environment looks like this:

1 x Windows 2003 (DC/DNS/CA)
1 x Forefront TMG
1 x Exchange 2010 CAS/HUB/MBX

Everything is running as virtual machines in VMware Workstation.

My TMG server is installed with Windows 2008 R2 x64 and 2 NICs (E1000). The internal NIC is set up with
IP: 172.16.2.18
Subnet: 255.255.255.0
DNS: 172.16.2.11 (pointing to the DC)

The external NIC is set up with
IP: 192.168.0.1
Subnet: 255.255.255.0
DNS: External IP
Default Gateway: Pointing to my external gateway

On the TMG server I have edited the hosts file with Notepad and pointed the OWA name at the CAS server:
172.16.2.12    owa.target.se

This is just to get name resolution working with the rule and the certificate.

The first thing to do is to import the certificate that was generated for the CAS server; in my case it is the CA server on the DC that generated this certificate. Best practice is to buy the certificate from a 3rd party that is a trusted root in most devices (godaddy.com, digicert.com, comodo.com, verisign.com etc.).
The certificate import is easy: start an MMC console and add the Certificates snap-in for the local computer.
Go to Personal, right-click, choose Import and point at the file. When it is done it should look like below.
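Here is an added check, not part of the original walkthrough, that can be run in PowerShell on the TMG server after the import: it lists each certificate in the computer's Personal store and reports whether it covers the public name the listener will serve (assumed here to be owa.target.se), whether the private key came along with it, and whether it chains to a root the TMG host trusts.

```powershell
# Added check (example code, not part of the original walkthrough): confirm
# the certificate imported into the computer's Personal store covers the
# public name the listener will serve and chains to a root the TMG host trusts.
# Assumption: the public name is owa.target.se, as in this walkthrough.
$publicName = 'owa.target.se'

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name extension (OID 2.5.29.17); Format($false)
    # renders it as "DNS Name=owa.target.se, DNS Name=autodiscover.target.se"
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $ext.Format($false) -split ',\s*' | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-NameCovered {
    param([string]$Name, [string]$CertName)
    # Exact match, or a single-label wildcard: *.target.se covers
    # owa.target.se but not a.b.target.se
    if ($CertName -ieq $Name) { return $true }
    if ($CertName.StartsWith('*.') -and $Name.ToLower().EndsWith($CertName.Substring(1).ToLower())) {
        $label = $Name.Substring(0, $Name.Length - $CertName.Length + 1)
        return ($label.Length -gt 0 -and $label -notmatch '\.')
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert    = $_
    $names   = @($cert.GetNameInfo('SimpleName', $false)) + @(Get-SanDnsNames $cert)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Names         = ($names -join ', ')
        CoversPublic  = [bool]($names | Where-Object { Test-NameCovered $publicName $_ })
        HasPrivateKey = $cert.HasPrivateKey   # the listener needs the key, not only the cert
        NotAfter      = $cert.NotAfter
        ChainValid    = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
} | Format-Table Thumbprint, Names, CoversPublic, HasPrivateKey, NotAfter, ChainValid, ChainStatus -AutoSize
```

A row with CoversPublic False or ChainValid False is the certificate that will make the listener or the clients complain later, so fix that before creating the web listener.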

The next step is to create the web listener. It is done in the TMG console under Firewall Policy: choose Toolbox and right-click Web Listeners to create a new web listener.

Give it a friendly name (I called it “SSL Listener”), set it to require SSL, and select the sources it should listen for traffic from. In my case I listen on External and Internal, and I also select a specific IP address on the External and Internal interface. On the next screen select ‘Assign a certificate for each IP address’ and point out the imported certificate.

The authentication setting that will be used is called HTML Form Authentication; make sure that Windows (Active Directory) is selected.

In the SSO (Single Sign On) setting, type in .domain.local if you want to use the function.
(Otherwise you will need to log on twice to use OWA.)
When the creation is completed it should look like below.
Don’t forget to apply the changes.

OWA

The next step is to create the publishing rule; it is done under the Tasks tab, with the task called ‘Publish Exchange Web Client Access’.
A wizard will start; set up a friendly name like OWA (Basic) and select the appropriate Exchange version, in my case Exchange 2010.

Select the option ‘publishes single server’ and require SSL.
In the setting regarding the internal site name, give it the external site name (owa.target.se), select the option below and browse for the CAS server.
In the public name, give it your external site name (owa.target.se).

The next thing is to select the newly created web listener; for the authentication delegation setting, select Basic Authentication and finally All Authenticated Users.

OWA Redirect


A nice touch to complete the publishing of OWA is to create a ‘Publish Web Sites’ rule and set it to deny, publish it as a single server and require SSL.

Point out the internal site name to be the external site name (owa.target.se) and browse for the CAS server. In the path selection just type /, which indicates the whole site.

For the public name, type in the external site name (in my case owa.target.se).
Select the web listener, and set the authentication method to ‘No delegation, and client cannot authenticate directly’. Remove All Authenticated Users and replace it with All Users.

Open up the rule after it is created, go to the Action tab and select the option ‘Redirect HTTP requests to this web page’ and type in ‘https://owa.target.se/owa’.

This rule is created so the end user can reach OWA without typing /owa in the address bar.

Now this is completed and should look like below.

Outlook Anywhere

The next thing to do is to publish Outlook Anywhere; it is done through the same wizard.

Select the appropriate Exchange version and the function you want to publish, in this case Outlook Anywhere (earlier called RPC over HTTP(S)).

Publishing using Basic Authentication

Just like the publishing rule above, this is a single server publishing rule and it requires SSL.
Point out the internal site name like before; it should be the external site name (owa.target.se), and browse for the CAS server.
The public name should be the external site name (owa.target.se).
Then select the web listener that was created earlier.
Basic authentication is used as the authentication method.

Verify that the correct authentication method is selected in the Exchange Management Console (EMC); if using Basic it should look like this.

Also, verify the rules in TMG by selecting the rule and pressing “Test Rule”.

It should then look like below. If you have any issues it will give you the info in clear text, for example that the authentication methods are not correctly configured (a mismatch).

Time for verification that the publishing rule works for Basic Auth, by using the Outlook Anywhere function and typing in the address owa.target.se, which points to TMG.

It seems to work fine :)

ActiveSync


This is almost the same as above, except that ActiveSync will use Basic as the authentication method.

So the next thing to do is to publish the ActiveSync function; it is done through the same wizard.

Select the appropriate Exchange version and the function you want to publish, in this case the ActiveSync function.

Just like the publishing rule above, this is a single server publishing rule and it requires SSL.
Point out the internal site name like before; it should be the external site name (webmail.testlabs.se), and browse for the CAS server.
The public name should be the external site name (webmail.testlabs.se).
Then select the web listener that was created earlier.
Basic is used as the authentication method.
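As an added example, not from the original walkthrough, here is the EMC verification from the Outlook Anywhere section done in the Exchange Management Shell on the CAS, covering OWA, Outlook Anywhere and ActiveSync in one pass. It assumes the CAS is named CAS01 and that all three TMG rules delegate Basic, as they do above; a row flagged MISMATCH is the kind of configuration error that “Test Rule” reports.

```powershell
# Added check (example code, not part of the original walkthrough): run in the
# Exchange Management Shell to confirm the CAS accepts the authentication
# method the TMG rules delegate. Assumption: the CAS is named CAS01 and all
# three rules delegate Basic, as in this walkthrough.
$cas = 'CAS01'

$owa = Get-OwaVirtualDirectory -Server $cas
$oa  = Get-OutlookAnywhere -Server $cas
$eas = Get-ActiveSyncVirtualDirectory -Server $cas

# One row per published service: what the CAS has enabled. Forms is listed
# because EMC treats forms-based and standard methods as alternatives, and the
# forms logon is already done by the TMG listener in this setup.
$report = @(
    (New-Object PSObject -Property @{
        Service  = 'OWA'
        Identity = $owa.Identity
        Basic    = $owa.BasicAuthentication
        Windows  = $owa.WindowsAuthentication
        Forms    = $owa.FormsAuthentication
    }),
    (New-Object PSObject -Property @{
        Service  = 'Outlook Anywhere'
        Identity = $oa.Identity
        Basic    = ($oa.ClientAuthenticationMethod -eq 'Basic')
        Windows  = ($oa.ClientAuthenticationMethod -eq 'Ntlm')
        Forms    = $false
    }),
    (New-Object PSObject -Property @{
        Service  = 'ActiveSync'
        Identity = $eas.Identity
        Basic    = $eas.BasicAuthEnabled
        Windows  = $eas.WindowsAuthEnabled
        Forms    = $false
    })
)

foreach ($row in $report) {
    # TMG hands the user's credentials to the CAS with Basic, so Basic must be
    # enabled on each virtual directory; anything else is the mismatch that
    # "Test Rule" complains about.
    $status = if ($row.Basic) { 'OK' } else { 'MISMATCH: Basic not enabled' }
    Add-Member -InputObject $row -MemberType NoteProperty -Name Status -Value $status
}
$report | Format-Table Service, Identity, Basic, Windows, Forms, Status -AutoSize
```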

Sometimes, for testing purposes, you need to turn off spoof detection, or else it will not work.
I have had that problem; if you need to turn it off, check this link:

http://support.microsoft.com/kb/838114

Copied and pasted from the link above:

Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FwEng\Parameters

If the Parameters subkey is not displayed, follow these steps to create this subkey:
Click the FwEng subkey.
On the Edit menu, point to New, and then click Key.
To name the key, type Parameters, and then press ENTER.
Right-click Parameters, point to New, and then click DWORD Value.
To name the value, type DisableSpoofDetection, and then press ENTER.
Right-click DisableSpoofDetection, and then click Modify.
In the Value data box, type 1, and then click OK.
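The same steps as a PowerShell script, added here and not part of the KB article or the original page. It creates the Parameters subkey when it is missing, just as the steps above describe, and gives you a matching call to put detection back once the test is done, so the value is not left behind on a production TMG.

```powershell
# Added helper (example code, not from the KB article or the original page):
# the registry steps above as a function, plus the reverse so spoof detection
# is only off for the test window.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FwEng\Parameters'

function Set-TmgSpoofDetection {
    param([switch]$Disable)
    if ($Disable) {
        # Create the Parameters subkey if it does not exist yet, then set the
        # DWORD value DisableSpoofDetection = 1 as the KB steps describe
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        Set-ItemProperty -Path $keyPath -Name DisableSpoofDetection -Value 1 -Type DWord
    } elseif (Test-Path $keyPath) {
        # Restore the default behaviour by removing the override value again
        Remove-ItemProperty -Path $keyPath -Name DisableSpoofDetection -ErrorAction SilentlyContinue
    }
    # Return the current state so the caller can see what is actually in effect
    $current = $null
    if (Test-Path $keyPath) {
        $current = (Get-ItemProperty -Path $keyPath -Name DisableSpoofDetection -ErrorAction SilentlyContinue).DisableSpoofDetection
    }
    New-Object PSObject -Property @{
        SpoofDetectionDisabled = ($current -eq 1)
        RawValue               = $current
    }
}

# Turn detection off only while testing ActiveSync through TMG ...
Set-TmgSpoofDetection -Disable
# ... and put it back as soon as the test is finished
Set-TmgSpoofDetection
```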