
How to set up auto discover redirection on ForeFront Threat Management Gateway

This is the 10th chapter from the guide How to setup and configure Exchange server 2010 behind Microsoft Forefront Threat Management Gateway (TMG). It continues from the 9th chapter, which explained how to Publish Exchange with Microsoft Forefront Threat Management Gateway 2010.


Auto discover redirection on ForeFront TMG 2010 for multiple accepted domains

To use this method of redirection, the most important thing we need is an external IP address bound to the TMG server that currently doesn’t listen on HTTPS, port 443.

To use a single certificate for all accepted domains, we should redirect autodiscover requests to a single website. Otherwise users will receive the error "The name on the security certificate is invalid or does not match the name of the site", as shown in Figure 1.



To resolve this issue on TMG, click on the Publish Web Sites link. On the welcome screen, type a name for the rule and click Next.

On the Select Rule Action page, select Deny. Click Next.

Select Publish a single Web site or load balancer and click Next.

Select Use non-secured connection to connect the published Web server or server farm and click Next.

Type the autodiscover website address and specify the Exchange server IP address. Click Next.

On the Internal Publishing Details page, leave the default settings and click Next. On the following page, select This domain name (type below): and enter the autodiscover site name in the Public name textbox. Click Next to continue.

Click on the New button and create a listener as we did in the previous chapter. Note that this listener needs a new public IP address to receive the incoming requests: we cannot use the IP address that we used for publishing Outlook Anywhere and Outlook Web Application.

After creating the listener, click Next on the remaining pages and select Finish. Click Apply.

Double-click the rule to open its properties dialog box. Navigate to the Action tab and specify the address of the Autodiscover website (as shown in Figure 2).



Click OK then Apply.

Auto discover redirection using SRV record for multiple accepted domains

Another way to get rid of the error "The name on the security certificate is invalid or does not match the name of the site" is to use an SRV record.
Create a service record in your DNS server as shown below.
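
The following is an added example, not part of the original guide. It checks which accepted domains would trigger the name mismatch against a single certificate and prints the SRV records that point those domains at a host name the certificate does cover. The domains, certificate names and function names are constructed for illustration; `_autodiscover._tcp.<domain>` on port 443 is the standard Exchange Autodiscover SRV form.

```python
# Added example: constructed domains and certificate names, not from the original guide.

def name_matches(pattern: str, host: str) -> bool:
    """Certificate name match: exact, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def cert_covers(cert_names, host):
    """True if any name on the certificate is valid for `host`."""
    return any(name_matches(n, host) for n in cert_names)

def plan_autodiscover(cert_names, accepted_domains, target, ttl=3600):
    """Return (domains whose autodiscover.<domain> would fail the name check,
    SRV zone-file lines that point those domains at `target`)."""
    if not cert_covers(cert_names, target):
        # An SRV record to a host the certificate does not name just moves the error.
        raise ValueError(f"{target} is not on the certificate")
    mismatched, records = [], []
    for domain in accepted_domains:
        if cert_covers(cert_names, f"autodiscover.{domain}"):
            continue  # certificate is already valid for this domain's autodiscover name
        mismatched.append(domain)
        # Fields after SRV: priority 0, weight 0, port 443, target host.
        records.append(f"_autodiscover._tcp.{domain}. {ttl} IN SRV 0 0 443 {target}.")
    return mismatched, records

# Constructed sample: one certificate, three accepted domains.
CERT_NAMES = ["mail.contoso.example", "autodiscover.contoso.example"]
ACCEPTED = ["contoso.example", "fabrikam.example", "tailspin.example"]

if __name__ == "__main__":
    bad, srv = plan_autodiscover(CERT_NAMES, ACCEPTED, "autodiscover.contoso.example")
    print("name mismatch without redirection:", bad)
    print("\n".join(srv))
```

The refusal to emit records for a target that is not on the certificate is the useful check here: an SRV record only removes the warning when the host it names is one the certificate is valid for.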




— by Soheil Esmaeili
