
Publishing Exchange with Microsoft ForeFront Threat Management Gateway

This is the 9th chapter of the guide How to set up and configure Exchange Server 2010 behind Microsoft Forefront Threat Management Gateway (TMG). It continues from the 8th chapter, which covers requesting and installing a certificate on the Exchange server.

Before you begin publishing the Exchange server, set the authentication method for the OWA and ECP websites to “Basic Authentication”. To do this, right click on the relevant website, select Properties, open the Authentication tab and select Basic Authentication.



Open the Exchange Management Shell (EMS) and issue the commands below to set the authentication method for the Exchange Web Services and OAB virtual directories to Basic Authentication:

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -BasicAuthentication:$true

Get-OabVirtualDirectory | Set-OabVirtualDirectory -BasicAuthentication:$true -RequireSSL:$true
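The two commands above cover EWS and OAB; the OWA and ECP directories are set through IIS in the step before. As an added example (not part of the original guide), the following Exchange Management Shell script applies all four settings from one place and then verifies them, so that the back-end authentication matches what the TMG listener will delegate (Basic over SSL). The server name is a placeholder.

```powershell
# Added example, not from the original guide. Run in the Exchange Management Shell.
# $cas is a placeholder for your Client Access Server name.
$cas = "CAS01"

# OWA and ECP: TMG performs the forms-based login and then delegates Basic
# credentials, so the back-end directories must accept Basic only. Forms and
# Windows authentication are switched off in the same call.
Get-OwaVirtualDirectory -Server $cas | Set-OwaVirtualDirectory `
    -BasicAuthentication $true -FormsAuthentication $false -WindowsAuthentication $false
Get-EcpVirtualDirectory -Server $cas | Set-EcpVirtualDirectory `
    -BasicAuthentication $true -FormsAuthentication $false -WindowsAuthentication $false

# EWS and OAB, as in the guide; OAB additionally requires SSL.
Get-WebServicesVirtualDirectory -Server $cas | Set-WebServicesVirtualDirectory -BasicAuthentication $true
Get-OabVirtualDirectory -Server $cas | Set-OabVirtualDirectory -BasicAuthentication $true -RequireSSL $true

# Exchange only applies OWA/ECP authentication changes after IIS is restarted.
iisreset

# Verification: every directory must report Basic on and Forms off
# (EWS and OAB have no FormsAuthentication property; $null compares as "off").
$dirs = @()
$dirs += Get-OwaVirtualDirectory -Server $cas
$dirs += Get-EcpVirtualDirectory -Server $cas
$dirs += Get-WebServicesVirtualDirectory -Server $cas
$dirs += Get-OabVirtualDirectory -Server $cas
foreach ($d in $dirs) {
    $ok = ($d.BasicAuthentication -eq $true) -and -not ($d.FormsAuthentication -eq $true)
    "{0,-45} Basic={1,-5} Forms={2,-5} {3}" -f $d.Identity, $d.BasicAuthentication, `
        $d.FormsAuthentication, $(if ($ok) { "OK" } else { "CHECK" })
}
```

Any line reporting CHECK means the TMG delegation step later in this chapter will fail with an authentication error rather than a clear configuration message, so it is worth running this before building the publishing rule.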


1 - Publishing Outlook Web App

To publish Exchange 2010 Outlook Web App, install TMG on the third server and apply the latest updates that Microsoft has released.

Copy the certificate that you have purchased to the TMG machine and import it into the machine’s certificate store. To import the certificate, launch the Microsoft Management Console (MMC) and navigate to File – Add/Remove Snap-in. From the available snap-ins, select Certificates and press Add.

In the Certificates snap-in dialog, select Computer account and press Next to continue.



Then select Local computer, click Finish and then OK.

Right click on the Personal folder and select All Tasks and then Import. On the welcome screen, press Next. Select the certificate file by clicking the Browse button and press Next.

Enter the password for the certificate file and tick the Mark this key as exportable checkbox. Click Next on the remaining pages, and then Finish.

Open the Forefront TMG management console and select the Firewall Policy node. Click on Publish Exchange Web Client Access.

Type a rule name and press Next.



On the next window, select Exchange Server 2010 from the Exchange version drop down menu. In the Web client mail services section, select Outlook Web Access.

On the Publishing Type page, select Publish a single web site or load balancer and click Next.

On the Server Connection Security page, select Use SSL to connect to the published web server or server farm and click Next.

On the Internal Publishing Details page, enter your internal site name in the text box and tick the checkbox Use a computer name or IP address to connect to the published server. Enter the Exchange server’s IP address (the CAS server IP address).



On the Public Name Details page, select This Domain name (type below): and type your public name in the Public Name textbox (example shown in Figure 5). Click Next to continue.



On the Select Web Listener page, click New.

Type a name in the Web Listener textbox and press Next to continue.

Select Require SSL secured connection with clients and click Next.

On the Web Listener IP Addresses page, select External and click Select IP Addresses... Select Specified IP addresses on the Forefront TMG computer in the selected network, then from the Available IP Addresses list choose the IP address that should listen for incoming connections and click Add. Press OK and then Next to continue.

On the Listener SSL Certificate page, select Use a single certificate for this Web Listener and click Select Certificate. Select the certificate that you have imported to the certificate store and press Select. Click Next.

On the Authentication Settings page, select HTML Form Authentication and then Windows (Active Directory). Click Next.

On the Single Sign On Settings page, type your domain name (for example, .cloudbt.com.au) and click Next. Click Finish to close the listener wizard, then click Next.

Back on the Select Web Listener page, leave the default setting and click Next.

On the Authentication Delegation page, choose Basic authentication.

On the User Sets page, click Next.

Press Finish.

Click Apply in the Forefront TMG window and the rule is complete.

To test the configuration, open the rule you have made by double clicking it and click Test Rule. If everything is configured correctly, you should see all green tick marks (as in Figure 6).




If you get a “certificate invalid” message, as happened earlier on the Exchange server, set up the WinHTTP proxy.

Now you should be able to browse to Outlook Web App, provided you have set up the DNS records correctly.
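Windows certificate validation (and therefore the TMG Test Rule check) downloads CRL and AIA data through WinHTTP, which does not inherit browser proxy settings; on a server that reaches the Internet only through an upstream proxy this is the usual reason for the “certificate invalid” result. The following commands, added here as an example and not taken from the original guide, set the WinHTTP proxy and confirm that the chain can be fetched. The proxy address, bypass list and certificate file path are placeholders.

```powershell
# Added example, not from the original guide. Run in an elevated prompt on the TMG server.
# proxy.example.local:8080, *.example.local and C:\temp\listener.cer are placeholders.

# 1. Show what WinHTTP currently uses (default is "Direct access (no proxy server)").
netsh winhttp show proxy

# 2. Point WinHTTP at the upstream proxy; keep local and internal names direct so that
#    TMG still reaches the CAS and domain controllers without going through the proxy.
netsh winhttp set proxy proxy-server="proxy.example.local:8080" bypass-list="<local>;*.example.local"

# 3. Export the listener certificate from the computer store as DER (.cer) and verify
#    that every certificate in the chain and its revocation data can now be retrieved.
#    The output lists each CRL/AIA URL with "Verified" or the HTTP error behind the failure.
certutil -verify -urlfetch C:\temp\listener.cer

# 4. Re-run Test Rule on the publishing rule; the certificate step should now show green.

# To revert to direct access once the proxy is no longer needed:
#   netsh winhttp reset proxy
```

The `certutil -verify -urlfetch` output is the useful diagnostic: if a CRL URL shows an error while the proxy is set, the problem is reachability of the CA, not the certificate you imported.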



2 - Publishing Outlook Anywhere (RPC/HTTP(s))

To publish Outlook Anywhere, click on Publish Exchange Web Client Access again (as seen in Figure 3) and type a name for this publishing rule. Click Next.

On the following page, select Exchange Server 2010 from the Exchange version drop down menu and tick Outlook Anywhere (RPC/HTTP(s)) and Publish additional folders on the … Click Next.

On the Publishing Type page, select Publish a single web site or load balancer. Click Next.

On the Server Connection Security page, select Use SSL to connect to the published web server or server farm. Click Next.

On the Internal Publishing Details page, type your internal site name and enable Use a computer name or IP address to connect to the published server. Enter the Exchange server’s IP address (the CAS server IP address). Click Next.

On the Public Name Details page, select This Domain name (type below): and type your public name in the Public Name textbox. Click Next.

On the Select Web Listener page, leave the default setting. Click Next.

On the Authentication Delegation page, select Basic authentication. Click Next.

On the User Sets page, click Next.

Click Finish.

Double click the rule to open it. On the Public Name tab, click Add, type autodiscover.pandahost.net in Public domain name or IP address and click OK. Click Apply.
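The rule delegates Basic credentials, so the Outlook Anywhere configuration on the CAS must advertise the same public name and the same client authentication method, otherwise Outlook will connect through TMG and then fail at the back end. The script below is an added example, not from the original guide, that aligns Outlook Anywhere with the rule and checks the result; the server name and public host name are placeholders and must match the Public Name you entered in the rule.

```powershell
# Added example, not from the original guide. Run in the Exchange Management Shell.
# CAS01 and mail.example.com are placeholders.
$cas        = "CAS01"
$publicName = "mail.example.com"   # must equal the Public Name of the TMG rule

# ExternalHostname is what Autodiscover hands to Outlook; ClientAuthenticationMethod
# is what Outlook uses against TMG; IISAuthenticationMethods is what the CAS accepts
# from TMG's delegation. SSLOffloading stays off because TMG re-encrypts to the CAS.
Get-OutlookAnywhere -Server $cas | Set-OutlookAnywhere `
    -ExternalHostname $publicName `
    -ClientAuthenticationMethod Basic `
    -IISAuthenticationMethods Basic `
    -SSLOffloading $false

# Verify and flag anything that would not match the TMG rule.
$oa = Get-OutlookAnywhere -Server $cas
$oa | Format-List ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

if ("$($oa.ExternalHostname)" -ne $publicName) {
    Write-Warning "ExternalHostname differs from the TMG public name: Outlook will use the wrong host"
}
if ("$($oa.ClientAuthenticationMethod)" -ne "Basic") {
    Write-Warning "ClientAuthenticationMethod is not Basic: it will not match the rule's delegation"
}
if ($oa.SSLOffloading) {
    Write-Warning "SSLOffloading is enabled but the rule connects to the CAS over SSL"
}

# End-to-end probe through Autodiscover (Exchange 2010 SP1 or later).
Test-OutlookConnectivity -Protocol HTTP -GetDefaultsFromAutodiscover $true
```

Run the final Test-OutlookConnectivity line from a machine that resolves the public name to the TMG external address; run inside the network it only proves the internal path.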

To test the configuration, open the rule that you have made by double clicking on the rule and clicking Test Rule. If everything is configured correctly you should see all green tick marks in the result.

Click Apply on Forefront window.



3 - Publishing Mail Server

To publish your mail server, navigate to Tasks – Publish Mail Servers. Enter a name for the Mail Server Publishing rule and click Next.



Select Client access: RPC, IMAP, POP3, SMTP and click Next.

On the Select Services page, select all check boxes and click Next.



Specify your Exchange server IP address on the Select Server screen and press Next.

On the Network Listener IP Addresses page, select External and click the Addresses button. In the External Network Listener IP Selection pop-up, choose the Specified IP addresses on the Forefront TMG computer in the selected network radio button. From Available IP Addresses, select your TMG IP address and click Add, which moves it to the Selected IP Addresses list (as shown in Figure 11).



Click OK on the popup, which returns you to the wizard.

Click Next, Finish and then Apply in the Forefront TMG window.
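Once the web listener and the mail server rule are applied, the useful check is from the outside: which published ports actually answer on the TMG external address, and which certificate the listener presents. The script below is an added example, not from the original guide; it runs on Windows PowerShell 2.0 or later from a machine outside the TMG external network. The public name and the two port lists are placeholders to adjust to the services you ticked in the wizard.

```powershell
# Added example, not from the original guide. Run from a host outside the TMG external network.
# mail.example.com and the port lists are placeholders.
$publicName   = "mail.example.com"
$tcpTimeoutMs = 3000

# TCP connect with a timeout; returns $true when the port accepts the connection.
function Test-Port($targetHost, $port) {
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($targetHost, $port, $null, $null)
    $ok     = $async.AsyncWaitHandle.WaitOne($tcpTimeoutMs, $false)
    if ($ok) { try { $client.EndConnect($async) } catch { $ok = $false } }
    $client.Close()
    return $ok
}

# Ports the rules in sections 1-3 are expected to publish (HTTPS, SMTP, POP3/IMAP and
# their TLS variants) and ports that must stay closed regardless of the rules.
$expectOpen   = @(443, 25, 110, 143, 993, 995)
$expectClosed = @(80, 445, 3389)
foreach ($p in $expectOpen) {
    "{0,5} expected open   : {1}" -f $p, $(if (Test-Port $publicName $p) { "open" } else { "CLOSED - check the publishing rule" })
}
foreach ($p in $expectClosed) {
    "{0,5} expected closed : {1}" -f $p, $(if (Test-Port $publicName $p) { "OPEN - investigate" } else { "closed" })
}

# Fetch the certificate the web listener presents on 443 and check name and expiry.
# The callback accepts any certificate because the script inspects it itself below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($publicName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($publicName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

"Subject    : " + $cert.Subject
"Issuer     : " + $cert.Issuer
"Expires    : " + $cert.NotAfter
"Thumbprint : " + $cert.Thumbprint
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "listener certificate expires within 30 days" }
if ($cert.Subject -notmatch [regex]::Escape($publicName)) {
    Write-Warning "certificate subject does not contain $publicName; check the Subject Alternative Names"
}
```

Compare the thumbprint printed here with the certificate you imported into the TMG store earlier in this chapter; a different value means the listener is bound to another certificate than the one you selected on the Listener SSL Certificate page.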

4 - Creating an access rule for DNS

Without access to DNS, your server won’t be able to deliver messages to recipients. To create the DNS access rule, click on Create Access Rule located in the Tasks tab. Assign a name to the rule and click Next.

Click Allow and then Next to continue.

From the dropdown menu select All outbound traffic and click Next.

On the Malware Inspection page, select Do not enable malware inspection for this rule. Click Next.

For the source of the traffic, click Add and choose Internal. Click Next.

For the destination of the traffic, click Add and choose External. Click Next.

On the User Sets screen click Next. Select Finish and then Apply.

Now our Exchange mail server is almost configured and is ready for testing!

You can test your Exchange mail server on the Microsoft website to ensure it is fully functional. The reports that Microsoft provides are very useful for rectifying problems you may encounter during the Exchange server installation.


The next chapter (10th chapter) explains how to set up Autodiscover redirection on Forefront TMG 2010 for multiple accepted domains.


 — By Soheil Esmaeili
