Collected: How to set up TMG 2010 to publish Outlook Anywhere on Exchange 2010 & Exchange 2007
How to set up TMG 2010 to publish Outlook Anywhere on Exchange 2010. This article assumes that the TMG server is in the DMZ and is not a domain member, as per best practices.
First of all ensure that the Exchange 2010 CAS server is set up correctly:
- Install the RPC over HTTPs feature via Windows Server Manager.
- Go into the Exchange management console.
- Expand Server Configuration > Client Access.
- Right click on the CAS server and select Enable Outlook Anywhere.
As the TMG server is in the DMZ, it will not trust the Exchange server's self-signed certificate. In order for Outlook Anywhere to work, the TMG server must be able to access https://YourMailServer.YourDomain.Local/RPC/rpcproxy.dll over a connection whose certificate it trusts.
Therefore we need to create a new certificate that can be trusted by both the Exchange server and the TMG server. This is easily achieved by installing an internal root CA. I would recommend you do this on a Windows Server 2008 machine as it is easily able to create a SAN cert (it can be done on Windows Server 2003, but only via CLI).
You should also ensure that the TMG server can access the mail server by name. The best way to achieve this without opening up additional ports on the firewall is to add the following line to the TMG server's hosts file:
220.127.116.11 (Your mail server's IP address) YourMailServer YourMailServer.YourDomain.Local ExternalURLOfMailService.YourExternalDomain.Com
- Connect to a Windows Server 2008 machine and install the Active Directory Certificate Services role.
- Select both the Certification Authority and the Certification Authority Web Enrolment.
Once the above is complete we can create a new certificate for use in Exchange. Connect back to the Exchange server and perform the following:
- Launch the Exchange management console.
- Click on Server Configuration and then click on the mail server's name in the right hand pane.
- Click New Exchange Certificate on the actions pane.
- Follow the wizard. Do not worry too much about the Exchange Configuration screen as we can add and alter the Certificate Domains on the next screen. This is where we add all the required names for the SAN certificate.
- Once the wizard is complete and you have exported the certificate request you can launch a web browser to: http://YourRootCAServer/certsrv
- Select Request a certificate.
- Select advanced certificate request.
- Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open your certificate request file and copy the string.
- Paste this into the Saved Request section of the certificate services website.
- Select the option to create a Web Server under Certificate Template.
- Select submit and complete the wizard.
- Once you have your certificate file, return to the Exchange management console.
- Select the option to complete a pending request and select your new certificate file.
- Once complete you may receive the following error against the new certificate in Exchange manager: The Certificate is Invalid for Exchange Server Usage.
- This is because the server (and clients) have not had time to pick up the new certificate authority.
- To resolve this you can either wait, reboot the machines or update group policy via: gpupdate /force on the command line.
- Once the gpupdate /force has been run you may need to close and re-open the management console.
- Once the certificate shows as valid, select Assign Services to Certificate.
- Follow the wizard and select the required services for your site (I would select all apart from Unified Messaging).
- At this point, client machines using Outlook might start getting certificate errors. This is because they have not had their policy updated to recognise the new root CA. Again, you can fix this either by rebooting the client machines or running gpupdate /force
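The article requires that the TMG server resolves the mail server by name and trusts the certificate it presents. The following PowerShell check, run on the TMG server once the new certificate has been assigned, is an added example and not part of the original article; the function names are hypothetical and the host names are the article's placeholders.

```powershell
# Added example: run on the TMG server. Host names are the article's placeholders.
$InternalName  = 'YourMailServer.YourDomain.Local'
$RequiredNames = @($InternalName, 'ExternalURLOfMailService.YourExternalDomain.Com')

# Hypothetical helper: fetch the certificate the server presents on port 443.
function Get-ServerCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; trust is evaluated separately.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Hypothetical helper: report name resolution, SAN coverage and chain trust.
function Test-PublishedCertificate {
    param([string]$HostName, [string[]]$RequiredNames)
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName)   # honours the hosts file
    $cert = Get-ServerCertificate $HostName

    # Subject Alternative Name extension (OID 2.5.29.17). English-language Windows
    # formats each entry as "DNS Name=<name>"; wildcard entries are not expanded here.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($true), 'DNS Name=(\S+)') |
                      ForEach-Object { $_.Groups[1].Value })
    }
    $missing = @($RequiredNames | Where-Object { $dnsNames -notcontains $_ })

    # Build the chain against this machine's own certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    New-Object PSObject -Property @{
        ResolvedTo   = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        MissingNames = $missing -join ', '
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-PublishedCertificate -HostName $InternalName -RequiredNames $RequiredNames | Format-List
```

On a TMG server that is not a domain member, a ChainStatus of UntrustedRoot means the internal root CA certificate is not in the computer's Trusted Root Certification Authorities store; group policy does not deliver it to a non-domain machine. A non-empty MissingNames value means the SAN certificate request needs those names added.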
Exchange is now configured to allow RPC over HTTPs connections. To publish the server we need to do the following on the TMG server:
- Launch the TMG management console and browse to Firewall Policy.
- On the right hand side, select Tasks > System Policy Tasks > Edit System Policy.
- In the pop up window, select Authentication Services > Active Directory.
- Uncheck Enforce strict RPC compliance, and click OK.
- Right click Firewall Policy and select New > Exchange Web Client Access Publishing Rule.
- Follow the wizard, selecting the following options:
  - Exchange version: Exchange Server 2010
  - Outlook Anywhere (RPC/HTTP(s)). Note that once this is selected, the other client access services are greyed out. This is because RPC over HTTPs must exist in its own rule and cannot be shared with other services.
  - Publish a single Web site or load balancer
  - Use SSL to connect to the published Web server or server farm
  - Internal site name: YourMailServer.YourDomain.Local (check the TMG server is able to resolve this)
  - Public name: ExternalURLOfMailService.YourExternalDomain.Com
  - Select a Web listener from the dropdown (this can be the one used for OWA and should use a SAN cert. No authentication should be enabled).
  - No delegation, but client may authenticate directly
  - All Users
  - Finish
- Right click the newly created rule and select properties.
- Select Test Rule.
- You should get no errors and the test should read as: Configuration Tests > YourTMGServerName > YourMailServerName.YourDomain.Local > https://ExternalURLOfMailService.YourExternalDomain.Com:443/rpc/
- If you get an HTTP error 500 message then follow this article: http://www.cenobite.eu/index.php?option=com_content&view=article&id=61:exchange-outlook-anywhere-error-an-aspnet-setting-has-been-detected-that-does-not-apply-in-integrated-managed-pipeline-mode&catid=3:exchange&Itemid=19
Outlook Anywhere configuration is now complete.