Publishing Outlook Web Access with Microsoft Forefront TMG

How to publish Exchange Server 2007 SP1 Outlook Web Access (OWA) with Microsoft Forefront TMG.


Change FBA to basic authentication on Exchange Server

Firstly, we have to change the Forms based Authentication (FBA) on Exchange Server site, because TMG also uses FBA and the settings enabled on TMG and Exchange will result in conflicts. To change OWA from FBA to Basic Authentication (used by TMG) start the Exchange Management Console, navigate to Server Configuration – Client Access – and click into the properties of the OWA settings and change FBA to Basic and Windows Authentication as you can see in the following screenshot.

Figure 1: Change authentication from FBA to Basic authentication


we must request a new certificate for the TMG web listener for the public DNS

After we changed from forms based authentication to basic authentication at Exchange site, we must request a new certificate for the TMG web listener for the public DNS name which will be used to access Outlook Web Access from the Internet.

The common name (CN) of the certificate must match the public DNS name used to access OWA. For example: If your public DNS name is, the CN of the certificate must be the same.

With the Windows Server 2008 MMC Certificate Snap In it is possible to add additional information to the certificate request process. You will need these additional settings to create a certificate request with the custom CN as you can see in the following screenshot.



Figure 2: Request a new certificate

Lưu ý: Trường hợp gặp lỗi sau


To automatically enroll clients for certificates in a domain environment, you must:

  • Configure a certificate template with Auto enroll permissions. For more information, see Issuing Certificates Based on Certificate Templates (
  • Configure an auto enrollment policy for the domain.


Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure auto enrollment Group Policy for a domain

  1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Console (GPMC), go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Double-click Certificate Services Client – Auto-Enrollment.

  6. Select the Enroll certificates automatically check box to enable auto enrollment. If you want to block auto enrollment from occurring, select the Do not enroll certificates automatically check box.

  7. If you are enabling certificate auto enrollment, you can select the following check boxes:

    • Renew expired certificates, update pending certificates, and remove revoked certificates enables auto enrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user’s certificate store.
    • Update certificates that use certificate templates enables auto enrollment for issuance of certificates that supersede issued certificates.
  8. Click OK to accept your changes.

Click the link in the request certificate wizard and select the common name type and enter the CN you will need, in this case and click Add.

Figure 3: Specify the CN for the public certificate

After the certificate has been successfully created, you will see the result in the certificate Snap In.

If the certificate request process with the MMC was not successful, the problem might appear due to the fact that the certificate request requires DCOM access which must be manually configured at the ISA/TMG Firewall. For additional information read the following Blog post from the ISA/TMG product team.

Figure 4: Certificate enrollment successful


Phần 3: Cách tạo chữ ký số SSL cho Exchange 2007

Cách cài chữ ký số SSL vào Exchange 2007


Phần 4: Cách cấu hình OWA trong TMG 2010

Start the TMG Management console, navigate to the Firewall Policy node and create a new Exchange Web Client Access Publishing rule.

Figure 5: Create a new Exchange Web Client Access Publishing Rule

A new wizard start which will guide you to the OWA publishing process. Enter a name for the new publishing rule.

Figure 6: Exchange Publishing rule name

Specify the correct Exchange version and the web client mail service you want to publish.

Figure 7: Publish OWA with Exchange Server 2007

We want to publish a single Website, so we select this option.

Figure 8: Publish a single Web site

Select SSL, so TMG will establish a secure connection with the Client Access Server (CAS).

Figure 9: use SSL for connection to the published server

Enter the Internal Site name of the Client Access Server. This is the internal FQDN of the CAS server. The Internal Site name must match the Common Name (CN) of the certificate used on the Client Access Server.

Figure 10: Specify the internal site name

In the next step of the wizard, enter the public name which clients must use in their browsers to access the published Outlook Web Access Server through the Internet.

Figure 11: Specify the public name to access OWA

Create a new OWA Web listener. The web listener should use SSL due to security reasons.

Figure 12: Require SSL for connections with clients

Now it is time to select the Network on which Microsoft TMG should listen for incoming network traffic for Outlook Web Access. Select the External network and if you only have one IP address bound to the external network interface of TMG you can leave the setting unchanged, else you must select the IP address in the Listener which should be used to publish Outlook Web Access.

Figure 13: Select the Web listener for external requests

Next, choose the certificate which will be bound to the web listener in order to access OWA through the Internet. You must select the certificate which you had created with the MMC.

Figure 14: Select the certificate for public OWA access

Select Formats Based Authentication (FBA) with Windows authentication.

Figure 15: Select Authentication method

Because we do not use SSO (Single Sign On), uncheck the SSO option.

Figure 16: Deactivate SSO

Click Finish and Next.

The Authentication Delegation method selects the Basic Authentication. Since Basic Authentication is used with SSL, this does not pose a security problem.

Figure 17: Authentication Delegation

When this is done, select the users and user groups which should be allowed to access Outlook Web Access through the Internet.

Figure 18: Select users who should use OWA through TMG

Click Finish and Apply.

After the wizard has successfully completed, you can test your configuration. For this article I accessed the OWA website with my Windows 7 Netbook.

Figure 19: Successfully connected to the OWA website through the Internet


About thangletoan

Hallo Aloha

Posted on 31/03/2013, in Công nghệ và Giáo dục, Chính sách CNTT, Exchange 2007, Microsoft, Microsoft Exchange & TMG, Microsoft Exchange 2007, Microsoft Forefront TMG 2010, Outlook Web Access, TMG 2010 and tagged , . Bookmark the permalink. %(count) bình luận.

  1. You are so cool! I do not suppose I’ve truly read something like that
    before. So good to discover someone with original thoughts on this topic.

    Seriously.. many thanks for starting this up. This site is one thing that is needed on the internet, someone with some originality!

Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Đăng xuất /  Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )


Connecting to %s

%d bloggers like this: