When upgrading to Office 365, the university's system gets mail bounced with the error "Delivery is delayed to these recipients or groups:"


1. An administrator at a regional university asks:

As discussed with you over the phone, when upgrading to Office 365 our system gets mail returned with the error "Delivery is delayed to these recipients or groups:".

Please take a look and suggest how we should handle it. Thank you.

Regards.

 

Reply:

Hello,

1. I have checked the DNS configuration in the domain management panel you sent and on http://Portal.microsoftonline.com; both are correct.


 

I also ran into this error when I deleted / completely replaced the old MX and CNAME configuration.

I checked with other universities that have upgraded: they kept all the old records and only added the new ones, as Trung did, and it runs stably.

So please add the old MX and CNAME records back on the DNS server that manages your domain,

for example:

1. CNAME: f3feeecccf8985 Host: mail.outlook.com

2. MX @ Host: f3feeecccf8985.mail.outlook.com Priority: 5

3. MX @ Host: f3feeecccf8985.msv1.invalid Priority: 10

P.S.: The newly added records are all correct; do not delete / edit anything (just add back the old records that existed before the upgrade to Office 365).

2. If you control the DNS, you should also add the records needed for Lync Conferencing (used for video, meetings, classes and online conferences).

In the following example, I manage the domain cloud.edu.vn, provided by matbao.vn, and have to configure Lync (the boxes marked in red) by adding the following parameters

 

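The reply's advice is to keep the pre-upgrade MX and CNAME records alongside the new ones. The script below is an added example, not part of the original exchange: it asks a resolver for the MX and CNAME records of a domain and reports which of the expected records are missing, so the fix can be confirmed before delivery is retried. It uses Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later); the domain, resolver address and the record values (copied from the reply's example) are placeholders to replace with your own.

```powershell
# Added example (not part of the original post): compare the MX and CNAME records
# a DNS server answers with against the records the reply says must be present.
param(
    [string]$Domain    = 'example.edu.vn',   # assumed domain to check
    [string]$DnsServer = '8.8.8.8'           # assumed resolver; prefer your authoritative server
)

# Expected records, modelled on the reply's example (placeholder host names).
$ExpectedMx = @(
    @{ Exchange = 'f3feeecccf8985.mail.outlook.com'; Preference = 5  },
    @{ Exchange = 'f3feeecccf8985.msv1.invalid';     Preference = 10 }
)
$ExpectedCname = @{ 'f3feeecccf8985' = 'mail.outlook.com' }

function Test-MxRecords {
    # Resolve-DnsName returns MX objects with NameExchange and Preference.
    $actual = Resolve-DnsName -Name $Domain -Type MX -Server $DnsServer -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'MX' }
    foreach ($exp in $ExpectedMx) {
        $hit = $actual | Where-Object {
            $_.NameExchange.TrimEnd('.') -ieq $exp.Exchange -and $_.Preference -eq $exp.Preference
        }
        [pscustomobject]@{
            Record  = "MX $($exp.Exchange) (pref $($exp.Preference))"
            Present = [bool]$hit
        }
    }
}

function Test-CnameRecords {
    foreach ($name in $ExpectedCname.Keys) {
        $fqdn   = "$name.$Domain"
        $actual = Resolve-DnsName -Name $fqdn -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        [pscustomobject]@{
            Record  = "CNAME $fqdn -> $($ExpectedCname[$name])"
            Present = ($null -ne $actual) -and ($actual.NameHost.TrimEnd('.') -ieq $ExpectedCname[$name])
        }
    }
}

$results = @(Test-MxRecords) + @(Test-CnameRecords)
$results | Format-Table -AutoSize

$missing = $results | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning "Missing records: $($missing.Record -join '; ') - add them on the authoritative DNS server before retrying delivery."
    exit 1
}
```

Point `-DnsServer` at the authoritative server for the zone to see the records immediately after editing them; a public resolver will keep answering from cache until the old TTL expires.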


How to configure SMTP Relay on an IIS server (Windows 2008) connecting to Exchange Online in Office 365


Configuring SMTP Relay on IIS 7 / 7.5, Windows Server 2008

Contents

1. Open IIS 7

2. Enable the SMTP Server on Windows Server 2008

3. Configure SMTP in IIS 6

4. Test the SMTP configuration in IIS 6

5. Configure Mail in the SharePoint Administration Center

1. Open IIS 7

2. Enable the SMTP Server on Windows Server 2008

3. Configure SMTP in IIS 6


Determine the Exchange Online server address with a CMD command as follows:


Example: mail.cloud.edu.vn is the address you declared as the webmail subdomain / DNS record with your domain registrar.

The result is a successful connection message with code 220.


Finally, open Start\Control Panel\Services and check that the SMTP service has started.

4. Test the SMTP configuration in IIS 6

Create a file named mail.txt with the following content:

From:<thang.le@hotmail.com>
To:<youremail@your_domain_office365.edu.vn>
Subject: Test mail from IIS Server via SMTP Relay Office 365
Body:
Mail Content to send SMTP Relay.

^

Copy this file into the folder c:\inetpub\mailroot\pickup\

If the system is working and the SMTP configuration in IIS is correct, the file is automatically moved to the Queue folder and sent; you can check the IIS 6 logs or the mailbox you specified in the To:<> line of mail.txt.
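The pickup-directory test above can be scripted so that the outcome is observed rather than guessed at. The following is an added example, not from the original article: it writes a well-formed message, moves it into the Pickup folder in one step (so the SMTP service never reads a half-written file), and then watches whether the file is accepted or lands in Badmail. The folder paths are the IIS 6 SMTP defaults; the sender and recipient addresses are placeholders.

```powershell
# Added example (not from the original article): drop a test message into the IIS
# SMTP pickup directory and report where it ends up.
param(
    [string]$From       = 'sender@your_domain_office365.edu.vn',    # assumed sender
    [string]$To         = 'youremail@your_domain_office365.edu.vn', # assumed recipient
    [string]$MailRoot   = 'C:\inetpub\mailroot',                    # IIS 6 SMTP default
    [int]   $TimeoutSec = 60
)

$pickup  = Join-Path $MailRoot 'Pickup'
$badmail = Join-Path $MailRoot 'Badmail'

# Build an RFC 5322 message: header lines, one empty line, then the body.
# A Message-ID lets us find this exact test in the SMTP log or in Badmail.
$msgId = "<$([guid]::NewGuid().ToString('N'))@smtp-relay-test>"
$lines = @(
    "From: <$From>",
    "To: <$To>",
    "Subject: Test mail from IIS Server via SMTP Relay Office 365",
    "Date: $(Get-Date -Format r)",
    "Message-ID: $msgId",
    "",
    "Mail Content to send SMTP Relay."
)
$message = ($lines -join "`r`n") + "`r`n"

# Write outside Pickup, then move in: the SMTP service polls Pickup continuously
# and may otherwise pick up a partially written file.
$tmp   = Join-Path $MailRoot "relay-test-$(Get-Date -Format yyyyMMddHHmmss).eml"
[IO.File]::WriteAllText($tmp, $message, [Text.Encoding]::ASCII)
$final = Join-Path $pickup (Split-Path $tmp -Leaf)
Move-Item -Path $tmp -Destination $final

# The file disappearing from Pickup means the service accepted it for queuing;
# a fresh .BAD file in Badmail means it was rejected (the matching .BDR explains why).
$started  = Get-Date
$deadline = $started.AddSeconds($TimeoutSec)
do {
    Start-Sleep -Seconds 2
    $stillInPickup = Test-Path $final
    $bad = Get-ChildItem -Path $badmail -Filter '*.BAD' -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -gt $started }
} while ($stillInPickup -and -not $bad -and (Get-Date) -lt $deadline)

if ($bad)               { Write-Warning "Relay rejected the test message; see $($bad.FullName)" }
elseif ($stillInPickup) { Write-Warning "File still in Pickup after $TimeoutSec s; is the SMTP service started?" }
else                    { Write-Host "Accepted by the SMTP service (Message-ID $msgId); check the Queue folder or the mailbox $To." }
```

A message that leaves Pickup but never arrives is usually sitting in the Queue folder waiting on the smart-host connection; the 220 banner check described earlier is the next thing to verify in that case.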

5. Configure Mail in the SharePoint Administration Center

How to delete email from Exchange 2007 and 2010 databases


To delete email that has already been sent on an Exchange 2007 / 2010 server

you need Administrator rights over the Exchange server at the Windows local Administrator and Exchange Administrators level.

The two steps you need to perform are:

1. Grant the admin account the rights needed to let Exchange act on the mailbox database.

2. Use Run as Administrator to open the Exchange Shell and delete the mail on the Exchange Server.

 

Every so often, an Exchange administrator faces a situation where messages that fit specific criteria need to be removed from a large number of mailboxes or from Exchange transport queues. The need may arise due to some sort of mass mailing, a message sent accidentally to a large distribution group or individual recipients, or it could be one of the steps required as part of cleanup efforts after a mass-mailing virus outbreak (although the latter have become increasingly rare and are generally taken care of by Exchange-aware antivirus scanners).

The steps for accomplishing this are documented in various places in Exchange documentation, but it can be difficult to refer to multiple sources if you have a mixed environment containing several versions of Exchange Server. We wanted to provide a single place with somewhat generic instructions on how to accomplish these tasks across all currently supported versions of Exchange Server – Exchange 2010, Exchange 2007, and Exchange 2003.

Removing messages from mailboxes

Removing messages using the Shell in Exchange 2010 RTM and Exchange 2007

In Exchange 2010 RTM and Exchange 2007, you can use the Export-Mailbox cmdlet to export or delete messages. In Exchange 2010 SP1, the functionality to export a mailbox is provided by the New-MailboxExportRequest cmdlet and is covered in a separate article. The functionality to search and delete messages is provided by the Search-Mailbox cmdlet.

Permissions

In Exchange 2010, the Mailbox Export Import RBAC role must be assigned to the account used to perform this operation (using Export-Mailbox in Exchange 2010 RTM or Search-Mailbox in Exchange 2010 SP1). If the role isn’t assigned, you’ll be unable to run or “see” the cmdlet.

The versatile Export-Mailbox cmdlet can export mailbox content based on specific folder names, date and time range, attachment file names, and many other filters. A narrow search will go a long way in preventing accidental deletion of legitimate mail. For more details, syntax and parameter descriptions, see the following topics:

The account used to export the data must be an Exchange Server Administrator, a member of the local Administrators group of the target server, and have Full Access mailbox permission assigned on the source and target mailboxes. The target mailbox you specify must already be created; the target folder you specify is created in the target mailbox when the command runs.

Adding and removing the necessary permissions

This example retrieves all mailboxes from an Exchange organization and assigns the Full Access mailbox permission to the MyAdmin account. You must run this before exporting or deleting messages from user mailboxes. Note, if you need to export or delete messages only from a few mailboxes, you can use the Get-Mailbox cmdlet with appropriate filters, or specify each source mailbox.

Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all

After exporting or deleting messages from mailboxes, you can remove the Full Access mailbox permission, as shown in this example:

Get-Mailbox -ResultSize unlimited | Remove-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all

Removing messages

Here are a few examples that remove messages.

This example removes all messages with the subject keyword “Friday Party” and received between Sept 7 and Sept 9 from the Inbox folder of mailboxes on Server1. The messages will be deleted from the mailboxes and copied to the folder DeleteMsgs of the MyBackupMailbox mailbox. The Administrator can now review these items or delete them from the MyBackupMailbox mailbox. The StartDate and EndDate parameters must match the date format setting on the server, whether it is mm-dd-yyyy or dd-mm-yyyy.

Get-Mailbox -Server Server1 -ResultSize Unlimited | Export-Mailbox -SubjectKeywords "Friday Party" -IncludeFolders "\Inbox" -StartDate "09/07/2010" -EndDate "09/09/2010" -DeleteContent -TargetMailbox MyBackupMailbox -TargetFolder DeleteMsgs -Confirm:$false

This example removes all messages that contain the words “Friday Party” in the body or subject from all mailboxes.

Depending on the size of your environment, it is better to do the extraction/deletion in batches by using the Get-Mailbox cmdlet with the Server or Database parameters (Get-Mailbox -Server servername -ResultSize Unlimited or Get-Mailbox -Database DB_Name -ResultSize Unlimited), or specifying a filter using the Filter parameter. You can also use the Get-DistributionGroupMember cmdlet to perform this operation on members of a distribution group.

Get-Mailbox -ResultSize Unlimited | Export-Mailbox -ContentKeywords "Friday Party" -TargetMailbox MyBackupMailbox -TargetFolder 'Friday Party' -DeleteContent

It is recommended to always use a target mailbox (by specifying the TargetMailbox and TargetFolder parameters) so you have a copy of the data. You can review messages before purging them so any legitimate mail returned by the filter can be imported back to its owner mailbox. However, it is possible to outright delete all messages without temporarily copying them to a holding mailbox.

This example deletes all messages that contain the string “Friday Party” in the message body or subject, without copying them to a target mailbox.

Get-Mailbox | Export-Mailbox -ContentKeywords "Friday Party" -DeleteContent
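The three steps described above (grant Full Access, export matching items to a holding mailbox one database at a time, then revoke the permission) fit naturally into one script. The following is an added example, not from the original article or from Microsoft: it runs the copy step by default and deletes only when `-Delete` is given, takes the dates as [datetime] so the server's mm/dd vs dd/mm setting is resolved once at parse time, and always revokes the temporary permission in a `finally` block. It needs the PowerShell 2.0 shell (Exchange 2010 RTM or Exchange 2007 SP3); the database, admin account and holding mailbox names are placeholders.

```powershell
# Added example (not from the original article): the grant / export / revoke
# procedure as one script, one mailbox database per run.
param(
    [string]  $Database       = 'DB01',             # assumed database to process
    [string]  $AdminAccount   = 'MyAdmin',          # account running the export
    [string]  $HoldingMailbox = 'MyBackupMailbox',  # copies land here for review
    [string]  $Keyword        = 'Friday Party',
    [datetime]$Start          = '09/07/2010',       # parsed with the shell's culture
    [datetime]$End            = '09/09/2010',
    [switch]  $Delete                               # without it, items are only copied
)

$folder    = "Purge-$(Get-Date -Format yyyyMMdd-HHmm)"   # one target folder per run
$mailboxes = @(Get-Mailbox -Database $Database -ResultSize Unlimited |
               Where-Object { $_.Alias -ne $HoldingMailbox })   # never search the holding mailbox itself
Write-Host "Processing $($mailboxes.Count) mailboxes in $Database; copies go to $HoldingMailbox\$folder"

# Step 1: temporary Full Access so Export-Mailbox can open every mailbox.
$mailboxes | Add-MailboxPermission -User $AdminAccount -AccessRights FullAccess -InheritanceType all | Out-Null

try {
    # Step 2: copy (and optionally delete) matching items, one mailbox at a time so a
    # failure on one mailbox does not abort the whole batch.
    foreach ($mbx in $mailboxes) {
        $params = @{
            Identity        = $mbx
            SubjectKeywords = $Keyword
            IncludeFolders  = '\Inbox'
            StartDate       = $Start
            EndDate         = $End
            TargetMailbox   = $HoldingMailbox
            TargetFolder    = $folder
            Confirm         = $false
            ErrorAction     = 'Stop'
        }
        if ($Delete) { $params.DeleteContent = $true }
        try   { Export-Mailbox @params }
        catch { Write-Warning "$($mbx.Alias): $($_.Exception.Message)" }
    }
}
finally {
    # Step 3: remove the temporary permission even if something failed above.
    $mailboxes | Remove-MailboxPermission -User $AdminAccount -AccessRights FullAccess -InheritanceType all -Confirm:$false | Out-Null
}
```

Run it once without `-Delete`, review the folder created in the holding mailbox, and only then run it again with `-Delete`; the review copy is what lets you return a legitimate message to its owner if the keyword filter turns out to be too broad.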

 

Exchange 2000 and 2003 versions:

Removing messages on Exchange 2003 and Exchange 2000 using ExMerge

The ExMerge utility can be used to extract mail items from mailboxes located on legacy Exchange Server versions. Follow the steps in KB 328202 HOW TO: Remove a Virus-Infected Message from Mailboxes by Using the ExMerge.exe Tool to remove unwanted messages from user mailboxes.

Removing messages from Public Folders

You can use the Outlook Object Model to remove messages from Public Folders. This works on any version of Exchange. The down side is that it’s slower and may stumble when it hits huge folders with tens of thousands of items. In Exchange 2010/2007, you can use Exchange Web Services to remove messages from Public Folders. EWS has no problem running against large folders.

The following posts have more details:

 

Deleting pending or queued messages in Exchange Server:

Removing messages from mail queues

There may be times where you need to purge messages from Exchange Server’s mail queues to prevent delivery of unwanted mail. For more details about mail queues, see Understanding Transport Queues.

Removing messages from mail queues on Exchange 2010 RTM and Exchange 2007

Removing a message from the queue is a two-step process. First, the message itself must be suspended. Once the messages have been suspended you can proceed with removing them from the queue. The commands below suspend and remove messages based on the Subject of the message.

Exchange 2007 SP1 and SP2

This command suspends messages with the string “Friday Party” from transport queues on all Hub Transport servers in your Exchange organization:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.Subject -eq "Friday Party" -and $_.Queue -notlike "*\Submission*"} | Suspend-Message

On Exchange 2007 RTM to SP2, you will not be able to suspend or remove messages that are held in the Submission queue, so the command does not run against the messages in that queue.

This command removes all suspended messages from queues other than the Submission queue.

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.status -eq "suspended" -and $_.Queue -notlike "*\Submission*"} | Remove-Message -WithNDR $False

Exchange 2010 and Exchange 2007 SP3

This command suspends messages that have the string "Friday Party" in the message subject in all queues on Hub Transport servers.

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where {$_.Subject -eq "Friday Party"} | Suspend-Message

This command removes messages that have the string “Friday Party” in the message subject in all queues on Hub Transport servers:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | Where {$_.Subject -eq "Friday Party"} | Remove-Message -WithNDR $False

Note, you can run the command against an individual Hub Transport server by specifying the server name after Get-TransportServer.

Suspend and remove messages from a specified transport queue

You can also suspend and remove messages from a specified queue. To retrieve a list of queues on a transport server, use the Get-Queue cmdlet.

This example suspends messages with the string “Friday Party” in the message subject in a specified queue.

Get-Message -Queue "server\queue" -ResultSize unlimited | where{$_.Subject -eq "Friday Party"} | Suspend-Message

This example removes messages with the string “Friday Party” in the message subject in the specified queue.

Get-Message -Queue "server\queue" -ResultSize unlimited | where{$_.Subject -eq "Friday Party" } | Remove-Message -WithNDR $False
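The suspend-then-remove pairs above act on whatever the subject filter matches at that instant. The script below is an added example, not from the original article: it first reports how many matching messages sit in which queues and who sent them, refuses to do anything destructive until `-Remove` is given, and then re-queries before removing so only messages that are both still matching and already suspended are deleted. It uses the same Exchange 2010 / 2007 SP3 transport cmdlets as the article; the `-Server` value is an optional placeholder for a single Hub Transport server.

```powershell
# Added example (not from the original article): review queued messages by subject,
# then suspend and remove them only on request.
param(
    [string]$Subject = 'Friday Party',
    [string]$Server  = '',       # assumed: one Hub Transport server, or all when empty
    [switch]$Remove              # without it the script only reports
)

$transport = if ($Server) { Get-TransportServer $Server } else { Get-TransportServer }

# Matching messages outside the Submission queue (Exchange 2007 RTM-SP2 cannot
# suspend or remove there, as the article notes).
$hits = @($transport | Get-Queue | Get-Message -ResultSize Unlimited |
          Where-Object { $_.Subject -eq $Subject -and $_.Queue -notlike '*\Submission*' })

if ($hits.Count -eq 0) { Write-Host "No queued messages with subject '$Subject'."; return }

# Review before acting: distribution per queue and the top senders.
$hits | Group-Object Queue | Select-Object Count, @{n='Queue';e={$_.Name}} | Format-Table -AutoSize
$hits | Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Count, @{n='Sender';e={$_.Name}} | Format-Table -AutoSize

if (-not $Remove) {
    Write-Host "Re-run with -Remove to suspend and delete these $($hits.Count) messages."
    return
}

# Step 1: suspend so nothing is delivered while we work.
$hits | Suspend-Message -Confirm:$false

# Step 2: re-query and remove only messages that are suspended AND still match;
# queue contents can change between the two steps.
$transport | Get-Queue | Get-Message -ResultSize Unlimited |
    Where-Object { $_.Status -eq 'Suspended' -and $_.Subject -eq $Subject -and $_.Queue -notlike '*\Submission*' } |
    Remove-Message -WithNDR $false -Confirm:$false
```

The sender summary is the useful part of the review: a single external sender behind all of the matches points to a mass mailing, while many internal senders usually means legitimate replies are caught by the same subject string.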

Clear queues in Exchange Server 2000 and Exchange Server 2003 with MFCMAPI

In Exchange 2003/2000, you can use MFCMapi to clear the queues. For details, see KB 906557 How to use the Mfcmapi.exe utility to view and work with messages in the SMTP TempTables in Exchange 2000 Server and in Exchange Server 2003.

If there are a large number of messages in the queue, you may want to limit how many are displayed at a time. From the tool bar select Other > Options and under Throttle Level change the value to a more manageable number (for example, 1000).

Preventing message delivery using Transport Rules

In Exchange 2010 and Exchange 2007, you can use Transport Rules to inspect messages in the transport pipeline and take the necessary actions, such as deleting a message, based on the specified criteria. See Understanding Transport Rules for more details.

On Exchange 2010 and Exchange 2007, you can use the New Transport Rule wizard from the EMC to easily create transport rules. The following examples illustrate how to accomplish this using the Shell. Note the variation in syntax between the two versions. (The Exchange 2010 transport rule cmdlets have been simplified, allowing you to create or modify a transport rule using a one-line command.)

Creating a Transport Rule to delete messages in Exchange 2010

This example creates a transport rule to delete messages that contain the string “Friday Party” in the message subject.

New-TransportRule -Name "purge Friday Party messages" -Priority '0' -Enabled $true -SubjectContainsWords 'Friday Party' -DeleteMessage $true

Creating a Transport Rule to delete messages in Exchange 2007

This example creates a transport rule to delete messages that contain the string “Friday Party” in the message subject.

$condition = Get-TransportRulePredicate SubjectContains
$condition.Words = @("Friday Party")
$action = Get-TransportRuleAction DeleteMessage
New-TransportRule -name "purge Friday Party messages" -Conditions @($condition) -Actions @($action) -Priority 0

Note: If your Exchange Organization has mixed Exchange 2007 and Exchange 2010 you will have to create a rule for each Exchange version.

Publishing Outlook Web Access with Microsoft Forefront TMG


How to publish Exchange Server 2007 SP1 Outlook Web Access (OWA) with Microsoft Forefront TMG.

1. Change FBA to basic authentication on Exchange Server

Firstly, we have to change the Forms based Authentication (FBA) on Exchange Server site, because TMG also uses FBA and the settings enabled on TMG and Exchange will result in conflicts. To change OWA from FBA to Basic Authentication (used by TMG) start the Exchange Management Console, navigate to Server Configuration – Client Access – and click into the properties of the OWA settings and change FBA to Basic and Windows Authentication as you can see in the following screenshot.


Figure 1: Change authentication from FBA to Basic authentication

2. Request a new certificate for the TMG web listener for the public DNS name

After we changed from forms based authentication to basic authentication at Exchange site, we must request a new certificate for the TMG web listener for the public DNS name which will be used to access Outlook Web Access from the Internet.

Important:
The common name (CN) of the certificate must match the public DNS name used to access OWA. For example: If your public DNS name is OWA.IT-Training-Grote.de, the CN of the certificate must be the same.

With the Windows Server 2008 MMC Certificate Snap In it is possible to add additional information to the certificate request process. You will need these additional settings to create a certificate request with the custom CN as you can see in the following screenshot.



Figure 2: Request a new certificate
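The MMC route above works, but the CN has to be typed by hand in the wizard. An alternative, added here as an example and not part of the original article, is a certreq request file generated from a script, where the public name is set once and appears as both the CN and a DNS SAN. The host name is the article's example; the template name, CA config string and output folder are placeholders for your PKI.

```powershell
# Added example (not from the original article): request the TMG web-listener
# certificate with certreq so the CN is set explicitly to the public OWA name.
param(
    [string]$PublicName = 'owa.it-training-grote.de',      # must equal the name users type
    [string]$Template   = 'WebServer',                     # assumed enterprise CA template
    [string]$CAConfig   = 'CA01.corp.example\Corp-Issuing-CA',  # assumed "host\CA name"
    [string]$OutDir     = 'C:\cert'
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$inf = Join-Path $OutDir "$PublicName.inf"
$req = Join-Path $OutDir "$PublicName.req"
$cer = Join-Path $OutDir "$PublicName.cer"

# Machine key store (the TMG firewall service reads it), exportable so the key can
# be moved to a second TMG node, Server Authentication EKU, CN and SAN identical.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$PublicName"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$PublicName&"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Create the CSR, submit it to the enterprise CA, and install the issued certificate
# into the local machine store. Stop at the first failing step.
certreq -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

certreq -submit -config $CAConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); the template may require CA manager approval" }

certreq -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
Write-Host "Certificate for $PublicName installed in the machine Personal store."
```

Putting the name in the SAN as well as the CN matters because newer browsers match only against the SAN; the article's "CN must match the public DNS name" rule is satisfied either way.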

Note: if you encounter the following error

To automatically enroll clients for certificates in a domain environment, you must:

  • Configure a certificate template with Auto enroll permissions. For more information, see Issuing Certificates Based on Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=142333).
  • Configure an auto enrollment policy for the domain.


Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure auto enrollment Group Policy for a domain

  1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Console (GPMC), go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Double-click Certificate Services Client – Auto-Enrollment.

  6. Select the Enroll certificates automatically check box to enable auto enrollment. If you want to block auto enrollment from occurring, select the Do not enroll certificates automatically check box.

  7. If you are enabling certificate auto enrollment, you can select the following check boxes:

    • Renew expired certificates, update pending certificates, and remove revoked certificates enables auto enrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user’s certificate store.
    • Update certificates that use certificate templates enables auto enrollment for issuance of certificates that supersede issued certificates.
  8. Click OK to accept your changes.

Click the link in the request certificate wizard and select the common name type and enter the CN you will need, in this case owa.it-training-grote.de and click Add.


Figure 3: Specify the CN for the public certificate

After the certificate has been successfully created, you will see the result in the certificate Snap In.

Note:
If the certificate request process with the MMC was not successful, the problem might appear due to the fact that the certificate request requires DCOM access which must be manually configured at the ISA/TMG Firewall. For additional information read the following Blog post from the ISA/TMG product team.


Figure 4: Certificate enrollment successful

 

Part 3: How to create an SSL certificate for Exchange 2007

https://www.digicert.com/easy-csr/exchange2007.htm

How to install the SSL certificate in Exchange 2007

http://www.digicert.com/ssl-certificate-installation-microsoft-unified-communications.htm

 

Part 4: How to configure OWA in TMG 2010

Start the TMG Management console, navigate to the Firewall Policy node and create a new Exchange Web Client Access Publishing rule.


Figure 5: Create a new Exchange Web Client Access Publishing Rule

A new wizard starts which guides you through the OWA publishing process. Enter a name for the new publishing rule.


Figure 6: Exchange Publishing rule name

Specify the correct Exchange version and the web client mail service you want to publish.


Figure 7: Publish OWA with Exchange Server 2007

We want to publish a single Website, so we select this option.


Figure 8: Publish a single Web site

Select SSL, so TMG will establish a secure connection with the Client Access Server (CAS).


Figure 9: Use SSL for the connection to the published server

Enter the Internal Site name of the Client Access Server. This is the internal FQDN of the CAS server. The Internal Site name must match the Common Name (CN) of the certificate used on the Client Access Server.


Figure 10: Specify the internal site name

In the next step of the wizard, enter the public name which clients must use in their browsers to access the published Outlook Web Access Server through the Internet.


Figure 11: Specify the public name to access OWA

Create a new OWA Web listener. The web listener should use SSL due to security reasons.


Figure 12: Require SSL for connections with clients

Now it is time to select the Network on which Microsoft TMG should listen for incoming network traffic for Outlook Web Access. Select the External network and if you only have one IP address bound to the external network interface of TMG you can leave the setting unchanged, else you must select the IP address in the Listener which should be used to publish Outlook Web Access.


Figure 13: Select the Web listener for external requests

Next, choose the certificate which will be bound to the web listener in order to access OWA through the Internet. You must select the certificate which you had created with the MMC.


Figure 14: Select the certificate for public OWA access

Select Forms Based Authentication (FBA) with Windows authentication.


Figure 15: Select Authentication method

Because we do not use SSO (Single Sign On), uncheck the SSO option.


Figure 16: Deactivate SSO

Click Finish and Next.

For the Authentication Delegation method, select Basic Authentication. Since Basic Authentication is used over SSL here, this does not pose a security problem.


Figure 17: Authentication Delegation

When this is done, select the users and user groups which should be allowed to access Outlook Web Access through the Internet.


Figure 18: Select users who should use OWA through TMG

Click Finish and Apply.

After the wizard has successfully completed, you can test your configuration. For this article I accessed the OWA website with my Windows 7 Netbook.


Figure 19: Successfully connected to the OWA website through the Internet

Failure caused by following the steps mechanically: configure Exchange Server 2007 to use Outlook Anywhere via TMG 2010


 

Step 1. Test external DNS

https://www.testexchangeconnectivity.com

Result:

Testing RPC/HTTP connectivity.

The RPC/HTTP test failed.

Test Steps

ExRCA is attempting to test Autodiscover for admin@demomail.net.

Testing Autodiscover failed.

Step 2. Extend the expiry of the CA service (4 years for the Exchange cert)

Current Exchange cert:

Check in DC:


Check in Webmail of Exchange mail

Current CA configuration:

After changing the CA configuration:

After modifying the CA Server configuration:

Step 3. Renew Cert from Exchange 2007

New certificate request from IIS 6 of Exchange

 

DC issues the new certificate for Exchange 2007

Export the certificate file for Exchange 2007

Save into folder c:\cert of DC

Import the new certificate file for Exchange 2007


New certificate updated for Exchange 2007

Check webmail over HTTPS on the local Exchange 2007

 

Step 4. Export the personal security file of Exchange 2007 for TMG

Open the Exchange 2007 MMC

- Export the PFX file of Exchange 2007 for TMG


Pass: Blabla123…

Export the .cer file from Exchange 2007
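Steps 2 to 4 above (check the current certificate's lifetime, confirm it carries the webmail name, export it with its private key for TMG) can be done from the Exchange Management Shell instead of the screenshots' GUI clicks. The following is an added example, not from the original post: it lists the certificates Exchange 2007 knows about, warns if the IIS-bound one is close to expiry or lacks the webmail name, and exports it as a PFX with a password prompted at run time. It uses Exchange 2007 SP1 cmdlets (PowerShell 1.0 syntax); the webmail name, export path and 30-day threshold are placeholders.

```powershell
# Added example (not from the original post): inventory Exchange 2007 certificates,
# flag the IIS-bound one if it is expiring or misnamed, and export it as PFX for TMG.
param(
    [string]$WebmailName = 'mail.demomail.net',          # assumed OWA / Outlook Anywhere name
    [string]$ExportPath  = 'C:\cert\exchange-iis.pfx',   # assumed export location
    [int]   $WarnDays    = 30
)

# Every certificate Exchange has in its store, with the services bound to it.
$certs = @(Get-ExchangeCertificate)
$certs | Select-Object Thumbprint, Services, NotAfter,
    @{n='Names'; e={ [string]::Join(',', @($_.CertificateDomains | ForEach-Object { $_.ToString() })) }} |
    Format-Table -AutoSize

# The IIS-bound certificate is the one OWA and Outlook Anywhere present, so it is
# the one TMG must trust and the one to export.
$iis = $certs | Where-Object { $_.Services.ToString() -match 'IIS' } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $iis) { throw 'No certificate is enabled for IIS; run Enable-ExchangeCertificate first.' }

$daysLeft = [int]($iis.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt $WarnDays) {
    Write-Warning "IIS certificate $($iis.Thumbprint) expires in $daysLeft days ($($iis.NotAfter))."
}
$names = @($iis.CertificateDomains | ForEach-Object { $_.ToString() })
if ($names -notcontains $WebmailName) {
    Write-Warning "IIS certificate does not contain $WebmailName; clients and TMG will see a name mismatch."
}

# Export with the private key (PFX). The password is prompted for, never stored.
$dir = Split-Path $ExportPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
$pwd = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-ExchangeCertificate -Thumbprint $iis.Thumbprint -BinaryEncoded:$true -Path $ExportPath -Password $pwd
Write-Host "Exported $($iis.Thumbprint) to $ExportPath; import it into the TMG machine Personal store."
```

The PFX contains the private key, so treat the export folder and the password like the key itself: delete the file from the Exchange server once TMG has imported it.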

 

Step 5. Import the two files (pfx and cer) of Exchange 2007 into TMG

Step 6. Update the external rule "OWA" to open the HTTP and HTTPS filter for Outlook Anywhere on the TMG server

Step 7. Test again

Collected: the UN's security and Exchange service extension scenario


Using Forefront TMG to publish Exchange ActiveSync and Outlook Web App Using Certificate Based Authentication

This is an overview of how Exchange 2010 OWA/EAS clients connect when TMG is deployed in the DMZ.

The following steps describe the process involved when a mobile device or Outlook Web App (OWA) connects to a mailbox using a certificate and how Kerberos Constrained Delegation and Protocol transitioning are used.

  1. User attempts to access mailbox using OWA or a mobile device over a cellular network. Connection between client and external TMG interface is encrypted using SSL certificate.
  2. TMG has been configured to publish OWA and Exchange ActiveSync URL and prompts the user for authentication.
  3. The user or device presents an X509 certificate as proof of identity.
  4. TMG has been configured to use Kerberos Constrained Delegation (KCD) and connects to the Key Distribution Center service on the Domain Controller and requests a Kerberos ticket on behalf of the connecting user.

    Note: This is where Protocol Transitioning takes place as initial user authentication method was X.509 certificate and TMG Firewall service has been configured to be allowed to request a Kerberos ticket on behalf of the user.

  5. The Key Distribution Center service passes the user's Kerberos ticket back to the Network Service identity under which the TMG Firewall service is running.
  6. TMG has been configured to be able to delegate Kerberos tickets to an Exchange CAS server. The firewall rule on the TMG server knows the internal URL of the Exchange CAS server and passes the requested Kerberos Ticket for the authenticated user to the Exchange CAS server.
  7. The Exchange CAS then accesses the mailbox server where the mailbox is located, authenticating using Windows Integrated Authentication.

It is important to realize early in the planning stages of a deployment like this, that a single TMG listener cannot provide both certificate based authentication at the same time as Basic, Forms Based Authentication, or NTLM authentication. A listener can provide Forms Based Authentication with fallback to Basic, or Basic and NTLM can be used on the same listener, but certificate based authentication when used as the primary form of authentication cannot be combined with any other form of authentication.

This means it is not possible to share one external namespace/listener between clients such as Exchange ActiveSync, when it is using certificate based authentication, and Outlook Anywhere when it is using Basic Authentication. In a scenario such as this, two listeners, and therefore two namespaces and IP addresses must be used. For example, Outlook Anywhere could be configured to use mail.fabrikam.com and certificate based Exchange ActiveSync could be configured to use cert.fabrikam.com. This would require TMG to have two external facing IP addresses, two certificates (though one certificate with both names listed as SAN attributes could also be used) and two listeners.

 

Are you using TMG and having issues publishing Outlook Anywhere?

Ever tried to publish Outlook Anywhere using NTLM with TMG and use Kerberos Constrained Delegation? Many people have tried and failed, or at least had some major trouble before they were finally able to get things going.
To help make things a little easier, here is a simple checklist on how to publish Outlook Anywhere using NTLM with TMG, using Kerberos Constrained Delegation.

The simplest scenario is a single Exchange server and a single TMG server.


1. TMG must be domain joined to use Kerberos Constrained Delegation (KCD), which can be a problem for some organizations. http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html. Domain where TMG is member of must be in Windows 2003 mode and it must be the same domain that your Exchange server is on.

    2. Configure KCD.

      With ADUC (Active Directory Users and Computers),
      Find the TMG computer object, select properties and the Delegation tab,
      click “Trust this computer for delegation to specified services only” and then select the “Use any authentication protocol”.

      Click Add button and then Click “Users or Computers” button and enter the Exchange server.

      Then click “OK” and scroll to find “http – servername”,
      click to select it, and then click OK twice to save the configuration.
      If you tick the checkbox “Expanded” while selecting protocol you will see that both the FQDN and host name will be in the list.

      What you have done now is allowed TMG computer to delegate credentials to the Exchange server, but only if it’s using HTTP, that’s why it’s called constrained delegation.

      Why do we mess with the Exchange computer object? Well, Exchange web services run under the local system account, if it was running using a service account, then we must use this account to delegate to instead.

      3. Create a Listener and publish rule on TMG.

        Start by creating a Listener. As the create Listener wizard goes by select these options:
        Select “Require SSL secured connections with clients”,
        Select an external IP and a certificate to be used by the listener.
        For Authentication you have several options and it all depends on what you want to do, but for this walkthrough select HTTP and Integrated. This means NTLM since we are connecting from internet where there is no Kerberos service is available (or have you put a Domain Controller on Internet?).

        Create the publishing rule by starting the Exchange Web Client Access publishing rule wizard.
        Select version of Exchange and Outlook Anywhere as the service, and also select “Publish additional folders…”. This will add paths for OAB, EWS and Autodiscover URL.
        Select “Publish a server farm of load balanced web servers”,
        “Use SSL to connect to the web server or server Farm”,
        Internal site name is important: enter a name that is on the certificate used by IIS on Exchange server, that is not the certificate clients “see” when connecting to TMG from internet. This certificate is seen only by TMG.
        Create a new Exchange server farm. Give it a name and add your Exchange server to it.
        For the connectivity monitoring, select “Send an HTTP/HTTPS Get request”.
        Farm is complete.

        For the public name, select a name that this publishing rule will accept traffic on.
        Select the Listener you created earlier.
        For the Authentication delegation select Kerberos constrained delegation and change the SPN to “http/*”.
        On user sets, select “All authenticated users”. This can be changed to an AD group to limit who is allowed to use the services you’re publishing.

        4. Configure Outlook Anywhere to use NTLM.
        Set-OutlookAnywhere -IISAuthenticationMethods ‘Ntlm’ -ClientAuthenticationMethod ‘Ntlm’

          Why do a farm of servers instead of just a single server? With a farm, you get the opportunity to do monitoring of the published server. This means that if you encounter that the published server doesn’t work while monitoring, it won’t even try to send traffic to the published server. Flexibility is another thing, you never know what will happen in the future, servers may be added, changed or removed and it’s easier to change the farm membership instead of redoing the publishing rule.

          “Test Rule” button. This function is really good but when using KCD it will often fail. One reason for failure is that there is a firewall running between or on the published server which blocks traffic to port 445 and 139. TechNet has a good post related to “test rule” button failure

          Another failure is when you set change configuration on the Authentication Delegation tab to use KCD and set the SPN to “http/*”, a star tell TMG to replace it with the published server FQDN when doing the KCD. Unfortunately, TMG doesn’t do this when you click “Test Rule” button. My thought on this is function behind “Test Rule” button only takes this text string and doesn’t translate the star to FQDN. KCD will fail because it is not allowed to delegate to http/*. To overcome this while testing your configuration,replace “http/*” with “http/x” where x is one of the previously allowed delegation. If you have multiple servers in your farm, you should change configuration and test every published server. When done, don’t forget to change back to “http/*”.

          One more plus is that even if you have Basic authentication enabled on the Listener, you can still use KCD on the Authentication Delegation tab, which is good for clients that cannot do NTLM.

          More advanced configuration with multiple CAS servers and Load Balancer.

          advanced configuration with multiple CAS

          The difference with this configuration is that we have a Load Balancer between TMG and CAS. This provides us with a couple of options. Either a) configure TMG to send traffic to Load Balancer, or b) configure TMG to send traffic directly to CAS.

          The problem with the first option is that the Load Balancer most likely sees all traffic as coming from TMG and therefore will not distribute it across all CAS servers, but instead sends it to only one of them. This can be fixed by using a more sophisticated distribution algorithm on the Load Balancer. But for that to work, we need to disable SSL between TMG and the Load Balancer and also allow HTTP to CAS. We also gain one more component to troubleshoot if something breaks. Another issue is the KCD configuration. Since there is no computer account for the Load Balancer, KCD needs to be configured with a name that TMG can use for the delegation: you must add that SPN string to the msDS-AllowedToDelegateTo attribute on the TMG computer account, and finally this invented name must be configured as the SPN on the delegation tab of the publishing rule. This is a valid configuration, but with so many variables in it I think it is much too complex. The other option, with TMG sending traffic directly to the CAS servers and bypassing the Load Balancer, is much easier to configure and to troubleshoot.

          The picture only shows a single TMG and a single Load Balancer, but there can in fact be multiple of each for redundancy and load distribution. Either way, it does not matter when you use KCD.

          Connectivity monitoring

          TMG will periodically connect to the published server. How TMG connects depends on the connectivity monitoring configuration. We selected “Send an HTTP/HTTPS GET request” together with a URL. This means that TMG will connect to this URL, and if it gets a response back it will allow traffic on this rule.
          If you publish, for example, Outlook Anywhere, you will most certainly need to publish a few more URLs than /rpc, such as /OAB, /EWS and /Autodiscover. The sad part is that TMG cannot monitor more than one URL. If we monitor the /rpc directory, all the others can fail without TMG noticing, so TMG will still send traffic to a farm member even though, for example, the EWS service does not work on it.

          One solution is to have an individual publishing rule for each service you publish. Another is to build your own check: create a script that monitors the services of your choice and simply creates a file in an IIS directory when every service is working, or deletes the file when something is not. In TMG we can then point the monitoring URL at this file.
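The script idea above, as an added example that is not part of the original post: it probes the virtual directories TMG cannot watch on its own and maintains the marker file that TMG's GET probe fetches. The CAS name, URL list and file path are assumptions; anonymous requests to these directories normally get a 401, which is treated as "the service answered".

```powershell
# Added example, not code from the original post. Host, URLs and path are assumptions.
$CasHost    = 'cas01.corp.contoso.com'                      # assumed internal CAS FQDN
$HealthFile = 'C:\inetpub\wwwroot\healthcheck\healthy.htm'  # assumed IIS path for TMG's GET
# Services typically published next to /rpc for Outlook Anywhere.
$Probes = @(
    "https://$CasHost/rpc/rpcproxy.dll",
    "https://$CasHost/ews/exchange.asmx",
    "https://$CasHost/oab/",
    "https://$CasHost/autodiscover/autodiscover.xml"
)

function Test-PublishedEndpoint {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        return ($r.StatusCode -eq 200)
    }
    catch {
        # If the exception carries a Response, TLS and IIS answered; 401 is the
        # expected reply to an anonymous request and means the service is up.
        $resp = $_.Exception.Response
        if ($null -eq $resp) { return $false }   # DNS, TCP, TLS failure or timeout
        $code = [int]$resp.StatusCode
        return ($code -eq 200 -or $code -eq 401) # 403/404/5xx count as down
    }
}

$Results = foreach ($u in $Probes) {
    [pscustomobject]@{ Uri = $u; Healthy = (Test-PublishedEndpoint -Uri $u) }
}
$Results | Format-Table -AutoSize

if ($Results.Healthy -notcontains $false) {
    # Every service answered: (re)create the file TMG's connectivity probe expects.
    New-Item -ItemType Directory -Path (Split-Path $HealthFile) -Force | Out-Null
    Set-Content -Path $HealthFile -Value "OK $(Get-Date -Format o)"
}
else {
    # At least one service is down: remove the file so TMG's GET gets a 404 and
    # this farm member is taken out of rotation until the next successful run.
    Remove-Item -Path $HealthFile -Force -ErrorAction SilentlyContinue
    $failed = ($Results | Where-Object { -not $_.Healthy }).Uri -join ', '
    Write-Warning "Health file removed; failing: $failed"
}
```

Run it from Task Scheduler on each CAS every minute or so, and make sure the healthcheck directory allows anonymous access in IIS, otherwise TMG's unauthenticated GET never sees a 200 even when the file exists.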

          RPCping

          If you published Outlook Anywhere, you can verify the configuration with rpcping.exe.
          Be aware that rpcping has several parameters and you have to specify them correctly. Here is an example.

          rpcping -t ncacn_http -s mapi.corp.contoso.com -o RpcProxy=oa.contoso.com -P "billg,contoso,Password2" -I "billg,contoso,Password2" -H 2 -u 10 -a connect -F 3 -v 3 -e 6001

          This means: connect to the RPC proxy named “oa.contoso.com” and to the internal server named mapi.corp.contoso.com. The user name is billg, the password is Password2 and the NetBIOS domain name is contoso, used both for the RPC proxy authentication and for authentication to the internal server. “-e 6001” means internal TCP port 6001, which is one of the three ports used by Outlook Anywhere; the others are 6002 and 6004.

          The other parameters aren’t that easy to figure out but you can read everything about them here http://support.microsoft.com/kb/831051.