How to Configure TMG for Office 365 (Exchange) Hybrid deployments

How to Configure TMG for Office 365 (Exchange) Hybrid deployments

 

The purpose of this article to give some general guidance on how to configure TMG for use with Office 365 Exchange related components. The idea is to give some general guidance mainly around authentication settings needed on the TMG rule that will be used for things such as AutoDiscover for organization Relationships (Autodiscover.svc)and the EWS endpoints (used for things such as Free Busy/Mailbox Moves).

Non Goals:

  • End to end ISA configuration
  • Discuss every possible TMG deployment scenario
  • Discuss non TMG firewalls

 

The following details assume you have a Third-Party certificate for the Exchange endpoints in place on the TMG server. There is also an assumption that you already have the TMG configured with a listener for the on-premises Exchange 2010 server. For guidance on this configuration please look to the following white paper: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946

 

Configuring TMG Rule

Now that you have your TMG setup for the on-premises Exchange environment you will need to make some modification to the TMG setup to allow the Office 365 integration for your Hybrid deployment.

The reason we may need to change the TMG configuration centers around the authentication Delegation setting used on the TMG rule for the other Exchange components. In many cases a customer will choose to pre-authenticate at the TMG. This is a fine solution for things such as Outlook Anywhere and OWA but this will cause issues for the Hybrid environment. We need to allow for pass-through authentication for certain endpoints. These are the endpoint that use token based authorization instead of standard basic/integrated authentication options. 

The solution is simple, you simply need to create a rule that uses the same listener as the other Exchange components but provide explicit paths. Then change the new rule so that it does not perform pre-authentication at the TMG. If implemented properly you will be able to continue to use the same external IP address and port (443) on the same listener for both rules.

 

Create the new Rule for use with the Hybrid components

  1. From Within TMG Management Console, right click on the FireWall Policy from the left tree
  2. Then select New
  3. Then select Web Publishing Rule

    4. From the Welcome to the New Web Publishing Rule Wizard window type in a name for the rule and select next

 

    5. On the select Rule Action screen select the Allow radio button then select next

 

    6. On the Publishing Type page select the appropriate option and then select next (in my case I have select the Publish a single Web site or load balancer option)

 

     7. On the Server Connection Security page select the Use SSL option then select next

 

    8. On the Internal Publishing Details page fill in the proper site name and IP address such as the example depicted below. If you are not sure what to put just take a look at your current Exchange publishing rule, once completed select the next option.

 

    9. From the Internal Publishing Details leave the defaults then select the next option. We will configure the paths later in the configuration

     10. On the Public Name Details section be sure that the EWS external web site names(for example Mail.Contoso.com) is listed as depicted below then select the next option

 

 

    11. Then from the Select Web Listener page select the listener used for the regular exchange rule from the drop down menu then select the next option

 

    12. Then from the Authentication Delegation page select the No Delegation, but client may authenticate directly option then select next

 

    13. Then from the Select User Sets page choose the All Users option then select next. Then select the finish option

 

 

 

Then we need to go to the properties of the newly created rule and modify the Paths and the public names within the rule.

  1. From the TMG management interface right click the newly created rule and select properties
  2. Then select the Public Names tab and add the autodiscover external URL (for example autodiscover.contoso.com) and apply that change

 

    3. Then select the paths tab and add the paths listed below , be sure to also remove the default “/*” path, then apply those changes

    • /ews/mrsproxy.svc
    • /ews/exchange.asmx/wssecurity
    • /autodiscover/autodiscover.svc/wssecurity
    •  /autodiscover/autodiscover.svc

 

 

 

    4. The last step it to ensure that this new rule is higher in the list than the primary exchange rule.  You can simply right click on the rule and select move up until it is above the primary exchange rule. Then apply the changes

More information

The task for setting up TMG is not very complex but there is some attention that needs to be made when configuring the hybrid deployment.

 

Issues you may run into

With a Hybird deployment (Exchange 2010 and Office 365) you will be using MRS/MRSProxy to perform the mailbox moves between premises. This operation can potentially fail (could be intermittent) when you traverse a TMG server. The reason for this is a defense mechanism built into TMG called Flood Mitigation.

For more information and the mitigation please read the following wiki:

http://community.office365.com/en-us/w/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

Timothy Heeney (MSFT)

 

 

1 out of 1 people found this post helpful.

Sort by: Published Date | Most Recent | Most Useful
Comments
  • Hi Timothy, thank you for this great information. we have a hybrid deployment setup via TMG.All of our tests are successful including test-federation, test-exchangeconnectivity, test-organizationrelationship and sharing policies appear to be correct as well. We are able to move mailboxes to the cloud. Access them via autodiscover and outlook anywhere. Mail routing works great. We are facing an issue with free/busy. Cloud mailboxes can view free/busy with on-premise 2010 and 2003 mailboxes. However the On-premise mailboxes cannot view free/busy of the cloud mailboxes. The only error we see when viewing the free/busy in OWA is the following:  no information available with error code -2146233088. Any help that you can provide is greatly appreciated.

  • Hello Politi,

    First off you will not be able to use OWA on Exchange 2003 to see cloud users free busy so be sure to test that with outlook. For 2010 users OWA should work just fine. I would need to see your organization relationship settings to see what is going on. I would start by getting the 2010 on-prem mailbox to see the Office 365 mailbox Free Busy since that is easier. Then when that is working we can move on to the 2003 lookups. The On-premise Org Relationship should have the primary and remote routing addresses listed in it. The ApplicationURI should be set to outlook.com and the URL for autodiscover should point to a pod URL. Sometimes the lack of being able to retrieve free busy information can be because of a Proxy in the on-premises environment, If you have a proxy be sure to add the proxy using the "set-ExchangeServer" cmdlet with the "-internetWebProxy" parameter.

    I think it may be best to post this on the regular forum so we can get others input as well. I do not believe this is a TMG issues since the cloud to on-prem fb is working.

    -Timothy Heeney (MSFT)

  • Hi Timothy I re-posted this to the forum and added the org relationship output  here: community.office365.com/.../81251.aspx

  • Can you add details about the listener?  My listener requires authentication so I cannot build this rule to allow All Users. If I turn off the authentication activesync stops working.

    thanks

  • Hello - this may seem stupid... but is this configuration in addition to autodiscover publishing for Exchange 2010?  Or if we already have an autodiscover rule, do I edit it to match the above information?

    Thanks!

Page 1 of 1 (5 items)