The purpose of this article to give some general guidance on how to configure TMG for use with Office 365 Exchange related components. The idea is to give some general guidance mainly around authentication settings needed on the TMG rule that will be used for things such as AutoDiscover for organization Relationships (Autodiscover.svc)and the EWS endpoints (used for things such as Free Busy/Mailbox Moves).

Non Goals:

  • End to end ISA configuration
  • Discuss every possible TMG deployment scenario
  • Discuss non TMG firewalls

 

The following details assume you have a Third-Party certificate for the Exchange endpoints in place on the TMG server. There is also an assumption that you already have the TMG configured with a listener for the on-premises Exchange 2010 server. For guidance on this configuration please look to the following white paper: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946

 

Configuring TMG Rule

Now that you have your TMG setup for the on-premises Exchange environment you will need to make some modification to the TMG setup to allow the Office 365 integration for your Hybrid deployment.

The reason we may need to change the TMG configuration centers around the authentication Delegation setting used on the TMG rule for the other Exchange components. In many cases a customer will choose to pre-authenticate at the TMG. This is a fine solution for things such as Outlook Anywhere and OWA but this will cause issues for the Hybrid environment. We need to allow for pass-through authentication for certain endpoints. These are the endpoint that use token based authorization instead of standard basic/integrated authentication options. 

The solution is simple, you simply need to create a rule that uses the same listener as the other Exchange components but provide explicit paths. Then change the new rule so that it does not perform pre-authentication at the TMG. If implemented properly you will be able to continue to use the same external IP address and port (443) on the same listener for both rules.

 

Create the new Rule for use with the Hybrid components

  1. From Within TMG Management Console, right click on the FireWall Policy from the left tree
  2. Then select New
  3. Then select Web Publishing Rule

    4. From the Welcome to the New Web Publishing Rule Wizard window type in a name for the rule and select next

 

    5. On the select Rule Action screen select the Allow radio button then select next

 

    6. On the Publishing Type page select the appropriate option and then select next (in my case I have select the Publish a single Web site or load balancer option)

 

     7. On the Server Connection Security page select the Use SSL option then select next

 

    8. On the Internal Publishing Details page fill in the proper site name and IP address such as the example depicted below. If you are not sure what to put just take a look at your current Exchange publishing rule, once completed select the next option.

 

    9. From the Internal Publishing Details leave the defaults then select the next option. We will configure the paths later in the configuration

     10. On the Public Name Details section be sure that the EWS external web site names(for example Mail.Contoso.com) is listed as depicted below then select the next option

 

 

    11. Then from the Select Web Listener page select the listener used for the regular exchange rule from the drop down menu then select the next option

 

    12. Then from the Authentication Delegation page select the No Delegation, but client may authenticate directly option then select next

 

    13. Then from the Select User Sets page choose the All Users option then select next. Then select the finish option

 

 

 

Then we need to go to the properties of the newly created rule and modify the Paths and the public names within the rule.

  1. From the TMG management interface right click the newly created rule and select properties
  2. Then select the Public Names tab and add the autodiscover external URL (for example autodiscover.contoso.com) and apply that change

 

    3. Then select the paths tab and add the paths listed below , be sure to also remove the default “/*” path, then apply those changes

    • /ews/mrsproxy.svc
    • /ews/exchange.asmx/wssecurity
    • /autodiscover/autodiscover.svc/wssecurity
    •  /autodiscover/autodiscover.svc

 

 

 

    4. The last step it to ensure that this new rule is higher in the list than the primary exchange rule.  You can simply right click on the rule and select move up until it is above the primary exchange rule. Then apply the changes

More information

The task for setting up TMG is not very complex but there is some attention that needs to be made when configuring the hybrid deployment.

 

Issues you may run into

With a Hybird deployment (Exchange 2010 and Office 365) you will be using MRS/MRSProxy to perform the mailbox moves between premises. This operation can potentially fail (could be intermittent) when you traverse a TMG server. The reason for this is a defense mechanism built into TMG called Flood Mitigation.

For more information and the mitigation please read the following wiki:

http://community.office365.com/en-us/w/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

Timothy Heeney (MSFT)