Here is the situation:
Internet ------ TMG (DMZ not joined to Domain) ---- Exchange 2007
I can ping the exchange server from TMG and vice versa.
I have set up the following rules on TMG
Outlook Anywhere Rules
Listener
General: HTTPS Exchange Listener
Networks: External, selected IP address xxx.xxx.xxx.xxx
Connections: Enable SSL HTTPS Connections on Port: 443 Checked Advanced: Unlimited Checked
Certificates: My UCC Certificate is selected and the Certificate has all the names in the Subject. I have triple-checked this.
Authentication: no auth
Forms: All greyed out
SSO: All greyed out
Exchange Rule:
General: Exchange Outlook Anywhere (Name)
Action: Allow
From: Anywhere
To: exchange2007.abc.local
Forward the original host header instead of actual one is checked
Requests appear to come from the Forefront TMG computer is checked
Traffic: HTTPS
Listener: the listener configured above is chosen
Public Name: autodiscover.abc.com
Paths: Default for Exchange 2007 /unifiedmessaging/* /rpc/* /OAB/* /ews/* /AutoDiscover/*
Authentication Delegation: No delegation, but client may authenticate directly
Users: All Users
Rest of the tabs are all default after rule is created.
Exchange 2007 side:
Outlook Anywhere: Basic Authentication
Here is the problem:
I can run the Autodiscover test from Outlook Connection Test; it comes back successful.
I can run testexchangeconnectivity: logs here (I changed the domain to abc.com as I do not want my info out on the web).
Now when I try to set up a new email account in Outlook 2010 I do the following:
1. Create Profile
2. New Email account and type Name: EM Email: em@abc.com Password: xxxx (twice) and hit next.
3. I get prompted for username and password for AD abc\em Password: xxx
4. I can see it authenticates to the Exchange server in the security logs, but after that it gives me errors in the TMG logs and then back at the client it reports
I have enclosed the output for outlook anywhere from powershell test and auth settings.
Other steps I have done:
Put https://autodiscover.abc.com/autodiscover/autodiscover.xml in a web browser; I get prompted for username and password and then invalid 600 from TMG, Exchange, and an external client, all the same, which is normal.
TMG Log:
This is what happens after I get a successful connection and after it prompts me for username and password.
Exchange Output for Testing Outlook Anywhere PowerShell and Authentication Settings:
testexchangeconnectivity log:
ExRCA is attempting to test Autodiscover for em@abc.com.
Autodiscover was tested successfully
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL
https://abc.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name abc.com in DNS.
The host name couldn't be resolved.
Tell me more about this issue and how to resolve it
Additional Details
Host abc.com couldn't be resolved in DNS InfoNoRecords.
Attempting to test potential Autodiscover URL https://autodiscover.abc.com/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.abc.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: xx.xx.xx.xx
Testing TCP port 443 on host autodiscover.abc.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.abc.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.abc.com, OU=IT, O=ABC, L=SOMEWHERE, S=NJ, C=US, Issuer: CN=ABC-ADDEV1-CA, DC=abc, DC=local.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.abc.com was found in the Certificate Subject Alternative Name entry.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 6/13/2012 2:50:46 PM, NotAfter = 6/13/2014 2:50:46 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps:
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://abc.zgaforge.com/AutoDiscover/AutoDiscover.xml for user em@abc.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName></DisplayName>
<LegacyDN>/o=4sdev/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=em</LegacyDN>
<DeploymentId>0afee656-467c-4108-b4b3-e17f03dfd98f</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>EXCHANGEDEV1.abc.local</Server>
<ServerDN>/o=4sdev/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGEDEV1</ServerDN>
<ServerVersion>72038053</ServerVersion>
<MdbDN>/o=4sdev/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGEDEV1/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://autodiscover.abc.com/ews/Exchange.asmx</ASUrl>
<OOFUrl>https://autodiscover.abc.com/ews/Exchange.asmx</OOFUrl>
<UMUrl>https://autodiscover.abc.com/unifiedmessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<AD>addev3.4sdev.local</AD>
<EwsUrl>https://autodiscover.abc.com/ews/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.abc.com</Server>
<ASUrl>https://legacy.abc.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://legacy.abc.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://webmail.abc.com/UnifiedMessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<EwsUrl>https://legacy.abc.com/EWS/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<External>
<OWAUrl AuthenticationMethod="Fba">https://webmail.abc.com/owa</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://legacy.abc.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Basic">https://webmail.abc.com/OWA</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://autodiscover.abc.com/ews/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
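One check worth running on a response like the one above is to pull out every hostname the EXPR (Outlook Anywhere) block sends clients to and compare it against the public names the reverse proxy actually publishes, since the client only ever sees what the proxy answers for. The script below is an added example, not code from the post or from Microsoft; it parses a constructed sample response of the same shape as the posted one (same namespaces, abbreviated content) and takes the list of published names as an assumed input. Run against the sample with only autodiscover.abc.com published, it reports the EXPR server and EWS hostnames as not published.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Real Exchange 2007 Autodiscover namespace URIs (as in the posted response).
AUTODISCOVER_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"
OUTLOOK_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

# Constructed sample: abbreviated from the shape of the posted response, not real data.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHANGEDEV1.abc.local</Server>
        <EwsUrl>https://autodiscover.abc.com/ews/Exchange.asmx</EwsUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>webmail.abc.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <OOFUrl>https://legacy.abc.com/EWS/Exchange.asmx</OOFUrl>
        <EwsUrl>https://legacy.abc.com/EWS/Exchange.asmx</EwsUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://webmail.abc.com/owa</OWAUrl>
          <Protocol><Type>EXPR</Type></Protocol>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""


def parse_protocols(xml_text):
    """Return {Type: {tag: text}} for each <Protocol> directly under <Account>.

    Nested <Protocol> blocks inside <External>/<Internal> are deliberately
    skipped; only the top-level blocks drive Outlook's connection settings.
    """
    root = ET.fromstring(xml_text)
    ns = {"a": AUTODISCOVER_NS, "o": OUTLOOK_NS}
    protocols = {}
    for proto in root.findall("./o:Response/o:Account/o:Protocol", ns):
        settings = {}
        for child in proto:
            tag = child.tag.split("}", 1)[1]  # strip the namespace prefix
            if child.text is not None and child.text.strip():
                settings[tag] = child.text.strip()
        protocols[settings.get("Type", "?")] = settings
    return protocols


def hostnames_for(settings):
    """Hostnames a client would contact: the <Server> value plus every *Url host."""
    hosts = set()
    if settings.get("Server"):
        hosts.add(settings["Server"].lower())
    for tag, value in settings.items():
        if tag.endswith("Url"):
            host = urlparse(value).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def check_expr(protocols, published_names):
    """Compare the EXPR block against the names the reverse proxy publishes (assumed input)."""
    expr = protocols.get("EXPR")
    if expr is None:
        return {"present": False, "ssl": False, "auth": None, "unpublished": set()}
    published = {name.lower() for name in published_names}
    return {
        "present": True,
        "ssl": expr.get("SSL", "").lower() == "on",
        "auth": expr.get("AuthPackage"),
        "unpublished": hostnames_for(expr) - published,
    }


if __name__ == "__main__":
    protos = parse_protocols(SAMPLE_RESPONSE)
    report = check_expr(protos, ["autodiscover.abc.com"])  # assumed: the only published name
    print("EXPR present:", report["present"], "SSL:", report["ssl"], "auth:", report["auth"])
    for host in sorted(report["unpublished"]):
        print("EXPR points clients at a hostname the proxy does not publish:", host)
```

The published-name list is whatever the listener rule's Public Name tab (and the certificate's SANs) cover; feeding the real list in is the only input the script needs beyond the saved XML.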