All posts by jaapwesselius

Publish Lync Services in TMG

In an earlier blog post I explained how to setup a Lync Server 2010 in your Lync organization. Using a Lync Server you can give access to external users and implement federation services. You also might want to implement publishing rules on your Threat Management Server (TMG) 2010 to implement the following additional services:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.

Continue reading Publish Lync Services in TMG

Autodiscoverredirect and TMG

In my blogpost Autodiscover Redirect and SRV option I explained how to use the AutodiscoverRedirect or the SRV records method to use Autodiscover when using multiple primary SMTP addresses in an Exchange 2010 environment.

This works fine as long as your Exchange server is connected directly to the Internet (behind a firewall of course) and you have the possibility to add public IP addresses to your Exchange Server. When using a reverse proxy solution like Threat Management (TMG) Server in front of the Exchange 2010 Client Access Server, all Exchange services are published to the Internet, and this requires a different approach for the AutodiscoverRedirect method.

First thing, the Client Access Server no longer needs to the autodiscoverredirect website since this is now handled by the TMG Server. So the Client Access Server can be used in a default configuration. In this environment a certificate with two FQDNs are used: and but now this environment is published using TMG 2010 SP1.

The TMG Server now intercepts all autodiscoverredirect traffic so a new rule with a new listener (on a separate IP address) needs to be created. Please note that this traffic is unencrypted, so HTTP (port 80) needs to be used for this listener. For the Client Authentication Method when creating the Web Listener select No Authentication.


The next step is to create a web publishing rule that uses this listener. This rule should deny all traffic and redirect it to the ‘normal’ autodiscover URL on the TMG Server, i.e.


One thing to notice though, after creation of the web publishing rule you can select whether this rule listens to all requests or only for specific websites (select the Public Name tab). Also, don’t forget to change the redirection (select the Bridging tab) to port 80. Like the previous blog post you have to enter the in the public DNS, and for other domain create a CNAME autodiscover record (again in public DNS) and point this to the FQDN.

Now when you go to the Remote Connectivity Analyzer ( and test using another domain you’ll see that it again works, but now via the TMG Server.


The warnings in this screenshot is about root certificate not being able to verify. Also note that in this example the RCA doesn’t even try the SRV method since the redirect method is successful.

SRV Records

The autodiscover SRV records option I explained in my previous article works immediately through the TMG Server. This makes sense since the information is taken from public DNS directly and the autodiscover service is accessed directly without any redirection.


One thing I would like to mention. Quite a lot of people think that autodiscover fails because of the 3 failing attempts (in the above screenshot). While this is true autodiscover successfully finishes the fourth option so autodiscover is considered to be successful.

Now combine the autodiscover redirect and the SRV method with the Address Book Policies that will be available in Exchange 2010 Service Pack 2 and you’re one step closer to your own Exchange 2010 hosting solution.

To be continued, stay tuned…

Password Reset Tool and TMG

In Exchange Server 2010 SP1 there’s the password reset tool, a tool you can use when a user’s password has expired, or when the administrator has reset a password and checked the user must change password at next logon option.

The password reset tool can be set with a registry key:

  1. Login to the CAS Server;
  2. Open the Registry Editor and navigate to HLKM\SYSTEM\CurrentControlSet\services\MSExchange OWA
  3. Create a new DWORD (32-bits) and name it ChangeExpiredPasswordEnabled
  4. Give this DWORD a value 1
  5. Restart the Internet Information Server using IISRESET

When you logon to the Client Access Server (with Forms Based Authentication) after a password reset the following form is presented:


Using the password reset tool from the Internet when published using TMG2010 is a different story. By default this is not working so some changes have to be made to the TMG’s web listener. Logon to the TMG Server and select the appropriate web listener. Select the Forms tab and check the Use customized HTML forms instead of the default. The custom HTML form set directory must be set to forms, this is the directory on the CAS server where forms are stored. Also check the Allow users to change their passwords option.


Now when a user’s password is reset with the user must change password at next logon option the password can be changed via TMG.

Exchange /hosting discontinued

Everybody that has hosted Exchange 2010 running using the /hosting switch knows it is a real painful experience. It is difficult to implement, it is difficult to maintain and there quite a lot of functionality missing like UM, Public Folders, the Exchange Management Console and integration with other products like Lync Server 2010 or Sharepoint Server 2010.

There has been a lot of complaints from hosters about this situation at Microsoft and Microsoft had to make a painful decision: Microsoft will no longer invest in the /hosting version of Exchange Server 2010 and it will be discontinued in the next version of Exchange Server (code name Exchange 15).

Continue reading Exchange /hosting discontinued

Error 600 Invalid Request

It is possible to test the autodiscover configuration using a browser. But when navigating to the autodiscover URL you’ll see a 600 Invalid Request error message.


When you click the Show All content button the entire XML package is shown:


When you see this message your autodiscover configuration is absolutely fine! The reason you see this message is that the autodiscover service expects an HTTP POST command from Outlook, and not an HTTP GET command from Internet Explorer.

So, the service is good but the actual request that’s send to the autodiscover service is not good and therefore autodiscover returns the Error 600 Invalid Request message. So this error is good 🙂