Tag Archives: TMG

Change OWA Logon Page in TMG

Normally when you use OWA you see the initial logon page, where the credentials are requested in the Domain\User name format:

image

When you want to use the UPN (in most cases identical to the e-mail address) you can set this on the OWA Virtual Directory in the Exchange Management Console:

image

When you select “Use forms-based authentication” and select “User principal name (UPN)” the initial login page changes accordingly:

image

When using TMG2010 in front of Exchange 2010 things are different. The logon form is now generated by TMG, and the Exchange server itself is set to basic authentication. By default the TMG logon page for Exchange is set to show the Domain\Username format and unfortunately there’s no easy way to change the logon page to show something different.

Please note that although the default page shows Domain\Username, you can still use the UPN to log on!

To change the logon page to show a different text (or change the layout completely) you have to change the HTML pages. These pages can be found on the TMG server in the directory C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML. The language-specific files can be found in subdirectories here; for example, the Dutch language component can be found in the subdirectory nls\nl. Open the strings.txt file, search for the L_UserName_Text string and change its value.

image

Restart the TMG Firewall service and open Outlook Web App. You’ll see that the logon page has now changed:

image

Publish Lync Services in TMG

In an earlier blog post I explained how to set up a Lync Server 2010 in your Lync organization. Using a Lync Server you can give access to external users and implement federation services. You also might want to implement publishing rules on your Threat Management Gateway (TMG) 2010 server to implement the following additional services:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Microsoft Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.


Autodiscoverredirect and TMG

In my blog post Autodiscover Redirect and SRV option I explained how to use the AutodiscoverRedirect or the SRV records method to make Autodiscover work when using multiple primary SMTP addresses in an Exchange 2010 environment.

This works fine as long as your Exchange server is connected directly to the Internet (behind a firewall of course) and you have the possibility to add public IP addresses to your Exchange Server. When using a reverse proxy solution like Threat Management Gateway (TMG) Server in front of the Exchange 2010 Client Access Server, all Exchange services are published to the Internet, and this requires a different approach for the AutodiscoverRedirect method.

First of all, the Client Access Server no longer needs the autodiscoverredirect website, since this is now handled by the TMG Server. So the Client Access Server can be used in a default configuration. In this environment a certificate with two FQDNs is used: webmail.exchange14.nl and autodiscover.exchange14.nl, but now this environment is published using TMG 2010 SP1.

The TMG Server now intercepts all autodiscoverredirect traffic so a new rule with a new listener (on a separate IP address) needs to be created. Please note that this traffic is unencrypted, so HTTP (port 80) needs to be used for this listener. For the Client Authentication Method when creating the Web Listener select No Authentication.

image

The next step is to create a web publishing rule that uses this listener. This rule should deny all traffic and redirect it to the ‘normal’ autodiscover URL on the TMG Server, i.e. https://autodiscover.exchange14.nl/autodiscover/autodiscover.xml.

image

One thing to notice though: after creation of the web publishing rule you can select whether this rule listens to all requests or only to specific websites (select the Public Name tab). Also, don’t forget to change the redirection (select the Bridging tab) to port 80. As in the previous blog post, you have to enter autodiscoverredirect.exchange14.nl in the public DNS, and for each other domain create a CNAME autodiscover record (again in public DNS) and point this to the autodiscoverredirect.exchange14.nl FQDN.

Now when you go to the Remote Connectivity Analyzer (www.testexchangeconnectivity.com) and test using another domain you’ll see that it again works, but now via the TMG Server.

image

The warnings in this screenshot are about the root certificate not being verifiable. Also note that in this example the RCA doesn’t even try the SRV method, since the redirect method is successful.

SRV Records

The autodiscover SRV records option I explained in my previous article works immediately through the TMG Server. This makes sense since the information is taken from public DNS directly and the autodiscover service is accessed directly without any redirection.

image

One thing I would like to mention: quite a lot of people think that autodiscover fails because of the 3 failing attempts (in the above screenshot). While these attempts do fail, autodiscover successfully finishes with the fourth option, so autodiscover as a whole is considered successful.
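As an added example (not code from the original post), here is a small Python model of the Autodiscover lookup order that the Remote Connectivity Analyzer walks through, covering both methods discussed above: the port-80 redirect listener on TMG and the SRV record. The transport is stubbed with constructed answers so it runs offline; contoso.example, fabrikam.example and badredir.example are made-up customer domains, while the exchange14.nl names come from the post.

```python
from urllib.parse import urlparse
AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

def lookup_order(domain):
    # The four attempts a client (and the Remote Connectivity Analyzer) makes, in order.
    return [
        ("https-root", f"https://{domain}{AUTODISCOVER_PATH}"),
        ("https-autodiscover", f"https://autodiscover.{domain}{AUTODISCOVER_PATH}"),
        ("http-redirect", f"http://autodiscover.{domain}{AUTODISCOVER_PATH}"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]

def safe_redirect(location):
    # The unauthenticated port-80 redirect is only acceptable towards an HTTPS Autodiscover URL.
    u = urlparse(location)
    return u.scheme == "https" and u.path.lower() == AUTODISCOVER_PATH

def probe(domain, http_get, srv_lookup):
    # Returns (step, final_url) of the first successful attempt, else (None, None).
    # http_get(url) -> (status, location), status None if nothing answers; srv_lookup(name) -> host or None.
    for step, target in lookup_order(domain):
        if step == "srv":
            host = srv_lookup(target)
            if host:
                return step, f"https://{host}{AUTODISCOVER_PATH}"
            continue
        status, location = http_get(target)
        if step == "http-redirect":
            if status == 302 and location and safe_redirect(location):
                return step, location
        elif status in (200, 401):  # endpoint answers; 401 just means it wants credentials
            return step, target
    return None, None

# Constructed answers mirroring the post: the customer's autodiscover CNAME points at
# autodiscoverredirect.exchange14.nl, where the TMG port-80 listener issues a 302 to the real
# Autodiscover URL. fabrikam.example publishes only an SRV record; badredir.example redirects to plain HTTP.
HTTP_ANSWERS = {
    "http://autodiscover.contoso.example" + AUTODISCOVER_PATH:
        (302, "https://autodiscover.exchange14.nl" + AUTODISCOVER_PATH),
    "http://autodiscover.badredir.example" + AUTODISCOVER_PATH:
        (302, "http://autodiscover.exchange14.nl" + AUTODISCOVER_PATH),
}
SRV_ANSWERS = {"_autodiscover._tcp.fabrikam.example": "autodiscover.exchange14.nl"}

def fake_http_get(url):
    return HTTP_ANSWERS.get(url, (None, None))  # no listener / no DNS answer

def fake_srv_lookup(name):
    return SRV_ANSWERS.get(name)
```

Running probe() for the three constructed domains shows the redirect domain succeeding at the third attempt, the SRV-only domain failing three times and succeeding at the fourth, and the plain-HTTP redirect being refused.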

Now combine the autodiscover redirect and the SRV method with the Address Book Policies that will be available in Exchange 2010 Service Pack 2 and you’re one step closer to your own Exchange 2010 hosting solution.

To be continued, stay tuned…

Password Reset Tool and TMG

In Exchange Server 2010 SP1 there’s the password reset tool, a tool you can use when a user’s password has expired, or when the administrator has reset a password and checked the user must change password at next logon option.

The password reset tool can be enabled with a registry key:

  1. Log on to the CAS Server
  2. Open the Registry Editor and navigate to HKLM\SYSTEM\CurrentControlSet\services\MSExchange OWA
  3. Create a new DWORD (32-bit) value and name it ChangeExpiredPasswordEnabled
  4. Give this DWORD a value of 1
  5. Restart Internet Information Services using IISRESET

When you logon to the Client Access Server (with Forms Based Authentication) after a password reset the following form is presented:

image

Using the password reset tool from the Internet when published using TMG2010 is a different story. By default this does not work, so some changes have to be made to the TMG’s web listener. Log on to the TMG Server and select the appropriate web listener. Select the Forms tab and check the Use customized HTML forms instead of the default option. The custom HTML form set directory must be set to forms; this is the directory on the CAS server where the forms are stored. Also check the Allow users to change their passwords option.

image

Now when a user’s password is reset with the user must change password at next logon option the password can be changed via TMG.

The certificate is invalid for Exchange Server usage

When you have an Internet facing Exchange 2010 Client Access Server you most likely will have a third-party certificate installed on this CAS Server. Every time the certificate is requested it is checked for validity, and this check is done against a web server of the Certificate Authority.

When you have Threat Management Gateway (TMG) 2010 Server in front of the CAS Server all HTTP(S) traffic is routed via the TMG Server. The TMG Server is the default gateway on the network interface and in Internet Explorer you have to configure the TMG server as the HTTP proxy.
