
White Paper

Publishing Exchange Server 2010 with Forefront UAG and Forefront TMG


Standard Publishing Scenarios
Greg Taylor, Senior Program Manager, Exchange Server
Date: November 2010

Contents
Executive Summary ........ 2
Choosing Between Forefront TMG or Forefront UAG ........ 4
Basic Forefront TMG and/or Forefront UAG Concepts
Common to both Forefront TMG and Forefront UAG
Forefront TMG Concepts ........ 6
Forefront UAG Concepts ........ 8
Exchange Publishing Scenarios ........ 9
Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront TMG ........ 9
Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront UAG ........ 45
Appendix ........ 86
Using Alternative Authorization and Access Providers ........ 86
Additional Information ........ 92
Legal Notice ........ 92

Executive Summary
By allowing remote access to Microsoft Exchange to users who are based outside the safety of the corporate network, an organization enables its employees to take full advantage of the technology their company provides. Remote access lets employees use many devices to communicate with their peers and customers from any place and at any time.

Allowing access to corporate resources from any location, perhaps using devices that are not controlled by the organization, presents additional risk to the security of the data and services being accessed. Therefore it's critical to take measures to ensure that the data is being accessed securely, which means implementing technologies such as certificates, firewalls, enforcing pre-authentication, and device or endpoint validation. The key concept to understand is that applying security to any solution is a multi-layered task that includes identifying the threats, reducing the attack surface area, removing unnecessary access points, and enforcing authentication. The casual attacker will usually give up after a few failed attempts to access a resource.

When you publish Exchange, Microsoft offers two software-based options: Microsoft Forefront Threat Management Gateway 2010 (Forefront TMG) and Microsoft Forefront Unified Access Gateway 2010 (Forefront UAG). Both options offer publishing wizards and security features to provide secure access to Exchange when it's accessed from outside the safety of the corporate network.

There are other ways to publish Exchange besides using Forefront TMG or Forefront UAG. This technical guide isn't intended to provide the only information you use for a complex organization or one with special security constraints. Instead, it's intended only as a walkthrough to help you publish Exchange on both these platforms, using basic configuration options. If you have a large organization, it's likely that you'll need additional applications or have to factor in additional security considerations. Such applications and security considerations are beyond the scope of this document.

This white paper provides detailed information about publishing Microsoft Exchange Server 2010 using Forefront TMG or Forefront UAG, including how to choose between them for different scenarios, and provides specific steps you can take to configure Forefront TMG and Forefront UAG to publish Exchange 2010.

Document Reviewers: Jim Harrison, Michel Biton, Ross Smith IV, Fernando Cima, Ramon Infante

Choosing Between Forefront TMG or Forefront UAG


Your first decision when planning to publish Exchange using Forefront TMG or Forefront UAG is to determine which of the two products best fits the needs of the deployment. Both Forefront TMG and Forefront UAG can securely publish Exchange to the Internet, but each offers some features or supports scenarios that the other does not. So, the first step in choosing which product to use is deciding what features you need or think you may need. Some deployments may actually use both Forefront TMG and Forefront UAG to satisfy specific requirements. For example, you might use Forefront UAG to provide a unified portal experience for your inbound Web-based client access, use Forefront TMG to protect Internet access for your internal users, and use Forefront TMG to provide certificate-based authentication to your mobile device-enabled workforce.

The following table compares the two products by Exchange-related deployment scenario or feature (columns: Forefront TMG, Forefront UAG):

Exchange Related Deployment Scenario or Feature
Publish Microsoft Office Outlook Web App and the Exchange Control Panel (ECP) using forms-based authentication
Publish Outlook Anywhere using Basic or NTLM authentication
Publish Microsoft Exchange ActiveSync using Basic authentication
Provide load balancing for HTTP-based protocol accessing from the Internet
Support two-factor authentication for Outlook Web App
Support two-factor authentication for Exchange ActiveSync
Provide certificate-based authentication for Exchange ActiveSync, Outlook Web App, and ECP
Perform mail hygiene for Exchange with installation of the Edge Transport server role and Microsoft Forefront Protection 2010 for Exchange Server
Protect and filter Internet access for internal users from malware and other Web-based threats
Provide support for scaled up Outlook Anywhere deployments by using multiple source IP addresses
Check a client computer accessing Outlook Web App for presence of approved antivirus software, updates, etc.
Thoroughly clean up the client following an Outlook Web App session with settings configurable by the admin

It's recommended that you review the information at the Forefront Threat Management Gateway 2010: Home Page and the Forefront Unified Access Gateway 2010: Home Page.

Basic Forefront TMG and/or Forefront UAG Concepts


It's important to understand some key concepts and terminology used in Forefront TMG and Forefront UAG.

Common to both Forefront TMG and Forefront UAG

These concepts or terms are used in both Forefront TMG and Forefront UAG and may also be used in other products or scenarios.

Farm
A farm is a collection of published servers, such as all the Client Access servers in one Active Directory site. Even if a deployment currently contains just one Client Access server, it's usually a good idea to plan and build a farm of one server. Adding servers to an existing farm in a publishing rule in Forefront TMG is much easier than converting publishing rules to publish a farm of servers. Forefront UAG treats all published servers as a farm and makes the addition or removal of servers simple.

Kerberos Constrained Delegation
Kerberos constrained delegation (KCD) is a Windows extension to the MIT-created authentication protocol, Kerberos V5. In an Exchange publishing scenario, KCD and protocol transition allow Forefront TMG or Forefront UAG to take user credentials presented as Basic, NTLM, Negotiate, or Kerberos, as a certificate, or in a form, then request or translate that into a Kerberos service ticket on the user's behalf from Active Directory, and then present the service ticket to the Client Access server in order to access the user's mailbox. This service ticket is only for the destination service required and is therefore 'constrained'. There are many detailed documents available describing how KCD and protocol transition function. For more information, see the Protocol Transition with Constrained Delegation Technical Supplement.

Domain Joining Forefront TMG/Forefront UAG or Leaving in a Workgroup
In most organizations, the decision whether to domain join the server hosting Forefront TMG/Forefront UAG to your production domain may be one of the more contentious parts of the deployment.

For Forefront UAG deployments, the guidance is clear. Because Forefront UAG is not a firewall, it should be placed behind some other device that acts as a firewall on the corporate network. Also, it's recommended that Forefront UAG be domain joined to make authentication simple and flexible. Forefront TMG is installed on the Forefront UAG computer during installation, but that's done only to protect the host system and for the underlying functionality it provides to Forefront UAG.

Forefront TMG deployments are more complex to discuss because Forefront TMG is considered a firewall and can protect the network edge. Domain joining Forefront TMG offers many advantages: it allows certificate based authentication to be used at Forefront TMG, using Kerberos Constrained Delegation to communicate to Exchange; it allows easy use of Active Directory groups and user objects in publishing rules to restrict access; and it provides other benefits. For an impartial view on whether to domain join Forefront TMG, see Debunking the Myth that the ISA Firewall Should Not be a Domain Member. For more information about identifying your infrastructure design requirements, see Domain and workgroup requirements.

Even if Forefront TMG is not domain joined, it can use Active Directory as an authorization and authentication source through the LDAP or RADIUS protocols. Some additional configuration is required, and those steps are contained in the appendix of this guide. The simple scenario walkthroughs discussed within this article assume Forefront TMG and Forefront UAG are domain joined to the production forest that contains the Exchange resources being accessed.

Forefront TMG Concepts

These concepts or terms are specific to Forefront TMG.

Listener
A listener is an object in Forefront TMG that ties together several other objects:
At least one IP address, transport and port.
A certificate.
An authentication method. Common examples are Basic, Windows Integrated, RSA SecurID, and forms-based authentication.

Listeners do have other configuration options such as cookie management, but from an Exchange publishing standpoint, the listener determines where the public DNS records that relate to Exchange services should point, the certificate used for Secure Sockets Layer (SSL) for those connections, and the authentication choices the user will have. For example, forms-based authentication for Outlook Web App and Basic authentication for Outlook Anywhere and Exchange ActiveSync.

Publishing Rule
A publishing rule ties a listener, where the connection is accepted and how it's authenticated, to the conditions that determine access limitations. In addition, the rule specifies the destination to which requests that pass the conditions of the rule should be sent. Forefront TMG has many options in each publishing rule that specify whether Forefront TMG will actually apply that specific rule and whether the request meets the conditions of the rule. Examples of rules and conditions are as follows:

The paths requested by the client: For example, /owa or /autodiscover. A request for /oaw is not processed by the rule meant for use by Outlook Web App.

The schedule during which the rule is available: The rule can be set to only respond and process requests at certain hours of the day.

The permission of the user to access the rule: Forefront TMG can allow or deny access based on the user object itself or groups that user is a member of.

Having such control over each rule lets an administrator apply very fine-grained conditions to their publishing of Exchange through Forefront TMG. For example, you can use separate rules for different user groups. This enables you to serve specific users from different Exchange farms, for example, during a migration process, as described later in this white paper.

Authentication Delegation
Authentication Delegation is configured on a publishing rule and specifies how Forefront TMG will authenticate to the server it's publishing. The method specified by the Authentication Delegation dialog on the publishing rule must match an authentication method allowed by the Client Access server that Forefront TMG is publishing. For example, if TMG is configured to use Basic authentication delegation to an Exchange server, the corresponding virtual directories on Exchange (/owa, /rpc etc.) must have Basic authentication enabled on them. Forefront TMG can delegate authentication using a different method than the client used to authenticate to Forefront TMG. For example, an Outlook Web App client authenticates to Forefront TMG using forms-based authentication. However, Forefront TMG can delegate credentials to Exchange by using Basic or NTLM authentication, or even KCD. For more information, see About authentication in Web publishing.

Forefront TMG also offers two options: to allow the user to authenticate directly to the Web server itself (No delegation, but client may authenticate directly) or to completely prevent delegation (No delegation, and client cannot authenticate directly). The first of these choices, No delegation, but client may authenticate directly, allows the client to authenticate directly to the Client Access server. This can be useful in a certificate-based authentication scenario, where Forefront TMG is not domain joined, or if you want to use a custom, forms-based authentication solution on the Client Access server and not enforce any authentication at Forefront TMG.

Forefront UAG Concepts

These concepts or terms are specific to Forefront UAG.

Trunk
A Forefront UAG portal trunk is a transfer channel that allows clients, or endpoints, to connect to the trunk's portal home page or applications over HTTP or HTTPS.

Portal
A portal is a Web site created by Forefront UAG to provide access to applications published in a trunk. As soon as the user authenticates to the portal, they can seamlessly access all applications in the portal without having to re-authenticate. This is known as single sign-on (SSO).

Endpoint
An endpoint is a Forefront UAG term for a client computer or application. Personal computers, Web browsers, and mobile devices are all endpoints to Forefront UAG.

Exchange Publishing Scenarios


This section shows the steps that are required to configure Exchange, Forefront TMG, or Forefront UAG to meet simple publishing scenarios. These scenarios are intended as guidance only, and additional steps may be required for your specific deployment.

Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront TMG

In this walkthrough we will configure Forefront TMG to publish Exchange Server 2010 to the Internet. We will use forms-based authentication at Forefront TMG for Outlook Web App and Basic authentication for Outlook Anywhere and Exchange ActiveSync. Both are pre-authenticated at Forefront TMG. Forefront TMG will publish a farm of Client Access servers in one Active Directory site. The following diagram outlines the topology.

Server and software prerequisites

The following are prerequisites for the configuration and should already be configured:

Exchange 2010 deployed into one (or more) Active Directory sites.

Forefront TMG 2010 installed onto a Windows Server 2008 (SP2 or R2) domain-joined computer that has two network interfaces: one facing the internal network and one facing the public network. The Forefront TMG installation wizards make installing and configuring Forefront TMG for basic access simple. It's good practice to name each network adapter in the Forefront TMG server according to the network it's connected to, for example 'internal' and 'external'. This makes configuring them in Forefront TMG much easier.

In this walkthrough Forefront TMG has been joined to the same domain as a Client Access server to enable Active Directory to provide authentication and authorization without any additional configuration.

Certificate Prerequisites

In order to help secure traffic crossing the Internet, SSL certificates are used on the server that publishes Exchange. For detailed information on how to plan certificates, see White Paper: Exchange 2007 Client Access and SSL. For the purposes of this walkthrough, it's assumed the planning exercise has resulted in the following configuration:

Split DNS is configured. That is, the same domain name exists both inside and outside the company network in DNS. The domain name used for this walkthrough is fabrikam.com.

A host record, mail, has been created to enable Exchange to be published to the Internet: mail.fabrikam.com. All clients use this name to reach Outlook Web App, Outlook Anywhere, and Exchange ActiveSync. The certificate lists the mail.fabrikam.com name as the first name on the certificate, also known as the principal name, or the Common Name. This is important when the certificate is used to provide Outlook Anywhere.

A host record, AutoDiscover, has been created in external DNS to allow Outlook Anywhere and Exchange ActiveSync clients from outside the network to reach the Autodiscover service. For more information, see White Paper: Exchange 2007 Autodiscover Service. The certificate includes autodiscover.fabrikam.com as a Subject Alternative Name (SAN) attribute on the certificate.

You should be aware that the certificate used on Forefront TMG can be from a third-party certification authority (CA) and the certificate used internally can be from a different CA, perhaps an internal, Active Directory-integrated certification authority. However, for this walkthrough, although the certificate used on Forefront TMG will be from an internal authority, it is not the same certificate as the one used on the Client Access server. The certificate will only contain the names required by Forefront TMG to publish Exchange. Creating a certificate with just the names required by Forefront TMG avoids publishing a certificate with unnecessary FQDNs to the Internet.

Whatever choices are made about the issuer of the certificates, the Forefront TMG server must trust the CA that issued the certificates that are used by the Client Access server. If the certificates the Client Access server uses are from an internal Active Directory-integrated CA, and Forefront TMG is a domain member, the trust is usually automatic. If Forefront TMG is not a domain member, or if the certificates were not issued from an Active Directory-integrated CA, then the certificate chain must be installed in the Forefront TMG local computer's Trusted Root Certification Authorities store.

It's also very important that the client that is trying to access Exchange through Forefront TMG trust the CA that issued the certificate used by Forefront TMG. Notice that it's not necessary that the client trust the CA that issued the certificate installed on the Client Access server, only the certificate installed on Forefront TMG. If the SSL tunnel ends on Forefront TMG (as it must for Web publishing), the client must trust the CA that issued the certificate installed in that Forefront TMG Web listener. If the Forefront TMG server then re-encrypts that traffic to Client Access servers inside another SSL tunnel, the Forefront TMG server must then trust the CA that issued the certificate installed on the Client Access server. In each case, one computer is the client, the computer requesting access to resources, and the other is the server, the computer that has the resources. The client must always trust the CA that issued the certificate used by the server in an SSL conversation.

If you are using an internal CA to generate certificates, you might have to install that root certificate on your client computer or mobile device in order to enable it to connect to Forefront TMG. If the computer is a member of the domain where the Active Directory-integrated CA was installed, this is usually automatic. If not, the client computer may have to browse to the Certificate Services Web site, if there is one, or copy it from a computer that has the root certificate so that it can be trusted.

It's easy to check whether a computer or device trusts the certificate installed on the server by using a browser to connect to a published service on that server. If a certificate warning pop-up window appears with just the first of the three checks performed failing, the certificate is untrusted.

If you are working in Outlook Web App, you can just click Yes as shown in the screenshot to continue. Outlook Anywhere and Exchange ActiveSync clients do not usually provide this option and so will not connect. If you see this warning, you should resolve it before you try to continue.

Configuration Steps

There are multiple steps required to configure Forefront TMG to publish Exchange 2010. The following steps are included in this walkthrough document:

Creating and installing the SSL certificate onto the Forefront TMG server
Creating a listener
Creating a Web farm
Creating publishing rules
Creating DNS records
Configuring authentication on the Client Access server
Testing the configuration

Creating and Installing the SSL Certificate on the Forefront TMG Server

Forefront TMG requires a certificate be used to secure communications with clients. The client configuration requires that the certificate be created by using these names, mail.fabrikam.com and autodiscover.fabrikam.com. The certificate request can be generated anywhere and then imported to Forefront TMG; in this walkthrough we use the certificate wizard in Exchange to generate the certificate on a Client Access server inside the network, then export it to a file, copy it to Forefront TMG, and then install it to the local computer certificate store on Forefront TMG. The Exchange certificate wizard makes it very easy to put the correct names on the certificate. The wizard can be used to generate certificate requests for either internal or third-party CAs. This walkthrough will generate the certificate on the Client Access server.

Creating the Certificate Request

1. Using either the Exchange Management Shell or Exchange Management Console, create a certificate request for a certificate with the names mail.fabrikam.com and autodiscover.fabrikam.com.

Using the Exchange Management Shell:

# Generates a PKCS#10 request with mail.fabrikam.com as the Common Name and autodiscover.fabrikam.com as a SAN,
# with an exportable private key, and writes the request to a file for submission to the CA.
Set-Content -Path "C:\mail_fabrikam_com" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=Washington, l=Redmond, o=Fabrikam, ou=IT, cn=mail.fabrikam.com" -DomainName mail.fabrikam.com, autodiscover.fabrikam.com -PrivateKeyExportable $True)

NOTE: You must use PrivateKeyExportable to allow the certificate to be exported from the Client Access server and imported to another computer. Safe handling of certificates that contain private key material, such as those generated by using this process, is necessary to ensure they are not misused.

2. Use the resulting request file to request a Web Server certificate at the certification authority you have chosen.

3. When you receive the resulting file from the CA, right-click the pending certificate request in the Exchange Management Console (EMC) and select 'Complete Pending Request'. Or, you can use the Import-ExchangeCertificate cmdlet, specifying the file the CA provided to complete the request.

NOTE: It's important at this point not to assign this certificate to any Exchange services because this certificate will be used on Forefront TMG, not on the Client Access server.


4. Right-click the certificate in EMC or use the Export-ExchangeCertificate cmdlet to export the certificate to a .pfx file, specifying a password as required.

5. Transfer the resulting .pfx file to the Forefront TMG server.

6. On the Forefront TMG server, open a blank Microsoft Management Console (MMC) by clicking Start, Run and typing mmc followed by Enter.

7. Click File, Add/Remove Snap-in, and then add the Certificates Snap-in. When you are prompted for the choice of management location, select Computer account, click Finish, and then click OK.

8. Expand the Certificates (Local Computer) node, and then click Personal.

9. Right-click the Personal container, and then select All Tasks > Import.

10. Use the Wizard to locate and import the file that you transferred from the Client Access server. You may have to change the file type that the Wizard is searching for from *.cer to *.pfx.

11. As soon as the certificate is imported, double-click the certificate to make sure that it opens, is trusted to the root, and that the certificate shows you have the private key for the certificate.


12. Now you can choose to remove the certificate from the Client Access server if you no longer need it. Leaving a certificate there, with its private key, when it isn't used by Exchange, won't do any harm. But if that certificate is accidentally assigned to services or is taken and used elsewhere, it could cause problems.

Creating a Listener

In these steps we will configure a single Web listener on the Forefront TMG server and bind the certificate we created to that listener. A listener is a Forefront TMG object that associates a combination of an IP address (the external-facing network adapter of Forefront TMG), a port (TCP 443 for https), a certificate (mail.fabrikam.com), and an authentication provider (Active Directory for this domain-joined Forefront TMG computer).

1. Open the Forefront TMG management console. On the Firewall Policy node, on the right side of the console, click the Toolbox tab.

2. Right-click the Web Listener network object, and then select New Web Listener.


3. Provide a name that describes the object that you are creating, for example Exchange Listener, and then click Next.

4. Take the default option to make sure clients connect using HTTPS, and then click Next.

5. On the Web Listener IP Addresses page, click to select the 'External' network, as Forefront TMG will be listening to requests from clients on the external interface. If you want to point all internal clients to Forefront TMG and provide a common experience for both internal and external clients, you could do so here by selecting the 'Internal' network object also and making sure that DNS is configured appropriately. When you select an object, the Select IP Addresses button becomes available. This enables you to scope the listener to one specific IP address, or to a group of IP addresses if your Forefront TMG server has multiple external or internal IP addresses.


6. On the Listener SSL Certificates page of the wizard, click the Select Certificate button to display the certificate picker and select the certificate you installed earlier. If the certificate is not listed, or the Validity is not shown as Valid, check the certificate import steps that you completed earlier.

7. On the Authentication Settings page of the wizard, click the drop-down arrow and select HTML Form Authentication. This provides forms-based authentication to Outlook Web App but also provides Basic authentication to Outlook Anywhere and Exchange ActiveSync.


8. On the Single Sign On Settings page, enter fabrikam.com, and then click Next. Although not strictly necessary for the topology and scenario that this walkthrough provides, this check box and field are very important for migration from Microsoft Exchange Server 2003 and Exchange 2007 to Exchange 2010, as discussed later in this document, because this setting allows Forefront TMG to do the single sign-on (SSO) redirection for Exchange 2003 and Exchange 2007 users when they try to log on to Exchange 2010.

9.

10. Click Next, and then click Finish to complete the Web Listener wizard.

Creating a Web Farm

In these steps we will create a Web farm. That is, we will specify the server or servers that Forefront TMG is publishing, Exchange 2010 Client Access servers in our walkthrough. This involves specifying the servers by name and specifying the method Forefront TMG uses to ensure they are available for use (health checking). You should configure a farm and a farm-publishing rule even if you only deploy one Client Access server at first. If you then deploy additional Client Access servers, you can add them to the farm and avoid any policy reconfiguration. You can create the farm as a part of the publishing rule wizard. Some application-specific settings are applied automatically when you do this, but as they are separate objects and can be configured independently, this walkthrough will create each one separately.


1. Open the Forefront TMG management console. On the Firewall Policy node, on the right side of the console, click the Toolbox tab.

2. Right-click the Server Farms object, select New Server Farm, and then give the farm a meaningful name, CAS 2010 Farm in this example.

3. Click Next, and then click Add to add servers to the farm. Now one advantage of Forefront TMG being a domain member is clear. You can search Active Directory for the Client Access servers and easily populate the field without having to know the IP addresses of the servers themselves.


4. At the Server Farm Connectivity Monitoring screen the default selection is to send an HTTP GET request to the Client Access server to check whether Internet Information Services (IIS) is responding. This default option allows Forefront TMG to issue HTTP requests to the farm members, providing a more accurate picture of each farm member's health. The available health check options provide server availability as follows:

a. Send an HTTP/HTTPS request: Forefront TMG will create a connection on the port defined in the publishing rule "Bridging" tab and issue an HTTP GET request. A response from the server that is neither in the "server error" set defined in RFC 2616 (5xx response codes) nor a 4xx response other than 401 or 407 will be interpreted as a "success" state. Notice that connectivity verifiers cannot authenticate to the servers, although the lack of authentication does not affect the verifier. Being prompted for authentication shows that the server is responding.

b. Send a Ping request: Forefront TMG will send ICMP Echo Requests to the farm members to determine their availability. If Forefront TMG receives a response to this request, the server is considered available.

c. Establish a TCP connection: Forefront TMG will create a connection to the farm member on the port specified. If this process is successful, Forefront TMG will tear down the session and consider the server to be available.

The default choice presented when you run this wizard on its own won't enable the verifier to work correctly when publishing Exchange. The default, an HTTP GET request to the root of the Web server (HTTP://*/), will result in an HTTP 403 Forbidden response because SSL is required to access the resource. This results in the server being marked as down.


When the Web Farm wizard is invoked as part of a publishing rule wizard for Exchange, Forefront TMG sets the verifier to use HTTPS GET to a path of /OWA/ (HTTPS://*/OWA/). This results in a 401 Unauthorized response and marks the server as available. Therefore, if you create the Web farm on its own, as this walkthrough does, and not as part of an Exchange Publishing wizard, you should modify the default settings as shown here, although you may choose to substitute /OWA/ for /RPC/ or /Microsoft-Server-ActiveSync/ if you are only publishing one specific protocol.
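As an added example, not code from the white paper or from Forefront TMG, the following PowerShell emulates from the Forefront TMG host what the connectivity verifier would see for each farm member: it issues the same unauthenticated GET, applies the success rule quoted above (5xx and 4xx responses are failures except 401 and 407), and also reports whether this host trusts the CA that issued the Client Access server's certificate, as the Certificate Prerequisites section requires. The farm member names cas01.fabrikam.com and cas02.fabrikam.com and the default ports 80/443 are assumptions; the real verifier uses the port on the publishing rule's Bridging tab.

```powershell
# Added example (not from the white paper or the Forefront TMG product): emulate the farm
# connectivity verifier from the TMG host and report what it would decide for each member.
# Assumptions: farm members cas01/cas02.fabrikam.com (constructed names), default ports
# 80/443, Windows PowerShell 2.0 on Windows Server 2008 using .NET classes only.

function Test-VerifierStatus {
    # Success rule quoted in the white paper: 5xx is a failure, 4xx is a failure except
    # 401 and 407 (an authentication prompt proves IIS is responding), anything else is up.
    param([int]$StatusCode)
    if ($StatusCode -ge 500) { return $false }
    if ($StatusCode -ge 400 -and $StatusCode -ne 401 -and $StatusCode -ne 407) { return $false }
    return $true
}

function Test-FarmMember {
    param(
        [string]$Server,
        [string]$Path = '/OWA/',
        [bool]$UseHttps = $true
    )
    $scheme = if ($UseHttps) { 'https' } else { 'http' }
    $url = '{0}://{1}{2}' -f $scheme, $Server, $Path
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.Method = 'GET'
    $request.Timeout = 10000
    # Like the verifier: send no credentials, and look at the raw status instead of
    # following redirects.
    $request.AllowAutoRedirect = $false
    $status = 0
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -ne $null) {
            # 4xx/5xx answers surface as a WebException that still carries the response.
            $status = [int]$_.Exception.Response.StatusCode
        }
        # Otherwise $status stays 0: DNS/TCP failure or a failed SSL handshake, for example
        # because this host does not trust the CA that issued the CAS certificate.
    }
    $subject = $null
    $chainTrusted = $null
    if ($UseHttps -and $request.ServicePoint.Certificate -ne $null) {
        # Certificate Prerequisites: TMG must trust the CA that issued the CAS certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            $request.ServicePoint.Certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($cert)
        $subject = $cert.Subject
    }
    New-Object PSObject -Property @{
        Server       = $Server
        Url          = $url
        StatusCode   = $status
        VerifierUp   = ($status -ne 0) -and (Test-VerifierStatus $status)
        CertSubject  = $subject
        ChainTrusted = $chainTrusted
    }
}

# Constructed farm: compare the stand-alone wizard default (HTTP GET to the Web root, which
# the white paper says answers 403 when SSL is required) with the Exchange wizard's setting
# (HTTPS GET to /OWA/, which answers 401 and therefore counts as up).
$members = 'cas01.fabrikam.com', 'cas02.fabrikam.com'
$members | ForEach-Object {
    Test-FarmMember -Server $_ -Path '/' -UseHttps $false
    Test-FarmMember -Server $_ -Path '/OWA/' -UseHttps $true
} | Format-Table Server, Url, StatusCode, VerifierUp, CertSubject, ChainTrusted -AutoSize
```

A member that shows StatusCode 0 with ChainTrusted False is the trust-store case described under Certificate Prerequisites, not an IIS fault.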


This setting results in the connectivity verifier making an HTTPS GET request to each member of the farm, specifically directed at the /owa virtual directory. It's not necessary that a certificate with the FQDN being tested (the FQDN of each server in the farm) be installed on the Client Access server, because the verifier does not check the certificate name; the farm members can keep the certificate issued for mail.fabrikam.com. The following table summarizes the tests and what each one actually verifies:

Test   Network   Server   Service (IIS)
PING   Yes       No       No
TCP    Yes       Yes      No
HTTP   Yes       Yes      Yes
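The following script is an added example, not code from the white paper: it emulates the Forefront TMG connectivity verifier from a PowerShell prompt, issuing the same GET against each Client Access server and applying the same success rule described above (401 and 407 are "up"; any other 4xx and every 5xx is "down"). The server names RED-CAS-1 and RED-CAS-2 are assumptions; run it from the Forefront TMG server or any host that can reach the farm members directly.

```powershell
# Added example, not part of the white paper: emulate the Forefront TMG connectivity
# verifier against each Client Access server in the farm, applying the same success
# rule the wizard uses (401 and 407 are "up"; every other 4xx and all 5xx are "down").
# Server names RED-CAS-1 and RED-CAS-2 are assumptions.

function Test-CasFarmMember {
    param(
        [Parameter(Mandatory=$true)][string[]]$Server,
        [string]$Path = '/owa/',        # use /rpc/ or /Microsoft-Server-ActiveSync/ for a single-protocol farm
        [switch]$PlainHttp,             # reproduces the wizard default: HTTP GET to the root
        [switch]$IgnoreCertificateName  # like TMG's verifier, do not require the member FQDN on the certificate
    )
    $saved = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    if ($IgnoreCertificateName) {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
    try {
        foreach ($s in $Server) {
            $scheme = if ($PlainHttp) { 'http' } else { 'https' }
            $url = "${scheme}://$s$Path"
            $status = $null
            try {
                $req = [System.Net.HttpWebRequest]::Create($url)
                $req.Method = 'GET'
                $req.Timeout = 5000
                $req.AllowAutoRedirect = $false   # an FBA 302 to /owa/auth/logon.aspx is reported as-is
                $resp = $req.GetResponse()
                $status = [int]$resp.StatusCode
                $resp.Close()
            } catch [System.Net.WebException] {
                # 4xx/5xx surface as exceptions; a missing Response means no HTTP answer at all
                if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            }
            # TMG rule: no response, 5xx, or a 4xx other than 401/407 marks the member down
            $healthy = $false
            if ($status -ne $null) {
                $serverError = ($status -ge 500)
                $clientError = ($status -ge 400 -and $status -lt 500 -and $status -ne 401 -and $status -ne 407)
                $healthy = -not ($serverError -or $clientError)
            }
            New-Object PSObject -Property @{ Server = $s; Url = $url; Status = $status; Healthy = $healthy }
        }
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $saved
    }
}

# Wizard default: HTTP GET to /. Expected Status 403 (SSL required), Healthy False.
Test-CasFarmMember -Server 'RED-CAS-1','RED-CAS-2' -Path '/' -PlainHttp

# Exchange publishing wizard setting: HTTPS GET to /owa/. Expected Status 401 once the
# owa virtual directory uses Basic authentication (configured later in this walkthrough),
# Healthy True. With FBA still enabled you see a 302, which the rule also treats as up.
Test-CasFarmMember -Server 'RED-CAS-1','RED-CAS-2' -Path '/owa/' -IgnoreCertificateName
```

Running the two calls side by side reproduces the behaviour described above: the wizard default is marked down on every member because of the 403, while the /owa/ check is marked up even though nothing authenticates. Note that with -IgnoreCertificateName the script, like the verifier, proves nothing about the certificate on the farm member; that check belongs in the Troubleshooting section.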

Understanding that Forefront TMG can test for the health of a specific application endpoint, such as /OWA/ or /RPC/, might lead you to configure farms with application-specific verification URLs for each application you are publishing. These farms and verifiers can contain the same servers. So you might configure a farm with two Client Access servers for OWA, testing the /OWA/ path, and a farm with the same Client Access servers for Outlook Anywhere, testing the /RPC/ path. When you have configured the verifiers you need, click Finish to complete the New Server Farm wizard and apply the changes to Forefront TMG.

Creating Publishing Rules
A publishing rule ties together the listener, the farm, the users who can access the resource, what paths are valid in the URL, and more. You can create both the listener and the farm when the publishing rule is created. However, these tasks are split out here to make them distinct from one another so that they can each be independently configured. It's also important to understand that the Exchange Web publishing rule wizard will be run three times: for Outlook Web App, Outlook Anywhere, and Exchange ActiveSync. However, all three will use the same listener and farm. Then, Forefront TMG can correctly set up the paths each one uses and the load balancing each one will use (cookie based for Outlook Web App, IP based for Outlook Anywhere and Exchange ActiveSync). You should not modify one rule to accommodate all three clients. You should create three separate rules to make sure that the configuration is optimal. You should also know that publishing rules for Exchange that are created without using the Exchange Publishing wizard are unsupported.

1. In the Forefront TMG console, right-click the Firewall Policy node, click New, click Exchange Web Client Access Publishing Rule, and then give it a meaningful name. For this step-by-step example, we will configure the Outlook Web App publishing rule.

2. Click Next. From the drop-down list select the version of Exchange we are publishing, select the Outlook Web Access (Outlook Web App) check box, and then click Next.

3. On the Publishing Type page, click Publish a server farm of load balanced Web servers, and then click Next.


4. On the Server Connection Security page, leave the default option, Use SSL, and then click Next.

5. On the Internal Publishing Details page, enter the name internal users use to access Outlook Web App. Because split DNS has been configured, this is mail.fabrikam.com. It's important that Forefront TMG be able to resolve the name in this field, but not that it resolves to a load balancer, although it typically will if a load balancer is used inside the organization. If Forefront TMG can resolve this to just one host, the publishing rule will work correctly, and correctly balance the load between the Client Access servers configured in the farm. If the name cannot be resolved in DNS by Forefront TMG, the rule will still work. However, this usually results in many event log errors and some decrease in performance.

6. On the Specify Server Farm page of the wizard, click the drop-down list, and then select the farm created earlier.
7. On the Public Name Details page, enter the name external users will use to access Outlook Web App. Again, mail.fabrikam.com.

8. On the Select Web Listener page, click the drop-down list, and then select the listener you configured earlier.

1. The ("thentication Delegation !age i# &reB"ently one o& the more con&"#ing !age# o& the $i4ar) &or tho#e $ho are not %ore&ront TMG ex!ert#. Thi# !age a#3# $hether %ore&ront TMG #ho"l) a"thenticate to the *lient (cce## #erver on behal& o& the "#er or let the "#er a"thenticate )irectly, an) then, i& %ore&ront TMG )oe# )elegate cre)ential#, $hat a"thentication metho) %ore&ront TMG #ho"l) "#e $hen !re#enting the cre)ential# to the *lient (cce## #erver. %or a #im!le 2"tloo3 eb (!!, 2"tloo3 (ny$here, or Exchange (ctiveSync )e!loyment, the mo#t li3ely choice# are +a#ic or NT6M. Thi# mean# that the corre#!on)ing virt"al )irectory on the target *lient (cce## #erver m"#t al#o #"!!ort that &orm o& a"thentication. 5& %ore&ront TMG i# con&ig"re) to "#e +a#ic a"thentication then the 2"tloo3 eb (!! virt"al )irectory on the target *lient (cce## #erver m"#t al#o have +a#ic a"thentication enable).

Forefront TMG cannot delegate credentials correctly to a Client Access server if the Client Access server has forms-based authentication configured. Therefore, if the default setting of FBA authentication is enabled on the Client Access server, delegation will fail, the user will see forms-based authentication generated by the Client Access server, and then have to enter their credentials again. Making sure that the correct authentication scheme is configured on the Client Access server is covered later in this section.


NOTE: If the goal of the deployment is to have FBA for both internal and external users, you have the following options:
• Point internal users to the internal interface of Forefront TMG and use Forefront TMG FBA.
• Leave FBA enabled on the Client Access server. On the Authentication Delegation page of the wizard in Forefront TMG, select the No delegation, but client may authenticate directly option. This means that Forefront TMG is not performing forms-based authentication at all.
• Add an additional IP address and an additional Outlook Web App Web site to the Client Access server, and then use DNS to ensure users inside and outside the network connect to the correct Web site.

10. On the User Sets page of the wizard, the default, All Authenticated Users, is sufficient if you want to enable all users who successfully authenticate to access the resource. However, if you use Active Directory groups, for example, to limit access, you can select those groups on this page.
11. Finish the wizard, and apply the changes to Forefront TMG. Complete the same wizard again for Exchange ActiveSync, using the same parameters as for Outlook Web App.

Complete the wizard again for Outlook Anywhere, selecting the box to Publish additional folders on the Exchange Server for Outlook 2007 client, and then selecting Basic authentication for the delegation method. But, when the rule is complete and before you apply the changes to Forefront TMG, open the properties dialog for the rule that you just created.

As shown, add autodiscover.fabrikam.com to the list of names on the Public Name tab of the rule properties. The Autodiscover path is used to provide the Autodiscover service to both Outlook Anywhere and Exchange ActiveSync clients. By default, the Autodiscover path is contained in the Outlook Anywhere rule. If you want to use Exchange ActiveSync but not Outlook Anywhere and also want to provide Autodiscover service functionality to those Exchange ActiveSync clients, you can do one of the following:
• Add the /Autodiscover/* path to the Exchange ActiveSync rule that you have created, and then add the Autodiscover namespace to the Public Names tab of the rule as shown. This puts both Exchange ActiveSync and the Autodiscover service on the same publishing rule.
• Run the Outlook Anywhere publishing wizard and, when complete, remove the /rpc/*, /oab/*, and other paths that are not required. Again, make sure that the Public Names tab of the rule is correct.

Apply these settings to Forefront TMG.


Creating DNS Records
In external DNS create two A records, for mail and the Autodiscover service, in the fabrikam.com DNS zone, pointing at the external IP address of the listener you configured earlier.

Configuring Authentication on the Client Access Server
As mentioned earlier, Forefront TMG will be delegating credentials to the Client Access server by using Basic authentication. So, the owa and ECP virtual directories, which use FBA by default, must be configured to support Basic authentication. You can use the EMC to open the owa and ECP virtual directories and set the authentication to Basic. Then run iisreset on each Client Access server you have changed.

Enable 2"tloo3 (ny$here on each !"bli#he) *lient (cce## #erver, #electing +a#ic a"thentication a# the *lient a"thentication metho). (&ter all change# are ma)e, r"n iisreset on each *lient (cce## #erver con&ig"re), an) then veri&y that event 5D @00/ ha# been logge) an) #ho$# the a!!ro!riate regi#try 3ey# are #et.


If this is the first time Outlook Anywhere has been enabled, several more steps are required to ensure that users outside Forefront TMG can fully use Outlook. Also, one more step is required so that Exchange ActiveSync can use the Autodiscover service. You should run these on each server in the Active Directory site you are publishing, replacing the server host name as appropriate.
a) Set the external URL for the offline address book (OAB) virtual directory. It is assumed that the OAB is already enabled for Web publishing. If it's not, see Configure Offline Address Book Distribution Properties.
Set-OABVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/OAB

b) Set the external URL for the Exchange Web Services virtual directory to https://mail.fabrikam.com/EWS/Exchange.asmx.
Set-WebServicesVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/EWS/Exchange.asmx

c) Set the external URL for the Exchange ActiveSync virtual directory to allow the Autodiscover service to provide devices with the correct value.
Set-ActiveSyncVirtualDirectory RED-CAS-1\* -ExternalUrl https://mail.fabrikam.com/Microsoft-Server-ActiveSync

d) Set the authentication property for the OAB and Exchange Web Services virtual directories to include Basic as an option if you are using Basic delegation on the publishing rule.
Set-OabVirtualDirectory RED-CAS-1\* -BasicAuthentication $true
Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication $true
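The following script is an added example, not code from the white paper. It applies the Client Access server changes described in this section (owa and ECP authentication, Outlook Anywhere, the external URLs from steps a) to d)) to every Client Access server in one Active Directory site in a single pass, and then reports any virtual directory whose authentication still does not match the delegation method chosen on the Forefront TMG rule. The site name 'Redmond' and the host name mail.fabrikam.com are assumptions taken from the walkthrough; run it in the Exchange Management Shell.

```powershell
# Added example, not part of the white paper. Site name and host name are assumptions.
$ExternalHost = 'mail.fabrikam.com'
$Delegation   = 'Basic'     # 'Basic' or 'NTLM'; must equal the delegation method on the TMG rule
$Site         = 'Redmond'   # assumed name of the Active Directory site being published

$useBasic = ($Delegation -eq 'Basic')
$useWia   = ($Delegation -eq 'NTLM')

# Only the Client Access servers in the published site
$cas = Get-ExchangeServer | Where-Object {
    ($_.ServerRole -like '*ClientAccess*') -and ($_.Site.Name -eq $Site)
}

foreach ($server in $cas) {
    $name = $server.Name

    # OWA and ECP: FBA must be off, because TMG cannot delegate to an FBA-protected
    # virtual directory; enable only the scheme the rule delegates with.
    Get-OwaVirtualDirectory -Server $name | Set-OwaVirtualDirectory `
        -FormsAuthentication $false -BasicAuthentication $useBasic -WindowsAuthentication $useWia
    Get-EcpVirtualDirectory -Server $name | Set-EcpVirtualDirectory `
        -FormsAuthentication $false -BasicAuthentication $useBasic -WindowsAuthentication $useWia

    # Outlook Anywhere with the matching client authentication method. SSL offloading
    # stays off because TMG bridges to the Client Access server over HTTPS.
    if (Get-OutlookAnywhere -Server $name -ErrorAction SilentlyContinue) {
        Get-OutlookAnywhere -Server $name | Set-OutlookAnywhere `
            -ExternalHostname $ExternalHost -ClientAuthenticationMethod $Delegation
    } else {
        Enable-OutlookAnywhere -Server $name -ExternalHostname $ExternalHost `
            -ClientAuthenticationMethod $Delegation -SSLOffloading $false
    }

    # External URLs that Autodiscover hands to Outlook Anywhere and ActiveSync clients
    Get-OabVirtualDirectory -Server $name | Set-OabVirtualDirectory -ExternalUrl "https://$ExternalHost/OAB"
    Get-WebServicesVirtualDirectory -Server $name | Set-WebServicesVirtualDirectory -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx"
    Get-ActiveSyncVirtualDirectory -Server $name | Set-ActiveSyncVirtualDirectory -ExternalUrl "https://$ExternalHost/Microsoft-Server-ActiveSync"

    # With Basic delegation, OAB and EWS must additionally accept Basic. Windows
    # authentication is left on so that internal Outlook clients keep working.
    if ($useBasic) {
        Get-OabVirtualDirectory -Server $name | Set-OabVirtualDirectory -BasicAuthentication $true
        Get-WebServicesVirtualDirectory -Server $name | Set-WebServicesVirtualDirectory -BasicAuthentication $true
    }

    iisreset $name /noforce | Out-Null   # the virtual directory changes only take effect after IIS restarts
}

# Report every published virtual directory that would make delegation fail
function Get-AuthMismatch {
    param([string[]]$Servers, [string]$Delegation)
    foreach ($name in $Servers) {
        $vdirs = @(Get-OwaVirtualDirectory -Server $name) +
                 @(Get-EcpVirtualDirectory -Server $name) +
                 @(Get-OabVirtualDirectory -Server $name) +
                 @(Get-WebServicesVirtualDirectory -Server $name)
        foreach ($v in $vdirs) {
            $hasScheme = if ($Delegation -eq 'Basic') { $v.BasicAuthentication } else { $v.WindowsAuthentication }
            # FormsAuthentication exists only on the OWA and ECP objects; $null counts as off
            if (-not $hasScheme -or $v.FormsAuthentication) {
                New-Object PSObject -Property @{
                    Server = $name; VirtualDirectory = $v.Name
                    Basic = $v.BasicAuthentication; Windows = $v.WindowsAuthentication; Forms = $v.FormsAuthentication
                }
            }
        }
    }
}

# Expected: no output once every server is configured; anything listed will produce the
# second logon prompt (or a 401 to the client) described under Matching Authentication Schemes
Get-AuthMismatch -Servers ($cas | ForEach-Object { $_.Name }) -Delegation $Delegation

# Outlook Anywhere autoconfiguration confirmation: event ID 3006 on each server
foreach ($server in $cas) {
    Get-EventLog -LogName Application -ComputerName $server.Name -Newest 200 |
        Where-Object { $_.EventID -eq 3006 -and $_.Source -like 'MSExchange*' } |
        Select-Object MachineName, TimeGenerated, Message -First 1
}
```

Get-AuthMismatch is the check worth keeping around after the deployment: run it whenever a Client Access server is added to the farm, because a single server left on FBA will intermittently break users depending on which farm member Forefront TMG sends them to.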


Testing the Configuration
Testing Outlook Web App
The first test determines whether a user connected to the Internet can log on to an Exchange 2010 mailbox using Outlook Web App through Forefront TMG.
1. Open a browser and browse to the URL Outlook Web App is published to, in this example, https://mail.fabrikam.com/OWA.

2. The 2"tloo3 eb (!! #ign9in !age i# )i#!laye). (t the &oot o& the !age, the $or)# Sec"re) by Micro#o&t %ore&ront Threat Management Gate$ay 2010 are )i#!laye), in)icating thi# &orm $a# generate) by %ore&ront TMG. @. Try to acce## an Exchange 2010 mailbox by "#ing the )omainN"#ername &ormat an) !a##$or). ,. 5& the attem!t $a# #"cce##&"l, the mailbox $ill be )i#!laye). Testing Exchange ctiveSync

The next test determines whether a mobile device is able to synchronize to an Exchange mailbox.
1. Configure a mobile device to automatically configure a profile, or manually set the server as mail.fabrikam.com and ensure the device can successfully synchronize with a mailbox.

Testing Outlook Anywhere and the Autodiscover Service

1. Using a computer outside the corporate network, open Outlook and configure a new profile. The wizard takes advantage of the Autodiscover service, and will try to connect to autodiscover.fabrikam.com (assuming the SMTP address of your test user account ends with @fabrikam.com).
2. If you receive 3 check marks in the Add New Account wizard, you have successfully configured Outlook Anywhere and proven that the Autodiscover service is correctly configured.

Troubleshooting
There are many common configuration errors made when publishing Exchange; use this list to validate and confirm your settings.

Certificates
The most common reason one or more of these clients is unable to log on, or Forefront TMG is unable to publish, is a certificate error. Check the following:
Trust
Does the client trust the issuer of the certificate on Forefront TMG? And does Forefront TMG trust the issuer of the certificate on the Client Access server?
Name Mismatch
You may receive a pop-up window because the name on the certificate does not match the name the client was expecting to see. First make sure all ExternalURL settings are correct and those names are present on the certificate. Then try to resolve the problem by reissuing the certificate with the correct names and test again.
Expiration Dates
If the certificates have expired, the client will not accept their use. Check the expiration dates and reissue the certificates, if necessary.
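The following script is an added example, not code from the white paper. It retrieves the certificate a published name actually presents and checks the three items listed above (trust, name match and expiry) from the point of view of the machine running the script. The host names are the walkthrough's assumptions; run it from an Internet client to see what the Forefront TMG listener presents, and from the Forefront TMG server to see what each farm member presents.

```powershell
# Added example, not part of the white paper. Host names are the walkthrough's assumptions.
function Test-PublishedCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [string[]]$ExpectedNames = @($HostName),
        [int]$Port = 443
    )
    # Accept whatever the server sends during the handshake; the checks are done afterwards
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Trust: build the chain against this machine's root store, as the client would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use Online when CRL/OCSP are reachable
    $trusted = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Names: the Common Name plus every DNS name in the Subject Alternative Name extension
    # (OID 2.5.29.17). Format() renders the SAN as text such as
    # "DNS Name=mail.fabrikam.com, DNS Name=autodiscover.fabrikam.com" on English Windows;
    # the label is localized on other languages.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    # A wildcard entry such as *.fabrikam.com is honoured through -like
    $missing = @($ExpectedNames | Where-Object { $n = $_; -not ($names | Where-Object { $n -like $_ }) })

    # Expiry
    $now = Get-Date
    $expired = ($now -gt $cert.NotAfter) -or ($now -lt $cert.NotBefore)

    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Trusted      = $trusted
        ChainStatus  = $chainStatus
        NamesOnCert  = ($names -join ', ')
        MissingNames = ($missing -join ', ')
        NotAfter     = $cert.NotAfter
        Expired      = $expired
        Ok           = ($trusted -and -not $expired -and $missing.Count -eq 0)
    }
}

# What the Forefront TMG listener presents to Internet clients
Test-PublishedCertificate -HostName 'mail.fabrikam.com' `
    -ExpectedNames 'mail.fabrikam.com','autodiscover.fabrikam.com','legacy.fabrikam.com'

# What a farm member presents to Forefront TMG (TMG must trust this issuer as well)
Test-PublishedCertificate -HostName 'RED-CAS-1' -ExpectedNames 'mail.fabrikam.com'
```

Trusted reflects the root store of whichever machine runs the script, which is exactly the point: the same certificate can be trusted on the Forefront TMG server and untrusted on an Internet client, and MissingNames catches the ExternalURL name that was never added to the certificate before the client reports a name mismatch.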

Matching Authentication Schemes
If Forefront TMG is configured for Basic delegation then the appropriate virtual directories on the Client Access server should be configured to support Basic authentication. Similarly, if NTLM delegation was set at Forefront TMG, Windows Integrated authentication must be enabled on the Client Access server.
DNS
Are the records for mail and Autodiscover in the correct zone, and do they have the correct IP address? The IP should resolve to the external network adapter of Forefront TMG and, more specifically, to the IP address of the listener configured on the Exchange publishing rules.
Use the Test Email AutoConfiguration tool in Outlook
Confirm that the Autodiscover service can be contacted and that the URLs returned by Autodiscover are correct. To use the tool, hold down the CTRL key, and then right-click the Outlook icon on the taskbar.

Use the Exchange Remote Connectivity Analyzer tool
If the environment is Internet-facing, see Microsoft Exchange Remote Connectivity Analyzer to test the configuration from the Internet.
Eliminate single server issues
If you are publishing a farm of Client Access servers, reduce the farm size to just one Client Access server and test again. This makes troubleshooting much easier because it's easy to determine which servers are involved in the connection attempt.


Additional Configuration Steps for Exchange 2010 and/or Outlook 2010 Users
If you are not publishing Outlook Web App in your environment but do allow the publishing of Outlook Anywhere (and possibly Exchange ActiveSync) and are using Outlook 2010, you will have to make some adjustments to the configuration to allow an Outlook 2010 user to be able to access the Exchange Control Panel (ECP). Exchange 2010 users require access to the ECP for certain configuration settings, such as voice mail and message tracking information. The ECP is accessed by using a Web browser and is invoked by a link in the Microsoft Office Backstage area of Outlook 2010 or within the properties of a message.
In Forefront TMG there are several choices, depending on the existing configuration. You can create a new listener and publishing rule for the ECP and then modify it. Or you can modify the existing listener and publishing rule you have configured for publishing Outlook Anywhere. In this scenario, it's likely that the existing listener will not be enabled for forms-based authentication because Outlook Anywhere supports only Basic or NTLM authentication at this time. The choice between these depends on several factors, but some recommendations are as follows:
• If Outlook Anywhere is already configured for Basic authentication you can either:
o Enable forms-based authentication on the same listener. The ECP will then use FBA, and Outlook Anywhere will continue to use Basic authentication. This requires you to enable Basic authentication on the /ECP virtual directory of all published Client Access servers.
o Leave Basic only enabled and accept a Basic authentication prompt when the user accesses the ECP. This requires you to enable Basic authentication on the /ECP virtual directory of all published Client Access servers.

5& 2"tloo3 (ny$here i# con&ig"re) &or NT6M yo" can either: o *ontin"e to "#e NT6M a"thentication an) D*D to the *lient (cce## #erver. Thi# reB"ire# yo" to enable in)o$# 5ntegrate) a"thentication on the -E*P virt"al )irectory o& all !"bli#he) *lient (cce## #erver#. ()) +a#ic a"thentication to the li#tener an) ex!ect "#er# to #ee a +a#ic a"thentication !o!9"! $in)o$. Thi# reB"ire# yo" to enable +a#ic a"thentication on the -E*P virt"al )irectory o& all !"bli#he) *lient (cce## #erver#.


• Add an additional Web listener to Forefront TMG, configure FBA, and then publish the ECP using your choice of delegation protocol.

In addition to the choice you make on authentication, you may also have to consider some additional factors:
• If you want to use Basic, NTLM or KCD delegation to the Client Access server, you have to disable forms-based authentication on the /ECP virtual directory on the Client Access server. If you want to offer FBA for internal users at the same time, you can either ensure their DNS requests for the ECP service resolve to Forefront TMG (if you are using a forms-based listener) or add a secondary Web site, which requires an additional IP address. Either step will enable you to use different authentication methods. For detailed instructions, see New-EcpVirtualDirectory.
• If you do not want to allow any user to access Outlook Web App, but do want to allow all users to access the ECP, you can disable Outlook Web App access per user with the Set-CASMailbox cmdlet.
• If you want to allow Outlook Web App access for internal users, but don't want to allow Outlook Web App access from outside the corporate network, then you must restrict the resources you publish to allow only those resources required by the ECP to be accessed. This is because the ECP uses the Outlook Web App authentication model and therefore uses some Outlook Web App resources to function.

To make sure only the ECP can be accessed but not Outlook Web App, the following paths must be allowed by Forefront TMG:
/ecp/*
/owa/auth/logon.aspx
/owa/auth/logoff.aspx
/owa/logoff.owa
/owa/auth.owa
/owa/languageselection.aspx
/owa/lang.owa*
/owa/14*

These paths are in addition to the following paths, which are required by Outlook Anywhere in Exchange 2010:
/rpc/*
/OAB/*
/ews/*
/AutoDiscover/*
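The following script is an added example, not code from the white paper. It is a small emulation of how the path list on a Forefront TMG web publishing rule is matched, used to confirm that the ECP-only list above admits the sign-in resources the ECP depends on but not the mailbox itself. Forefront TMG allows one trailing * wildcard per path entry; that the comparison is case-insensitive is an assumption of this emulation, and the sample request paths are constructed for the test.

```powershell
# Added example, not part of the white paper: emulate Forefront TMG path matching for
# the ECP-only path set. Case-insensitive comparison is an assumption of this emulation.

$EcpOnlyPaths = @(
    '/ecp/*',
    '/owa/auth/logon.aspx', '/owa/auth/logoff.aspx', '/owa/logoff.owa', '/owa/auth.owa',
    '/owa/languageselection.aspx', '/owa/lang.owa*', '/owa/14*',
    # Outlook Anywhere paths carried on the same rule
    '/rpc/*', '/OAB/*', '/ews/*', '/AutoDiscover/*'
)

function Test-TmgPath {
    param(
        [Parameter(Mandatory=$true)][string]$RequestPath,
        [string[]]$AllowedPaths = $EcpOnlyPaths
    )
    # Only the path is matched; the query string plays no part in TMG path matching
    $path = $RequestPath.Split('?')[0]
    foreach ($p in $AllowedPaths) {
        if ($p.EndsWith('*')) {
            # Trailing wildcard: prefix match on everything before the *
            $prefix = $p.TrimEnd('*')
            if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
        } elseif ([string]::Equals($path, $p, [System.StringComparison]::OrdinalIgnoreCase)) {
            # No wildcard: the entry must match the request path exactly
            return $true
        }
    }
    return $false
}

# Constructed sample requests and the result expected with the ECP-only list
$samples = @(
    '/ecp/',                                        # ECP entry point            -> allowed
    '/ecp/default.aspx?p=Voicemail',                # ECP page with query string -> allowed
    '/owa/auth/logon.aspx?url=https://mail.fabrikam.com/ecp/',  # sign-in form   -> allowed
    '/owa/14.1.218.15/themes/base/logon.css',       # versioned OWA resources    -> allowed via /owa/14*
    '/owa/',                                        # the mailbox itself         -> blocked (no /owa/* entry)
    '/owa/?ae=Folder&t=IPF.Note',                   # mailbox folder view        -> blocked
    '/Microsoft-Server-ActiveSync/'                 # not on this rule           -> blocked
)
$samples | ForEach-Object {
    New-Object PSObject -Property @{ Path = $_; Allowed = (Test-TmgPath -RequestPath $_) }
} | Format-Table Allowed, Path -AutoSize
```

The two blocked /owa/ rows are the point of the exercise: a rule that carries /owa/* instead of the individual files above publishes the whole mailbox to the Internet, which is exactly what this configuration is meant to prevent.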

The#e are con&ig"re) on the !"bli#hing r"le con&ig"re) #imilar to that #ho$n here.

(# #oon a# con&ig"re), $hether the li#tener "#e# &orm#9ba#e) a"thentication, +a#ic or NT6M, the E*P #ho"l) be able to be acce##e). 5t8# al$ay# im!ortant to remember that the )elegation ty!e cho#en on the !"bli#hing r"le matche# the metho) enable) on the *lient (cce## #erver a# )e#cribe) el#e$here in thi# g"i)e. Migration Considerations 5& yo" are migrating &rom an earlier ver#ion o& Exchange an) are &ollo$ing the #tan)ar) Exchange migration g"i)ance at '!gra)e to Exchange 2010 an) "#ing an a))itional Elegacy< name#!ace, #ome change# are reB"ire) in %ore&ront TMG to en#"re a #mooth migration. The exact con&ig"ration reB"ire) $ill )e!en) on the client# an) !rotocol# that are "#e). 2"tloo3 eb (!!, &or exam!le, ha# a b"ilt in Single Sign 2n :SS2; ca!ability $hen it8# )e!loye) along#i)e Micro#o&t Exchange Server 200G in the #ame (ctive Directory #ite or $hen an 2"tloo3 eb (!! reB"e#t &or a 200@ mailbox i# receive). (cce##ing a mailbox ho#te) on Exchange 200@ or Exchange 200G "#ing Exchange (ctiveSync or 2"tloo3 (ny$here can be !er&orme) thro"gh an Exchange 2010 *lient (cce## #erver. >o$ever, in #ome #cenario#, yo" may choo#e to !rovi)e acce## thro"gh an Exchange 200G *lient (cce## #erver to "#er# $ho have mailboxe# on Exchange 200G. T$o ba#ic a!!roache# can be "#e) $hen %ore&ront TMG i# being "#e) to !"bli#h Exchange. Ao" can either con&ig"re %ore&ront TMG to )irect tra&&ic to the a!!ro!riate ver#ion o& Exchange &or the "#er reB"e#ting acce##. 2r yo" can rely on @/

Exchange to either !rovi)e acce## )irectly to a )o$n level ver#ion o& Exchange or re)irect the "#er to an a!!ro!riate '76. 5n either ca#e, the #tan)ar) a!!roach i# to move the exi#ting name#!ace to Exchange 2010, an) "#e the ne$ly create) Elegacy< name#!ace to acce## earlier ver#ion# o& Exchange. Using Forefront TMG $u%!ishing Ru!es to Direct Traffic %ore&ront TMG can be con&ig"re) to a"tomatically ro"te client reB"e#t# to the correct ver#ion o& Exchange in#tea) o& "#ing the b"ilt9in Exchange SS2 logic at all. '#ing thi# a!!roach, $hich relie# on con&ig"ring gro"!# in (ctive Directory an) a##ociating tho#e gro"!# $ith #!eci&ic !"bli#hing r"le#, i# very e&&ective. >o$ever it relie# on gro"! member#hi! being 3e!t "! to )ate, $hich can be har) )"ring a migration, an) i# a&&ecte) by (ctive Directory re!lication latency. +eca"#e %ore&ront TMG i# re#!on#ible &or a"thentication to )etermine $hich !"bli#hing r"le# $ill be a!!lie), i)eally, %ore&ront TMG #ho"l) be either con&ig"re) a# a )omain member or to "#e 6D(P a"thentication again#t (ctive Directory. Using ,ative Exchange SS& Re"irection Com%ine" with Forefront TMG -istener SS& Ao" can rely on Exchange to re)irect the "#er to the correct en)!oint. There are #everal #te!# reB"ire) to con&ig"re thi# #cenario: En#"re the certi&icate# have the correct name#. *reate a eb &arm &or the legacy ver#ion o& Exchange.

*reate a !"bli#hing r"le &or the legacy ver#ion o& Exchange. *on&ig"re Exchange to !rovi)e the re)irection '76#. En#"re SS2 i# enable) on the li#tener.

In this scenario, forms-based authentication is still being performed on Forefront TMG. So forms-based authentication must be disabled on Exchange 2003, Exchange 2007, and Exchange 2010, and either Basic or Windows Integrated authentication enabled, depending on the publishing rule delegation settings. It's important to understand that using Forefront TMG in combination with Exchange to perform the SSO requires that both host names be under the same common root, for example, mail.fabrikam.com and legacy.fabrikam.com. It isn't possible to configure Forefront TMG SSO between mail.fabrikam.com and legacy.contoso.com. This is the scenario covered during this walkthrough.

Ensure Certificates Have the Correct Names
The first step in enabling SSO when you use Forefront TMG is to ensure that the certificate you are using on the Forefront TMG listener has all the names you need to support the scenario. In this example, we will add legacy.fabrikam.com to the certificate and use that FQDN to redirect users who have mailboxes on Exchange 2003 or Exchange 2007 to access their mailbox.

Create a Web Farm to Publish the Legacy Servers
As soon as the certificate is in place on Forefront TMG, adjust the properties on the listener to use the new certificate instead of the previous one, and then create a Web farm. Follow the steps that were described earlier, but use the legacy Exchange 2003 front-end servers or Exchange 2007 Client Access servers as the targets.


At this point, also make sure that the certificates on the Exchange 2003 front-end servers or Exchange 2007 Client Access servers are valid and have the correct name (legacy.fabrikam.com). It's common, and simplifies the deployment, to use the same certificate as used on the Exchange 2010 Client Access servers in your organization.

Outlook Web App Migration

On Forefront TMG, create a publishing rule for the legacy version of Exchange, using legacy.fabrikam.com as the public name clients use to connect, choosing the same listener as used for Exchange 2010, but making sure that you use the Legacy Farm you created in the previous step. Again, make sure that the delegation you select is configured on the /Exchange virtual directory on the Exchange 2003 servers in the farm and on the /owa virtual directory on the Exchange 2007 Client Access server if you are redirecting to Exchange 2007.


On Forefront TMG, make sure that SSO is enabled for the .fabrikam.com domain. This is the default.


Configure Exchange 2010 to Provide the Redirection URLs
Next, if you are migrating from Exchange 2003 to Exchange 2010, on all the Exchange 2010 Client Access servers being published, set the Exchange 2003 URL property on the owa virtual directory to match the value of the legacy FQDN and URL you are using, in this case, https://legacy.fabrikam.com/exchange.
Set-OwaVirtualDirectory RED-CAS-1\* -Exchange2003URL https://legacy.fabrikam.com/exchange

5& yo" are migrating &rom Exchange 200G to Exchange 2010, ma3e #"re that the external"rl !arameter on the Exchange 200G *lient (cce## #erver o$a virt"al )irectory i# #et correctly.
Set-OwaVirtualDirectory RED-CAS-2007\* -ExternalURL https://legacy.fabrikam.com/owa

5& yo" are migrating &rom mixe) Exchange 200@ - Exchange 200G to Exchange 2010, yo" #ho"l) &ir#t ma3e #"re that all Exchange 200@ acce## i# thro"gh the Exchange 200G *lient (cce## #erver#. Thi# i# the norm $hen migrating &rom Exchange 200@ to Exchange 200G. 5n thi# #cenario, an) $hen both the !revio"# comman)# are exec"te), Exchange 200@ "#er# $ill be re)irecte) to the -exchange virt"al )irectory on the Exchange 200G *lient (cce## #erver an) Exchange 200G "#er# $ill be re)irecte) to the -o$a virt"al )irectory on the Exchange 200G *lient (cce## #erver. Thi# allo$# all three ver#ion# o& Exchange to be acce##e) thro"gh a #ingle '76, htt!#:--mail.&abri3am.com-o$a. ,ote: 5& a "#er trie# to bro$#e to htt!#:--mail.&abri3am.com-exchange, a# $o"l) be the ca#e i& they $ere an Exchange 200@ "#er $ho ha) boo3mar3e) a !age they ha) "#e) earlier, they $ill be a"tomatically re)irecte) to htt!#:--mail.&abri3am.com-o$a an) !rovi)e) $ith a &orm to log on $ith. ,1

Ensure DNS is Correct and Test the Configuration
Ensure the A record for legacy.fabrikam.com in external DNS resolves to the same IP address as mail.fabrikam.com. Test the Exchange 2003 configuration by going to https://mail.fabrikam.com/owa, and logging in to an Exchange 2003 mailbox. You should be silently redirected to https://legacy.fabrikam.com/Exchange and automatically logged in without any prompts for credentials.

Test the Exchange 2007 configuration by going to https://mail.fabrikam.com/owa, and logging on to an Exchange 2007 mailbox. You should be silently redirected to https://legacy.fabrikam.com/owa and automatically logged in without any additional prompts for credentials.

Exchange ActiveSync Migration

Two options exist for providing access to users who have mailboxes on Exchange 2003 or Exchange 2007 and whose mailboxes have not yet been migrated to Exchange 2010. First, do nothing and allow the Exchange 2010 Client Access server to proxy the request internally to Exchange 2007 for Exchange 2007 users, or directly access the mailbox for Exchange 2003 users. In this case, all access is through Exchange 2010. It's important to plan your migration so that sufficient Exchange 2010 Client Access servers exist to provide access to all users as soon as you deploy them. Or, you can decide to publish more than one version of Exchange and rely on Exchange to redirect clients between versions as required. However, the latter approach only works for:

• Users who have mailboxes on Exchange 2007.
• Devices that are running Windows Mobile 6.1 or a later version.

• Devices that support the HTTP 451 redirect mechanism used by Exchange ActiveSync to inform the device which endpoint it should be using.

5& yo"r )e!loyment i# &airly #mall or i# bet$een Exchange 200@ an) Exchange 2010, or i& yo" cannot ma3e #"re that all )evice# #"!!ort the >TTP ,.1 re)irect, it8# recommen)e) that yo" !rovi)e acce## to all ver#ion# o& Exchange thro"gh an Exchange 2010 *lient (cce## #erver. >o$ever, i& yo" $ant to !"bli#h the Exchange 200G an) Exchange 2010 #erver# #e!arately in the #ame (ctive Directory #ite, yo" have to create a ne$ P"bli#hing 7"le in %ore&ront TMG &or Exchange (ctiveSync, "#ing the legacy.&abri3am.com ho#t name together $ith a &arm o& Exchange 200G *lient (cce## #erver# a# the target &or the r"le. Then yo" can "#e a comman), #"ch a# the &ollo$ing, to correctly #et the external '76 &or the Exchange 200G *lient (cce## #erver to the legacy val"e.
Set-ActiveSyncVirtualDirectory CAS-2007-01\* -ExternalUrl https://legacy.fabrikam.com/Microsoft-Server-ActiveSync

As soon as this command is complete, any user who has a mailbox on Exchange 2007 and whose device connects through an Exchange 2010 Client Access server should receive an HTTP 451 response from the server that includes the new URL. The device should reconfigure itself, and the user will reconnect using the newly created publishing rule in Forefront TMG. After the user's mailbox is migrated to Exchange 2010, the Exchange 2007 Client Access server will issue another HTTP 451 response, and the device will again reconfigure itself. For these reasons you must make sure that the legacy namespace is not removed before all devices are updated. Otherwise the device won't be able to reach the legacy endpoint in order to receive the redirection.

Outlook Anywhere Migration

Migrating clients who connect by using Outlook Anywhere directly to Exchange 2003 or Exchange 2007 is fairly straightforward. Just as with Exchange ActiveSync, your approach depends on the version of clients you want to support and your ability to provision all your Exchange 2010 servers at the beginning of the migration. The recommended scenario is to move the existing Outlook Anywhere endpoint your clients use to Exchange 2010 and allow the Exchange 2010 Client Access server to proxy connections back to legacy versions of Exchange when necessary. Exchange 2003, Exchange 2007 and Exchange 2010 Outlook Anywhere users can all access their mailboxes by using an Exchange 2010 Client Access server, so the simplest approach is to publish just Exchange 2010 as the Outlook Anywhere endpoint. Then, the configuration of the client doesn't have to change either at the beginning of the deployment, when the Exchange 2010 Client Access server is introduced, or later, when their mailbox is moved to an Exchange 2010 mailbox server. If you decide you must have separate namespaces for Outlook Anywhere, you have several things to consider:
• Users with mailboxes on Exchange 2010 cannot use Outlook Anywhere via an Exchange 2003 front-end server or an Exchange 2007 Client Access server, as neither of these versions of Exchange understands the RPC Client Access Service component in Exchange 2010, so they do not consider the endpoint the client is trying to reach as valid.
• Outlook 2003 does not use the Autodiscover service to update or change any configuration settings, so if a mailbox is moved between versions of Exchange and different Outlook Anywhere endpoints are used, the client profile may break and prevent access.
• Outlook 2007 clients sometimes don't correctly update the Outlook Anywhere settings following a move between two Outlook Anywhere-enabled endpoints. For example, if you were publishing Exchange 2007 and Exchange 2010 using different Outlook Anywhere host names, and a user's mailbox were moved between Exchange 2007 and Exchange 2010, the client may not correctly update the host name used by Outlook Anywhere.

The standard recommendation of moving the existing namespace to Exchange 2010 and allowing the Exchange 2010 Client Access server to provide access to all legacy versions of Exchange means very little user impact, and minimal client configuration changes. One common reason for using two namespaces for Outlook Anywhere may be to allow a pilot deployment of Exchange 2010 alongside an existing Exchange 2003 or Exchange 2007 deployment. If this is the reason for the additional namespace, it's recommended that you create a new namespace for Exchange 2010 and manually configure pilot users to use those settings if necessary, creating a new publishing rule just for Exchange 2010 Outlook Anywhere. Additionally, it's recommended that you consider deploying Exchange 2010 in a separate Active Directory site for the pilot phase of the project. This will completely avoid the possibility of the Exchange 2007 Autodiscover service returning Exchange 2010 URLs to Outlook clients. Supporting this configuration in Forefront TMG just requires additional publishing rules, with additional Web farms for each version of Exchange, the steps for which are discussed earlier in this walkthrough.

Publishing Outlook Web App, Outlook Anywhere, and Exchange ActiveSync Using Forefront UAG

In this walkthrough we will be configuring Forefront UAG to publish Exchange Server 2010 to the Internet. We will again be using forms-based authentication at Forefront UAG for Outlook Web App, and Basic authentication for Outlook Anywhere and Exchange ActiveSync, both authenticated at Forefront UAG. Forefront UAG will be publishing a farm of Client Access servers in one Active Directory site. The following diagram outlines the topology.

Server and Software Prerequisites

The following prerequisites for the configuration should already have been configured:

- Exchange 2010 deployed in one (or more) Active Directory sites.
- Forefront UAG 2010 installed on a Windows Server 2008 R2 domain-joined computer with two network interfaces: one facing the internal network, and one facing the public network. The Forefront UAG installation wizards make installing Forefront UAG simple. It's good practice to name each network adapter in the Forefront UAG server according to the network it's connected to, for example 'internal' and 'external'. This makes configuring them in Forefront UAG much easier.

Certificate Prerequisites

Just like when you configure Forefront TMG, certificates are used on the server publishing Exchange. For detailed instructions about how to plan certificates, see the TechNet Library, including White Paper: Exchange 2007 Client Access and SSL. For the purposes of this walkthrough, it's assumed the planning exercise has resulted in the following configuration:

- Split DNS is configured, that is, the same domain name exists both inside and outside the company network in DNS. The domain name used for this walkthrough is fabrikam.com.
- A host record, mail, has been created to enable Exchange to be published to the Internet. mail.fabrikam.com will be the name all clients use to reach Outlook Web App, Outlook Anywhere and Exchange ActiveSync. The certificate lists the mail.fabrikam.com name as the first name on the certificate, also known as the principal name, or the Common Name. This is important when the certificate will be used to provide Outlook Anywhere.
- A host record, AutoDiscover, has been created in external DNS to allow Outlook Anywhere and Exchange ActiveSync clients from outside the network to reach the Autodiscover service. For more information, see White Paper: Exchange 2007 Autodiscover Service. The certificate will include autodiscover.fabrikam.com as a SAN attribute on the certificate.

You should be aware that the certificate used on Forefront UAG can be from a third-party certification authority (CA) and the certificate used internally can be from a different CA, perhaps an internal, Active Directory-integrated certification authority. However, for this walkthrough, although the certificate used on Forefront UAG will be from an internal certification authority, the certificate isn't the same certificate as that used on the Client Access server. The certificate will only contain the names required by Forefront UAG to publish Exchange. Creating a certificate with just the names required by Forefront UAG avoids publishing a certificate with unnecessary FQDNs to the Internet. Whatever choices are made about the issuer of the certificates, the Forefront UAG server must trust the certification authority that issued the certificates that are used by the Client Access server it's publishing. If the certificates that the Client Access servers are using are from an internal Active Directory-integrated certification authority, and Forefront UAG is a domain member, this will usually be automatic. If Forefront UAG is not a domain member, or if the certificates were not issued from an Active Directory-integrated CA, then the certificate chain must be installed into the Forefront UAG local computer trusted root certificate store. It's also very important that the client that is trying to access Exchange through Forefront UAG trusts the CA that issued the certificate used by Forefront UAG. Notice that it's not necessary that the client trust the CA that issued the certificate installed on the Client Access server, only the certificate installed on Forefront UAG. If the SSL tunnel ends on Forefront UAG (as it must for Web publishing), the client must trust the CA that issued the certificate installed in that Forefront UAG trunk. If the Forefront UAG server then re-encrypts that traffic to Client Access servers inside another SSL tunnel, the Forefront UAG server must then trust the CA that issued the certificate installed on the Client Access server. In each case, one computer is the client, the computer requesting access to resources, and the other is the server, the computer that has the resources. The client must always trust the CA that issued the certificate used by the server in an SSL conversation. If you are using an internal CA to generate certificates then you might have to install that root certificate onto your client computer or mobile device in order to allow it to connect to Forefront UAG. If the computer is a member of the domain where the Active Directory-integrated CA was installed, this is usually automatic. If not, the client computer may have to browse to the Certificate Services Web site if there is one, or copy the root certificate from a computer that has it so that it can be trusted. It's easy to check whether a computer or device trusts the certificate installed on the server. Just use a browser to connect to a published service on that server. If a certificate warning appears with just the first of the three checks performed shown as failing, the certificate is untrusted.

If you are working in Outlook Web App, you can just click Yes as shown in the screenshot to continue. Outlook Anywhere and Exchange ActiveSync clients do not usually provide this option and so will not connect. If you see this warning, you should resolve it before you try to continue.

Configuration Steps

There are multiple steps required to configure Forefront UAG to publish Exchange 2010. The following steps are included in this walkthrough document:

- Creating and installing the SSL certificate onto the Forefront UAG server
- Deciding to use a portal to access Outlook Web App
- Creating a portal trunk and publishing the first application
- Publishing additional applications
- Testing the configuration

Creating and Installing the SSL Certificate on the Forefront UAG Server

Forefront UAG requires a certificate be used to secure communications with clients. The client configuration requires that the certificate be created with the names mail.fabrikam.com and autodiscover.fabrikam.com. The certificate request can be generated anywhere and then imported to Forefront UAG. In this walkthrough we use the certificate wizard in Exchange to generate the certificate on a Client Access server inside the network, then export it to a file, copy it to Forefront UAG, and then install it to the local computer certificate store on Forefront UAG. The certificate wizard in Exchange makes it very easy to put the names on the certificate correctly. The wizard can be used to generate certificate requests for either internal or third-party CAs.

Creating the Certificate Request

1. By using either the Exchange Management Shell or the Exchange Management Console, you can create a certificate request for a certificate with the names mail.fabrikam.com and autodiscover.fabrikam.com.

Using the Exchange Management Shell:

Set-Content -Path "C:\mail_fabrikam_com" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=Washington, l=Redmond, o=Fabrikam, ou=IT, cn=mail.fabrikam.com" -DomainName mail.fabrikam.com, autodiscover.fabrikam.com -PrivateKeyExportable $True)

NOTE: The use of 'PrivateKeyExportable' is essential to allow the certificate to be exported from the Client Access server and imported to another computer. Safe handling of certificates that contain private key material, such as those generated by using this process, is important to ensure they are not misused.

2. Use the resulting request file to request a Web Server certificate at the CA you have chosen to use.

3. When you receive the resulting file from the CA, right-click the pending certificate request in the EMC, and then select 'Complete Pending Request'. Or, you can use the Import-ExchangeCertificate cmdlet, specifying the file that the CA provided to complete the request.

NOTE: At this point, it's important not to assign this certificate to any Exchange services because this certificate will be used on Forefront UAG, not on the Client Access server.

4. Right-click the certificate in the EMC or use the Export-ExchangeCertificate cmdlet to export the certificate to a .pfx file, specifying a password as required.

5. Transfer the resulting .pfx file to the Forefront UAG server.

6. On the Forefront UAG server, open a blank MMC by clicking Start and then Run. In the Open box, type mmc, and then click OK.

7. Click File, Add/Remove Snap-in and add the Certificates snap-in. When you are prompted for the choice of management location, select Computer account, click Finish and then OK.

8. Expand the Certificates (Local Computer) node, and then click Personal.

9. Right-click the Personal container, and then select All Tasks > Import.

10. Use the wizard to locate and import the file that you transferred from the Client Access server. You may have to change the file type the wizard searches for from *.cer to *.pfx.

11. As soon as the certificate is imported, double-click the certificate to ensure that it opens, is trusted to the root, and shows that you have the private key for the certificate.

12. Now you can choose to remove the certificate from the Client Access server if you no longer need it. Leaving a certificate there, with its private key, when it isn't used by Exchange, won't do any harm. But, if that certificate is accidentally assigned to services or taken and used elsewhere, it could cause problems.

Deciding to Use a Portal

Forefront UAG offers two ways to publish a Web-based application such as Outlook Web App to the Internet: either directly, where the user experience resembles that in Forefront TMG or when the user connects directly to the Client Access server, or by using the Forefront UAG portal application, where the user logs on to the Forefront UAG portal, and then clicks an additional button to open Outlook Web App. The decision whether to use a portal or not depends on your plans for Forefront UAG and whether you plan to publish additional applications using Forefront UAG. If you only intend to publish Outlook Web App you may choose not to use a portal, and just present users with forms-based authentication at Forefront UAG and their mailbox once they authenticate. If you think you may later decide to publish additional applications through Forefront UAG, such as SharePoint, creating a portal will enable the user to log on once to the portal and then open other applications within that portal, therefore taking advantage of the SSO capabilities built into Forefront UAG.
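The check that step 11 of the certificate procedure above asks you to do by hand (private key present, trusted to the root, correct names) can be scripted on the Forefront UAG server. The following is an added example, not code from the white paper or from Forefront UAG; it assumes the two host names used in this walkthrough and a PowerShell 2.0 session on the UAG server.

```powershell
# Added example (not part of the white paper): confirm that the certificate imported into
# the Forefront UAG local computer store in steps 10 and 11 is usable by the trunk.
# Run on the Forefront UAG server. The host names are the walkthrough's; change them to yours.
param(
    [string[]]$RequiredNames = @('mail.fabrikam.com', 'autodiscover.fabrikam.com')
)

function Get-CertificateDnsNames {
    # Returns the lower-cased DNS names in the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -ne $null) {
        # Format($false) renders the extension as "DNS Name=a, DNS Name=b" on an English system.
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $names += $matches[1].Trim().ToLower() }
        }
    }
    return ,$names
}

function Test-UagTrunkCertificate {
    # Checks one certificate the way step 11 does: private key present, chain builds to a
    # trusted root, not expired, and every name the trunk publishes is covered.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Names
    )
    $problems = @()
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key: import the .pfx (exported with PrivateKeyExportable), not a .cer'
    }
    if ($Certificate.NotAfter -lt (Get-Date)) {
        $problems += ('expired on ' + $Certificate.NotAfter.ToString('u'))
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; revocation is a separate check
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) {
            $problems += ('chain: ' + $status.StatusInformation.Trim())
        }
    }
    $commonName = $Certificate.GetNameInfo('SimpleName', $false).ToLower()
    $covered = @($commonName) + @(Get-CertificateDnsNames -Certificate $Certificate)
    foreach ($name in $Names) {
        if ($covered -notcontains $name.ToLower()) { $problems += ('missing name: ' + $name) }
    }
    # Outlook Anywhere needs the public host name to be the first name (the Common Name).
    if ($commonName -ne $Names[0].ToLower()) {
        $problems += ('common name is ' + $commonName + ', expected ' + $Names[0])
    }
    return New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        NotAfter   = $Certificate.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Look at every certificate in the Personal store whose subject carries the public host name.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($RequiredNames[0])) })
if ($candidates.Count -eq 0) {
    Write-Warning ('No certificate for ' + $RequiredNames[0] + ' found in Cert:\LocalMachine\My')
}
foreach ($cert in $candidates) {
    Test-UagTrunkCertificate -Certificate $cert -Names $RequiredNames |
        Format-List Thumbprint, Subject, Issuer, NotAfter, Usable, Problems
}
```

A certificate that reports Usable = False with a "chain:" problem is the "untrusted" case described earlier: install the issuing CA's chain into the UAG computer's trusted root store and run the script again.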

.0

This walkthrough will detail the direct publishing option, where no portal is first accessed. Only Outlook Web App is visibly affected when a portal is used; both Outlook Anywhere and Exchange ActiveSync always use Basic or NTLM (Outlook Anywhere only) authentication to Forefront UAG and bypass the portal.

Configuring Authentication and Authorization Servers

The first step is telling Forefront UAG which servers to use for authentication and authorization.

1. Open the Forefront UAG management console, click the Admin menu, and then select Authentication and Authorization Servers.

2. In the resulting dialog box, click Add.

3. Leave the default choice of Active Directory selected, enter a value for the Server name field that represents the authentication source, click Use local Active Directory forest authentication, and enter the base DN in Active Directory where Forefront UAG will look for user objects. To include an entire domain, use something similar to DC=FABRIKAM,DC=COM, and then select the Include subfolders check box. Finally, enter the details of a user account that has access to Active Directory. It's recommended that this user's password be set to not expire and that this account be treated as a special security case, not subject to the usual password expiration policies.

4. As soon as it is complete, click OK and, assuming you received no errors, close the Authentication and Authorization Servers dialog box.

Creating a Trunk and Publishing Your First Application

The next task in Forefront UAG to complete is creating a trunk and publishing an application. We will publish Outlook Web App only during this walkthrough.

1. In the Forefront UAG management console, right-click HTTPS connections and select New Trunk.

2. Click Next at the first page of the Create Trunk Wizard.

3. Select Portal Trunk as the trunk type and check the box stating that you will be publishing Exchange applications via the portal. The wording for this check box suggests we will be using a portal to access Exchange. However, configuring Forefront UAG using this wizard will result in an Outlook Web App user directly accessing Outlook Web App without first logging in to a portal.

4. Enter a name for your trunk. You cannot use spaces or any non-alphanumeric characters. Enter the public host name of the portal, mail.fabrikam.com in our example, and make sure that the IP address the trunk will listen to requests on is correct, that is, the external network interface of Forefront UAG.

5. Click Next, and on Step 3 - Authentication, click Add and select the entry that you created earlier.

6. On Step 4 - Certificate, make sure the certificate that you installed earlier is selected, and then click Next.

7. On Step 5 - Endpoint Security, if you have already deployed Network Access Protection (NAP) policies on your network, you may select them here or else leave the default of Use Forefront UAG access policies, and then click Next. Be aware that Endpoint Security policies only apply to Web browser clients and not to clients like Outlook Anywhere or Exchange ActiveSync.

8. On Step 6 - Endpoint Policies, leave the defaults for now and then click Next.

9. On Step 7 - Select Exchange Services, select Exchange Server 2010, and check the box next to Outlook Web Access only. It's recommended that you do not select all the check boxes to select all the Exchange services. The load-balancing method configured when publishing a farm in this manner is not optimal for Exchange. Therefore, it's recommended that you publish Outlook Web App first and return to the wizard for Outlook Anywhere and Exchange ActiveSync following that.

10. On Step 8 - Configure Application, enter an Application name, Exchange 2010 OWA in our example.

11. On Step 9 - Select Endpoint Policies, leave the default options, and then click Next.

12. On Step 10 - Deploying an Application, click Configure a farm of application servers, and then click Next.

13. On Step 11 - Load-Balanced Web Servers, enter the FQDNs of the Client Access servers you will be publishing, and then change the Balance request by setting by clicking Cookie-based affinity. (When you run the wizard for Outlook Anywhere and Exchange ActiveSync, click IP-based affinity.) In the Paths field, you should review and remove paths you do not require.

14. On Step 12 - Configure Connectivity Verifiers, choose the type of verifier you wish to use. For the purposes of this walkthrough, and for simplicity, we have chosen to use Establish a TCP session, which simply tests to see if the server responds to requests on TCP 443, and marks the server as active if it does. Forefront UAG uses the underlying Forefront TMG health monitoring features, so all configuration choices you make here are visible in the Forefront TMG management console, in the Monitoring, Connectivity Verifiers section of the console. As Forefront TMG is used for connectivity verification, much of the detail provided earlier in this document in the Forefront TMG Web farm section applies, with the notable difference that Forefront UAG does not create Web Farm objects in TMG. Refer to the earlier section for additional information and information about configuration choices.

15. Click Next, and on Step 13 - Authentication, click Add to add the authorization servers that you previously configured to the list. The lower option buttons determine how Forefront UAG will authenticate to the Client Access server. The default 401 request means Forefront UAG will use Basic authentication to the Client Access server. Therefore the Client Access server must have Basic enabled on the /owa virtual directory.

16. On Step 14 - Portal Link, the default settings will create icons in the portal for Outlook Web App access, if a portal is used. Also, if the lower check box is selected, the portal will open Outlook Web App in a new window when it is accessed. Click Next.

17. On Step 15 - Exchange Application Authorization, you can leave the default, which enables all authenticated users to access Exchange. This only means that they can try to access Outlook Web App. Any Outlook Web App policies you created in Exchange still apply, including OWAEnabled set to false. Or, you can restrict who can access Outlook Web App at Forefront UAG by selecting from a list of groups or even restrict access down to the user level by adding individual users to this list.

18. Click Finish on the final page of the wizard to return to the management console.

19. Click the Save icon to save the configuration. Click the Activate icon to back up the existing configuration and activate this new configuration.

20. If you chose 401 request on Step 13, use the EMC to open the properties of the owa and ECP virtual directories for each Client Access server being published, set the authentication to Basic, and then run iisreset on each Client Access server you have changed.

Now you can test that client access to Outlook Web App works from a client connected to the same network as the external interface of Forefront UAG. When a client first browses to the URL you are publishing, https://mail.fabrikam.com/owa in our example, the first action is for Forefront UAG to download to the client the Endpoint Component Manager. This allows Forefront UAG to perform inspection of the client computer to make sure it meets the policies specified for the portal. The user should accept the default options the different dialog boxes present and, when complete, they will see the Outlook Web App sign-in page.

After Outlook Web App is working, we can add Outlook Anywhere and Exchange ActiveSync to the configuration. If you cannot open Outlook Web App now, review the troubleshooting steps later in this document, then return to complete the Outlook Anywhere and Exchange ActiveSync configuration.

1. Open the Forefront UAG management console, and navigate to the properties of the trunk you previously created.

2. In the Applications section of the page, click Add to open the Welcome to the Add Application Wizard dialog box, and then click Next. In the Web list, click Microsoft Exchange Server (all versions).

3. On Step 2 - Select Exchange Services, in the Exchange versions list, click Microsoft Exchange Server 2010, and then select the Outlook Anywhere (RPC over HTTP) and Exchange ActiveSync check boxes. If you view the configuration later and decide you want more control over individual settings for Outlook Anywhere and Exchange ActiveSync, you can run this wizard once for each protocol. We keep them together in this walkthrough because, most of the time, when Outlook Anywhere and Exchange ActiveSync use the same authentication scheme, the settings for both are compatible.

4. On Step 3 - Configure Application, select a descriptive name for the application.

5. On Step 4 - Select Endpoint Policies, leave the defaults for now, and then click Next.

6. On Step 5 - Deploying an Application, select Configure a farm of application servers.

7. On Step 6 - Load-Balanced Web Servers, enter the FQDNs of the servers in the Client Access server array you are publishing.

8. On Step 7 - Configure Connectivity Verifiers, click Establish a TCP connection for the reasons described earlier.

9. On Step 8 - Authentication, select the authorization source you have previously configured.

10. Accept the warning message, which effectively states that Outlook Anywhere and Exchange ActiveSync clients cannot use forms-based authentication or the portal and so will use Basic or NTLM authentication.

11. On Step 9 - Outlook Anywhere, notice that the default Public Host Name values have been completed. Click Use Basic authentication to change the default Outlook Anywhere Authentication option for both services so that Forefront UAG can delegate credentials to the Client Access server correctly.

12. On the Authorization page of the wizard, either leave the default of allowing all users to connect or click to restrict the service to specific groups or users. Again, as with Outlook Web App, any options set within Exchange by using the Set-CASMailbox cmdlet will still apply.

13. Click Finish on the wizard completion page.

14. Viewing the management console, you will now see the additional application entries the wizard has created. Autodiscover and EWS have been put into rules separate from Outlook Anywhere and EAS.

When you have activated the configuration, the next step is to configure Exchange to correctly allow Basic authentication to be used against the different virtual directories required for Outlook Anywhere and Exchange ActiveSync.

15. Enable Outlook Anywhere on each published Client Access server, clicking Basic authentication as the Client authentication method. After all changes are made, run iisreset and confirm that event ID 3006 is logged, showing that the appropriate registry keys have been set.

If this is the first time Outlook Anywhere has been enabled, several more steps are required to ensure users outside Forefront UAG can fully use Outlook. Also, one more step is required so that Exchange ActiveSync can use the Autodiscover service. You should run these on each server in the Active Directory site you are publishing, replacing the server host name as appropriate.

a) Set the external URL for the offline address book (OAB) virtual directory. It is assumed that the OAB is already enabled for Web publishing. If it's not, see Configure Offline Address Book Distribution Properties.

Set-OABVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/OAB

b) Set the external URL for the Exchange Web Services (EWS) virtual directory to https://mail.fabrikam.com/EWS/Exchange.asmx.

Set-WebServicesVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/EWS/Exchange.asmx

c) Set the external URL for the Exchange ActiveSync virtual directory to allow the Autodiscover service to provide devices with the correct value.

Set-ActiveSyncVirtualDirectory RED-CAS-1\* -ExternalURL https://mail.fabrikam.com/Microsoft-Server-ActiveSync

d) Set the authentication property for the OAB and EWS virtual directories to include Basic as an option if you are using Basic authentication.

Set-OABVirtualDirectory RED-CAS-1\* -BasicAuthentication $true

Set-WebServicesVirtualDirectory RED-CAS-1\* -BasicAuthentication $true
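Repeating steps a) to d) by hand on every Client Access server in the site is error-prone, and a server that is missed will hand clients the wrong URLs through Autodiscover. The script below is an added example, not code from the white paper; it applies those steps, together with the Basic authentication that step 15 and the earlier "401 request" choice require on Outlook Anywhere, /owa and /ecp, to every Exchange 2010 Client Access server in one site and then reads the settings back. The site name 'Redmond' is an assumption; the host name is the walkthrough's.

```powershell
# Added example (not part of the white paper): apply step 15 a) to d), plus the Basic
# authentication that steps 13 and 20 require on /owa and /ecp, to every Exchange 2010 Client
# Access server in one Active Directory site, then read the settings back for review.
# Run from the Exchange Management Shell. The site name is an assumption; the host name is
# the one used throughout this walkthrough.
param(
    [string]$SiteName = 'Redmond',                # assumed name of the AD site being published
    [string]$PublicName = 'mail.fabrikam.com',    # public host name the trunk listens on
    [switch]$ReportOnly                           # show current settings, change nothing
)

function Set-PublishedCasSettings {
    # Applies the walkthrough's settings to one Client Access server.
    param([string]$Server, [string]$PublicName)
    $base = 'https://' + $PublicName
    # a) OAB, b) EWS and c) Exchange ActiveSync external URLs; Autodiscover hands these to clients.
    Set-OabVirtualDirectory "$Server\*" -ExternalUrl "$base/OAB" -BasicAuthentication $true
    Set-WebServicesVirtualDirectory "$Server\*" -ExternalUrl "$base/EWS/Exchange.asmx" -BasicAuthentication $true
    Set-ActiveSyncVirtualDirectory "$Server\*" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    # Forefront UAG presents the form itself and sends Basic (the "401 request" option) to the
    # Client Access server, so forms-based authentication must be off on /owa and /ecp.
    Set-OwaVirtualDirectory "$Server\*" -BasicAuthentication $true -FormsAuthentication $false
    Set-EcpVirtualDirectory "$Server\*" -BasicAuthentication $true -FormsAuthentication $false
    # Outlook Anywhere: enable it the first time, otherwise bring the existing settings in line.
    $oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
    if ($oa -eq $null) {
        Enable-OutlookAnywhere -Server $Server -ExternalHostname $PublicName `
            -ClientAuthenticationMethod Basic -SSLOffloading $false
    } else {
        $oa | Set-OutlookAnywhere -ExternalHostname $PublicName -ClientAuthenticationMethod Basic
    }
}

function Get-PublishedCasReport {
    # Reads back what a client will be given, so the change can be checked before iisreset.
    param([string]$Server)
    $oab = @(Get-OabVirtualDirectory -Server $Server)[0]
    $ews = @(Get-WebServicesVirtualDirectory -Server $Server)[0]
    $eas = @(Get-ActiveSyncVirtualDirectory -Server $Server)[0]
    $owa = @(Get-OwaVirtualDirectory -Server $Server)[0]
    $oa  = @(Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue)[0]
    New-Object PSObject -Property @{
        Server    = $Server
        OabUrl    = "$($oab.ExternalUrl)"
        OabBasic  = $oab.BasicAuthentication
        EwsUrl    = "$($ews.ExternalUrl)"
        EwsBasic  = $ews.BasicAuthentication
        EasUrl    = "$($eas.ExternalUrl)"
        OwaBasic  = $owa.BasicAuthentication
        OwaFba    = $owa.FormsAuthentication
        OaEnabled = ($oa -ne $null)
        OaAuth    = $(if ($oa -ne $null) { $oa.ClientAuthenticationMethod } else { 'n/a' })
    }
}

# Only Exchange 2010 (major version 14) Client Access servers in the published site.
$servers = @(Get-ExchangeServer | Where-Object {
    $_.IsClientAccessServer -and $_.AdminDisplayVersion.Major -eq 14 -and $_.Site.Name -eq $SiteName
})
if ($servers.Count -eq 0) { throw "No Exchange 2010 Client Access servers found in site '$SiteName'" }

foreach ($srv in $servers) {
    if (-not $ReportOnly) { Set-PublishedCasSettings -Server $srv.Name -PublicName $PublicName }
}
$servers | ForEach-Object { Get-PublishedCasReport -Server $_.Name } |
    Format-Table Server, OabUrl, OabBasic, EwsUrl, EwsBasic, EasUrl, OwaBasic, OwaFba, OaEnabled, OaAuth -AutoSize

if (-not $ReportOnly) {
    Write-Host 'Now run iisreset on each server listed and check for event ID 3006 (Outlook Anywhere settings applied).'
}
```

Run it first with -ReportOnly to see what each server currently advertises; a server whose OwaFba column is still True is the one that will return a form instead of a 401 to Forefront UAG.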

16. At this point you should test this configuration to make sure it works as expected. From an Outlook 2007 or Outlook 2010 client on the external network, first make sure that an A record for autodiscover.fabrikam.com exists in DNS, then make sure that Outlook Anywhere is enabled on the Client Access server in the site you are publishing and that all relevant URLs are correct, and then try to create a new Outlook profile. It's very important to ensure that the Autodiscover service works correctly for an Outlook client because the Autodiscover service provides Outlook with the location of the different Web services it requires for usual operation, such as Out of Office settings and offline address book downloads.

17. If Outlook Anywhere works, try to connect by using a mobile device, either with the Autodiscover service configuring the profile or manually, by entering the server name (mail.fabrikam.com in this example).

Additional Configuration Steps for Exchange 2010 and/or Outlook 2010 Users

If you are not publishing Outlook Web App in your environment but do allow the publishing of Outlook Anywhere (and possibly Exchange ActiveSync) and are using Outlook 2010, you will have to make some adjustments to the configuration to allow an Outlook 2010 user to be able to access the Exchange Control Panel (ECP). Exchange 2010 users require access to the ECP for certain configuration settings, such as voice mail and message tracking information. The ECP is accessed by using a Web browser and is invoked by a link in the Microsoft Office Backstage area of Outlook 2010 or within the properties of a message. In Forefront UAG, the recommendation is to publish a new application to the portal in the trunk by using Outlook Web App as the application, and then to modify that configuration to allow the ECP to be accessed. This approach is used to ensure that the URL-analysis logic built in to Forefront UAG is correctly configured. You should also consider the following factors:

- If you want to use Basic, NTLM or KCD to authenticate to the Client Access server, this requires you to disable forms-based authentication on the /ECP virtual directory on the Client Access server. If you want to offer FBA for internal users at the same time, you can either make sure their DNS requests for the ECP service resolve to Forefront UAG or add a secondary Web site. This allows you to use different authentication methods on each and requires an additional IP address. For more information, see New-EcpVirtualDirectory.
- If you do not want to allow any user to access Outlook Web App, but do want to allow all users to access the ECP, you can disable Outlook Web App access per user by using the Set-CasMailbox cmdlet.
- If you want to allow Outlook Web App access for internal users, but not allow Outlook Web App access from outside the corporate network, you must restrict the resources that you publish to allow access to only those resources that are required by the ECP. This is because the ECP uses the Outlook Web App authentication model and uses some Outlook Web App resources to function.

To ensure that only the ECP can be accessed via a Forefront UAG application rule, but not Outlook Web App, run the Add Application wizard, selecting Exchange Server 2010 as the generic application and Outlook Web App as the specific application to publish. On Step 6 - Load-Balanced Web Servers, edit the Paths list to ensure that only the following paths are allowed by Forefront UAG, to allow access to the ECP but not Outlook Web App:

/ecp
/owa/auth/logon.aspx
/owa/auth/logoff.aspx
/owa/logoff.owa
/owa/auth.owa
/owa/languageselection.aspx
/owa/lang.owa*
/owa/14*

Remove any other paths added by the wizard, such as /owa and /exchange.

One additional step may be required if the trunk is only used for Outlook Anywhere publishing. Changing the setting for the initial internal application that is used by the trunk will make sure that the ECP is opened when the user logs on, not a portal containing one application, the ECP. To do this, in the Initial Internal Application list, click the Application Name you previously created, ECP 2010 in the example shown.

When the user takes the link to the ECP, the usual endpoint detection checks run. Then, they will be presented with the Outlook Web App-style sign-in form. When they log in, the ECP should be displayed.

Troubleshooting Forefront UAG

There are many common configuration errors made when publishing Exchange. Use this list to validate and confirm your settings.

Certificates

The most common reason one or more of these clients is unable to log on, or Forefront UAG is unable to publish, is because of a certificate error. Check the following:

Trust
Does the client trust the issuer of the certificate on Forefront UAG? And does Forefront UAG trust the issuer of the certificate on the Client Access server? If you receive a certificate warning message because the certificate is not trusted, resolve the problem by making sure the client possesses the relevant root certificate and test again.

Name Mismatch
If you receive a warning message because the name on the certificate does not match the name the client was expecting to see, resolve the problem by reissuing the certificate with the correct names and test again.

Expiration Dates
If the certificates have expired, the client will not accept their use. Check the expiration dates and reissue the certificates if necessary.

Matching Authentication Schemes
If Forefront UAG is configured for Basic (or 401 in Forefront UAG terminology), the appropriate virtual directories on the Client Access server should be configured to support Basic authentication.

DNS
Are the A records for mail and autodiscover in the correct zone? And do they have the correct IP address? The IP should resolve to the external network adapter of Forefront TMG and, more specifically, to the IP address of the listener configured on the Exchange publishing rules.

The Test E-mail AutoConfiguration tool
Use this Outlook tool to confirm that the Autodiscover service can be contacted and that the URLs it returns are correct. To use the tool, hold down the CTRL key, and then right-click the Outlook icon on the taskbar.
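The Trust, Name Mismatch, Expiration Dates and DNS checks above can be run from a client on the external network as one script, so the result is recorded rather than read off a browser warning. This is an added example and not part of the white paper; the two host names are the walkthrough's, and the expected listener address is a constructed placeholder to replace with the trunk's external IP.

```powershell
# Added example (not part of the white paper): the certificate and DNS checks from the
# troubleshooting list, run from a client on the external network. The names are the
# walkthrough's; the expected listener address is a constructed placeholder.
param(
    [string[]]$Names = @('mail.fabrikam.com', 'autodiscover.fabrikam.com'),
    [string]$ExpectedIP = '203.0.113.10',   # placeholder: external IP the trunk listens on
    [int]$Port = 443
)

function Test-PublishedEndpoint {
    # Resolves one published name, then completes a TLS handshake to it and reports what the
    # client's own certificate validation concluded: trust, name match and expiry.
    param([string]$Name, [string]$ExpectedIP, [int]$Port)
    $r = New-Object PSObject -Property @{
        Name = $Name; ResolvedTo = ''; DnsMatches = $false; Trusted = $false
        NameMatches = $false; Expires = $null; Issuer = ''; Error = ''
    }
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
        $r.ResolvedTo = ($addresses -join ', ')
        $r.DnsMatches = ($addresses -contains $ExpectedIP)
    } catch {
        $r.Error = 'DNS: ' + $_.Exception.Message
        return $r
    }
    # The callback records the policy errors and returns $true so the handshake completes and
    # the server certificate can be read; nothing is sent over the connection afterwards.
    $global:UagPolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $global:UagPolicyErrors = $errors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Name, $Port)
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($Name)   # the name given here is what NameMatches is judged against
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $errors = $global:UagPolicyErrors
        if ($errors -eq $null) {
            $r.Error = 'validation callback was not invoked'
        } else {
            $chainErr = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
            $nameErr  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
            $r.Trusted     = (($errors -band $chainErr) -eq 0)   # issuer chain reaches a trusted root
            $r.NameMatches = (($errors -band $nameErr) -eq 0)    # CN or SAN covers the name requested
        }
        $r.Expires = $cert.NotAfter
        $r.Issuer  = $cert.Issuer
        if ($cert.NotAfter -lt (Get-Date)) { $r.Error = 'certificate has expired' }
        $ssl.Close()
    } catch {
        $r.Error = 'TLS: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $r
}

$Names | ForEach-Object { Test-PublishedEndpoint -Name $_ -ExpectedIP $ExpectedIP -Port $Port } |
    Format-Table Name, ResolvedTo, DnsMatches, Trusted, NameMatches, Expires, Issuer, Error -AutoSize
```

Trusted = False with an Issuer from your internal CA means the client is missing that root certificate, the case described under Trust; NameMatches = False for autodiscover.fabrikam.com means the SAN was left off the trunk certificate.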

Use the Exchange Remote Connectivity Analyzer tool
If the environment is Internet facing, see Microsoft Exchange Remote Connectivity Analyzer to test the configuration from the Internet.

Eliminate single server issues
If you are publishing a farm of Client Access servers, reduce the farm size to just one Client Access server and test again. This makes troubleshooting much easier because it's easy to determine which servers are involved in the connection attempt.

Use the Forefront UAG Web Monitor tool
You can use this tool to view the state of each member of the farm and look for error messages in the event log.

Check whether Forefront UAG is blocking URLs or content within URLs
If you see a message similar to "you have tried to access a restricted URL", try the following approaches to narrow the problem down:

Use the Forefront UAG Web Monitor
Look for events that relate to the problem and that indicate the rule or filter that is blocking the content by using the Forefront UAG Web Monitor (http://localhost:50000 on the Forefront UAG server).

Bypass URL set-checking for a particular application
This will narrow down the source of the issue. You can disable URL set-checking per application by clicking Evaluate with enforcement on the Web Settings tab of the application being published.

Migration Considerations

If you are migrating from an earlier version of Exchange and are following the standard Exchange migration guidance at Upgrade to Exchange 2010, and are using an additional legacy namespace, some changes are required in Forefront UAG to ensure a smooth migration. The exact configuration that is required will depend on the clients and protocols in use. Outlook Web App, for example, has a built-in Single Sign On (SSO) capability when you deploy it alongside Exchange 2007 in the same Active Directory site, or when an Outlook Web App request for a 2003 mailbox is received. Accessing a mailbox hosted on Exchange 2003 or Exchange 2007 using Exchange ActiveSync or Outlook Anywhere can be performed through an Exchange 2010 Client Access server, although in some scenarios, you may choose to provide access through an Exchange 2007 Client Access server to users who have mailboxes on Exchange 2007. It's fairly simple in Forefront UAG to support the Exchange SSO functionality for Outlook Web App within the context of one trunk. However, it's not possible to publish multiple versions of Exchange ActiveSync or Outlook Anywhere through one trunk. Therefore, it's recommended that you provide access to legacy clients using Outlook Anywhere or Exchange ActiveSync through Exchange 2010. It's important to understand that at a basic level, the standard approach is to move the existing external namespace to point to Exchange 2010, and use the newly created 'legacy' namespace to access earlier versions of Outlook Web App. All access to Exchange ActiveSync and Outlook Anywhere will be through the existing namespace, and Exchange 2010.

Using Native Exchange SSO Redirection

There are several steps required to configure this scenario:

1. En#"re that the certi&icate# have the correct name#. 2. *reate a ne$ a!!lication &or !"bli#hing the legacy ver#ion o& Exchange. @. *on&ig"re Exchange to !rovi)e the re)irection '76#. 5n thi# #cenario, &orm#9ba#e) a"thentication i# #till being !er&orme) on %ore&ront '(G. There&ore, &orm#9ba#e) a"thentication on both Exchange 200@-Exchange 200G an) Exchange 2010 m"#t be )i#able), an) either +a#ic or in)o$# 5ntegrate) m"#t be enable), )e!en)ing on the )elegation #etting#, or %ore&ront '(G m"#t be con&ig"re) to )elegate &orm#9ba#e) a"thentication a# )i#c"##e) earlier in thi# )oc"ment. 5t8# im!ortant to "n)er#tan) that "#ing the b"ilt in %ore&ront '(G metho) o& SS2 reB"ire# both ver#ion# o& Exchange be !"bli#he) on the #ame tr"n3. Ensure Certificates .ave the Correct ,ames The &ir#t #te! in enabling SS2 $hen "#ing %ore&ront '(G i# to en#"re that the certi&icate yo" are "#ing on the %ore&ront '(G tr"n3 ha# all the name# yo" m"#t have to #"!!ort the #cenario. 5n thi# exam!le, $e $ill a)) legacy.&abri3am.com to the certi&icate, an) "#e that %IDN to re)irect "#er# $ho have mailboxe# on Exchange 200@ or Exchange 200G to acce## their mailbox.

Add a New Application to Publish the Legacy Version of Exchange
In order to enable the legacy version of Exchange to be accessed through Forefront UAG, it must be added to the portal with the new host name, and must be configured to publish the legacy Exchange Client Access server or front-end servers.
1. In the Applications section of the trunk you previously created, click Add to add the new application, and then click Next at the Welcome screen.
2. In the Web list, click Microsoft Exchange Server (all versions).
3. On Step 1 – Select Exchange Services, in the Exchange version list, click Microsoft Exchange Server 2007, whether you are publishing Exchange 2007 or Exchange 2003. If you select Exchange 2003, you will not be able to select a different host name (legacy) later in the wizard. Notice how the ability to select multiple Exchange services is unavailable when publishing legacy versions of Exchange.

4. On Step 2 – Configure Application, name the application.
5. On Step 3 – Select Endpoint Policies, click Next.
6. On Step 4 – Deploying an Application, click Configure a farm of application servers, and then click Next.
7. On Step 5 – Load-Balanced Web Servers, enter the FQDNs of the Exchange 2003 or Exchange 2007 servers that you are publishing. In the Public host name box, change the default value to "legacy" (or the name you are using for the legacy version of Exchange when accessed from outside the network).
8. On Step 6 – Configure Connectivity Verifiers, select Establish a TCP connection, and then click Next.
9. On Step 7 – Authentication, select the authentication server source that you previously defined, and then click Next.
10. On Step 8 – Portal Link, leave the defaults, and then click Next.
11. On Step 9 – Authorization, again leave the defaults (or change them if you choose to), and then click Next.
12. Finish the wizard, and you will be returned to the Forefront UAG console.
13. Click the Activate Configuration button, and back up the configuration when you are prompted to do so.

Configure Exchange 2010 to Provide the Redirection URLs
Next, if you are migrating from Exchange 2003 to Exchange 2010, on all the Exchange 2010 Client Access servers being published, set the Exchange2003URL property on the owa virtual directory to match the value of the legacy URL you are using, in this case https://legacy.fabrikam.com/exchange.
Set-OWAVirtualDirectory RED-CAS-1\* -Exchange2003URL https://legacy.fabrikam.com/exchange

If you are migrating from Exchange 2007 to Exchange 2010, make sure that the ExternalUrl parameter on the Exchange 2007 Client Access server OWA virtual directory is set correctly.
Set-OWAVirtualDirectory RED-CAS-2007\* -ExternalURL https://legacy.fabrikam.com/owa

If you are migrating from a mixed Exchange 2003 and Exchange 2007 environment to Exchange 2010, you should first make sure that all Exchange 2003 access is through the Exchange 2007 Client Access servers. This is the norm when you migrate from Exchange 2003 to Exchange 2007. In this scenario, and when both the previous commands are executed, Exchange 2003 users will be redirected to the /exchange virtual directory on the Exchange 2007 Client Access server and Exchange 2007 users will be redirected to the /owa virtual directory on the Exchange 2007 Client Access server. This allows all three versions of Exchange to be accessed through a single URL, https://mail.fabrikam.com/owa.
Note: If a user tries to browse to https://mail.fabrikam.com/exchange, as would be the case for an Exchange 2003 user who had bookmarked the page they previously used, they will be automatically redirected to https://mail.fabrikam.com/owa and provided with a form they can use to log in.

Configure Authentication

On all the Exchange 2003 and Exchange 2007 front-end or Client Access servers being published by the new application, you should disable forms-based authentication and enable Basic authentication to enable Forefront UAG to delegate credentials correctly. On Exchange 2003, you disable forms-based authentication by navigating to the Administrative Group, Servers, Servername, Protocols, HTTP, Exchange Virtual Server object, then selecting Properties and clearing the check box. Basic authentication is enabled by default, so no changes other than running iisreset are necessary.

On Exchange 2007 Client Access servers, you can disable forms-based authentication and enable Basic authentication by changing the properties of the four relevant virtual directories, either in the Exchange Management Console or the Exchange Management Shell.

The change from FBA to Basic authentication must be completed on the owa, Exchange, Exchweb, and Public virtual directories. After making these changes you must run iisreset.

Ensure DNS Is Correct and Test the Configuration
Ensure that the A record for legacy.fabrikam.com in external DNS resolves to the same IP address as mail.fabrikam.com. Test the 2007 configuration by navigating to https://mail.fabrikam.com/owa and logging on to an Exchange 2007 mailbox. You should be silently redirected to https://legacy.fabrikam.com/owa and automatically logged on without additional prompts for credentials, although you will likely be prompted to accept the new FQDN of the portal as trusted.

Test the Exchange 2003 configuration by navigating to https://mail.fabrikam.com/exchange or https://mail.fabrikam.com/owa, and then logging on to an Exchange 2003 mailbox. You should be silently redirected to https://legacy.fabrikam.com/Exchange and automatically logged in without prompts for credentials.
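The following script is an added verification aid, not part of the white paper: it checks the three prerequisites the steps above depend on, namely that legacy.fabrikam.com resolves to the same address as mail.fabrikam.com, that the certificate the trunk actually serves carries the legacy FQDN, and that the OWA virtual directories show the redirection URLs and Basic rather than forms-based authentication. It assumes the paper's fabrikam.com names, a trunk listening on port 443, and, for the last check only, an Exchange Management Shell session.

```powershell
# Added example, not from the white paper. Verifies the migration prerequisites above:
# legacy.fabrikam.com resolves like mail.fabrikam.com, the trunk certificate carries the
# legacy FQDN, and the OWA virtual directories have the redirection URLs and Basic (not
# forms-based) authentication. Assumes the paper's fabrikam.com names and port 443.
$PublicName = 'mail.fabrikam.com'
$LegacyName = 'legacy.fabrikam.com'

function Resolve-Addresses([string]$Name) {
    # System.Net.Dns also works on Windows Server 2008 R2, which has no Resolve-DnsName cmdlet
    @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } | Sort-Object)
}

function Test-DnsParity {
    # "Ensure DNS Is Correct": the legacy A record must point at the same trunk IP as the public name
    $public = Resolve-Addresses $PublicName
    $legacy = Resolve-Addresses $LegacyName
    New-Object PSObject -Property @{
        Check  = 'DNS parity'
        Passed = (($public -join ',') -eq ($legacy -join ','))
        Detail = "$PublicName -> $($public -join ','); $LegacyName -> $($legacy -join ',')"
    }
}

function Get-CertificateDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every DNS name in the subjectAltName extension (OID 2.5.29.17)
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names | Sort-Object -Unique
}

function Test-TrunkCertificate {
    # "Ensure Certificates Have the Correct Names": read the certificate the trunk actually presents.
    # The validation callback returns $true only so the certificate can be inspected; nothing is trusted here.
    $tcp = New-Object System.Net.Sockets.TcpClient($PublicName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($PublicName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
    $names = Get-CertificateDnsNames $cert
    New-Object PSObject -Property @{
        Check  = 'Certificate names'
        Passed = ($names -contains $LegacyName)
        Detail = "Subject $($cert.Subject); DNS names: $($names -join ', ')"
    }
}

function Get-OwaRedirectionReport {
    # "Configure Exchange 2010 to Provide the Redirection URLs" and "Configure Authentication":
    # one row per OWA virtual directory; requires the Exchange Management Shell
    Get-OwaVirtualDirectory | Select-Object Server, Name, Exchange2003Url, ExternalUrl, FormsAuthentication, BasicAuthentication
}

Test-DnsParity
Test-TrunkCertificate
if (Get-Command Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) { Get-OwaRedirectionReport | Format-Table -AutoSize }
```

A legacy server in the report that still shows FormsAuthentication as True is one that will not accept the credentials Forefront UAG delegates.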

If you access Exchange 2003 through an Exchange 2007 Client Access server and, when you log on to Exchange 2003, are redirected and logged on but see issues with the images within the session, as shown, you should take one additional step.

In the Forefront UAG management console, open the OWA 2003/7 application and navigate to the Web Settings tab. Check the box for Evaluate without enforcement, under the Verify URLs check box, then click OK and apply the configuration to Forefront UAG. You should then be able to access Exchange 2003 mailboxes through Exchange 2007 without any issues.

This issue occurs because the built-in URL filtering mechanism Forefront UAG uses for OWA 2007 does not apply correctly when an Exchange 2003 mailbox is accessed through an Exchange 2007 Client Access server.

Exchange ActiveSync Migration

As previously discussed, when publishing Exchange using Forefront UAG and migrating from legacy versions of Exchange to Exchange 2010, it's generally recommended that you provide all access to Exchange ActiveSync clients through Exchange 2010. It's not possible to publish more than one application providing Exchange ActiveSync within the same trunk.

However, you may decide, perhaps for pilot and testing reasons, that you do have to publish multiple versions of Exchange ActiveSync through Forefront UAG at the same time. Of course, you can do this if you create a new trunk, with a new IP address, certificate, and so on, and configure the application appropriately. Just follow the steps described earlier in this walkthrough to create a new trunk and publish a new application.

Outlook Anywhere Migration

As previously discussed, when publishing Exchange by using Forefront UAG and migrating from legacy versions of Exchange to Exchange 2010, it's generally recommended that you provide all access to Outlook Anywhere clients through Exchange 2010. It's not possible to publish more than one application providing Outlook Anywhere within the same trunk. However, you may decide, perhaps for pilot and testing reasons, that you do have to publish multiple versions of Outlook Anywhere through Forefront UAG at the same time. Of course, you can do this if you create a new trunk, with a new IP address, certificate, and so on, and configure the application appropriately. Just follow the steps described earlier in this walkthrough to create a new trunk and publish a new application. Remember that the recommended scenario for the migration itself is to just move the existing Outlook Anywhere endpoint that your clients use to Exchange 2010, and allow Exchange 2010 Client Access servers to proxy connections back to legacy versions of Exchange when needed. Exchange 2003, Exchange 2007, and Exchange 2010 users can access their mailboxes by using Exchange 2010 Client Access servers. Therefore, the simplest approach is to publish just Exchange 2010 as the Outlook Anywhere endpoint, because the configuration of the client does not have to change, either at the beginning of the deployment when the Exchange 2010 Client Access server is introduced or when their mailbox is moved to an Exchange 2010 Mailbox server. If you decide, for whatever reason, that you have to have separate namespaces for Outlook Anywhere, consider the following:
- Users who have mailboxes on Exchange Server 2010 cannot use Outlook Anywhere through an Exchange 2003 front-end server or an Exchange 2007 Client Access server, because neither of these versions of Exchange understands the RPC Client Access Service component in Exchange 2010, and so they do not consider the endpoint the client is trying to reach as valid.
- Outlook 2003 does not use the Autodiscover service to update or change any configuration settings. So, if a mailbox is moved between versions of Exchange and different Outlook Anywhere endpoints are used, the client profile will break and prevent access.
- Outlook 2007 clients sometimes cannot correctly update the Outlook Anywhere settings following a move between two Outlook Anywhere-enabled endpoints. For example, if you were publishing Exchange 2007 and Exchange 2010 by using different Outlook Anywhere host names, and a user's mailbox were moved between Exchange 2007 and Exchange 2010, the client may not correctly update the host name used by Outlook Anywhere.

The standard recommendation of moving the existing namespace to Exchange 2010 and allowing Exchange 2010 Client Access servers to access all legacy versions of Exchange means very little user impact and minimal client configuration changes.

Appendix
Using Alternative Authorization and Access Providers
If you decide not to join Forefront TMG/Forefront UAG to your Active Directory but you still want to pre-authenticate users, you have to choose some other form of authorization source to enable Forefront TMG/Forefront UAG to determine whether the user should be able to access the resource. It's recommended that you join Forefront UAG to the Active Directory and place it behind another firewall. Therefore, using Active Directory domain membership and authentication is recommended. Forefront TMG and Forefront UAG offer multiple choices when you are choosing an authorization source. But from an Exchange perspective, because of the way Exchange is highly integrated into Active Directory, using Active Directory as the final authorization source is essential. There are different ways to enable Forefront TMG/Forefront UAG to access Active Directory: directly through Active Directory membership, through LDAP, and through RADIUS. But it should also be noted that when Forefront TMG and Forefront UAG are not domain joined, some scenarios, most notably certificate-based authentication and the use of KCD, are not possible. This guide covers using Forefront TMG and LDAP to access Active Directory. If you want to use RADIUS, RSA SecurID, or RADIUS OTP on Forefront TMG, or else use one of the other methods available in Forefront UAG, please refer to the appropriate online documentation.

LDAP Authentication

If you decide not to join Forefront TMG or Forefront UAG to your Active Directory, using LDAP authentication is fairly easy to configure and enables Forefront TMG/Forefront UAG not only to allow or deny access based on username/passwords, but also to take advantage of Active Directory groups in publishing/access rules. Using RADIUS as an authentication source does not allow group memberships to be used in publishing rule restrictions.

Configuring Active Directory as an LDAP Source in Forefront TMG

Configuring Forefront TMG to use LDAP authentication is performed on a per-listener basis. Each listener you configure has settings for the Client Authentication Method (the settings a client uses to authenticate to Forefront TMG) and an Authentication Validation Method (how Forefront TMG will validate the credentials).

In the example shown, the client will authenticate to the listener using a form, or Basic authentication if the client does not support forms, as with Exchange ActiveSync or Outlook Anywhere; Forefront TMG will then use LDAP against Active Directory to validate the credentials. Clicking Configure Validation Servers lets you configure the LDAP and RADIUS servers Forefront TMG will use.

The LDAP Server Set dialog lets you specify a group of domain controllers to use for authentication. Solely for reasons of security, it's recommended that you use LDAPS, which requires the domain controller to have a certificate with its own FQDN specified on an installed certificate. The Forefront TMG wizards state this is a requirement for password changes. This was true for earlier versions of Exchange, but is no longer the case, as the Client Access server itself handles the password changes from inside the Outlook Web App application.

The Login Expression settings refer to the way Forefront TMG will match logon attempts to LDAP Server Sets. For example, if you were publishing two Exchange organizations using Forefront TMG, which is possible when using LDAP authentication, you could send the authorization request a user makes to two different DCs, based on the domain they specified when they tried to log on: Contoso\alias requests going to one DC/GC and Fabrikam\alias going to another. You can also do the same with UPN logins, using an expression such as *@fabrikam.com. If you have a single Active Directory and are using LDAP, we recommend that you set the Login Expression to *. This means that the logon will be sent in the format in which it's received by Forefront TMG, that is, UPN logins are sent as UPNs, and domain\alias logins are sent as domain\alias.

As soon as they are configured, authentication should work exactly as if Forefront TMG were using Active Directory directly as a domain member.

Using Groups in Publishing Rules
Using a group from Active Directory to restrict who can access a publishing rule is easy to do. From the Users tab of the publishing rule, click Add, New, and then give your group a meaningful name.

Click Add, and then select LDAP.

Select the LDAP Server Set that you created when you set up the LDAP source, and then specify the name of the group, the exact display name as shown in Active Directory. If you do not match the name exactly you will receive an error at the next step.

Click OK and provide credentials to access Active Directory. The group will be validated and will populate the dialog list.

Click Next and Finish, and the new group is complete. Then select the group, click Add, and the changes to the rule are complete.

Remove any unnecessary groups from the list and apply the changes to Forefront TMG.
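As an added example that is not part of the white paper, the function below exercises what a non-domain-joined Forefront TMG does against an LDAP Server Set, and what the group restriction above relies on: an LDAPS connection to a domain controller, a simple bind with the credentials in the form the user typed them (domain\alias or UPN, as a * login expression passes them through), a check that the DC certificate carries the DC's own FQDN, and a memberOf lookup of the kind that backs a group in a publishing rule. The DC name dc1.fabrikam.com, the base DN and the group name 'OWA Users' are assumptions.

```powershell
# Added example, not from the white paper. Emulates the LDAP validation a non-domain-joined
# Forefront TMG performs: LDAPS to a DC, simple bind with the user's own credentials, DC
# certificate name check, then a memberOf lookup for a publishing-rule group.
# Assumed names: dc1.fabrikam.com, DC=fabrikam,DC=com, group 'OWA Users'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsAuthentication {
    param(
        [string]$DomainController = 'dc1.fabrikam.com',
        [string]$BaseDn = 'DC=fabrikam,DC=com',
        [string]$RequiredGroup = 'OWA Users',
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential   # domain\alias or UPN, as TMG receives it
    )
    $server = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $server, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # a simple bind sends the password; only do it inside TLS
    # The paper's LDAPS prerequisite: the DC certificate must carry the DC's own FQDN (CN or SAN)
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $names = @($cert.GetNameInfo('DnsName', $false))
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
        return ($names -contains $DomainController)
    }.GetNewClosure()
    try {
        $conn.Bind()   # a wrong password or a rejected DC certificate both surface here
        # The bound user's sAMAccountName, whichever of the two login formats was used
        $alias = $Credential.UserName.Split('\')[-1].Split('@')[0]
        # Escape LDAP filter metacharacters so a typed username cannot alter the query
        $alias = $alias -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $search = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, "(&(objectCategory=person)(sAMAccountName=$alias))",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('memberOf'))
        $entry  = @($conn.SendRequest($search).Entries)[0]
        $groups = @()
        if ($entry -and $entry.Attributes.Contains('memberOf')) { $groups = @($entry.Attributes['memberOf'].GetValues([string])) }
        # Group check mirrors the display-name match TMG makes; RADIUS gives TMG no such data
        New-Object PSObject -Property @{
            Authenticated = $true
            InGroup       = [bool]($groups | Where-Object { $_ -like "CN=$RequiredGroup,*" })
            Groups        = $groups
            Error         = $null
        }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        New-Object PSObject -Property @{ Authenticated = $false; InGroup = $false; Groups = @(); Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}
# Usage: Test-LdapsAuthentication -Credential (Get-Credential 'fabrikam\alias')
```

An Authenticated = False result with an "LDAP server is unavailable" message while the password is known to be good usually means the certificate callback rejected the DC, which is the same failure a TMG LDAPS server set would show.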

Additional Information
For more information about Exchange Server, see the following resources:
- Microsoft Exchange Server 2010
- Exchange Server 2010: Exchange 2010 Help
- Unified Communications Certificate Partners for Exchange Server and for Communications Server

For more information about Forefront UAG, see the following resources:
- Forefront Unified Access Gateway 2010
- Forefront Unified Access Gateway (UAG)

For more information about Forefront TMG, see the following resources:
- Forefront Threat Management Gateway 2010
- Forefront Threat Management Gateway (TMG) 2010

Legal Notice
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2010 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows Mobile, Windows Server, Active Directory, ActiveSync, Forefront, Outlook, and SharePoint are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.