Windows Thread, [Windows7/Server 2008R2/Exchange 2010/IIS/Forefront TMG] Internal OWA website blocked in Technical
Working in a test environment prior to deployment. 1 x Windows 7 client, 3 x Windows Server 2008R2 Servers (2 virtual), Exchange Server 2010/3, Forefront TMG 2010/SP1, Forefront Security for Exchange Server.
I am trying to access the Exchange Web OWA website but I am having mixed results.
For the purpose of this test, everything is in the AD domain xyz.school except Forefront (and edge transport), which is in a non-AD workgroup.
All DNS is name.xyz.school, so:
office1.xyz.school - Windows 7 client - 192.168.3.101
griffin.xyz.school - Server 2008R2, AD DC and RRAS LAN routing - 192.168.3.1, 192.168.2.1
leo.xyz.school - Virtual 2008R2, Exchange Server and OWA on IIS - 192.168.2.21
eagle.xyz.school - Virtual 2008R2, Workgroup - Forefront TMG, Exchange EdgeServer, Forefront Security for Exchange Server - 192.168.2.11
On the Windows 7 client:
https://leo/owa - works but gets a certificate error - the certificate is for LEO.abc.school. Cannot see any logs in Forefront TMG.
https://leo.xyz.school/owa - times out. TMG indicates the SSL tunnel is blocked by the default rule. Everything looks fine in TMG. Domains set up, even exemption of the domain from malware and SSL inspection.
https://192.168.2.21/owa - times out. Again, the SSL tunnel is blocked as above.
The SSL denied message is:
Log type: Web Proxy (forward)
Status: 12202 Forefront TMG denied the specified Uniform Resource Locator (URL)
Protocol: SSL tunnel
On griffin AS server
On eagle Forefront TMG
No access via any method. Blocked by 'branchcache - advertise' rule!!!
On leo Exchange server
Seems to work as expected - "seems" because I have scripts blocked in IE so cannot use OWA; otherwise, access is neither logged in TMG nor denied.
If it weren't for the fact that this should work, I would probably set up an SSL tunnel allow rule. But I think there is an underlying problem, especially since, when accessing from the Windows 7 client via the NetBIOS name, it works.
My guess is something to do with certificates, but I scratch my head over these. Prior to moving eagle (edge transport / Forefront) to a workgroup, it was part of the AD domain and it worked fine. Just decided fairly late in the day that, due to a change in ISP, it would be better to move edge transport out of the AD domain. leo and eagle were built largely from scratch - full reinstall of the OS and rollback to an earlier snapshot.
Not sure if adding an Exchange web client access rule in TMG will help, since I had this in an earlier build and I was still having problems. But it has worked when eagle was part of the AD domain.
It's been a while since I put the fix in place, but IIRC I needed to add the internal web sites for access through TMG using the FQDN - I think that using the NetBIOS name, TMG was bypassed so there was no issue. Set up a computer group of 'Internal Web Servers' in TMG and gave HTTP/HTTPS access to this group from all protected networks.
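As an added troubleshooting check (example code, not from the original thread), the following PowerShell, run from the Windows 7 client, tests the three URL forms the post lists for name resolution, TCP 443 with a timeout, and the certificate actually presented, so the name mismatch (certificate for LEO.abc.school vs leo.xyz.school) shows up separately from a TMG block. It uses raw sockets rather than the IE proxy settings, so a time-out here points at routing or a firewall between the client and leo rather than at a TMG web proxy rule; hostnames and IPs are the ones given in the thread.

```powershell
# Added example for the OWA scenario above (not from the original post).
# Targets are the three forms the OP tried from the Windows 7 client (office1).
$targets = 'leo', 'leo.xyz.school', '192.168.2.21'

function Test-OwaEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)

    $result = New-Object PSObject -Property @{
        Target = $HostName; Resolved = $null; TcpOpen = $false
        CertSubject = $null; CertSans = $null; NameMatches = $false; Error = $null
    }
    try {
        # 1. Resolution: shows which address each name form maps to (NetBIOS vs DNS)
        $result.Resolved = ([System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }) -join ','

        # 2. TCP 443 with a timeout; a device silently dropping the connection shows as a time-out
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ar = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $tcp.EndConnect($ar)
        $result.TcpOpen = $true

        # 3. TLS handshake; the callback accepts the cert so it can be inspected,
        #    and records whether the name matched (the certificate error the OP saw)
        $script:policyErrors = $null
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors; return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $cert.Subject
        # Subject Alternative Name extension (OID 2.5.29.17), if the cert has one
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $result.CertSans = $san.Format($false) }
        $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $result.NameMatches = ([int]($script:policyErrors -band $mismatch) -eq 0)
        $ssl.Dispose(); $tcp.Close()
    } catch { $result.Error = $_.Exception.Message }
    return $result
}

$targets | ForEach-Object { Test-OwaEndpoint $_ } |
    Format-List Target, Resolved, TcpOpen, CertSubject, CertSans, NameMatches, Error
```

If TcpOpen is true for https://leo/owa but false for the FQDN and IP forms while all three resolve to 192.168.2.21, the difference is not the server but the path the request takes, which matches the OP's point that the NetBIOS form bypasses TMG.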