Publishing Exchange 2013 OWA using Threat Management Gateway 2010 (TMG)

It still makes me sad that TMG has been retired and superseded with UAG (URGH!). That’s a whole other blog post though.

One thing that is not explained when publishing Exchange 2013 OWA with TMG is the security settings. Recently, I have been deploying a multi-tenancy solution involving single sign-on between SharePoint 2013, Exchange 2013 and Remote Desktop Gateway. One of the issues is that many of these products have issues with TMG 2010 out of the box and require slight tweaking.

Today I will focus on Exchange 2013.

Go through the default wizard in TMG 2010 for publishing Exchange 2010 OWA (Web Access). You want to make sure that the Authentication Delegation is set to Basic authentication.


On your Exchange server, log in to the admin centre (ECP) and go to Servers -> Virtual Directories. Select the OWA virtual directory and change the authentication to Basic.


You should also do this with your ECP virtual directory.

If you don’t set these virtual directories, you will need to log in twice: after TMG authenticates you, it sends you on to the OWA login page. Not a good look.
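The same change from the Exchange Management Shell, as an added example that is not from the original post: it switches both the OWA and ECP virtual directories to Basic authentication and reads the settings back so you can confirm that TMG's Basic delegation will be accepted. The server name is a placeholder.

```powershell
# Added example (not from the original post). $server is a placeholder CAS name.
$server = 'EX2013-CAS1'

# OWA and ECP must use the same authentication settings, so change both.
Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory -BasicAuthentication $true `
                            -WindowsAuthentication $false `
                            -FormsAuthentication $false

Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -BasicAuthentication $true `
                            -WindowsAuthentication $false `
                            -FormsAuthentication $false

# Read back and check: expect Basic = True, Forms = False, Windows = False on both.
$owa = Get-OwaVirtualDirectory -Server $server
$ecp = Get-EcpVirtualDirectory -Server $server
$owa, $ecp | Format-Table Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication -AutoSize

if ($owa.BasicAuthentication -and -not $owa.FormsAuthentication -and
    $ecp.BasicAuthentication -and -not $ecp.FormsAuthentication) {
    Write-Host 'OWA and ECP are set for Basic auth; run "iisreset /noforce" to apply.'
} else {
    Write-Warning 'OWA/ECP authentication is not Basic on both directories; TMG users will see a second logon.'
}
```

Basic authentication carries the user's password in every request, so the leg from TMG to the Exchange server must stay on HTTPS.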

I also suggest reading the following link about setting the log off page in TMG.

Veeam Backup & Replication 6.5 Patch3 Released

Veeam Backup & Replication 6.5 Patch3 has been released and includes a number of fixes.

URL: http://www.veeam.com/kb_articles.html/kb1751

Resolved Issues

General
• Application-aware image processing may cause Windows Server 2012 Domain Controller to stop booting if virtual machine is configured to use EFI.
• File level recovery process hangs on dynamic disks with partition sizes that are a multiple of 4GB.
• Re-IP fails for replicas if the host where the replica VM was originally created is deleted from the cluster.
• Disabled ability to move folders in the Files tree with Shift + drag and drop operation because this functionality was not implemented and may result in data loss if the move process is cancelled.

VMware
• Adding virtual disks that were originally excluded back to the job results in wrong change ID used during the first incremental backup.
• Upgrading vCenter or ESX(i) hosts may result in duplicate hosts appearing under Managed Servers, causing jobs to fail with object not found errors.
• VM Copy job always logs the following warning when the target is another VMFS datastore: "Could not perform threshold check for backup location."
• Deleting temporary VM snapshot manually instead of letting the job delete it results in vCenter connection duplication. As a result, vCenter Server may stop responding due to too many connections already opened, with the following error: 503 Service Unavailable
• Under certain circumstances, additional registry processing required for SureBackup jobs and re-IP addressing may cause registry corruption, with the VM failing to boot with the following error: "System hive error" or "Windows could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM"
• If vCenter Server is registered with Backup Infrastructure twice (as vCenter Server, and as a Windows server), replica seeding and backup mapping fails with the following error: "Cannot find VM in the backup file specified for seeding."
• Improved performance of enumerating infrastructure objects in large vSphere deployments.

Hyper-V
• Changed block tracking (CBT) driver does not monitor newly appearing virtual disks on volumes that were in redirected access mode at the time when CBT driver starts. This results in full scan incremental runs for the affected virtual disks with the following warning: "Failed to flush change tracking data before snapshot."
• Adding virtual disk files located on volumes mounted into a folder under changed block tracking fails with the following error: "The device object parameter is either not a valid device object or is not attached to the volume specified by the file name."
• Instant VM Recovery fails if virtual disk files are located on a mount point.
• Copying very large files from Windows Server 2012 CSV volume may consume lots of host memory.
• Under rare circumstances, backup file update may fail with the following error: "Failed to store all blob data at the metastore."

Veeam Explorer for Exchange
• Exporting a very large amount of individual items may use up all available system memory.
• Opening certain mailbox databases may fail with the "Jet error -1206" error when Veeam Backup & Replication is installed on Windows 8 or Windows Server 2012.
• Restoring emails that were sent using Outlook Web Access (OWA) fails with the following error: "Error code: ErrorItemSavePropertyError".

PowerShell
• Start-VBRInstantVMRecovery cmdlet fails with the following error: "Cannot complete login due to an incorrect user name or password."

Exchange 2013 Outlook Anywhere (RPC) Settings

I’ve been having some issues with the default RTM install of Exchange 2013. I’ve not been able to get clients to connect via Outlook Anywhere (RPC over HTTPS).

Here is the output of the Exchange Connectivity Test:

Attempting to ping RPC proxy mail.contoso.co.nz.
RPC Proxy can't be pinged.
Additional Details
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.

The first thing Microsoft looked at was the settings on the Outlook Anywhere provider. They were as follows:

(get-outlookanywhere)

ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Negotiate
IISAuthenticationMethods : {Negotiate}

These are the default install settings. They are, however, incorrect. The settings should be as follows:

(set-outlookanywhere)

ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : NTLM
IISAuthenticationMethods : {basic, ntlm, negotiate}

Your Outlook providers also need their certificate principal name set correctly. By default they are set as follows:

(get-outlookprovider)

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1

This needs to be set to your certificate name (assuming you are using a trusted SSL cert). In our case we were using a wildcard certificate.

(set-outlookprovider)

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                        msstd:*.contoso.co.nz         1
EXPR                                                        msstd:*.contoso.co.nz         1
WEB                                                                                       1
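The Outlook Anywhere and Outlook provider changes above applied from the Exchange Management Shell, as an added example that is not from the original post. It shows the RTM defaults, applies the working settings, sets the certificate principal name on EXCH and EXPR only, and checks the result. The server name and certificate subject are placeholders.

```powershell
# Added example (not from the original post). Placeholders: CAS name and cert subject.
$server   = 'EX2013-CAS1'
$certName = 'msstd:*.contoso.co.nz'   # wildcard certificate subject, as in the post

# Show the RTM defaults first (Negotiate everywhere, no Basic/NTLM in IIS).
Get-OutlookAnywhere -Server $server |
    Format-List ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod, IISAuthenticationMethods

# Apply the settings that worked in the post.
Get-OutlookAnywhere -Server $server |
    Set-OutlookAnywhere -ExternalClientAuthenticationMethod Negotiate `
                        -InternalClientAuthenticationMethod NTLM `
                        -IISAuthenticationMethods Basic, NTLM, Negotiate

# Set the certificate principal name on EXCH and EXPR; WEB stays empty, as in the post.
foreach ($p in 'EXCH', 'EXPR') {
    Set-OutlookProvider -Identity $p -CertPrincipalName $certName
}

# Verify the IIS authentication methods. Outlook refuses the RPC proxy when the
# certificate it presents does not match CertPrincipalName, so a typo in
# $certName reproduces a connection failure.
$oa   = Get-OutlookAnywhere -Server $server
$have = $oa.IISAuthenticationMethods | ForEach-Object { "$_" }
$missing = @('Basic', 'Ntlm', 'Negotiate') | Where-Object { $have -notcontains $_ }
if ($missing) { Write-Warning "IIS auth methods still missing: $($missing -join ', ')" }
else          { Write-Host "IIS auth methods OK: $($have -join ', ')" }

Get-OutlookProvider | Format-Table Name, CertPrincipalName -AutoSize
```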

We have installed CU1 for Exchange 2013 and found it set the same settings. I’m not sure why the default authentication is not being set correctly when installing for the first time.