Publishing Exchange 2013 OWA using Threat Management Gateway 2010 (TMG)

It still makes me sad that TMG has been retired and superseded with UAG (URGH!). That’s a whole other blog post though.

One thing that is not explained with publishing Exchange 2013 OWA with TMG is the security settings. Recently, I have been deploying an multi-tenancy solution involving single signon between Sharepoint 2013, Exchange 2013 and Remote Desktop Gateway. One of the issues is many of these products have issues with TMG 2010 out of the box, and require slight tweaking.

Today I will focus on Exchange 2013.

Go through the default wizard in TMG 2010 for publishing Exchange 2010 OWA (Web Access). You want to make sure that the Authentication Delegation is set to basic.


On your Exchange server, login in to the admin centre (ECP) and go to servers->virtual directories. Select the OWA virtual directory and change the authentication to basic.


You should also do this with your ECP virtual directory.

If you don’t set these virtual directories, you will need to login twice. When TMG authenticates, it will send you to the OWA login. Not a good look.

I also suggest reading the following link about setting the log off page in TMG.

One thought on “Publishing Exchange 2013 OWA using Threat Management Gateway 2010 (TMG)”

  1. Hi guys,

    I am facing an issue with the OWA login page.

    From External login in I will require to login twice (First at TMG 2010, Second will be OWA 2013 interface)

    From Internal login I will require to login once only (OWA 2013 interface)

    I understand that I would need to put the same Authentication so External would only type in password once.

    I tried putting both to basic, External manage to work as in user only require to login once, but the Internal no longer showing OWA interface, only the authentication box for username and password. Management mention that it is require to having the interface on Internal login as well.

    My Aim:
    1.External only login once, with TMG interface / OWA interface
    2.Internal with OWA interface

    Currently I am putting the authentication as TMG (Basic), CAS (DomainUsername)

    Any ideas where can I start to check?

    Thanks and Regards,

Leave a Reply