Tuesday, July 17, 2012

TMG 2010: Login To OWA Without Domain

Some companies simplify the process of logging in to Outlook Web App (OWA), for instance by redirecting from HTTP to HTTPS, which is very convenient for users because they don't need to remember to key in the "S" when they want to access OWA.

Another example is allowing users to log in without the domain name (domain\username). When a company has different internal and external domain names, it would not want users to get confused about them, so it decides to use only the username as the login name.

The steps above are easy to configure on the Exchange CAS server, but if you have a TMG server in place, you will need to configure them on the TMG server rather than on the CAS server.

Navigate to C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange, look for a file named "string" and open it. (It is strongly recommended to back up the file before you start modifying it.)

Inside the string file, locate the line _UserName_Text="Domain\user_name:"

Remove domain\ so that it reads _UserName_Text="user_name:"

Save the file and reboot the TMG server; you should now be able to log in without entering the domain.


Remember to perform the same steps on every member if you have an array of TMG servers.
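The edit and the backup above, scripted across an array, as an added example that is not part of the original post. The array member hostnames, the admin-share path and the exact file name (the post calls it "string") are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post: back up and edit the OWA form
# template label on every member of a TMG array. Hostnames, the UNC admin
# share path and the exact file name are assumptions.
$ArrayMembers = @('TMG01', 'TMG02')   # assumed array member hostnames
$FileName     = 'strings.txt'         # the post calls this file "string"; check the name on your server
$RelPath      = 'Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange'
$OldLabel     = '_UserName_Text="Domain\\user_name:"'   # regex, so the backslash is escaped
$NewLabel     = '_UserName_Text="user_name:"'

foreach ($Server in $ArrayMembers) {
    $Path = "\\$Server\C`$\$RelPath\$FileName"
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "${Server}: file not found at $Path"
        continue
    }

    # Timestamped backup before any change, as the post recommends
    $Backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $Path -Destination $Backup

    $Lines = Get-Content -Path $Path
    if (-not ($Lines -match $OldLabel)) {
        Write-Warning "${Server}: expected label not found (already modified?), file left untouched"
        continue
    }

    # Replace only the label line; every other line is written back unchanged.
    # Set-Content writes ANSI by default; add -Encoding if the original file uses another encoding.
    $Lines -replace $OldLabel, $NewLabel | Set-Content -Path $Path
    Write-Output "${Server}: label updated, backup kept at $Backup"
}
# Reboot each TMG server afterwards, as the post says, for the change to take effect.
```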

Wednesday, June 27, 2012

iTunes Store Finally Arrives Malaysia

Finally, after years of waiting, the iTunes Store officially arrived in Malaysia today, together with other Asian countries.

But unlike some countries such as Taiwan, the currency used by the iTunes Store Malaysia is USD instead of Ringgit Malaysia, which also means we need to pay an extra conversion charge based on the exchange rate of the day.

As for pricing, let's take an example from one of my favourite artists, David Tao's previous album. It is selling at USD9.99, which is around RM31.9, at the iTunes Store. The price is still considered reasonable, as the physical music album (CD) would cost around RM40-RM50 here in Malaysia.

I know that buying music/movies from iTunes is very normal, especially in the US, but for the rest of the countries like ours this is still a pretty new experience and it will take some time for us to adopt it. Anyway, I'm really happy that Apple has finally expanded this to other countries.


Tuesday, May 29, 2012

Redirect Outlook From Direct Server Connection To CAS Array


Microsoft has always advised customers to configure a CAS Array even when only one server is needed; unfortunately, not many people follow this best practice.

My customer is going to deploy HA for their environment, which originally consisted of 1 CAS/HUB server and 1 Mailbox server. Now they are planning to add 1 more CAS/HUB server and 1 more Mailbox server for HA purposes.
All clients are currently connected directly to the CAS, and when the new CAS is in place I need to redirect them to connect to the CAS Array.

There are around 700 users in the organization and I'm planning to perform the migration in a big bang strategy to minimize users' downtime, so I achieved the goal using the steps below:

1. Delete the old CAS DNS A record.
2. Create DNS A record for CAS Array.
3. Dismount all databases and re-mount them.
4. Outlook will perform a new autodiscover search and connect to CAS Array.

I hope this helps you perform the migration with minimal user impact if you have a similar situation.
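The four cut-over steps as an Exchange Management Shell script, added here as an example that is not from the original post. The DNS server, zone, record names and VIP are assumptions, and the RpcClientAccessServer check before the remount is an added safeguard the post does not mention.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on a server that can also reach the DNS server. All names are assumed.
$DnsServer    = 'DC01'            # assumed: DNS server hosting the internal zone
$Zone         = 'domain.com'      # assumed internal zone
$OldCasRecord = 'cas01'           # assumed: record clients connect to today
$CasArrayName = 'outlook'         # assumed: the array FQDN becomes outlook.domain.com
$CasArrayIp   = '10.0.0.50'       # assumed: VIP / IP that answers for the array
$CasArrayFqdn = "$CasArrayName.$Zone"

# Steps 1 and 2: swap the DNS A records (dnscmd ships with the Windows DNS role)
dnscmd $DnsServer /RecordDelete $Zone $OldCasRecord A /f
dnscmd $DnsServer /RecordAdd    $Zone $CasArrayName A $CasArrayIp

# Added check: every database must already point at the array name, otherwise
# the remount in step 3 will not move Outlook to the array
$Wrong = Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $CasArrayFqdn }
if ($Wrong) {
    $Wrong | ForEach-Object {
        Write-Warning "$($_.Name): RpcClientAccessServer is $($_.RpcClientAccessServer), expected $CasArrayFqdn"
    }
    throw 'Fix RpcClientAccessServer on the databases above before dismounting anything'
}

# Step 3: dismount and remount every database (a brief outage for all mailboxes)
Get-MailboxDatabase | Dismount-Database -Confirm:$false
Get-MailboxDatabase | Mount-Database

# Step 4 happens on the clients: Outlook reruns Autodiscover and connects to $CasArrayFqdn
```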

Friday, May 4, 2012

Deploying Lync Mobility With TMG Single NIC Configuration

I finally managed to deploy the Lync mobility service today for my company's Lync server, something I have wanted to do ever since Lync mobility was introduced a few months back. You can find many useful deployment guides on the internet if you search, but what I would like to share is some experience of deploying Lync mobility services with a TMG single NIC configuration, which I found is quite rare, since most of the guides you find are about a 2-NIC TMG configuration.

In my environment the TMG server is already in use to publish Exchange web services (OWA, ActiveSync, Outlook Anywhere). Since this is a single NIC TMG, you can only create one listener. If you try to create another listener for Lync services, you get the error “A web listener specifying the same port and similar IP Addresses already used by the rule “[Your_Exchange_Services_Rule]”. The port and IP addresses specified in a Web Listener cannot overlap with the IP addresses specified web listener already used in a different rule”.


To overcome this issue, simply use the same listener with a SAN certificate that contains both the Exchange and the Lync service FQDNs.

For example, my original SAN certificate for Exchange included webmail.domain.com and autodiscover.domain.com. I regenerated a new certificate on the Exchange server with the additional SANs required by Lync mobility services: lyncdiscoverinternal.domain.com, lyncdiscover.domain.com, etc.

After that, I went ahead and requested a new certificate from the Lync Front End server with the same SANs (inclusive of the Exchange web services FQDNs), and we were almost good to go.
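Before binding a certificate to the shared listener, it is worth checking that it really carries every name both publishing rules need. The check below is an added example, not from the original post; the thumbprint placeholder and the host names (taken from the post's domain.com examples) are assumptions.

```powershell
# Added example, not from the original post: confirm that a certificate in the
# local machine store carries every SAN the shared TMG listener will serve.
$Thumbprint = 'REPLACE_WITH_THUMBPRINT'      # placeholder: thumbprint of the new SAN certificate
$Required   = @('webmail.domain.com', 'autodiscover.domain.com',
                'lyncdiscover.domain.com', 'lyncdiscoverinternal.domain.com')

function Get-CertSanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is the Subject Alternative Name extension
    $Ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $Ext) { return @() }
    # Format($false) renders the entries as "DNS Name=a.example.com, DNS Name=b.example.com"
    $Ext.Format($false) -split ',\s*' |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() } |
        Where-Object { $_ }
}

$Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $Cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

$Present = Get-CertSanNames -Cert $Cert
$Missing = $Required | Where-Object { $Present -notcontains $_ }
if ($Missing) {
    Write-Warning ('Certificate is missing SAN entries: ' + ($Missing -join ', '))
} else {
    Write-Output 'Certificate covers all required Exchange and Lync names; it can be used on the shared listener'
}
# Also make sure the certificate is still valid before binding it to the listener
if ($Cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($Cert.NotAfter)" }
```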

On the TMG server I removed the original listener and created a new listener using the newly created certificate (in my case I exported the certificate from the Exchange server), followed by creating a new publishing rule for Lync discovery. Once the rule was created and I clicked "Test Rule", it showed a passed result and Lync mobility was ready to go live!

This is just an overall concept of how to deploy Lync mobility with a TMG single NIC configuration; I hope this will at least give you some ideas if you have the same environment as mine.


Tuesday, April 10, 2012

Forefront TMG With Single NIC Configuration

I've been involved in a large-scale Microsoft Exchange deployment project recently. I proposed using a TMG server with a single NIC configuration to function as a reverse proxy for Exchange services.

During the discussion with my customer, when we drilled down into the TMG configuration, I was asked why I am proposing a TMG server with a single NIC (DMZ) instead of 2 NICs (DMZ + Internal).

Well, this is a good question, and I would like to take this opportunity to explain the benefits of the single NIC configuration.

Before that, you may want to take a look at the limitations of the single NIC configuration here.

Let's talk about the typical 2 NIC configuration, like below:


The TMG is configured with 2 NICs, one connecting to the external network and another connecting to the internal network. When the external firewall NATs the 443 traffic (for Exchange services) to the TMG, it first comes in through the external network NIC, and the TMG then performs the reverse proxy request to the Exchange server via the internal network NIC. Please note that in this situation the network traffic bypasses the internal firewall when it is routed back to the Exchange server.


Whereas if you use the single NIC configuration, it will look like this:

When the external firewall NATs the 443 traffic to the TMG, the TMG server performs the reverse proxy request to the Exchange server from its only NIC (the firewall routes the traffic back to the Exchange server), so this time the traffic has to go through the internal firewall instead of bypassing it.


In my humble personal opinion, this is a better configuration, since we can utilize the internal firewall's functionality (malware scanning, etc.) instead of bypassing it. It would be a waste to deploy an internal firewall and then bypass it, right? (And firewalls are expensive!) ;)

Anyway, this still very much depends on the situation, i.e. whether the customer's policy allows you to route traffic directly from the DMZ to the internal network.

I hope this helps you get a better idea of single NIC TMG deployment.


Wednesday, February 29, 2012

Error: The operation couldn't be performed because object 'Server\Autodiscover(Default Web Site)' couldn't be found

February seems to be a month full of troubleshooting. Today I got another call regarding their OOF reply not working.

Upon checking, I found that the Autodiscover internal URL was empty when I ran the command Get-AutodiscoverVirtualDirectory.

When I tried to reset it with the command Set-AutodiscoverVirtualDirectory -Identity <server_name> -InternalURL "https://test.doman.com/Autodiscover/Autodiscover.xml", I got this error:

  The operation couldn't be performed because object
  '<Exchange_Server>\Autodiscover' couldn't be found on 'ad.example.com'.

Although I set the preferred AD server to another server, the same error still appeared.

After quite some time I finally found a way to reset the Autodiscover virtual directory by running:

Get-ActiveSyncVirtualDirectory -Server <server_name> | Set-AutodiscoverVirtualDirectory -InternalURL https://test.doman.com/Autodiscover/Autodiscover.xml

I'm not sure what really happened, but this method seems able to reset the virtual directory.


Wednesday, February 22, 2012

OWA Redirect Did Not Work After Replacing New Certificate

Yesterday one of my customers ran into an issue after replacing the certificate for Exchange.

My customer's public certificate was going to expire soon, and they had requested us to replace it with a private certificate instead. Everything worked fine after replacing the certificate, and I verified it with them before I left.

A few hours later I was told that the OWA redirect was not working anymore and users could not log in to OWA. You can read about the similar symptom here:

This error only happens if the Exchange server has the HTTP to HTTPS redirect feature implemented. The redirect creates an infinite loop even if you run “iisreset”, and all the authentication endpoints (owa, ActiveSync, Outlook Anywhere, ecp, etc.) will not work unless you manually reconfigure them.

Troubleshooting Steps:

1. Check the Exchange virtual directories using EMS: type Get-WebServicesVirtualDirectory and make sure the URL is correct.

2. Go to IIS Manager -> Default Web Site -> HTTP Redirect -> make sure the box “Redirect requests to this destination” is checked and enter the URL ending with /owa.

3. Check the box “Only redirect requests to content in this directory (not subdirectories)”, with status code Found (302).

4. On the Default Web Site, click SSL Settings and uncheck "Require SSL".

5. Remove the enforced redirect for the following directories:
  • aspnet_client
  • Autodiscover
  • ecp
  • EWS
  • Microsoft-Server-ActiveSync
  • OAB
  • PowerShell
  • Rpc

6. Run iisreset from CMD.

Everything went back to normal after the steps above were done.
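Steps 2 to 6 above, expressed with the IIS WebAdministration module so the same fix can be reapplied consistently and verified afterwards; this is an added example, not from the original post. The OWA URL is an assumption; the redirect settings are the ones the steps describe.

```powershell
# Added example, not from the original post: apply the OWA redirect settings
# from the troubleshooting steps with the WebAdministration module (IIS 7.5).
Import-Module WebAdministration
$Site   = 'IIS:\Sites\Default Web Site'
$OwaUrl = 'https://mail.domain.com/owa'     # assumed external OWA URL, must end with /owa
$Filter = '/system.webServer/httpRedirect'

# Steps 2 and 3: redirect only requests for the site root itself, with a 302 (Found), to /owa
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name destination        -Value $OwaUrl
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name childOnly          -Value $true
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name httpResponseStatus -Value 'Found'

# Step 4: the site root must accept plain HTTP, or the redirect itself can never be reached
Set-WebConfigurationProperty -PSPath $Site -Filter '/system.webServer/security/access' -Name sslFlags -Value 'None'

# Step 5: clear the redirect on the Exchange virtual directories. A redirect that
# applies to these directories is what sends the clients round in the loop described above.
$ChildDirs = 'aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync', 'OAB', 'PowerShell', 'Rpc'
foreach ($Dir in $ChildDirs) {
    $Path = "$Site\$Dir"
    if (Test-Path -Path $Path) {
        Set-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name enabled -Value $false
    } else {
        Write-Warning "$Dir not found under Default Web Site, skipped"
    }
}

# Verify before the reset: none of the child directories may still redirect
foreach ($Dir in $ChildDirs) {
    $Section = Get-WebConfiguration -PSPath "$Site\$Dir" -Filter $Filter -ErrorAction SilentlyContinue
    if ($Section -and $Section.enabled) { Write-Warning "$Dir still has HTTP redirect enabled" }
}

# Step 6
iisreset
```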

Monday, February 20, 2012

Lotus Notes to Microsoft Exchange Migration Project

Recently I was assigned to a Lotus Notes to Exchange 2010 migration project. I had been waiting for this project for a long time, because I thought I could gain some very valuable experience for my career.

Unfortunately this project turned out to involve no migration at all, because the customer did not want to buy the migration tools from Quest Software. In a nutshell, this is a simple new Exchange implementation project. Since high availability (HA) isn't my customer's requirement, I deployed all 3 server roles (CAS, HUB, Mailbox) in a single VM running on top of ESXi 5.

We set a cut-off date when all mail would be routed to the Exchange server instead of Lotus Domino, and all users would start using Outlook at the same time.

Everything ran quite smoothly, since there was not much of a real migration involved.