[Yaniv Hoobian]

hi

i have a new deployment that have some problems.

the servers are :

Exchange 2010 on server 2008 R2
the domain controllers are server 2003 STD
the TMG is on server 2008 64bit

the tmg is located in the DMZ an has 1 NIC.
I've setup according to bunch of articles i found, and it's working fine only if I'm not forcing the use of SSL certificate.

when i turn on the "require client certificate" the TMG log shows Allowed connection using my active sync rule, but the HTTP status code is "403 forbidden"

i appreciate any help

almost forgot, the certificate is issued from the CA on the domain controller.
I've tested the connection internally using "exchange ActiveSync MD" tool, and it's working.

thanks
Yaniv

[tehcamel]

tmg works better with two nics.. otherwise you're not necessarily getting the benefit of the firewall

[Yaniv Hoobian]

i have two other firewalls outside the DMZ.

the only purposes of the TMG is to publish the exchange

[tehcamel]

a google search for tmg publish exchange one nic found this as one of the first responses


http://social.technet.microsoft.com/...0-5c8b96e9efe7

[Yaniv Hoobian]

thanks, but i read it before.
it's something related to the way the TMG act when a certificate is used.

[tehcamel]

I'm re-reading your post.

"require client certificate"

To me, it sound likes that option is requiring that the CLIENT Present a certificate to authenticate itself.

The SSL Certificate for the Exchange websites should be bound to the HTTPS listener on the ISA server.

[Yaniv Hoobian]

done that already.

i searched some more and i think the problem is bigger.
i don't see the exchage virtual directorys in ADSIEDIT.

i wanted to recreate the microsoft-server-activesync virtual directory, but it woulsn't let me reomove it, becuase the dc don't recognize it as existed.
but when i wanted to create it, it says ut is already created.
so i opened the ADSIEDIT based on what i've found here http://www.experts-exchange.com/Soft..._26185316.html

if you can't read it here it is :

"Navigate to the following: CN=Configuration, DC=dommainname, DC=com -> CN=Services -> CN=domainname -> CN=Administrative Groups -> CN=Exchange Administrative Group (FYDIBOHF23SPDLT) -> CN=Servers -> CN=Netbios name of the exchange server -> CN=Protocols -> CN=HTTP
and under HTTP found only OWA"



any ides?

[Yaniv Hoobian]

An update

i changed the external ip address to port forward to the exchange server directly.
and i came to the same result.

so the problem is with the exchange or active directory and not the TMG


Yaniv

[tehcamel]

ok, has it EVER worked as it is supposed to?

If so, what was changed recently. If it worked, and now doesn't, something changed. Vdirs don't just delete themselves.

Have you tried reinstalling the CAS role ?

[Yaniv Hoobian]

its a new sever. installed 3 months ago

now when the time come to use activesync i face this problems.

today i mange to recreat the microsoft-server-activesync virtual directory.
and now ADSIEDIT shows some records for the virtual directorys.
but it's not like I'm familiarize with ( on exchange 2003 )

now under HTTP, i have only one folder for the OWA.
( CN=OWA (default web site))


and rows for each virtual directory, that looks like a text file.


Yaniv