How to Configure TMG for Office 365 and Exchange 2010 Hybrid deployments

[This topic is in progress.]  

Applies to: Exchange Server 2010

This article gives general guidance on how to configure TMG for use in a Hybrid (Exchange 2010 and Office 365) environment. Specifically, it covers the authentication settings that are needed on the TMG rule for features such as Autodiscover for organization relationships (Autodiscover.svc) and the EWS endpoints (used for free/busy data and mailbox moves).

Non Goals:

  • End-to-end ISA configuration.

  • Discuss every possible TMG deployment scenario.

  • Discuss non-TMG firewalls.

This topic assumes that you have a third-party certificate for the Exchange endpoints configured on the TMG server, and that you already have TMG configured with a listener for the on-premises Exchange 2010 server. For guidance on this configuration, see the following white paper: Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010.

Configuring TMG Rule

Now that you have your TMG configured for the on-premises Exchange environment, you'll need to modify the TMG configuration for Office 365 integration in your Hybrid deployment.

This configuration change centers around the authentication delegation setting that's used on the TMG rule for the other Exchange components. Typically, you pre-authenticate at the TMG. This works for Outlook Anywhere and OWA, but it causes issues in a Hybrid environment: certain endpoints use token-based authorization instead of the standard basic/integrated authentication options, so the TMG must pass requests to those endpoints through without pre-authenticating them.

The solution is simple: you need to create a new web publishing rule that uses the same listener as the other Exchange components, but provides explicit paths to the required services. You also need to modify the new rule to prevent pre-authentication at the TMG. If you configure this correctly, you can continue to use the same external IP address and port (443) on the same listener for both rules.

Create a new web publishing rule for the Hybrid Exchange components

  1. Open the Forefront TMG Management console, expand Forefront TMG <ServerName>, right click on FireWall Policy, select New, and then select Web Publishing Rule.

  2. The New Web Publishing Rule Wizard opens. On the welcome page, type a name for the rule (for example, Hybrid), and then click Next.

  3. On the Select Rule Action page, select Allow, and then click Next.

  4. On the Publishing Type page, select the appropriate option for your environment (for example, Publish a single Web site or load balancer), and then click Next.

  5. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.

  6. On the Internal Publishing Details page, enter the proper site name and IP address for your environment. For example:

    • Internal site name   mail.contoso.com

    • Select Use a computer name or IP address to connect to the published server.

    • Computer name or IP address   192.168.100.1

    You can get the correct values from your existing on-premises Exchange web publishing rule. When you're finished, click Next.

  7. On the Internal Publishing Details page, accept the default values and click Next. We'll configure the paths later.

  8. On the Public Name Details page, configure the following settings:

    • Accept requests for   Select The domain name (type below).

    • Public name   Enter the EWS external web site name (for example, mail.contoso.com).

    • Path (optional)   Leave this setting blank.

    When you're finished, click Next.

  9. On the Select Web Listener page, select the listener that's used for the existing on-premises Exchange rule from the Web listener drop down, and then click Next.

  10. On the Authentication Delegation page, select No Delegation, but client may authenticate directly, and then click Next.

  11. On the User Sets page, select All Users, and then click Next.

  12. On the completion page, review the settings, and then click Finish.

Now we need to go to the properties of the new Hybrid web publishing rule to modify the paths and public names.

  1. Back at the main Forefront TMG Management console screen, right-click on the new web publishing rule and select Properties.

  2. On the Public Names tab, click Add, enter the Autodiscover external URL (for example, autodiscover.contoso.com), and then click Apply.

  3. On the Paths tab, configure the following settings:

    • Remove the default /* path value by selecting it, and then clicking Remove.

    • Add the following path values by clicking Add and entering each one:

      • /ews/mrsproxy.svc

      • /ews/exchange.asmx/wssecurity

      • /autodiscover/autodiscover.svc/wssecurity

      • /autodiscover/autodiscover.svc

    When you're finished, click OK.

  4. The last step is to ensure that this new web publishing rule is higher in the list than the on-premises Exchange web publishing rule. To do this, right click on the new rule and select Move up until the new rule is above the on-premises Exchange rule.

Issues you may encounter

A Hybrid organization uses MRS/MRSProxy to perform mailbox moves between the on-premises Exchange and Exchange Online environments. This operation can intermittently fail when you traverse a TMG server due to a built-in TMG defense mechanism named Flood Mitigation. Read more about Flood Mitigation here: Overview of flood mitigation.

If you encounter this issue, you'll see an error that looks like this:

Mailbox Move to the cloud fail with error: Transient error CommunicationErrorTransientException has occurred. The system will retry.

To verify the issue, review the alerts in the Forefront TMG Management console at Forefront TMG <ServerName> > Monitoring > Alerts tab, where you'll see alerts that look like this:

The number of HTTP requests per minute the source IP address <IPAddress> exceeded the configured limit. Forefront TMG will block new HTTP requests sent from this IP address.

To fix this issue, follow these steps:

  1. Open the Forefront TMG Management console, expand Forefront TMG <ServerName>, and select Intrusion Prevention System.

  2. Click the Behavioral Intrusion Detection tab, and select Configure Flood Mitigation Settings.

  3. On the IP Exceptions tab, enter the IP addresses that the Office 365 environment will use to connect to your Exchange server during the move operation. The list can be found here: Office 365 URLs and IP address ranges.

  4. On the Flood Mitigation tab, click Edit next to Maximum HTTP requests per minute per IP address.

  5. Raise the limit only for the Office 365 IP addresses that you configured on the IP Exceptions tab. For example, enter 6000 in the Custom limit field. Note that 6000 might not be high enough for a large number of mailbox moves. If the error returns, you can raise the limit to a higher value.
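Before raising the limit, it helps to know the actual peak request rate each source reaches during a move and whether that source is on the IP Exceptions list. The following added example (not from this article or from Microsoft) replays a constructed, simplified proxy log and reports the peak HTTP requests per minute per client IP against the limit TMG would apply. It assumes 600 as the default per-IP limit (verify in your console), uses the article's 6000 as the custom limit, and uses a placeholder range in place of the published Office 365 list.

```python
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Assumptions: 600 is taken as TMG's default per-IP limit (check your console);
# 6000 is the custom limit the article suggests for the excepted Office 365 IPs.
DEFAULT_LIMIT = 600
CUSTOM_LIMIT = 6000
# Placeholder range standing in for the published Office 365 list (not real).
EXCEPTION_RANGES = ["203.0.113.0/24"]

def build_sample_log():
    """Constructed log, one request per line: "<ISO timestamp> <client-ip> <path>"
    (the real TMG W3C log carries many more fields). 700 MRSProxy calls from an
    excepted address inside one minute, 50 Autodiscover calls from another."""
    start = datetime(2011, 3, 1, 10, 0, 0)
    lines = []
    for i in range(700):
        t = start + timedelta(milliseconds=80 * i)   # all within minute 10:00
        lines.append(f"{t.isoformat()} 203.0.113.10 /ews/mrsproxy.svc")
    for i in range(50):
        t = start + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 198.51.100.7 /autodiscover/autodiscover.svc")
    return "\n".join(lines)

def peak_rate_per_ip(log_text):
    """Return {client_ip: most requests seen from it within any single minute}."""
    per_minute = Counter()
    for line in log_text.splitlines():
        ts, ip, _path = line.split()
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        per_minute[(ip, minute)] += 1
    peaks = {}
    for (ip, _minute), n in per_minute.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

def evaluate(log_text, exception_ranges=EXCEPTION_RANGES,
             default_limit=DEFAULT_LIMIT, custom_limit=CUSTOM_LIMIT):
    """Apply the limit TMG would use per source (custom limit only for addresses
    on the IP Exceptions list) and flag sources whose peak would get them blocked."""
    nets = [ipaddress.ip_network(r) for r in exception_ranges]
    report = {}
    for ip, peak in peak_rate_per_ip(log_text).items():
        excepted = any(ipaddress.ip_address(ip) in n for n in nets)
        limit = custom_limit if excepted else default_limit
        report[ip] = {"peak": peak, "excepted": excepted,
                      "limit": limit, "blocked": peak > limit}
    return report
```

Running `evaluate(build_sample_log())` shows the excepted source at 700 requests per minute staying under its custom limit, while the same source with an empty exception list would exceed the default limit and be blocked.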

 © 2010 Microsoft Corporation. All rights reserved.