May 17

How to: Configure and understand AutoDiscover with TMG

Using Exchange 2010 Autodiscovery with Microsoft’s Forefront Threat Management Gateway

After working with Windows Small Business Server and Threat Management Gateway one of the challenges you come across is what kind of policies do you need to set it place to allow access to Exchange 2010 Web services for your corporate users. Well, it all starts with Autodiscover I guess. Being able to publish that information on the Internet will ensure your users can easily configure Outlook and work remotely more easily. In order to achieve this this is the access rule you have to create:

  1. Let’s go ahead and leverage the existing wizards in TMG. Go ahead and click “Publish Exchange web access client”.
  2. Name your rule anyway you want based on your enterprise wide naming conventions, for example “SBS – Publish Autodiscover service for Exchange 2010”.
  3. Select “Exchange 2010” from the drop-down and click “Outlook Anywhere (RPC/HTTP(S))”. You want to select “Publish additional folders on the Exchange Server for Outlook 2007 clients” as well as one of those folders is the Autodiscover folder.
  4. Next select if you are doing a single web server or a farm. In the case of a SBS installation I would assume it is a single web server.
  5. Use the recommended option (to use SSL) but that is an infrastructure choice on the enterprise architecture team.
  6. Type in the Internal site name (aka how you access your SBS or Exchange server). I recommend FQDNs.
  7. Accept requests for: Use this domain name and type in there autodiscover.<smtp-address-domain>. For example, if the user’s e-mail address is [email protected], the primary SMTP domain address is and you would type in there They key here is that SBS uses remote.<smtp-address-domain> for Exchange access but you want to publish the autodiscover as autodiscover.<smtp-address-domain> otherwise it won’t be able to find it. The exception is using the autodiscover subfolder. The Autodiscover service URL will be either https://<smtp-address-domain>/autodiscover/autodiscover.xml or https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml.
  8. Select your web listener of choice (obviously it should authenticate properly the URL provided before.
  9. Chose your preferred delegation method. You should at least select “No delegation, but client may authenticate directly” so your clients have access to the information.

As reference, here is a document on MSDN on understanding how Autodiscovery works:

I hope this helps!

Enhanced by Zemanta

Leave a Reply

%d bloggers like this: