Deprecated: Function is_staging_site is deprecated since version 3.3.0! Use in_safe_mode instead. in /var/www/ on line 6078
How to Configure TMG for Office 365 (Exchange) Hybrid deployments – Knowledge eXchange
Deprecated: Function is_staging_site is deprecated since version 3.3.0! Use in_safe_mode instead. in /var/www/ on line 6078

How to Configure TMG for Office 365 (Exchange) Hybrid deployments

Obtained from:


How to Configure TMG for Office 365 (Exchange) Hybrid deployments


The purpose of this article to give some general guidance on how to configure TMG for use with Office 365 Exchange related components. The idea is to give some general guidance mainly around authentication settings needed on the TMG rule that will be used for things such as AutoDiscover for organization Relationships (Autodiscover.svc)and the EWS endpoints (used for things such as Free Busy/Mailbox Moves).

Non Goals:


  • End to end ISA configuration
  • Discuss every possible TMG deployment scenario
  • Discuss non TMG firewalls


The following details assume you have a Third-Party certificate for the Exchange endpoints in place on the TMG server. There is also an assumption that you already have the TMG configured with a listener for the on-premises Exchange 2010 server. For guidance on this configuration please look to the following white paper:


Configuring TMG Rule


Now that you have your TMG setup for the on-premises Exchange environment you will need to make some modification to the TMG setup to allow the Office 365 integration for your Hybrid deployment.


The reason we may need to change the TMG configuration centers around the authentication Delegation setting used on the TMG rule for the other Exchange components. In many cases a customer will choose to pre-authenticate at the TMG. This is a fine solution for things such as Outlook Anywhere and OWA but this will cause issues for the Hybrid environment. We need to allow for pass-through authentication for certain endpoints. These are the endpoint that use token based authorization instead of standard basic/integrated authentication options.


The solution is simple, you simply need to create a rule that uses the same listener as the other Exchange components but provide explicit paths. Then change the new rule so that it does not perform pre-authentication at the TMG. If implemented properly you will be able to continue to use the same external IP address and port (443) on the same listener for both rules.


Create the new Rule for use with the Hybrid components

  1. From Within TMG Management Console, right click on the FireWall Policy from the left tree
  2. Then select New
  3. Then select Web Publishing Rule

4. From the Welcome to the New Web Publishing Rule Wizard window type in a name for the rule and select next



5. On the select Rule Action screen select the Allow radio button then select next



6. On the Publishing Type page select the appropriate option and then select next (in my case I have select the Publish a single Web site or load balancer option)


7. On the Server Connection Security page select the Use SSL option then select next



8. On the Internal Publishing Details page fill in the proper site name and IP address such as the example depicted below. If you are not sure what to put just take a look at your current Exchange publishing rule, once completed select the next option.



9. From the Internal Publishing Details leave the defaults then select the next option. We will configure the paths later in the configuration



10. On the Public Name Details section be sure that the EWS external web site names(for example is listed as depicted below then select the next option





11. Then from the Select Web Listener page select the listener used for the regular exchange rule from the drop down menu then select the next option



12. Then from the Authentication Delegation page select the No Delegation, but client may authenticate directly option then select next



13. Then from the Select User Sets page choose the All Users option then select next. Then select the finish option







Then we need to go to the properties of the newly created rule and modify the Paths and the public names within the rule.


  1. From the TMG management interface right click the newly created rule and select properties
  2. Then select the Public Names tab and add the autodiscover external URL (for example and apply that change



3. Then select the paths tab and add the paths listed below , be sure to also remove the default “/*” path, then apply those changes


    • /ews/mrsproxy.svc
    • /ews/exchange.asmx/wssecurity
    • /autodiscover/autodiscover.svc/wssecurity
    •  /autodiscover/autodiscover.svc






4. The last step it to ensure that this new rule is higher in the list than the primary exchange rule.  You can simply right click on the rule and select move up until it is above the primary exchange rule. Then apply the changes


More information


The task for setting up TMG is not very complex but there is some attention that needs to be made when configuring the hybrid deployment.



Issues you may run into


With a Hybird deployment (Exchange 2010 and Office 365) you will be using MRS/MRSProxy to perform the mailbox moves between premises. This operation can potentially fail (could be intermittent) when you traverse a TMG server. The reason for this is a defense mechanism built into TMG called Flood Mitigation.




For more information and the mitigation please read the following wiki:


Timothy Heeney (MSFT)

Enhanced by Zemanta

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.