Publishing Exchange2013 EWS using TMG2010

Publishing Exchange 2013 Web Services (EWS) to clients on the external network is essential for Lync 2013 Unified Contact Store (UCS) and Lync 2013 Mobile clients to work properly. Without EWS available to clients on external networks, Lync 2013 Mobile clients will be unable to get Lync contacts when UCS has been enabled for users, since these contacts are now stored in Exchange. Lync 2013 Mobile clients will also not be able to retrieve calendaring information to join Lync online meetings. In order to enable these functions for the full Lync mobile experience, EWS must be published. This article provides configuration details for publishing Exchange 2013 EWS using Forefront TMG2010. Note that TMG2010 is no longer available for purchase but Forefront Unified Access Gateway (UAG) with Service Pack 3 (SP3) is still available and can be used for publishing Exchange 2013.

---

To begin use the "Publish Exchange Web Client Access" in the TMG 2010 Task pane to start the wizard. Give the rule a name and in the Select Services screen choose "Exchange Server 2010" and click on "Outlook Anywhere".

Next we can either choose to publish a single Exchange CAS server, which is the case in this lab, or if an array of CAS servers are deployed then the publishing type should be set to a server farm. Then we select to use SSL for the connection from TMG to CAS:

Next, the FQDN of the exchange CAS server is entered into the Internal site name. This should be resolvable by the TMG to an IP address either via DNS query or hostfile. Then the public name is entered in the next screen, which is the FQDN used when clients connect from the internet. This FQDN needs to be resolved to the public NAT'ed IP of the TMG server which the web listener listens on. At the same time, an autodiscover DNS A record needs to be created to point to the same IP. Note that this same public FQDN and autodiscover FQDN must be in the list of SANs for the certificate assigned to the web listener. eg. mail.domain.com and autodiscover.domain.com

Here we select the pre-configured web listener for the rule. If one has not yet been created, the "New.." button allows the creation of a new web listener. Note the settings of the web listener in particular the "No Authentication" setting as shown below. Next we choose to have "No delegation, but client may authenticate directly" setting for the Authentication Delegation setting:

Finally we leave the default User Sets of "All Users", not "All Authenticated Users". This happens when the web listener is configured with "No Authentication". To complete the wizard click "Finish":

After the rule has been created, we need to edit the rule again to configure 2 additional properties. First the Public Name tab should contain both the Public FQDN as well as the Autodiscover FQDN as shown below. Then in the Paths tab we should remove the "/rpc/*" entry and include the "/ews/*" and "/autodiscover/*" entries as shown below:

Now we can proceed to save the changes to the rule but before that, a validation test can be performed by clicking on the "Test Rule" button as shown below. This should return a "green" check for all tests performed to ensure that the rule is working properly. Once the changes are saved, open a browser to using a client connected to the internet and navigate to https://mail.domain.com/ews/exchange.asmx. A popup window should appear asking for user credentials which should then return a web page similar to the following picture below:

Conclusion
After completing the steps outlined above, Lync 2013 clients connecting from the internet should now be able to access the Exchange EWS via the TMG2010 server and be able to retrieve contacts stored in Exchange UCS as well as meeting information from the Exchange calendar for joining Lync Online meetings. Last but not least, this walkthrough should be used in-verbatim only in lab or testing environments.