Publish Enterprise Vault Using TMG

I have a lot of customers who have deployed Enterprise Vault within their email environments. In many cases, these customers have deployed Exchange 2003 or Exchange 2007 and have been using ISA Server to publish OWA and Outlook Anywhere to the Internet. These customers have then upgraded to Exchange 2010 and replaced ISA with TMG. This type of upgrade presents some challenges simply based on how Enterprise Vault works. Specifically, when an end user accesses an item stored in Enterprise Vault, their client connects directly to the Vault Server over port 80 (or port 443) to retrieve information. Because of this, when TMG is used to publish OWA and Outlook Anywhere to the Internet, TMG must also be configured to publish the Enterprise Vault Server to the Internet.
The following is a typical high-level diagram of an Exchange 2010 and Enterprise Vault environment that I have helped customers deploy:

In the diagram above, the internal Active Directory Domain is test.net and the public domain owned by the company is test.com.
Three TMG Rules are required in order for external clients to access Exchange and Enterprise Vault. The rules are the following:

  1. Publish Outlook Anywhere
  2. Publish OWA
  3. Publish Enterprise Vault

Publish Outlook Anywhere

Under Tasks click Publish Exchange Web Client Access. Provide a name for your rule and click Next.

Select the appropriate Outlook Anywhere settings and click Next.

My environment only has a single CAS Server so I select Publish a single Web site or load balancer and click Next.

Outlook Anywhere requires SSL so select Use SSL to connect to the published Web server or server farm and click Next.

My TMG Server is configured to use internal DNS Servers for name resolution, so I entered the internal FQDN of mail.test.net for the CAS Server and clicked Next.

Note that my internal Domain name and external Domain names are different. My internal Active Directory Domain is test.net and my publicly accessible Domain name is test.com. The public name of my CAS Server is mail.test.com, so I entered that as the Public Name and clicked Next.

Before running this wizard, I created a Web Listener and bound my SSL certificate to the listener. Note the following about this listener:

  • The listener is only configured to use port 443
  • Authentication is set to Forms Based Authentication with Active Directory
  • Always Authenticate is disabled
    • To configure this setting, click the Authentication tab on the Listener and click the Advanced button
    • Under Client Configuration Settings, uncheck Require all users to authenticate

Select the appropriate Web Listener and click Next.

In order for Outlook Anywhere to function correctly through TMG, I configured the TMG Outlook Anywhere rule not to pre-authenticate. Without configuring the rule in this fashion, end users will be prompted for username and password when accessing Outlook Anywhere from the Internet. To accomplish this, I selected No delegation, but client may authenticate directly and clicked Next.

In order for the above rule to work, the User Set needs to be configured for All Users.

When selecting All Users for the User Set, I received the following warning, which is normal. Simply click OK when the warning is displayed.

Click Finish to complete the creation of the Outlook Anywhere Publishing Rule.

Publish OWA

In order to publish OWA using Enterprise Vault, Link Translation must be enabled on the rule. However, there is a bug within TMG that causes Link Translation not to function correctly when the Publish OWA rule is generated using the Exchange 2010 Wizard built into TMG. The workaround is to create a standard Web Publishing Rule manually and configure all of the required Exchange options so Link Translation can be utilized.
Under Tasks click Publish Web Sites. Provide a name for the rule and click Next.

Select Allow and click Next.

Select Publish a single Web site or load balancer and click Next.

Select Use SSL to connect to the published Web server or server farm and click Next.

Enter the internal name of the CAS Server and click Next.

Enter /OWA/* for the Path and click Next. (Note that additional Paths will need to be added after this rule is created. I’ll cover that in a later step.)

Enter mail.test.com for the Public Name and click Next.

Select the same SSL Listener used for the Publish Outlook Anywhere Rule above and click Next.

Set Authentication Delegation to Basic Authentication and click Next.

Set the User Set to All Authenticated Users and click Next.

Select Finish.

Modify the Publish OWA Rule

That completes the creation of the Publish OWA Rule. However, with the rule created, some additional modifications to the rule must be made before the rule will function correctly. Make the following modifications to the Publish OWA Rule:
Open the Publish OWA Rule and click the To tab. Enable the option called Forward original host header instead of the actual one (specified in the Internal site name field)

The following additional paths need to be added: /public/*, /Exchange/*, /ecp/*. The order in which the paths are listed is not important.

The Application Settings tab needs to be configured as shown:

The reason this rule needs to be created manually and the additional options need to be added manually is so Link Translation can be configured. Link Translation rules do not function when applied to TMG rules created using the Exchange 2010 Configuration Wizard. In order to get my Link Translations to function correctly, I selected the Link Translation tab and clicked the Configure button. After that, I clicked the Add button and added the following translations:

Note that you will need to replace the translations listed above with names of servers in your own organization.
These Link Translations are required because the Stubs of archived email messages stored in Enterprise Vault are accessed via a URL link and that link points to the internal Enterprise Vault Server. When accessing archived email messages stored in Enterprise Vault, the Link Translation redirects external web browser clients to the externally published URL of the Exchange 2010 CAS Server. This is necessary because the FQDN of the internal Enterprise Vault Server is not accessible or routable via the Internet.

Publish Enterprise Vault

The third and final piece of this puzzle is publishing the internal Enterprise Vault Server. This rule is required in order for external clients to access items stored in Enterprise Vault.
Under Tasks click Publish Web Sites. Provide a name for the rule and click Next.

Select Allow and click Next.

Select Publish a single Web site or load balancer and click Next.

Select Use non-secured connections to connect the published Web server or server farm and click Next.

Note that I am publishing Enterprise Vault via Port 80 because there is no SSL certificate installed on the Enterprise Vault server. If an SSL certificate were installed on the EV Server then I would publish it using Port 443.
Enter the internal name of the Enterprise Vault server and click Next.

For the Path enter /EnterpriseVault/* and click Next.

Enter the public name of the Exchange 2010 Server and click Next.

Entering the public name of the Exchange 2010 Server may seem wrong but this rule works in conjunction with the Link Translation configured within the OWA Publishing Rule created earlier.
Prior to creating this rule, I created a Web Listener similar to the SSL Listener created earlier. The only difference between this listener and the SSL Listener created earlier is that this listener is bound to Port 80 instead of Port 443.
Select the 2010 HTTP Listener and click Next.

Select Basic Authentication and click Next.

The following warning message will be displayed:

Click OK to proceed.
Select All Authenticated Users and click Next.

Click Finish to complete creation of the rule.
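
The three rules and the Link Translation step, modelled as an added example (not part of the original post and not TMG's own API): it shows a stub link to the internal Enterprise Vault server being rewritten, then matched by the Publish Enterprise Vault rule, and it flags rules where credentials cross a non-SSL hop. The server name ev01.test.net, the translation pair and the /rpc/* path for Outlook Anywhere are assumptions, since the post does not list them.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed model of the three rules in this post. "ev01.test.net", the
# link-translation pair and "/rpc/*" are placeholders/assumptions.
PUBLIC_NAME = "mail.test.com"
RULES = [
    {"name": "Publish Outlook Anywhere", "port": 443, "paths": ["/rpc/*"],
     "to": "mail.test.net", "to_ssl": True, "delegation": None},
    {"name": "Publish OWA", "port": 443,
     "paths": ["/OWA/*", "/public/*", "/Exchange/*", "/ecp/*"],
     "to": "mail.test.net", "to_ssl": True, "delegation": "Basic"},
    {"name": "Publish Enterprise Vault", "port": 80,
     "paths": ["/EnterpriseVault/*"],
     "to": "ev01.test.net", "to_ssl": False, "delegation": "Basic"},
]
LINK_TRANSLATIONS = {"http://ev01.test.net": "http://mail.test.com"}


def translate_links(body):
    """Rewrite internal URLs in a response body, as Link Translation does."""
    for internal, public in LINK_TRANSLATIONS.items():
        body = body.replace(internal, public)
    return body


def match_rule(url):
    """Return the rule that would handle an external request, or None."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.hostname != PUBLIC_NAME:
        return None  # internal names are not published to the Internet
    path = parts.path.lower()  # case-insensitive match is a choice of this model
    for rule in RULES:
        if rule["port"] == port and any(
                fnmatch(path, p.lower()) for p in rule["paths"]):
            return rule
    return None


def cleartext_credential_rules():
    """Names of rules where user credentials cross a non-SSL connection."""
    return [r["name"] for r in RULES
            if r["delegation"] and (r["port"] != 443 or not r["to_ssl"])]
```

With the port 80 listener, cleartext_credential_rules() reports the Publish Enterprise Vault rule; installing a certificate on the EV server and publishing it on port 443, as the post mentions, clears that finding.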
