Unable to view OAB and OOF via Outlook Anywhere published through TMG/ISA

This post is about a problem where Outlook was working fine through TMG publishing rule, however when TMG Admin tried to access OAB and OOF through Outlook he got an error. To bypass Outlook he tried to access https://mail.contoso.com/ews/exchange.asmx and got 403. The 403 was coming from Exchange vdir /EWS/, here an example of the header: HTTP HTTP:Response, HTTP/1.1, Status Code = 403, URL:
- Http: Response, HTTP/1.1, Status Code = 403, URL: /ews/
ProtocolVersion: HTTP/1.1
StatusCode: 403, Forbidden
Reason: Forbidden
Server: Microsoft-IIS/7.5
Set-Cookie: exchangecookie=599fc2a7540e4e66b1169d9d5c358aa5; expires=Sat,
17-Jul-2011 21:39:05 GMT; path=/; HttpOnly
XPoweredBy: ASP.NET
Date: Fri, 29 Jan 2010 21:39:05 GMT
ContentLength: 0
HeaderEnd: CRLF

Resolution: after some investigation we notice that the /EWS has anonymous on it (/EWS vdir on Exchange 2007 doesn't have anonymous by default), after disabling anonymous and leave only Basic (to match with the delegation) it worked.

Important points before adopting this resolution:

While working on this issue with the Exchange folks they warned me about this action (disabling anonymous for /EWS on Exchange 2010) and they told me that:

“There are some issues if you disable anonymous on /EWS/ vidr for Exchange 2010.   Anonymous is enabled on the virtual directory because EWS uses ws-security for federating calendars and free/busy across organizations for the new calendar
sharing feature. Federation occurs via the ws-security protocol, which authenticates via SOAP <wssecurity> header rather than an HTTP authentication header. IIS must let such requests go through, after which WCF (upon which EWS is built) will
properly authenticate them - in other words the "anonymous" IIS setting does not  allow anonymous requests to get through to EWS. Turning off anonymous has some side effects, namely that cross-organization (federated) calendar sharing breaks as does federated mailbox migration.”

Having those considerations in mind, what you can do in TMG to overcome that without disabling anonymous is:

  • Use Exchange Publishing Wizard to create a new rule, remove all vdir except /ews.
  • Set this rule to direct authentication
  • Order this rule to higher than the original Exchange Publishing Rule
  • In the original rule (the one that publishes Outlook Anywhere) remove /ews/ path
Comments (4)

  1. Great to know that it is still helping folks out there. Thanks Nhien!

  2. Nice post Yuri!! it really helps

  3. S.E. says:

    Well, whatever all that may mean…


  4. Nhien says:

    Yuri, You made my life easier :). Thanks.

Skip to main content