Published: January 11, 2010
Updated: February 15, 2013
Applies To: Unified Access Gateway
Before you publish Exchange services through Forefront Unified Access Gateway (UAG), make sure you are familiar with the following:
Prerequisites—Describes the software requirements, and any other prerequisites.
Known issues and limitations—Describes the known issues and limitations that you may encounter when publishing Exchange services through Forefront UAG.
Before you can publish Exchange services through Forefront UAG, you must have the following servers deployed in your organization:
A single server or an array of servers running Forefront UAG. See Forefront UAG installation.
A single server or a cluster of servers running Microsoft Exchange with the Client Access server role installed. See Exchange Server 2010.
When you publish Exchange services through Forefront UAG, you can use a server certificate or an Exchange certificate to ensure secure communications between the Forefront UAG server and the Exchange Client Access server.
|If you are using an HTTP connection between Forefront UAG and the Exchange Client Access server, you do not need a certificate on the Exchange server.|
You can choose to install a server certificate or an Exchange certificate on the Client Access server, as follows:
|In both of the following cases, Forefront UAG must trust the certificate installed on the Exchange Client Access server or the connection will fail.|
Install a server certificate on the Exchange Client Access server—This certificate can be from an internal certification authority (CA) or can be purchased from a public CA.
Note: To ensure a successful connection between the Forefront UAG server and the Client Access server, the Forefront UAG server must use the same FQDN as the FQDN used to create the certificate. The certificate that you use can be a wildcard certificate.
Install the Exchange certificate on the Forefront UAG server—When you install Exchange, you can install a default SSL certificate that is created by Exchange Setup. You can install this certificate on the Forefront UAG server to make sure that Forefront UAG trusts the Exchange Client Access server. Note that this certificate is not a trusted SSL certificate.
To allow testing of your deployment before using a server certificate, an Exchange certificate, or purchasing a trusted certificate, make the following changes to the registry to allow communication between Forefront UAG and the Exchange Client Access server, without installing a certificate on the Exchange server:
Known issues and limitations
When publishing Outlook Web Access using pass-through authentication, there is no pre-authentication to the Forefront UAG portal.
You cannot apply an Outlook Web Access look and feel to the portal's logon and logoff pages when publishing Exchange 2003.
When publishing Outlook Web Access on Forefront UAG SP1 and SP2, you can use Basic, NTLM, or KCD authentication for single sign on (SSO) to the Exchange Client Access server.
On Forefront UAG prior to SP1, the Forefront UAG Management console allowed you to configure forms-based authentication to perform SSO to Outlook Web Access by selecting either HTML form or Both on the Authentication tab of the Application Properties dialog box. However, this was not a supported configuration. Forefront UAG SP1 does not allow this unsupported configuration and requires that you configure the authentication as 401 request. Therefore, you must also configure the Exchange Client Access server to use NTLM or Basic authentication. If you installed SP1 on a server with this unsupported configuration and attempt to edit the application, Forefront UAG changes the application to use Basic authentication.
When publishing Exchange ActiveSync, increasing the session timeout may result in disconnected sessions remaining active on the server, and affect performance.