Configuring ActiveSync publishing

Using Exchange ActiveSync, users can access their Exchange mailboxes from Microsoft Windows Mobile®-based devices, such as Windows Mobile 2003 Software for Pocket PC, including Pocket PC Phone Edition, and Windows Mobile 2003 Software for Smartphone with high levels of security. Users can then synchronize the e-mail messages, appointments, contact information, and tasks in their mailboxes and use any of this information when the mobile device is offline.

When using Exchange Server 2007 or Exchange Server 2010, you can authenticate an ActiveSync connection using client certificate-based authentication. Forefront TMG supports Kerberos constrained delegation, which allows Forefront TMG to authenticate a client connection with a client certificate and to obtain a Kerberos ticket. This ticket can be presented to the published Web server, which accepts the Kerberos ticket instead of client credentials.

To configure ActiveSync publishing

In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
In the Tasks pane, click the Toolbox tab.
On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.

Complete the New Web Listener Wizard as outlined in the following table.

Page	Field or property			Setting or action
Welcome to the New Web Listener Wizard	Web listener name			Type a name for the Web listener. For example, type ActiveSync Listener.
Client Connection Security				Select Require SSL secured connections with clients.
Web Listener IP Addresses	Listen for incoming Web requests on these networks			Select the External network. Click Select IP Addresses, and select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the IP address for the Web site, click Add, and then click OK.
Listener SSL Certificates			Select Use a single certificate for this Web listener, click Select Certificate, and select a certificate for which the host name that users use to access the published Web site appears in the Issued To field.
Authentication Settings		Select how clients will provide credentials to Forefront TMG	In the drop-down list, select HTML Form Authentication. If you want to use Kerberos constrained delegation, select SSL Client Certificate Authentication.
		Collect additional delegation credentials in the form	Leave this check box cleared.
		Select how Forefront TMG will validate client credentials	If Forefront TMG is deployed in a domain, select Windows (Active Directory). In a workgroup deployment, you can select LDAP (Active Directory), RADIUS, RADIUS OTP, or SecurID.
Single Sign On Settings		Enable SSO for Web sites published with this listener	Leave this check box cleared.
Completing the New Web Listener Wizard			Review the settings and click Finish.

In the Tasks pane, click the Tasks tab.
On the Tasks tab, click Publish Exchange Web Client Access to open the New Exchange Publishing Rule Wizard.

Complete the New Exchange Publishing Rule Wizard as outlined in the following table.

Page	Field or property	Setting or action
Welcome to the New Exchange Publishing Rule Wizard	Exchange publishing rule name	Type a name for the Exchange publishing rule. For example, type ActiveSync Clients.
Select Services	Exchange version	Select Exchange Server 2003, Exchange Server 2007 or Exchange Server 2010.
	Web client mail services	Select Exchange ActiveSync.
Publishing Type		Select Publish a single Web site or load balancer. The other options are beyond the scope of this procedure.
Server Connection Security		Select Use SSL to connect the published Web server or Web farm. This option requires installation on each Exchange front-end server of an SSL server certificate for which the host name specified as the internal site name in the Issued To field.
Internal Publishing Details	Internal site name	Type the host name that Forefront TMG will use in HTTP request messages sent to the published server. If the internal site name specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use a computer name or IP address to connect to the published server, and type the resolvable computer name or IP address of the published server.
Public Name Details	Accept requests for	Select This domain name (type below).
	Public name	Type the public fully qualified domain name (FQDN) or IP address that external users will use to access the published Exchange ActiveSync site.
Select Web Listener	Web Listener	In the drop-down list, select the Web listener that you created in Step 4. You can then click Edit to modify properties of the Web listener selected.
Authentication Delegation	Select the method used by Forefront TMG to authenticate to the published Web server	For forms-based authentication, select Basic Authentication. For SSL client certificate authentication, select Kerberos constrained delegation.
User Sets	This rule applies to requests from the following user sets	If you are using Windows credentials validation, do not change the default All Authenticated Users. If you are using RADIUS, LDAP, or SecurID validation, you must use a user set that is configured for the applicable namespace.
Completing the New Exchange Publishing Rule Wizard		Review the settings and click Finish.

In the details pane, click the Apply button to save and update the configuration, and then click OK.

Note:
When publishing over SSL, an SSL server certificate that was issued to the host name of the published Web site must be installed in the Personal store for the local computer on the Forefront TMG computer. For more information about obtaining and installing an SSL server certificate, see Configuring server certificates for secure Web publishing. On the Web Listener IP Addresses page of the New Web Listener Wizard, you can also select Default IP addresses for network adapters on this network. If Network Load Balancing is enabled, this option will automatically select the virtual IP address. Otherwise, the default IP address will be automatically selected for each network adapter. If you use RADIUS credentials validation, the Forefront TMG computer must be registered as a RADIUS client on the RADIUS server, and the RADIUS system policy rule must be enabled to allow RADIUS traffic from the Forefront TMG computer (Local Host network) to the Internal network. This rule assumes that the RADIUS server is located in the Internal network. If you select RADIUS, LDAP, or RADIUS OTP credentials validation, you must edit the properties of the Web listener that you create to specify the RADIUS or LDAP servers that will be queried for authentication. Exchange ActiveSync is supported only by Exchange Server 2003 and Exchange Server 2007. Using Exchange ActiveSync, users can synchronize with high levels of security to the Exchange mailboxes from Microsoft Windows Mobile-based devices, such as Windows Mobile 2003 Software for Pocket PC, including Pocket PC Phone Edition, and Windows Mobile 2003 Software for Smartphone. Forefront TMG uses the User-Agent header in a client request to determine the HTML form that will be used in the response returned to the Web browser. The supported types of forms are HTML 4.01, XHTML-MP, and cHTML. When the User-Agent header in the request is not mapped to a format, Forefront TMG falls back to Basic authentication. Users connect with Exchange ActiveSync by opening a URL that typically has the form https://host_name/Microsoft-Server-ActiveSync. You may need to modify the mappings between the paths specified by users and the internal paths on the Paths tab of your Web publishing rule's properties. For more information about other settings in Web publishing rules, see Planning for publishing.

Note:

When publishing over SSL, an SSL server certificate that was issued to the host name of the published Web site must be installed in the Personal store for the local computer on the Forefront TMG computer. For more information about obtaining and installing an SSL server certificate, see Configuring server certificates for secure Web publishing.
On the Web Listener IP Addresses page of the New Web Listener Wizard, you can also select Default IP addresses for network adapters on this network. If Network Load Balancing is enabled, this option will automatically select the virtual IP address. Otherwise, the default IP address will be automatically selected for each network adapter.
If you use RADIUS credentials validation, the Forefront TMG computer must be registered as a RADIUS client on the RADIUS server, and the RADIUS system policy rule must be enabled to allow RADIUS traffic from the Forefront TMG computer (Local Host network) to the Internal network. This rule assumes that the RADIUS server is located in the Internal network.
If you select RADIUS, LDAP, or RADIUS OTP credentials validation, you must edit the properties of the Web listener that you create to specify the RADIUS or LDAP servers that will be queried for authentication.
Exchange ActiveSync is supported only by Exchange Server 2003 and Exchange Server 2007.
Using Exchange ActiveSync, users can synchronize with high levels of security to the Exchange mailboxes from Microsoft Windows Mobile-based devices, such as Windows Mobile 2003 Software for Pocket PC, including Pocket PC Phone Edition, and Windows Mobile 2003 Software for Smartphone.
Forefront TMG uses the User-Agent header in a client request to determine the HTML form that will be used in the response returned to the Web browser. The supported types of forms are HTML 4.01, XHTML-MP, and cHTML. When the User-Agent header in the request is not mapped to a format, Forefront TMG falls back to Basic authentication.
Users connect with Exchange ActiveSync by opening a URL that typically has the form https://host_name/Microsoft-Server-ActiveSync. You may need to modify the mappings between the paths specified by users and the internal paths on the Paths tab of your Web publishing rule's properties.
For more information about other settings in Web publishing rules, see Planning for publishing.

To configure ActiveSync publishing

Related Topics

Concepts