Before you publish Exchange services through Forefront Unified Access Gateway (UAG), make sure you are familiar with the following:
- Known issues and limitations—Describes the known issues and limitations that you may encounter when publishing Exchange services through Forefront UAG.
- About server certificates—Describes the server certificate requirements for securing communications between the Exchange Client Access server and Forefront UAG.
Known issues and limitations
- When publishing Outlook Web Access using pass-through authentication, there is no pre-authentication to the Forefront UAG portal.
- When publishing Outlook Web Access, if the trunk through which you publish Outlook Web Access does not use Basic or NTLM/KCD authentication, you must define Outlook Web Access as the site's initial application.
- If you set the Outlook Web Access application as the portal home page and the Exchange server is running Exchange 2007, end users who access Outlook Web Access from Windows Internet Explorer browsers can choose whether to use Outlook Web Access Light or Outlook Web Access Premium. Users of other browsers are required to use Outlook Web Access Light.
- You cannot apply an Outlook Web Access look and feel to the portal's logon and logoff pages when publishing Exchange 2003.
- When publishing Outlook Web Access on Forefront UAG SP1, you can use only NTLM or Basic authentication for single sign-on (SSO) to the Exchange Client Access server.
  On Forefront UAG prior to SP1, the Forefront UAG Management console allowed you to configure forms-based authentication to perform SSO to Outlook Web Access by selecting either HTML form or Both on the Authentication tab of the Application Properties dialog box. However, this was not a supported configuration. Forefront UAG SP1 does not allow this unsupported configuration and requires that you configure the authentication as 401 request. Therefore, you must also configure the Exchange Client Access server to use NTLM or Basic authentication. If you installed SP1 on a server with this unsupported configuration and attempt to edit the application, Forefront UAG changes the application to use Basic authentication.
- When publishing Exchange ActiveSync, increasing the session timeout may result in disconnected sessions remaining active on the server, and affect performance.
- If you publish Exchange services and SharePoint applications on the same Forefront UAG portal, make sure that any user agents that are used by your Exchange services are set not to use Microsoft Office Forms Based Authentication (MSOFBA). For information, see Customizing user agents for rich clients.
About server certificates
When you publish Exchange services through Forefront UAG, you can use a server certificate or an Exchange certificate to ensure secure communications between the Forefront UAG server and the Exchange Client Access server.
Note: If you are using an HTTP connection between Forefront UAG and the Exchange Client Access server, you do not need a certificate. Forefront UAG does not support certificates with four-level domain names; for example, mail.exchange.contoso.com.
You can choose to install a server certificate or an Exchange certificate, as follows:
Important: In both of the following cases, Forefront UAG must trust the certificate installed on the Exchange Client Access server or the connection will fail.
- Install a server certificate on the Exchange Client Access server and on the Forefront UAG server—This certificate can be from an internal certification authority (CA) and does not need to be purchased from a public CA.
  Certificates issued by an internal CA are not trusted Secure Sockets Layer (SSL) certificates. However, if the Forefront UAG server and the Exchange Client Access server are part of the same domain, a certificate issued by an internal CA is trusted by the Forefront UAG server.
  If you install a certificate from a trusted CA, when you obtain the certificate on the Client Access server, you must also provide the fully qualified domain name (FQDN). The FQDN must match the name by which Forefront UAG connects to the Client Access server, such as www.contoso.com.
  Note: To ensure a successful connection between the Forefront UAG server and the Client Access server, the Forefront UAG server must use the same FQDN as the FQDN used to create the certificate. The certificate that you use can be a wildcard certificate.
- Install the Exchange certificate on the Forefront UAG server—When you install Exchange, you can install a default SSL certificate that is created by Exchange Setup. You can install this certificate on the Forefront UAG server. Note that this certificate is not a trusted SSL certificate.
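The two conditions above (the certificate name must match the FQDN Forefront UAG uses for the Client Access server, wildcards allowed, and the Forefront UAG server must trust the issuing CA) can be verified from the Forefront UAG server before you publish the application. The following PowerShell script is an added example and is not part of the Forefront UAG documentation or product. It assumes you run it on the Forefront UAG server (so the chain is evaluated against that server's trust store); the value of $CasFqdn is a placeholder to replace with the name configured for the Client Access server, and port 443 is assumed. The four-level-name check reflects the note earlier in this topic.

```powershell
# Added example, not from the Forefront UAG documentation. Run on the Forefront UAG server.
# Retrieves the certificate the Exchange Client Access server presents and reports whether
# (a) one of its DNS names matches the FQDN UAG uses (wildcard allowed) and
# (b) it chains to a CA that this server trusts. Both must hold or the connection fails.
param(
    [string]$CasFqdn = 'mail.contoso.com',   # assumed placeholder: the FQDN configured in UAG
    [int]$Port = 443                          # assumed: HTTPS port of the Client Access server
)

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject Alternative Name extension (OID 2.5.29.17); Format() yields "DNS Name=host, DNS Name=host2"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    # No SAN present: fall back to the subject common name
    if ($names.Count -eq 0) {
        $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    return $names
}

function Test-DnsNameMatch {
    param([string]$CertName, [string]$Fqdn)
    if ($CertName.StartsWith('*.')) {
        # A wildcard covers exactly one label: *.contoso.com matches mail.contoso.com,
        # but neither contoso.com nor a.mail.contoso.com
        $certLabels = $CertName -split '\.'
        $fqdnLabels = $Fqdn -split '\.'
        if ($certLabels.Count -ne $fqdnLabels.Count) { return $false }
        $certSuffix = $certLabels[1..($certLabels.Count - 1)] -join '.'
        $fqdnSuffix = $fqdnLabels[1..($fqdnLabels.Count - 1)] -join '.'
        return ($certSuffix -ieq $fqdnSuffix)
    }
    return ($CertName -ieq $Fqdn)
}

function Test-CasCertificate {
    param([string]$Fqdn, [int]$Port)

    # Complete a TLS handshake to obtain the server certificate. The callback accepts any
    # certificate so the handshake finishes; trust is evaluated explicitly below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Chain check against this server's certificate stores (internal CA in the same domain
    # passes here only if its root is actually trusted by this machine)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $dnsNames = Get-CertificateDnsNames -Cert $cert
    $nameMatch = $false
    foreach ($n in $dnsNames) {
        if (Test-DnsNameMatch -CertName $n -Fqdn $Fqdn) { $nameMatch = $true }
    }

    # The topic states UAG does not support four-level names such as mail.exchange.contoso.com
    $fourLevel = (($Fqdn -split '\.').Count -ge 4)

    New-Object PSObject -Property @{
        Fqdn          = $Fqdn
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        DnsNames      = ($dnsNames -join ', ')
        NameMatches   = $nameMatch
        ChainTrusted  = $trusted
        ChainErrors   = $chainErrors
        FourLevelName = $fourLevel
        Ready         = ($nameMatch -and $trusted -and -not $fourLevel)
    }
}

Test-CasCertificate -Fqdn $CasFqdn -Port $Port | Format-List
```

If NameMatches is false, the certificate was issued for a different name than the one UAG uses; reissue it with the correct FQDN (or a matching wildcard) rather than changing the UAG setting to fit. If ChainTrusted is false with a status such as UntrustedRoot, the issuing CA's root certificate is not in the Forefront UAG server's Trusted Root Certification Authorities store, which is the case the Important note above describes.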
Note: To allow testing of your deployment before using a server certificate, an Exchange certificate, or purchasing a trusted certificate, make the following changes to the registry to allow communication between Forefront UAG and the Exchange Client Access server: