Before you publish Exchange services through Forefront Unified Access Gateway (UAG), make sure you are familiar with the following:

Known issues and limitations

  • When publishing Outlook Web Access using pass-through authentication, there is no pre-authentication to the Forefront UAG portal.

  • When publishing Outlook Web Access, if the trunk through which you publish Outlook Web Access does not use Basic or NTLM/KCD authentication, you must define Outlook Web Access as the site’s initial application.

  • If you set the Outlook Web Access application as the portal home page and the Exchange server is running Exchange 2007, end users who access Outlook Web Access from Windows Internet Explorer browsers can choose whether to use Outlook Web Access Light or Outlook Web Access Premium. Users of other browsers are required to use Outlook Web Access Light.

  • You cannot apply an Outlook Web Access look and feel to the portal's logon and logoff pages when publishing Exchange 2003.

  • When publishing Outlook Web Access on Forefront UAG SP1, you can use only NTLM or Basic authentication for single sign on (SSO) to the Exchange Client Access server.

    On Forefront UAG prior to SP1, the Forefront UAG Management console allowed you to configure forms-based authentication to perform SSO to Outlook Web Access by selecting either HTML form or Both on the Authentication tab of the Application Properties dialog box. However, this was not a supported configuration. Forefront UAG SP1 does not allow this unsupported configuration and requires that you configure the authentication as 401 request. Therefore, you must also configure the Exchange Client Access server to use NTLM or Basic authentication. If you installed SP1 on a server with this unsupported configuration and attempt to edit the application, Forefront UAG changes the application to use Basic authentication.

  • When publishing Exchange ActiveSync, increasing the session timeout may result in disconnected sessions remaining active on the server, and affect performance.

  • If you publish Exchange services and SharePoint applications on the same Forefront UAG portal, make sure that any user agents that are used by your Exchange services are set not to use Microsoft Office Forms Based Authentication (MSOFBA). For information, see Customizing user agents for rich clients.

About server certificates

When you publish Exchange services through Forefront UAG, you can use a server certificate or an Exchange certificate to ensure secure communications between the Forefront UAG server and the Exchange Client Access server.

Note:
If you are using an HTTP connection between Forefront UAG and the Exchange Client Access server, you do not need a certificate. Forefront UAG does not support certificates with four-level domain names; for example, mail.exchange.contoso.com.

You can choose to install a server certificate or an Exchange certificate, as follows:

Important:
In both of the following cases, Forefront UAG must trust the certificate installed on the Exchange Client Access server or the connection will fail.
  • Install a server certificate on the Exchange Client Access server and on the Forefront UAG server—This certificate can be from an internal certification authority (CA) and does not need to be purchased from a public CA.

    Certificates issued by an internal CA are not trusted Secure Sockets Layer (SSL) certificates. However, if the Forefront UAG server and the Exchange Client Access server are part of the same domain, a certificate issued by an internal CA is trusted by the Forefront UAG server.

    If you install a certificate from a trusted CA on the Client Access server, you must provide the fully qualified domain name (FQDN) when you obtain the certificate. The FQDN must match the name by which Forefront UAG connects to the Client Access server, such as: www.contoso.com.

    Note:
    To ensure a successful connection between the Forefront UAG server and the Client Access server, the Forefront UAG server must use the same FQDN as the FQDN used to create the certificate. The certificate that you use can be a wildcard certificate.
  • Install the Exchange certificate on the Forefront UAG server—When you install Exchange, you can install a default SSL certificate that is created by Exchange Setup. You can install this certificate on the Forefront UAG server. Note that this certificate is not a trusted SSL certificate.
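Both conditions above (the Forefront UAG server must trust the certificate, and the FQDN it connects with must match the certificate name) can be checked from the Forefront UAG server before publishing. The following PowerShell script is an added example, not part of the Forefront UAG documentation or product; the function name, the host name cas01.corp.contoso.com and port 443 are assumptions.

```powershell
# Added example (not from the Forefront UAG documentation): connects to the
# Exchange Client Access server over SSL and reports whether the certificate it
# presents chains to a CA trusted by this server and whether its name matches
# the FQDN that Forefront UAG uses for the connection. Wildcard certificates
# pass the name check, as the documentation above allows.
function Test-CasCertificate {
    param(
        [string]$CasFqdn = 'cas01.corp.contoso.com',   # assumed; use the FQDN UAG connects with
        [int]$Port = 443                               # assumed
    )

    # The validation callback receives the policy errors .NET found; record
    # them and accept the handshake so that the certificate can be inspected.
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($CasFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is what the certificate name is checked against,
        # so it must be the same FQDN that Forefront UAG uses.
        $ssl.AuthenticateAsClient($CasFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
    } finally {
        $tcp.Close()
    }

    $errors = [int]$script:policyErrors
    $chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $nameFlag  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        ChainTrusted = (($errors -band $chainFlag) -eq 0)   # false: UAG will not trust it
        NameMatches  = (($errors -band $nameFlag) -eq 0)    # false: FQDN does not match
    }
}

Test-CasCertificate | Format-List
```

Run it on the Forefront UAG server itself, since trust depends on that server's certificate store; if either ChainTrusted or NameMatches is False, the connection to the Client Access server will fail until the certificate or the FQDN is corrected.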

Note:
To allow testing of your deployment before using a server certificate, an Exchange certificate, or purchasing a trusted certificate, make the following changes to the registry to allow communication between Forefront UAG and the Exchange Client Access server:
  1. Open the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\Comm\SSL.

  2. Set the registry values ‘ValidateRwsCert’ and ‘ValidateRwsCertCRL’ under that key to zero.

  3. Restart Internet Information Services (IIS) on the Forefront UAG server.