Requirement: publish the intranet Exchange server to the Internet through TMG (Forefront Threat Management Gateway), so that users on the Internet can reach the intranet Exchange server.
Tutorial topology:
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782292rGr.png]
There are four ways to publish an Exchange server to the public network:
1. POP3 and SMTP, plaintext publishing
2. POP3 and SMTP, encrypted publishing
3. OWA publishing in bridging mode
4. OWA publishing in tunnel mode
All four methods use a certificate. Before publishing, you must request a certificate for the Exchange server; otherwise clients will report a certificate error.
How to obtain a certificate:
1. Buy a certificate from a public certificate provider (every client trusts it without installing a root certificate), for example www.verisign.com, www.ssl.com or www.wosign.com.
2. Install the Certificate Services role on an internal server and issue the certificate from that CA (no cost, but clients do not trust it by default).
Exchange server certificate request
In Server Configuration of the Exchange Management Console, select New Exchange Certificate to request an Exchange certificate.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782294D5S.png]
Enter a friendly name.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278230dRZD.png]
This page configures the host name using a wildcard. As long as the second-level domain name is correct, the host name can be anything. A wildcard certificate does not need to be created; creating one is very expensive.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278230i5jZ.png]
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278231o4N3.png]
Set mail.benet.com as the public name.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278232QX5f.png]
Set where the certificate request file is saved.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278233t1cg.png]
Complete the certificate request.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278234o4IX.png]
The saved request file is encrypted using a special encryption algorithm.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782353GCy.png]
Log on to the CA server's web enrollment page to request a certificate.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278236yOcN.png]
Select advanced certificate request.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278236mr36.png]
Select the option to submit a base64-encoded certificate request.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278237lstG.png]
Paste the content of the new Exchange certificate request and select Web Server as the certificate template.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782388KDX.png]
Select the encoding and download the issued certificate.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278238bCd8.png]
In Server Configuration, right-click the certificate you just created and select Complete Pending Request to import the issued certificate into the Exchange server.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278239rsZl.png]
Select the location of the issued Exchange certificate file.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782398pIk.png]
Select Assign Services to Certificate.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782405zRY.png]
Select the server. Because there is only one server, click Next.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278241MfEV.png]
Select the services to assign.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278243L0vd.png]
Complete the wizard.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278244tQUn.png]
The other built-in certificates, apart from the one just configured, can be deleted.
The Exchange certificate service is now configured, and the client can access Exchange by any of the methods.
By default, POP3 must be enabled manually if SSL authentication is not enabled. After SSL authentication is enabled, the POP3 service must be restarted.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278245lO2V.png]
Set SMTP to allow anonymous user access.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_141527824545xB.png]
At this point the client can connect with encryption, but if it does not trust the root CA a certificate error is still reported. The client therefore needs the CA certificate installed in its Trusted Root Certification Authorities store.
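The certificate request, import and service assignment above, together with the POP3 logon mode and the anonymous SMTP setting, can be done in the Exchange Management Shell instead of the console wizards. The following is an added example, not code from the original post; it assumes Exchange 2010, and the C:\certs paths, the organization "O=Benet", the friendly name and the connector identity "EXCH01\Default EXCH01" are placeholders to adjust for your server.

```powershell
# Added example, not part of the original post: the console wizard steps
# as Exchange Management Shell commands (Exchange 2010 assumed).
# Placeholders: the C:\certs paths, "O=Benet", the friendly name and the
# connector identity "EXCH01\Default EXCH01".
$publicName  = 'mail.benet.com'                    # public name from the tutorial
$requestPath = 'C:\certs\mail.benet.com.req'       # placeholder: where the CSR is saved
$issuedPath  = 'C:\certs\mail.benet.com.cer'       # placeholder: file returned by the CA

# 1. New Exchange Certificate wizard: generate the request. The private key
#    is created on this server; only the Base64 request text goes to the CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'Exchange public name' `
    -SubjectName "CN=$publicName,O=Benet,C=CN" `
    -DomainName $publicName `
    -PrivateKeyExportable $true
Set-Content -Path $requestPath -Value $csr
# Paste the contents of $requestPath into the CA web enrollment page
# (advanced request, Base64 encoded, template "Web Server"), then save the
# issued certificate as $issuedPath.

# 2. Complete Pending Request: pair the issued certificate with the key.
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path $issuedPath -Encoding Byte -ReadCount 0))

# 3. Assign Services to Certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services POP,IMAP,SMTP,IIS

# 4. Require a TLS-protected logon for POP3 and restart the service; this is
#    the "SSL authentication" change the tutorial makes. For the plaintext
#    publishing test the tutorial switches this to PlainTextLogin instead.
Set-PopSettings -LoginType SecureLogin
Restart-Service MSExchangePOP3

# 5. Allow anonymous SMTP on the default receive connector so other mail
#    servers can deliver. AnonymousUsers grants submission to local
#    recipients only, not relay to external ones, so this is not an open relay.
Set-ReceiveConnector -Identity 'EXCH01\Default EXCH01' `
    -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers

# 6. Check the result: the new thumbprint should list the assigned services
#    and a sensible expiry date; leftover self-signed certificates can be
#    removed afterwards, as the tutorial notes.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject, NotAfter -AutoSize
```

Keeping the private key on the Exchange server and sending only the request text to the CA is what makes the internal-CA option safe; the remaining gap is client trust, which is why the tutorial has clients import the CA certificate into their trusted root store.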
Plaintext publishing of the Exchange server: POP3 (110) and SMTP (25)
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278246iXXC.png]
To publish POP3 and SMTP, select the first option.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278246YT8c.png]
Select publishing of the plaintext protocols POP3 (110) and SMTP (25).
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278246F6dx.png]
Set the IP address of the Exchange server.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278246Px6l.png]
Specify the external address of the listener.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278246QcaW.png]
After the policy is applied, the unencrypted Exchange server is published and clients can access it.
Test: install the Telnet client feature on the client.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278247yiXr.png]
Make sure the client can resolve the Internet name of TMG (mail.benet.com).
Telnet to port 25 succeeds.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278247FxFE.png]
If port 110 fails, set the POP3 logon type to plain text and restart the POP3 service.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278247ROee.png]
Check that SMTP allows anonymous users.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278247dqp5.png]
Telnet to port 110 now succeeds.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278247cefE.png]
Outlook client test
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278247QyWw.png]
Set the account information and server address.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278248ppHu.png]
Test successful.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278249100c.png]
Encrypted publishing of the Exchange server
First set POP3 on the Exchange server to the encrypted logon mode and restart the service after the change.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278249bgKd.png]
Create a mail server publishing rule.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278249MkzO.png]
Select the published ports: the secure POP3 and SMTP ports.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278249A5Dx.png]
Set the address of the Exchange server.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278249jZQd.png]
Set the external address for the listener.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278250axdp.png]
Apply the policy.
The encrypted POP3 port defined by the TMG server is 995.
The encrypted SMTP port defined by the TMG server is 465, but the encrypted SMTP port of the Exchange server is 587.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278251IKM9.png]
When the client tests the Exchange server, POP3 port 995 is open.
However, the client tests of port 465 (the TMG and Exchange ports differ) and port 587 (not enabled on TMG) both fail to connect.
In this case, the TMG firewall policy must be changed so that the SMTP port TMG listens on is 587.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278251DrUW.png]
The client can then connect on port 465.
Set the server port number in Outlook.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278252fQ9i.png]
If you do not want to, or cannot, change the port, you can set the receiving port on the TMG server to 25, forwarding port 25 to port 587.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_14152782524AZD.png]
Test passed.
[Screenshot: http://img1.51cto.com/attachment/201411/6/8809812_1415278252Uvjz.png]
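The telnet checks in the plaintext section and the 995/465/587 port tests in this section can be done with one script that also shows the certificate each encrypted port presents, which telnet cannot. This is an added example, not code from the original post; it assumes the public name mail.benet.com from the tutorial and a Windows client with PowerShell 2.0 or later, and "client.example" is a placeholder EHLO name. It is relevant to the port mismatch described above that 465 is implicit TLS (the TLS handshake happens first), while Exchange's 587 client connector starts in plaintext and upgrades with the STARTTLS command, so the script tests those two ports differently.

```powershell
# Added example, not part of the original post: a client-side check of the
# ports TMG publishes. Assumes mail.benet.com (from the tutorial); run from
# an Internet-side Windows client. No logon is attempted; it only tests
# reachability, reads the banner and reports the certificate on TLS ports.
param(
    [string]$MailHost = 'mail.benet.com'
)

# Port plan from the tutorial. 465 is implicit TLS (SMTPS as TMG defines it);
# 587 is Exchange's client connector, plaintext first, then STARTTLS.
$checks = @(
    @{ Port = 25;  Mode = 'plain'    },  # SMTP, plaintext publishing
    @{ Port = 110; Mode = 'plain'    },  # POP3, plaintext publishing
    @{ Port = 995; Mode = 'tls'      },  # POP3 over TLS, encrypted publishing
    @{ Port = 465; Mode = 'tls'      },  # SMTP over TLS as TMG defines it
    @{ Port = 587; Mode = 'starttls' }   # SMTP submission as Exchange defines it
)

function Read-Line([System.IO.StreamReader]$Reader) {
    # EHLO replies span several "250-" lines; return the final "250 " line.
    $line = $null
    do { $line = $Reader.ReadLine() } while ($line -ne $null -and $line -match '^\d{3}-')
    return $line
}

function Get-CertificateSummary([System.Net.Security.SslStream]$Ssl) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Ssl.RemoteCertificate
    return ('subject={0} expires={1:yyyy-MM-dd} issuer={2}' -f $cert.Subject, $cert.NotAfter, $cert.Issuer)
}

foreach ($c in $checks) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($MailHost, $c.Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        switch ($c.Mode) {
            'plain' {
                $reader = New-Object System.IO.StreamReader $stream
                "{0,4} open   banner: {1}" -f $c.Port, $reader.ReadLine()
            }
            'tls' {
                # Implicit TLS: handshake first, then the banner arrives.
                # Certificate validation stays on, so an untrusted internal CA
                # fails here exactly as it would in Outlook (see the root CA note).
                $ssl = New-Object System.Net.Security.SslStream $stream, $false
                $ssl.AuthenticateAsClient($MailHost)
                $reader = New-Object System.IO.StreamReader $ssl
                "{0,4} open   {1}; banner: {2}" -f $c.Port, (Get-CertificateSummary $ssl), $reader.ReadLine()
            }
            'starttls' {
                $reader = New-Object System.IO.StreamReader $stream
                $writer = New-Object System.IO.StreamWriter $stream
                $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
                $null = $reader.ReadLine()             # 220 greeting
                $writer.WriteLine('EHLO client.example')  # placeholder client name
                $null = Read-Line $reader              # consume the capability list
                $writer.WriteLine('STARTTLS')
                $reply = $reader.ReadLine()
                if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }
                $ssl = New-Object System.Net.Security.SslStream $stream, $false
                $ssl.AuthenticateAsClient($MailHost)
                "{0,4} open   STARTTLS ok; {1}" -f $c.Port, (Get-CertificateSummary $ssl)
            }
        }
    } catch {
        "{0,4} FAILED {1}" -f $c.Port, $_.Exception.Message
    } finally {
        $client.Close()
    }
}
```

Reading the output against the tutorial: ports 25 and 110 should only show a banner while plaintext publishing is in place; 995 should report a certificate whose subject is the public name; a FAILED line on 465 or 587 with a connection error points at the TMG listener, while a FAILED line mentioning the remote certificate points at the client's missing root CA rather than at TMG.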
Follow-up article: http://wangjunkang.blog.51cto.com/8809812/1573844
This article is from the "plum blossom from bitter cold" blog; please keep this link: http://wangjunkang.blog.51cto.com/8809812/1573842
Public network publishing of Exchange Server