Thursday, December 22, 2011

Hybrid Office 365 Deployment with Threat Management Gateway

After working with a Hybrid Office 365 deployment with Threat Management Gateway performing SSL offloading to an Exchange 2010 SP2 hybrid server for one of my customers I experienced a number of gotcha's which are not documented.

MRSProxy with SSL Offloading

The first issue was with MRSProxy. I found out the hard way that MRSProxy "/EWS/mrsproxy.svc" does not support SSL offloading. The MRSProxy connection must hit the Exchange 2010 Client Access Server on TCP443 using a secure SSL connection. When using SSL offloading with Forefront Threat Management Gateway as soon as unsecure HTTP port 80 connections were passed to MRSProxy on the Exchange 2010 Hybrid server we were receiving was (404) Not Found in the IIS logs.

We created a separate TMG firewall rule with a path rule of "/EWS/mrsproxy.svc" which is processed before our Hybrid firewall rule. This path rule re-encrypts and forwards to the Hybird server on TCP443. All other connections come through on TCP80.

Free/Busy with Office 365

The second issue was with free/busy. Users on-premises were able to view Free/Busy for users in Office 365, however users in Office 365 were unable to view Free/Busy for users on-premises. This was caused by the Web Listener being configured for Basic or Windows Integrated authentication. Free/Busy over an Organization Relationship uses Microsoft.Web.Services.SoapContext to authenticate free/busy... in other words the authentication is handled by the .NET framework. Threat Management Gateway must pass through authentication requests to /EWS/*. Setting the TMG listener to No Authentication achieves this.


  1. Thanks for sharing, good information.
    Did you try out Lync via the same publishing rule?

  2. My client did not deploy lync. The MRSProxy SSL offloading issue is being worked on by the product team and a fix should be coming soon. Will post it up when available.

  3. Hi Clint, had you performed the config change to the web.config as per the wiki?

    How did you come to determine that SSL offloading is not supported for MRSProxy? I am also unable to get it to work with the changes in the wiki. I'm running Exchange 2010 SP2 RTM (fresh install) An error is logged in the event log that "the response message must be protected" and a 500 internal server error is returned to the move request from Office 365.

  4. Hi Steve,

    I posted this before the information was made available in the wiki link you provided. I logged the bug with Ben Appleby who works in the Exchange team. They then got this information published..

    Thanks for your post.

    Kind Regards,