Outlook Anywhere and Autodiscover don't work when Published through Forefront Unified Access Gateway (UAG)

 

Recently I worked on an issue where we were unable to access Outlook Anywhere and Autodiscover from external Outlook clients. These Exchange services were published through Forefront Unified Access Gateway (UAG).

So, as usual, we collected the UAG trace from the UAG server. For those who are not aware of how to collect a UAG trace, please follow the post below from my colleague Ben:

https://blogs.technet.com/b/ben/archive/2010/09/03/uag-tracing-made-simple.aspx 

Then we started looking through the UAG trace for the Outlook Anywhere traffic, as that is what we tried while collecting the trace. Outlook Anywhere traffic has a request URL like the one below:

https://Mail.Contoso.Com/rpc/rpcproxy.dll

 

When we looked for the traffic for the above request in the trace, we could see it failing with the error below:

[Screenshots: UAG trace entries for the rpcproxy.dll request, showing Error 23]

As you can see above, UAG is trying to match this RpcProxy URL with an application whose name starts with Cloud and whose application type is Some Corp App. This does not look like an Outlook Anywhere application type, which typically looks like this:

[Screenshot: the Outlook Anywhere application type]

So it looked like the Cloud application was some other application and not the Outlook Anywhere application. When we went back and checked the UAG configuration, that turned out to be the case. The Cloud app was another app published on UAG above the Outlook Anywhere app. Because our RpcProxy traffic was being matched with the wrong app, we got Error 23 in the UAG trace, as shown in the screenshots above.

When we looked at the Cloud app on the UAG trunk, we could see that it was also pointing to the same CAS server as the Outlook Anywhere rule, and that it was allowing everything because it had '/' in the Paths Allowed.

This meant that any traffic for the CAS server would hit that app, because it was at the top and UAG checks the web server name, path and port number, in order, to match the incoming traffic with a particular application.

So, we moved the Outlook Anywhere app above the Cloud app in the trunk and then activated the UAG configuration. After that, when we tried connecting to Outlook Anywhere, we could connect successfully and download email as well.
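A simplified model of the ordering problem described above, as an added example that is not part of the original post and is not UAG's own matching code: applications are tried top to bottom, and the first one whose web server, port and allowed path cover the request wins. The backend name `cas01.contoso.example`, the application name `Cloud app` and the prefix matching of paths are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    server: str    # backend web server the application points to
    port: int
    paths: tuple   # allowed path prefixes, e.g. ("/rpc/",) or ("/",)

def covers(prefix, path):
    """Assumed model of 'Paths Allowed': case-insensitive prefix match."""
    return path.lower().startswith(prefix.lower())

def same_backend(a, server, port):
    return a.server.lower() == server.lower() and a.port == port

def match(trunk, server, port, path):
    """Return the first application, in trunk order, that claims the request."""
    for app in trunk:
        if same_backend(app, server, port) and any(covers(p, path) for p in app.paths):
            return app
    return None

def shadowed(trunk):
    """Return (lower_app, upper_app) pairs where every path of lower_app is
    already claimed by an application above it for the same backend."""
    findings = []
    for i, low in enumerate(trunk):
        for up in trunk[:i]:
            if same_backend(up, low.server, low.port) and all(
                    any(covers(u, l) for u in up.paths) for l in low.paths):
                findings.append((low.name, up.name))
                break
    return findings

# Constructed sample data: a catch-all app and the Outlook Anywhere app
# both pointing at the same CAS server.
CLOUD = App("Cloud app", "cas01.contoso.example", 443, ("/",))
OA = App("Outlook Anywhere", "cas01.contoso.example", 443, ("/rpc/",))
BEFORE = [CLOUD, OA]   # order that produced the failure
AFTER = [OA, CLOUD]    # order after the fix

if __name__ == "__main__":
    for label, trunk in (("before", BEFORE), ("after", AFTER)):
        hit = match(trunk, "cas01.contoso.example", 443, "/rpc/rpcproxy.dll")
        print(label, "->", hit.name, "| shadowed:", shadowed(trunk))
```

Running `shadowed()` over an exported list of trunk applications flags any app that can never receive traffic because a broader app sits above it, which is also a quick way to spot `/` catch-all entries worth tightening.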

Then we tried to connect using Autodiscover from the same Outlook client, but that was still failing. We tested the connectivity for Autodiscover using the “Test E-mail AutoConfiguration” option, which we get by pressing the Control key on the keyboard and right-clicking the Outlook icon in the bottom right-hand corner of the taskbar:

[Screenshots: the “Test E-mail AutoConfiguration” option in Outlook]

But when we performed the above test for Autodiscover, it failed with the error “0x800c8204”. So we again gathered the UAG trace while running the test, and this time when we analysed the trace we could see the error below:

[Screenshot: UAG trace entry showing Error 21]

As you can see above, this time we are getting Error 21. Error 21 means that “The URL contains an invalid path”.

For a detailed list of the UAG error codes, please refer to the post below:

https://blogs.technet.com/b/ben/archive/2012/11/06/uag-error-codes.aspx

So it appeared that UAG did not have a proper rule set allowing the Autodiscover traffic. We checked the UAG configuration in the trunk properties, in the location shown below, and found that we did not have the Autodiscover rule outlined there, which is required for Autodiscover to work through UAG:

[Screenshot: trunk properties, URL Sets tab, with the Autodiscover rule outlined]

We went ahead and added that rule for Autodiscover under the URL Sets tab and activated the UAG configuration. After that, when we tried to access Autodiscover, it worked fine, and we got a successful result in the “Test E-mail AutoConfiguration” option as well.

AUTHOR

NITIN SINGH

SUPPORT ESCALATION ENGINEER, FOREFRONT EDGE SECURITY, MICROSOFT