Exchange / UAG – Exchange publication using ForeFront UAG

If you have published your Exchange 2010 services (OWA, Outlook Anywhere, EAS…) using ForeFront Unified Access Gateway (ForeFront UAG), you may have trouble with Outlook Anywhere after deploying Service Pack 1 for Exchange.

Indeed, Exchange Web Services and the Autodiscover service may no longer work for clients connecting remotely.

The first thing to check is whether Basic authentication is enabled on the Autodiscover virtual directory.

  • Get-AutodiscoverVirtualDirectory | fl >>> BasicAuthentication : True

Don’t change the settings for EWS; the authentication providers enabled should be BasicAuthentication and WindowsAuthentication. If you disable WindowsAuthentication for EWS, you will experience some issues with OWA.

The second thing is new with Exchange 2010 SP1.

You have to check whether EWS and Outlook are enabled at the organization level; by default, these attributes are not set, even if you have already configured the associated services.

  • get-organizationconfig | fl

EwsEnabled                                                :
EwsAllowOutlook                                           :
EwsAllowMacOutlook                                        :
EwsAllowEntourage                                         :
EwsApplicationAccessPolicy                                :
EwsAllowList                                              :
EwsBlockList                                              :


To set these attributes, run Set-OrganizationConfig -<attribute> <value>, replacing <attribute> with the attribute name and <value> with an accepted value:

| Attribute | Description | Value |
|---|---|---|
| EWSAllowEntourage | Specifies whether to allow or disallow Entourage 2008 for Mac, Web Services Edition to access Exchange Web Services for the user. Note that Entourage 2008 uses EWS exclusively, so this parameter can be used to block Entourage 2008. | $True or $False |
| EWSAllowList | Specifies the applications, as identified by user agent strings, that can access Exchange Web Services when the EWSApplicationAccessPolicy parameter is set to EnforceAllowList. | |
| EWSAllowMacOutlook | Specifies whether to allow or disallow Outlook for Mac to access Exchange using EWS. Future versions of Outlook for Mac will use EWS exclusively. | $True or $False |
| EWSAllowOutlook | Specifies whether to allow or disallow Outlook 2007 to access Exchange Web Services for the user. Outlook uses Exchange Web Services for free/busy, OOF, and calendar sharing. | $True or $False |
| EWSApplicationAccessPolicy | Specifies which applications other than Entourage, Outlook for Mac 2011 and Outlook can access Exchange Web Services. If set to EnforceAllowList, only applications specified in the EWSAllowList parameter are allowed access to Exchange Web Services. If set to EnforceBlockList, every application is allowed access to Exchange Web Services except the ones specified in the EwsBlockList parameter. | EnforceAllowList |
| EWSBlockList | Specifies the applications (user agent strings) that can’t access Exchange Web Services when the EWSApplicationAccessPolicy parameter is set to EnforceBlockList. | |
| EWSEnabled | Specifies whether to globally enable or disable Exchange Web Services access for a user, regardless of which application is making the request. When the EWSEnabled parameter is set to $false, Exchange Web Services access is turned off regardless of the values of the EWSAllowEntourage parameter. | $True or $False |
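
The checks and the change described above, combined into one Exchange Management Shell script (an added example, not part of the original post). It assumes that every client flag still empty should be enabled; the variable names are illustrative, and Get-WebServicesVirtualDirectory is used for the EWS check although the post does not show it.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010 SP1.

# 1. Autodiscover: list virtual directories where Basic authentication is off.
Get-AutodiscoverVirtualDirectory |
    Where-Object { -not $_.BasicAuthentication } |
    Format-List Server, Name, BasicAuthentication

# 2. EWS: Basic and Windows authentication should both stay enabled.
#    Anything listed here deviates from that.
Get-WebServicesVirtualDirectory |
    Where-Object { -not ($_.BasicAuthentication -and $_.WindowsAuthentication) } |
    Format-List Server, Name, BasicAuthentication, WindowsAuthentication

# 3. Organization level: find the EWS client flags that are still empty.
$org   = Get-OrganizationConfig
$flags = 'EwsEnabled', 'EwsAllowOutlook', 'EwsAllowMacOutlook', 'EwsAllowEntourage'
$unset = @($flags | Where-Object { $null -eq $org.$_ })
"Unset EWS attributes: $($unset -join ', ')"

# 4. Set only the empty flags, so a value someone deliberately set to
#    $false is not overwritten. Assumption: empty flags should be $true.
$params = @{}
foreach ($name in $unset) { $params[$name] = $true }
if ($params.Count -gt 0) {
    Set-OrganizationConfig @params
}

# 5. Confirm the result, including the access policy and its lists.
Get-OrganizationConfig | Format-List Ews*
```

Steps 1 and 2 print nothing when the virtual directories are already configured as the post recommends.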
