Cross-Forest Free/Busy without Federation

30 Nov

We want to share the GAL between two untrusted Active Directory forests, each with its own Exchange organization. We do this with NETsec's GALsync software.
Additionally we want to share Free/Busy information without configuring Microsoft Federation (via the Microsoft Federation Gateway), and without using the Free/Busy feature of GALsync.

In this article I describe the procedure for providing Free/Busy in this way.

High-Level-Steps

  1. Exchange Web Services (EWS) is published on the Internet (SAN certificates and Autodiscover work properly)
  2. Create a proxy account without a mailbox in each forest
  3. Run Add-AvailabilityAddressSpace and Set-AvailabilityConfig in each forest
  4. Synchronize the objects with GALsync
  5. With Outlook / OWA, invite people in the other forest using their Free/Busy information

The test environment I use for this procedure has no Internet access. Therefore I use self-signed certificates.

Used machines and accounts

name                          function                       ip
ADC.foresta.com               DC / DNS / Exchange 2010 SP2   172.20.25.100
AGS.foresta.com               GALsync server                 172.20.25.101
ClientForestA.foresta.com     Outlook 2010 client            172.20.25.104

BDC.forestb.com               DC / DNS / Exchange 2010 SP2   172.20.25.102
BGS.forestb.com               GALsync server                 172.20.25.103
ClientForestB.forestb.com     Outlook 2010 client            172.20.25.105


name                                        function          permissions
foresta.com\freebusy\freebusy               proxy account     domain user
foresta.com\users\GALsync                   service account   see the GALsync manual
foresta.com\freebusy\freebusytest1foresta   test user         domain user
foresta.com\freebusy\freebusytest2foresta   test user         domain user
forestb.com\freebusy\freebusy               proxy account     domain user
forestb.com\users\GALsync                   service account   see the GALsync manual
forestb.com\freebusy\freebusytest1forestb   test user         domain user
forestb.com\freebusy\freebusytest2forestb   test user         domain user

Trust: there is no trust between the forests in this setup. The procedure works the same way if a trust exists; it is not needed for it.

Configure send connectors and receive connectors

Send connectors and receive connectors are already in place, and mail flows between both organizations.

Configure SAN certificates

I create self-signed SAN certificates for my non-public test environment.

Link: http://blog.exchange-addict.com/2012/11/cross-forest-freebusy-simple-version_13.html

  • selfssl7.exe /N cn=autodiscover.foresta.com;cn=adc.foresta.com;cn=adc /K 1024 /V 18250 /X /F c:\exchangeForesta.pfx /W passwort /Q
  • selfssl7.exe /N cn=autodiscover.forestb.com;cn=bdc.forestb.com;cn=bdc /K 1024 /V 18250 /X /F c:\exchangeForestb.pfx /W passwort /Q

The autodiscover.<forest> name must be among the names after /N, because that is the host name the other forest's CAS connects to and validates the certificate against. /K 1024 and /V 18250 (a 1024-bit RSA key valid for 50 years) are acceptable only in a lab; for anything reachable from outside, use at least a 2048-bit key and a certificate from a CA that both forests already trust.


Import certificates

Export only the public part of each certificate (a .cer file, without the private key) for distribution to the other forest and the clients; the PFX with the private key stays on the Exchange server it was created for.

ForestA certificate:
  • ADC: computer account, Trusted Root CA container
  • BDC: computer account, Trusted Root CA container
  • ClientForestA: current user, Trusted Root CA container

ForestB certificate:
  • ADC: computer account, Trusted Root CA container
  • BDC: computer account, Trusted Root CA container
  • ClientForestB: current user, Trusted Root CA container

Exchange (via EMC)

  • Import the certificate (the PFX created above, on its own server: exchangeForesta.pfx on ADC, exchangeForestb.pfx on BDC)
  • Assign the certificate to the IIS service

Configure the HOSTS file

  • BDC: 172.20.25.100  AUTODISCOVER.foresta.com
  • ADC: 172.20.25.102  AUTODISCOVER.forestb.com
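As an added example (not from the original post, and not part of Exchange or GALsync), the following PowerShell script does the certificate import and the HOSTS entry for one peer on one CAS, and then checks that the resulting TLS trust actually works without switching certificate validation off. It assumes the defaults below for the ADC side: the public certificate of forestB was exported from exchangeForestb.pfx as C:\exchangeForestb.cer, and the peer name and IP are the ones from the tables above. Run it elevated; for BDC swap the parameters to the forestA values.

```powershell
# Added example, not from the original post. Imports the peer forest's public
# certificate into LocalMachine\Root, adds the HOSTS entry, and proves the trust
# by connecting to the peer's Autodiscover name with normal validation enabled.
# Assumed values: C:\exchangeForestb.cer, autodiscover.forestb.com, 172.20.25.102.
param(
    [string]$CerPath   = 'C:\exchangeForestb.cer',
    [string]$HostName  = 'autodiscover.forestb.com',
    [string]$IpAddress = '172.20.25.102'
)

function Import-PeerRootCert {
    param([string]$Path)
    # Only a .cer (public key) is imported; the peer's PFX must never be copied here.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.HasPrivateKey) { throw "$Path contains a private key; export the public certificate only" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    $store.Close()
    return $cert.Thumbprint
}

function Add-HostsEntry {
    param([string]$Ip, [string]$Name)
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Idempotent: only append if an identical mapping is not already present.
    if (-not (Select-String -Path $hosts -Pattern "^\s*$Ip\s+$Name\s*$" -Quiet)) {
        Add-Content -Path $hosts -Value "$Ip`t$Name"
    }
}

function Test-TlsTrust {
    param([string]$Name, [string]$ExpectedThumbprint)
    # No validation callback that returns $true: .NET checks the chain (now anchored
    # in LocalMachine\Root) and the host name, and throws if either is wrong.
    $client = New-Object System.Net.Sockets.TcpClient($Name, 443)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Name)      # throws AuthenticationException on failure
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        # Pin to the thumbprint we just imported so a different self-signed cert
        # that merely carries the same name does not pass.
        return ($remote.Thumbprint -eq $ExpectedThumbprint)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

$thumb = Import-PeerRootCert -Path $CerPath
Add-HostsEntry -Ip $IpAddress -Name $HostName
if (Test-TlsTrust -Name $HostName -ExpectedThumbprint $thumb) {
    Write-Host "TLS to $HostName is trusted and matches $thumb"
} else {
    Write-Warning "$HostName presented a certificate other than the one in $CerPath"
}
```

If AuthenticateAsClient throws, the cause is almost always that the host name is not among the names given to /N above or that the certificate landed in the user store instead of the computer store; the CAS's Availability service runs as a service and only sees LocalMachine\Root.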

Configure Exchange

On the CAS server in forestA (ADC)

  • Add-AvailabilityAddressSpace -ForestName "ForestB.com" -AccessMethod OrgWideFB -Credential (Get-Credential)
    use the credentials of forestb\freebusy (the proxy account in the other forest)
  • Set-AvailabilityConfig -OrgWideAccount freebusy
    this is the local proxy account foresta\freebusy, which the forestB CAS authenticates as

On the CAS server in forestB (BDC)

  • Add-AvailabilityAddressSpace -ForestName "ForestA.com" -AccessMethod OrgWideFB -Credential (Get-Credential)
    use the credentials of foresta\freebusy
  • Set-AvailabilityConfig -OrgWideAccount freebusy
    this is the local proxy account forestb\freebusy

The credential given to Add-AvailabilityAddressSpace is stored with the address space object in Active Directory, so the proxy account should be a plain domain user without a mailbox and without any other rights; Set-AvailabilityConfig is what authorizes that account to answer org-wide Free/Busy proxy requests.
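The two steps above for one forest, plus the verification a practitioner wants before touching GALsync, as an added example (not from the original post). It is meant for the Exchange Management Shell on the local CAS; the defaults are the forestA side with the names from the tables, and on BDC the parameters are swapped. The test addresses freebusytest1foresta@foresta.com and freebusytest1forestb@forestb.com are assumed from the account table; the password is prompted for, never hard-coded.

```powershell
# Added example, not from the original post. Configures one side of the org-wide
# Free/Busy link and verifies it. Run in the Exchange Management Shell on the CAS.
# Assumed: forestA side; the remote proxy account is forestb\freebusy.
param(
    [string]$RemoteForest      = 'forestb.com',           # forest whose Free/Busy we read
    [string]$RemoteProxyUser   = 'forestb\freebusy',      # proxy account created for us over there
    [string]$LocalProxyAccount = 'freebusy',              # proxy account the other forest uses here
    [string]$LocalTestMailbox  = 'freebusytest1foresta@foresta.com',
    [string]$RemoteTestAddress = 'freebusytest1forestb@forestb.com'
)

# 1. Credential of the proxy account in the REMOTE forest. Exchange stores it with
#    the address space object, so keep that account a mailbox-less domain user.
$cred = Get-Credential -Credential $RemoteProxyUser

# 2. Address space, idempotent: replace any existing entry for the same forest so
#    a stale credential from an earlier attempt cannot linger.
$existing = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $RemoteForest }
if ($existing) { $existing | Remove-AvailabilityAddressSpace -Confirm:$false }
Add-AvailabilityAddressSpace -ForestName $RemoteForest -AccessMethod OrgWideFB -Credential $cred

# 3. Org-wide account: the LOCAL proxy account that the other forest's CAS
#    authenticates as when it asks this forest for Free/Busy.
Set-AvailabilityConfig -OrgWideAccount $LocalProxyAccount

# 4. Show what is now stored (no password is displayed, only the user name).
Get-AvailabilityAddressSpace | Format-Table ForestName, AccessMethod, UseServiceAccount -AutoSize
Get-AvailabilityConfig | Format-List OrgWideAccount, PerUserAccount

# 5. End-to-end check: the Availability service must reach the remote forest via
#    Autodiscover and EWS for a real target address. Anything that is not a
#    Success line points at certificates, HOSTS or the proxy credential.
$results = Test-OutlookWebServices -Identity $LocalTestMailbox -TargetAddress $RemoteTestAddress
$results | Format-Table Id, Type, Message -AutoSize -Wrap
$failed = @($results | Where-Object { $_.Type -eq 'Error' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} step(s) failed; fix these before synchronizing with GALsync" -f $failed.Count)
}
```

Run the script on ADC first, then on BDC with the forestA/forestB values exchanged; step 5 only succeeds once both sides have been configured, because the remote CAS must accept the local proxy account that its own Set-AvailabilityConfig names.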

Configure GALsync

  • Synchronize with GALsync the objects FreeBusyTest1ForestA to ForestB and FreeBusyTest1ForestB to ForestA;
  • do not enable the GALsync Free/Busy option;
  • update the address lists for contacts and the OAB in Exchange (EMC).

Configure test data

Create some appointments in the calendars of all 4 users.

Expected results

  • FreeBusyTest1ForestA and FreeBusyTest2ForestA can see the Free/Busy information of FreeBusyTest1ForestB,
  • but not of FreeBusyTest2ForestB (it was not synchronized, so no contact for it exists in forestA);
  • Note: in OWA, add the contact with "add from address book"; never type the name in yourself.

Tip: by modifying the permissions of Default on a user's calendar folder you can define more granularly what people in the other forest can see.
