Part 3 of 3 – Fun with NTLM and Outlook Anywhere

I recently wrapped up a large TMG deployment in support of a new Exchange 2010 resource forest and there were a lot of lessons learned (read: issues that needed to be overcome), so I figured I would try to capture the main ones for the blogosphere. This article assumes a fairly decent knowledge of both TMG and Exchange. It is not meant to be a detailed step-by-step configuration guide, and all steps should be tested prior to production rollout.

Before I get into the issue in detail, a little background on the environment. A new Exchange resource forest was built to host Exchange for two separate forests/domains where the user accounts lived. Everything in the resource forest was built on Windows Server 2008 R2. TMG is in the same forest and domain as Exchange, and Kerberos Constrained Delegation (KCD) is configured. TMG must be in the same domain as whatever is being published in order to use KCD.

When a Web Proxy client uses FTP, TMG connects to the external site with active FTP, which often fails. This particular issue is actually documented, but the documentation refers to ISA 2006/2004/2000 and is obscure enough that you probably won't find it unless you know exactly the right keywords to search for. The solution is to use a little-documented setting in TMG to force the use of passive FTP for Web Proxy clients. It is so little documented that all the links refer to ISA 2006.

To resolve, set the DWORD value NonPassiveFTPTransfer to 0 in the registry on the TMG server, which sets the mode to Passive. The default value is 1, indicating that Active mode is used. The value will likely need to be created, and it goes here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters. It is also likely that you will need to create the Parameters key. Make the change and restart the Microsoft Firewall service.

On a related note, here is the single best article I have seen on working with FTP on ISA and TMG.
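The registry change described above, scripted as an added example that is not from the original post: it creates the Parameters key if missing, reports the current mode, sets NonPassiveFTPTransfer to 0, verifies it, and restarts the Microsoft Firewall service. The service name fwsrv is an assumption; confirm it with Get-Service -DisplayName 'Microsoft Firewall' before running this on a TMG server.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# TMG server after testing in a lab: restarting the firewall service interrupts traffic.
# Assumption: the Microsoft Firewall service is registered as 'fwsrv'.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters'
$valueName = 'NonPassiveFTPTransfer'
$desired   = 0   # 0 = passive FTP for Web Proxy clients; 1 (default when absent) = active FTP

# The Parameters key usually does not exist yet; create it if needed.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
    Write-Host "Created key $keyPath"
}

# Report the current mode before changing anything.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName not present; TMG is using the default (1 = active FTP)"
    # Create the DWORD value.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $desired | Out-Null
} else {
    Write-Host "$valueName currently $current"
    # Update the existing value in place.
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $desired
}

# Verify the write before touching the service.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne $desired) { throw "Failed to set $valueName (value is $after)" }
Write-Host "$valueName is now $after (passive FTP for Web Proxy clients)"

# Restart the Microsoft Firewall service so TMG picks up the new setting.
# -Force also restarts services that depend on it.
$svc = Get-Service -Name 'fwsrv' -ErrorAction Stop
Restart-Service -InputObject $svc -Force
Write-Host "Restarted service '$($svc.DisplayName)'"
```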