So, basically, with Exchange 2013 we have to expose an internal server to anonymous access from the Internet, without preauthentication on TMG? That sort of defeats part of the reason for having a TMG in the first place, and if you have an IIS bug the internal server is vulnerable to all sorts of automated scanning and attacks.
Yes, I realize that the URL isn't easily predictable, but since it will be used by every user on every computer they use to log on to OWA, it's not very protected either.
For organizations that need to apply the defense-in-depth principle and require pre-authentication on the perimeter, is there a way to disable these "cloud apps" in OWA and provide the user with an informative message instead?