Today I will continue my series of articles on Microsoft’s latest Forefront Threat Management Gateway (TMG) and will focus our efforts in publishing Windows 2008 R2 Remote Desktop Web Access (RD Web) and Remote Desktop Gateway (RD Gateway) to the world wide web via TMG.  If you missed my first article on installing Forefront TMG, you can access it here.

This article is assuming that your Remote Desktop Services infrastructure is already in place and that your RD Gateway and RD Web Access are on the same server.   Refer to my 3 part series on Remote Desktop Services in Windows 2008 R2 which outlines the configuration of RD Host, RD Gateway and RD Web Access.

So let’s begin!

Export Certificate

We are assuming a trusted 3rd party certificate has already been issued for the Remote Desktop Services infrastructure.  From your RD Web Access/Gateway server where the certificate is installed, launch IIS Manager and navigate to Server Certificates.  Select the certificate in question and from the Actions navigation pane, select Export…

Specify the location and enter a password to protect the exportation of the certificate.

Import Certificate

We now need to take the exported certificate and import it directly into our personal certificate store located on the TMG server.

On the TMG server, launch the Microsoft Management Console (MMC) / Select File / Add or Remove Snap-ins / select Certificates from available snap-ins and select Add >

Select Computer account / Next.

Select Local computer / Finish.  Then click OK.

Right click on Personal Folder under Certificates and select All Tasks / Import…

This will invoke the Certificate Import Wizard. Click Next.

Browse for the certificate that we exported earlier on.

Click Next

Enter the certificate password.

Click Next.

Ensure that the “Personal” Certificate store is selected to import into.

Click Next and Finish.

To confirm that the certificate was successfully imported, browse to Certificates / Personal / Certificate and double click on the imported certificate.

It’s important that the certificate states that a private key that corresponds to this certificate is present, otherwise it will not be visible in TMG when applying it against our Web Listener.

I would also navigate to the Certification Path tab for the certificate to also ensure that the Certificate status is OK, i.e. there isn’t a “break” in the certificate path and that all certificates in the chain are present.

Create Web Listener

Launch the TMG Management Console and click on Firewall Policy

Navigate to Toolbox / Network Objects and select New, Web Listener.  This will invoke the New Web Listener Wizard.

Enter a friendly name.

Click Next.

Ensure that “Require SSL secured connections with clients” is selected.

Click Next

For your Web Listener IP address, select Internal and then click on Select IP Addresses.

You will need to specify a unique IP address for each Web Listener/Certificate that you setup on your TMG server.

Click Next

In the next window you will assign the recently imported certificate from your RD Web Access/Gateway server against the IP address that we added in the previous window.

Click on Select Certificate and click on the respective certificate that will be applied against your RD Web Access/Gateway Web Listener. Click on “Select” once done.

Click Next.

Select “No Authentication” from the drop down menu.  This is important as we will not be utilising TMG’s Forms Based Authentication.

Click next.

The next screen will state that SSO is only available with HTML form Authentication.

Click Next.

Click Finish to complete the New Web Listener Wizard.

Finally, click Apply to save the changes.

TMG Web Publishing Rule

We can now proceed and create our RD Web Access/Gateway rule by right clicking on Firewall Policy / New / Exchange Web Client Access Publishing Rule… Specify a name for your rule;

Now you might be wondering why I have specifically selected the Exchange Publishing Rule as opposed to a generic Web Publishing rule.  Firstly, I am still not sure why Microsoft have not created a specific template for Remote Desktop Services and secondly if you select the Generic Web Site Publishing Rule, you will receive the below warning when you come to test your rule later.

Category: General warning

Error details: The internal path of the URL was identified as part of a SharePoint or Exchange server publishing rule.

Action: Use the SharePoint Publishing Rule Wizard or the Exchange Publishing Rule Wizard.

Click Next

Select “Exchange Server 2007” and only select the Outlook Anywhere option.  Leave “Publish additional folders on the Exchange Server for Outlook 2007 clients” unchecked

Click Next

Select Publish a single Web site or load balancer.

Click Next.  Select Use SSL to connect to the published Web server or server farm.

Click Next.  Specify the Internal site name.

Click Next.

Specify the Public FQDN which should be externally resolvable.

Click Next.  Select the Web listener that we created earlier.  Click Next

Select “No delegation, but client may authenticate directly” from the Authentication Delegation drop down.

Click Next.

Remove All Authenticated Users and Add All Users.

Click Finish to complete…

There is only one more step and we are done.  Because there is no dedicated publishing rule template for RD Web Access/Gateway we need to add a couple of entries to the Paths area under RD Web Access/Gateway rule.

Right click on your designated rule and select properties, and navigate to the Paths tab.

Click Add..

Enter /rdweb/* as the path.

Now because we selected the Exchange Server 2007 publishing wizard and in particular the Outlook Anywhere service, the RPC path mapping should already be included under paths.  Do NOT remove this path.

Finally, remove /* if it exists.

Make sure you click on Test Rule which should provide you with a green tick beside each path entry!

That’s all that is to it.  In upcoming posts in this series, I will go through publishing other items such as Outlook Web App and SharePoint sites.

Forefront Threat Management Gateway 2010, or commonly referred to as TMG 2010, is the long awaited latest and greatest release of Microsoft’s Internet Security and Acceleration (ISA) server in which we have all come to love or hate over the years.   TMG builds on ISA’s ability to deliver a comprehensive application layer reverse proxy firewall and is usually deployed on the edge of your network or in between an existing edge such as a firewall provided by Cisco or Checkpoint.  Today, I will begin a series of articles on installing and configuring Forefront TMG 2010, discuss some of the new features that have been integrated into this release before providing a step by step guide in securely publishing web sites such as Outlook Web App (OWA) or internal SharePoint  web sites.

Let’s begin by outlining some of the key new features that TMG introduces over ISA.

• URL Filtering: TMG now integrates a comprehensive web filtering subscription services that is tightly integrated into the TMG management console.  Organizations can creates rules to block or allow web sites based on category such pornography, violence, shopping etc.  This was usually only possible by using 3rd party services such as Websense/Surfcontrol or Symantec and usually required additional hardware requirements and extra servers on top of your ISA implementation.
• Web anti-malware: Another subscription based service that provides protection over web sites/pages that may contain malware and viruses.
• Email protection: Yup, you guessed it.. Another protection subscription service that utilises Forefront Protection for your Exchange servers and scans emails for viruses and spam content before they are delivered to your Exchange mailboxes.
• Network Inspection System: Commonly referred to as NIS, this out of the box feature scans traffic for any exploits based on any outstanding Microsoft Vulnerabilities.
• Other features: These include the long awaited 64 bit and Windows 2008 support for greater scalability, Enhanced NAT for 1-1 publishing, and Enhanced VOIP capabilities that should make for simpler voice deployments.

Now that we have been introduced to some of the notable features within TMG, let’s begin the installation and initial configuration, but before doing so, ensure that you have met the minimum system requirements which are listed in the following TechNet article ;

http://technet.microsoft.com/en-au/library/dd896981.aspx

After ensuring the minimum requirements are met, launch the autorun.hta and on the main setup splash page, begin by running the preparation tool.  Because my machine is joined to the network and is running WSUS, I have purposely skipped the Run Windows Update, however please do so in the event you are not running WSUS in your environment.

The following welcome screen is displayed.

Click Next

Accept the terms and conditions. Click on Next

Select Forefront TMG services and Management.  Click Next.

The Installation proceeds and begins configuring the necessary Windows Roles and Features that are required by TMG.

Upon completion, you should receive the following Preparation Complete Window.  Click Finish to launch the TMG installation.

The installation begins and the wizard outlines the 3 core stages and estimated times.

Once the welcome screen appears, click Next.

Accept the Licence Agreement. Click Next

Enter the customer information and Click Next.

Specify your installation path.  Click Next.

Add your Internal Network Address Ranges. Click Next.

You will receive the below warning message advising of services that will be restarted during the installation.  Click Next.

Click Install.

You should hopefully receive the below screen notifying that the installation was a success.

Upon launching Forefront TMG for the first time you will be presented with a Getting Started Wizard which will assist in getting you up and running in 3 easy steps.  Please note that if you are looking at importing your existing ISA 2006 Server configuration settings to the new TMG server then you much close the wizard and accomplish this task first.

Let’s begin by going through the 3 stages of the Getting Started Wizard.  The first stage is Configuring your network settings.

Click Next

The below screen capture similarly to ISA 2006 allows you to select a network template and in this instance will detect what different types of network setups are configurable based on the number of adapters installed on your TMG server.  In my instance, I only have one single adapter and this has been reflected in the below screen capture.  This TMG setup is purely acting as a second layer application firewall publishing our Web Applications such as SharePoint and Outlook Web App.

Click Next

Specify your IP address settings.  It is best practice that you specify a static IP address to your TMG server as opposed to utilising DHCP.

Click Next and Finish.

You will then be presented with Stage 2 of the Getting Started Wizard, Configure system settings.

The system will attempt to determine Host identification details such as Computer name, Windows domain and DNS suffix.

Click Next and Finish.

The third and final stage of the Getting Started Wizard is defining your deployment options.

Click Next

Specify whether Forefront TMG will use the Microsoft Update Service to check for updates.  Please note, that if your TMG server is configured to use WSUS then it will utilise this method first and use the Microsoft Update service as a fallback method.

The next screen allows us to configure TMG’s protection features such as Network Inspection System (NIS) and Web Protection.  As mentioned earlier in the post, these are paid subscription based services, however Microsoft do provide you with a 120 days complimentary evaluation of these 2 product offerings.

Click Next

Specify your NIS signature update settings and how often it will check for new updates.

Click Next.

In the next screen, specify whether you want to participate in the Customer Feedback Improvement Program.

Click Next

In the next screen you will be provided with the opportunity to participate in the Microsoft Telemetry Reporting Service where malware attacks etc are sent to Microsoft, assisting them with improving TMG and it’s signatures.

Click Next and then Finish.

Upon clicking close, TMG will provide you with the ability to Run the Web Access Wizard to create your first rule.  We will be discussing Access Rules and Publishing Rules in upcoming articles in this TMG series.

I’d be interested to know how many TMG deployments are out there and how many are considering replacing their existing ISA boxes with TMG 2010.

References

Forefront TMG Planning and Design; http://technet.microsoft.com/en-au/library/cc441674.aspx

Forefront TMG Deployment; http://technet.microsoft.com/en-au/library/cc441445.aspx

Installing Forefront TMG; http://technet.microsoft.com/en-au/library/cc441440.aspx