How to configure reverse proxy using Forefront TMG 2010— step by step

In this article, I am going to explain reverse proxy in depth and show how you can use the reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how-to in this article. Let's start with a proxy server.

What is a proxy or forward proxy server? A proxy or forward proxy is a server (a computer system, device or application program) that acts as an intermediary for requests from internal clients seeking resources from external servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules and passes it on to the server inside or outside the network. A proxy server can also act as a gateway between external and internal networks. A forward proxy secures networks by hiding the IP addresses of the internal network from the outside network. It also caches content and provides filtering functionality.

A reverse proxy, as the name suggests, relays requests from the opposite direction, i.e. from external clients to internal or perimeter servers. A reverse proxy has more than one network card: one NIC faces the internet and another faces the perimeter or internal network. A reverse proxy is placed in the neighbourhood of web servers. It also hides the actual IP addresses of networks or servers from external or VPN clients. A reverse proxy encrypts data, provides load balancing, acts as a server cache, optimizes compression and publishes web sites for the extranet.

Advantages: A reverse proxy server provides the following advantages over a direct connection to a web server:

  • Security  
  • SSL encryption and acceleration 
  • SSL bridging  
  • SSL offloading  
  • Load balancing  

Reverse Proxy Prerequisites: Before you can create a reverse proxy in your organisation, you need to prepare the following infrastructure.

  • Prepare 3-Leg perimeter (DMZ) or back-to-back perimeter
  • Configure the internet-facing network adapter of the TMG reverse proxy server with a publicly routable IP
  • All the intended web server(s) must have an accessible public IP
  • Verify proper routing (if required, depending on your DMZ design)
  • Install Forefront TMG Server
  • Configure Firewall Policy to open specific ports
  • Request and configure a digital certificate for secure reverse proxy
  • Create a Web server publishing rule and verify that the secure Web server publishing rule properties are correct.
  • Verify or configure authentication and certification on IIS virtual directories.
  • Create an external DNS entry with ISP or Domain registrar
  • Verify that you can access the Web site through the Internet






Important! You can use the front-end TMG server as a reverse proxy server if you don't want to use a single-NIC reverse proxy in the DMZ. Please note that there is no specific design or step-by-step guide for each individual situation. I have written this article for a generic reverse proxy situation. You can have a single-NIC reverse proxy in the DMZ or a multiple-NIC reverse proxy (one external NIC, another internal).

Configure Network Adapter of Reverse Proxy Server:

1. On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.

2. Right-click the external network connection to be used for the external interface, and then click Properties.

3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.

4. On the Internet Protocol (TCP/IP) Properties page, configure the real IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.

5. Click OK twice.

6. In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.

Create Local DNS Record in AD DS Server: This includes configuring DNS records to point to the appropriate web server(s) in the perimeter network, so that internal users can access those web sites locally. You need an internal DNS A record that resolves the FQDN.

Create External DNS Record with ISP or Domain registrar: Create an external DNS A record pointing to the external interface of the reverse proxy TMG server, as described in the following section. This external DNS A record resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy. In this step, you need help from your domain registrar or ISP.

Request and configure a digital certificate for SSL: Request and install a certificate using the FQDN for each web server to prevent DNS spoofing. The root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web components) needs to be installed on the server running TMG Server 2010. This certificate should match the published FQDN of the external Web farm where you are hosting meeting content and Address Book files.

  • You must install a Web server certificate on reverse proxy TMG Server. This certificate should match the published FQDN of your external Web farm where you are hosting web sites.
  • If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN or web servers.


Import Certificate:

  • On the TMG Server computer, click Start, type mmc, and then press Enter or click OK.
  • Click the File menu and then click Add/Remove Snap-in or press Ctrl+M. Under Available Snap-ins, click Certificates and then click Add.
  • Select Computer Account and then click Next. Click Local Computer and then click Finish.
  • Click OK in the Add Or Remove Snap-ins dialog box.
  • Expand Certificates (Local Computer), then expand Personal, and then expand Certificates. Right-click the Certificates node, select All Tasks, and then select Request New Certificate.
  • The Welcome To The Certificate Import Wizard page appears. Click Next.
  • On the File To Import page, type the location where the certificate is located.
  • On the Password page, type the password provided by the entity that issued this certificate.
  • On the Certificate Store page, confirm that the location is Personal.
  • The Completing The Certificate Import Wizard page should appear with a summary of your selections. Review the page and click Finish.

To verify that your CA is in the list of trusted root CAs

  • On each edge server, open an MMC console. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
  • On the File menu, click Add/Remove Snap-in, and then click Add.
  • In the Add Standalone Snap-ins box, click Certificates, and then click Add.
  • In the Certificate snap-in dialog box, click Computer account, and then click Next.
  • In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
  • Click Close, and then click OK.  In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  • In the details pane, verify that your CA is on the list of trusted CAs. Repeat this procedure on each server.
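
The two certificate procedures above (import into Personal, then confirm the issuing CA is trusted) can be cross-checked from PowerShell on the TMG server. This is an added example, not part of the original article: `$PublicFqdn` is a placeholder, the two helper functions are hypothetical names, and the SAN parsing assumes an English-language OS.

```powershell
# Added example. Run in an elevated PowerShell session on the TMG server.
# $PublicFqdn is a placeholder; use the public name from your publishing rule.
$PublicFqdn = 'www.contoso.example'

function Test-NameMatch([string]$Pattern, [string]$HostName) {
    # Exact match, or a wildcard that covers exactly one left-most label.
    if ($Pattern -ieq $HostName) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0 -and $HostName.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $false
}

function Get-CertDnsNames($Cert) {
    # Subject CN plus the DNS entries of the Subject Alternative Name extension.
    $cn = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $names = @($Cert.GetNameInfo($cn, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is localized; 'DNS Name=' assumes an English-language OS.
        $names += @([regex]::Matches($san.Format($true), 'DNS Name=(\S+)') |
                    ForEach-Object { $_.Groups[1].Value })
    }
    return $names
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert  = $_
    $names = @(Get-CertDnsNames $cert)

    # Build the chain against the machine stores (the ones the MMC steps show).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL fetch
    $chainOk = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        MatchesFqdn    = (@($names | Where-Object { Test-NameMatch $_ $PublicFqdn }).Count -gt 0)
        HasPrivateKey  = $cert.HasPrivateKey
        InValidity     = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
        ChainBuilds    = $chainOk
        ChainTop       = $top.Subject
        TopInRootStore = (Test-Path (Join-Path 'Cert:\LocalMachine\Root' $top.Thumbprint))
        ChainErrors    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
} | Format-List Subject, Thumbprint, MatchesFqdn, HasPrivateKey, InValidity,
                ChainBuilds, ChainTop, TopInRootStore, ChainErrors
```

A certificate suitable for the HTTPS listener shows `MatchesFqdn`, `HasPrivateKey`, `InValidity`, `ChainBuilds` and `TopInRootStore` all as `True`; any `False` points to the step that needs repeating.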

Publish Web Server using TMG Web Publishing Wizard:

Creating an HTTPS Web Listener: Follow these steps to create a new Web listener on TMG to use HTTPS.

1. On the TMG computer, open the Forefront TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane and click Firewall Policy.

3. In the right pane, click the Toolbox tab, right-click Web Listener under Network Objects, and then click New Web Listener.

4. The Welcome To The New Web Listener Wizard page appears. Type a name for this Web listener and click Next.

5. Leave the default option selected (SSL), and click Next.

6. On the Web Listener IP Addresses page, select External and click Next.

7. On the Listener SSL Certificate page, click Select Certificate, choose the certificate for this listener, and then click Select.

8. On the Listener SSL Certificates page, confirm that the selected certificate appears and click Next.

9. On the Authentication Settings page, choose HTML Form Authentication from the drop-down box. Leave the other options at the default selection, and click Next.

10. For the purpose of this example, disable SSO settings. Click Next.

11. On the Completing The New Web Listener Wizard page, review the selections. Click Finish and then click Apply to commit the changes.

Creating a Secure Web Publishing Rule: Follow these steps to create a secure Web Publishing rule on TMG using the listener that you previously created.

1. Expand Forefront TMG (Array Name) in the left pane.

2. Right-click Firewall Policy, point to New, and click Web Site Publishing Rule.

3. The Welcome To The New Web Publishing Rule Wizard page appears. Type a name for this publishing rule and click Next.

4. On the Select Rule Action page, leave the default selection (Allow) and click Next.

5. On the Publishing Type page, leave the default option and click Next.

6. On the Server Connection Security page, you specify whether TMG will use SSL to connect to the published Web server. For this rule, leave the default option and click Next.

7. On the Internal Publishing Details page, type the internal site name and click Next.

8. For the Web site that we are publishing, our goal is to allow access to all the content within the Web server. Therefore, the path should be /*. Click Next.

9. On the Public Name Details page you need to specify the name that the remote clients will use to reach the published server. Type in FQDN (example, leave the other options as default and click Next.

10. On the Select Web Listener page, choose HTTPS Listener (Web Listener That Was Created Previously) from the Web Listener drop-down list. Click Next.

11. On the Authentication Delegation page, click the drop-down list and choose No Authentication. Click Next.

12. On the User Sets page, leave the default option to enforce all users to authenticate before accessing the internal Web server. Click Next to continue.

13. On the Completing The New Web Publishing Rule Wizard, review the summary of the selections for this rule. To confirm that the publishing rule is working properly, click Test Rule. If everything is configured properly, click Finish and then click Apply to commit the changes.

Verify or Configure Authentication and Certification on IIS Virtual Directories:  Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In Internet Information Services (IIS) Manager, expand ServerName, and then expand Web Sites.

3. Right-click <default or selected> Web Site, and then click Properties.

4. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.

5. On the Directory Security tab, click Server Certificate under Secure communications. This opens the Welcome to the Web Server Certificate Wizard. Click Next.

6. On the Server Certificate page, click Assign an existing certificate, and then click Next.

7. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.

8. On the Certificate Summary page, verify that settings are correct, and then click Next. Click Finish.

9. Click OK to close the Default Web Site Properties dialog box.

Verify Access through Your Reverse Proxy: Use the following procedure to verify that your users can access information on the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly. For each web server, type a URL similar to the following: https://externalwebfarmfqn/ where externalwebfarmFQDN is the external FQDN of the Web farm.


About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.

19 Responses to How to configure reverse proxy using Forefront TMG 2010— step by step

  1. Carlos says:

    Hi, I'm implementing a reverse-proxy and followed all your steps. But it is not working. When it does the https-inspect protocol I get error status 10061.
    From Argentina, Carlos


    • Please update me with reverse proxy diagram. What are you trying to publish? When you do reverse proxy, the originating packet will come from external and the destination will be internal. Is that what you are doing?



  4. Yoong says:

    Hi Raihan, nice write up.😉

    How’s things?

    I am having some problems with SYN packet drops (assuming this means it doesn’t know what to do with it, although it’s knocking on TMG’s door), using the three leg perimeter setup with reverse proxy setup. It’s to publish OCS to external, yet it appears it’s not functioning correctly. Got an email I can pm you on?


    • Do you have public IP and host name configured through ISP? Is that public IP forwarded to your premises? Have you published OCS from external to internal access?
      Please monitor your packet through TMG.

      What is pm you?


  5. Laurent says:

    Hi Raihan, nice info.

    I’m in scenario 1. Due to SSL certificates my TMG 2010 SP1 RU1 has several IP addresses, and when it sends data to the internal network I can’t be sure of the TMG source IP address used.

    I had to open all addresses on my back-end firewall. Do you know how to set the IP address used for sending frames to the internal network ?


    • How many NICs do you have in the reverse proxy server? Did you publish the web via reverse proxy? You don't have to open everything in the back firewall.
      Publish web services.
      Allow specific ports in the back firewall.
      That's all you have to do.


  6. M. A. Malik says:

    Dear Raihan Al-Beruni,
    I hope you will be fine. Dear, I am using TMG 2010 Enterprise Edition in my network for internet sharing. Some of my clients are using Filezilla and WinSCP. Both software cannot connect behind the TMG firewall.
    Is there any solution to solve this issue?

    1. Domain 2008 32 Bit (Active Directory, DNS, DHCP)
    2. Member Server 2008 64 Bit (Microsoft TMG 2010)
    3. Client Windows 7


    M. A. Malik


  7. Kingbuzzo says:

    Great article.

    I could have used this yesterday but I got the reverse proxy working so far!

    Now, how do I route SQL traffic from the web server in the dmz of the three-leg to the internal sql server?



    • Please be aware of the security risk of exposing an internal SQL server to the DMZ. Create a User Defined Protocol using SQL port 1433 and publish it from the DMZ Server to the SQL Server. Use a specific IP address on both sides. Do not publish an entire network such as Perimeter Network or Internal Network.


  8. CCSXP says:

    Rahain Al Beruni,

    Would the TMG reverse proxy deployment allow all traffic to authenticated users? Or do you have to publish all of the resources that you want to provide access to (e.g. ftp, share drives, mail, intranet URLs, etc.)?

    Thank you,


    • TMG doesn’t allow anything by default. You have to publish OWA, Mail, SharePoint etc. As far as forward proxy is concerned, you can create a firewall policy allowing/denying specific users/groups to access http/https/ftp/url/domain etc. TMG will not work for share drives.


      • CCSXP says:


        We were looking at using TMG 2010 as a reverse proxy in the DMZ. The idea is to use TMG to identify users in our domain but providing them access to their authenticated resources as if they were sitting in their home office. We are seeing if TMG 2010 will permit access to mail, share drives, applications, and any other access that a user would normally have sitting in their office. The user would be in a partner's office; however, we would only want users from our domain, not any partner users, to have access. Would any of the two solutions you have provided here in this website meet this requirement? If not, is there a TMG solution that would?

        Thank you,


      • I have a feeling that you are talking about configuring VPN using TMG 2010; then your users will have access to mail, share drives, applications, and other access. Reverse proxy is for web site access ONLY. Using reverse proxy you can publish Outlook Web Access, Outlook Anywhere, Web Site, SharePoint, Lync Server.

        Configuring VPN access, you can allow your users to access internal shared drives, application from home or anywhere. I am sure I make things clear. To configure VPN, you need to deploy TMG Edge Topology then configure VPN.

        To configure reverse proxy, you need to configure TMG Edge topology then publish OWA, Outlook Anywhere etc.

        You can choose to have both in single TMG server. In this case, TMG will be in Edge topology.


      • CCSXP says:


        Thank you for your help. Great article and very helpful.


  9. Kamlesh says:

    Dear Raihan

    We are implementing SAP Netweaver Portal. This will be exposed to Internet via TMG.

    Here, we will need your help and guidance as to from which server the Certificate Request should be generated and how SSL is configured from Cloud to TMG and TMG to SAP Portal?

    Thank you in advance….


    • Generate a certificate request from SAP. Sign the certificate from a public CA like Verisign, Geotrust. Get the certificate. Import the certificate in both SAP and TMG server. In TMG server, import the certificate into the computer/personal store. Then publish the site using the URL you visited. Simple as that.

