In this article, I am going to explain reverse proxies in depth and how you can utilize the reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how-to in this article. Let's start with a proxy server. What is a proxy or forward proxy server? A proxy or forward proxy is a server (a computer system, device or application program) that acts as an intermediary for requests from internal clients seeking resources from external servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page or other resource, available from a different server. The proxy server evaluates the request according to its rules or filtering rules and passes it on to the server inside or outside the network. A proxy server can also act as a gateway between external and internal networks. A forward proxy secures networks by hiding the IP addresses of the internal network from the outside network. It also caches content and provides filtering functionality.
A reverse proxy, as the name suggests, relays requests in the opposite direction, i.e. from external clients to internal or perimeter servers. A reverse proxy typically has more than one network card: one NIC faces the Internet and another faces the perimeter or internal network. A reverse proxy is placed in the neighbourhood of the web servers. A reverse proxy also hides the actual IP addresses of the network or servers from external or VPN clients. A reverse proxy encrypts data, provides load balancing, acts as a server cache, optimises compression and publishes web sites for an extranet.
Advantages: A reverse proxy server provides the following advantages over a direct connection to a web server:
- SSL encryption and acceleration
- SSL bridging
- SSL offloading
- Load balancing
Reverse Proxy Prerequisites: Before you can create a reverse proxy in your organisation, you need to prepare the following infrastructure in your organisation.
- Prepare 3-Leg perimeter (DMZ) or back-to-back perimeter
- Configure internet facing network adapter of TMG Reverse proxy server with publicly routable IP
- All the intended web server(s) must have accessible public IP
- Verify proper routing (if required, depending on your DMZ design)
- Install Forefront TMG Server
- Configure Firewall Policy to open specific ports
- Request and configure a digital certificate for secure reverse proxy
- Create a Web server publishing rule and verify that the secure Web server publishing rule properties are correct.
- Verify or configure authentication and certification on IIS virtual directories.
- Create an external DNS entry with ISP or Domain registrar
- Verify that you can access the Web site through the Internet
Important! You can use a front-end TMG server as a reverse proxy server if you don't want to use a single-NIC reverse proxy in the DMZ. Please note that there is no specific design or step-by-step guide for every individual situation; I have written this article for a generic reverse proxy scenario. You can have a single-NIC reverse proxy in the DMZ or a multi-NIC reverse proxy (one external NIC, another internal).
Configure Network Adapter of Reverse Proxy Server:
1. On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.
2. Right-click the external network connection to be used for the external interface, and then click Properties.
3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.
4. On the Internet Protocol (TCP/IP) Properties page, configure the real IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.
5. Click OK twice.
6. In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.
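The same two-NIC configuration done from an elevated prompt, as an added example rather than part of the original article. It uses netsh and route, which exist on the Windows Server 2008 R2 platform TMG 2010 runs on. The interface names ("External", "Internal") and every address are assumptions for illustration; 203.0.113.0/24 is a documentation range standing in for your public block. The design points it encodes are the usual TMG NIC rules: only the external NIC carries a default gateway, DNS servers are set on the internal NIC only, and internal subnets behind the perimeter router are reached through a persistent static route.

```powershell
# Added example (not from the original article): configure the NICs of a
# back-to-back TMG reverse proxy. All names and addresses below are assumptions.
$ExternalNic     = "External"        # NIC facing the Internet
$InternalNic     = "Internal"        # NIC facing the perimeter / internal network
$PublicIp        = "203.0.113.10"    # publicly routable address the listener will bind to
$PublicMask      = "255.255.255.0"
$PublicGateway   = "203.0.113.1"     # the ONLY default gateway on the box
$PerimeterIp     = "192.168.10.2"
$PerimeterMask   = "255.255.255.0"
$PerimeterRouter = "192.168.10.1"    # next hop toward the internal LAN
$InternalLan     = "10.0.0.0"        # internal network reached via the perimeter router
$InternalLanMask = "255.0.0.0"
$InternalDns     = "10.0.0.53"       # AD DS DNS server holding the internal A records

# External NIC: static address plus the default gateway. No DNS servers here:
# the TMG box should resolve names through the internal DNS servers only.
netsh interface ipv4 set address name="$ExternalNic" source=static address=$PublicIp mask=$PublicMask gateway=$PublicGateway gwmetric=1
netsh interface ipv4 set dnsservers name="$ExternalNic" source=static address=none register=none

# Internal NIC: static address, NO default gateway (a second default gateway
# makes the proxy's routing unpredictable), internal DNS only.
netsh interface ipv4 set address name="$InternalNic" source=static address=$PerimeterIp mask=$PerimeterMask
netsh interface ipv4 set dnsservers name="$InternalNic" source=static address=$InternalDns register=primary

# Persistent static route so internal subnets behind the perimeter router are
# reached through the internal NIC instead of the default gateway.
route -p add $InternalLan mask $InternalLanMask $PerimeterRouter

# Check: exactly one default route (0.0.0.0/0) must exist, leaving via the external NIC.
$defaults = netsh interface ipv4 show route | Select-String "0.0.0.0/0"
if (@($defaults).Count -ne 1) {
    Write-Warning "Expected exactly one default route, found $(@($defaults).Count)"
}
netsh interface ipv4 show config
```

Run it once per server and compare the final `show config` output with your DMZ design before installing TMG; fixing a stray default gateway afterwards means revisiting the network definitions in the TMG console as well.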
Create Local DNS Record in AD DS Server: This includes configuring DNS records that point to the appropriate web server(s) in the perimeter network, so that internal users can access those web sites locally. This is an internal DNS A record that resolves the FQDN.
Create External DNS Record with ISP or Domain Registrar: Create an external DNS A record pointing to the external interface of the reverse proxy TMG server, as described in the following section. This is an external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy. For this step you need the help of your domain registrar or ISP.
Request and configure a digital certificate for SSL: Request and install a certificate using the FQDN for each web server to prevent DNS spoofing. The root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web components) needs to be installed on the server running TMG Server 2010. This certificate should match the published FQDN of the external Web farm where you are hosting meeting content and Address Book files.
- You must install a Web server certificate on reverse proxy TMG Server. This certificate should match the published FQDN of your external Web farm where you are hosting web sites.
- If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN or web servers.
- On the TMG Server computer, click Start, type mmc, and then press Enter or click OK.
- Click the File menu and then click Add/Remove Snap-in, or press Ctrl+M. Under Available Snap-ins, click Certificates and then click Add.
- Select Computer Account and then click Next. Click Local Computer and then click Finish.
- Click OK in the Add Or Remove Snap-ins dialog box.
- Expand Certificates (Local Computer), then expand Personal, and then expand Certificates. Right-click the Certificates node, select All Tasks, and then select Request New Certificate.
- The Welcome To The Certificate Import Wizard page appears. Click Next.
- On the File To Import page, type the location where the certificate is located.
- On the Password page, type the password provided by the entity that issued this certificate.
- On the Certificate Store page, confirm that the location is Personal.
- The Completing The Certificate Import Wizard page should appear with a summary of your selections. Review the page and click Finish.
To verify that your CA is in the list of trusted root CAs:
- On each edge server, open an MMC console. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- In the Add Standalone Snap-ins box, click Certificates, and then click Add.
- In the Certificate snap-in dialog box, click Computer account, and then click Next.
- In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
- Click Close, and then click OK. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
- In the details pane, verify that your CA is on the list of trusted CAs. Repeat this procedure on each server.
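The two MMC procedures above (installing the listener certificate under Personal, and confirming its issuing CA under Trusted Root Certification Authorities) can be checked in one pass from PowerShell on the TMG server. This is an added example, not part of the original article; the published FQDN is an assumption, and the check uses only the .NET X509 classes that ship with Windows. It finds every certificate in the computer's Personal store whose CN or Subject Alternative Name covers the published name, then reports the properties a TMG listener actually depends on: a usable private key, an unexpired validity period, and a chain that builds to a trusted root on this machine.

```powershell
# Added example (not from the original article): audit the TMG server's
# certificate stores for the certificate that will back the HTTPS listener.
function Test-ListenerCertificate {
    param([string]$PublishedFqdn)

    $results = @()
    # Certificates (Local Computer) \ Personal
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Every DNS name the certificate is valid for: the CN plus any
        # Subject Alternative Name entries (OID 2.5.29.17).
        $names = @()
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($cn) { $names += $cn }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($san) {
            $names += ($san.Format($true) -split "`r?`n") | ForEach-Object {
                if ($_ -match "^DNS Name=(.+)$") { $Matches[1].Trim() }
            }
        }

        # Exact match, or a single-label wildcard: *.example.com covers
        # host.example.com but not example.com or a.b.example.com.
        $nameMatches = $false
        foreach ($n in $names) {
            if ($n -ieq $PublishedFqdn) { $nameMatches = $true }
            elseif ($n.StartsWith("*.") -and
                    $PublishedFqdn -imatch ("^[^.]+\." + [regex]::Escape($n.Substring(2)) + "$")) {
                $nameMatches = $true
            }
        }
        if (-not $nameMatches) { continue }

        $results += New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Names         = ($names -join ", ")
            HasPrivateKey = $cert.HasPrivateKey          # the listener cannot use it otherwise
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            # Verify() builds the chain against this machine's Trusted Root CAs,
            # which is what the MMC procedure above checks by eye.
            ChainTrusted  = $cert.Verify()
        }
    }
    return $results
}

$found = Test-ListenerCertificate -PublishedFqdn "webmail.wolverine.com.au"   # assumed public name
if (-not $found) { Write-Warning "No certificate in LocalMachine\My matches the published name" }
$found | Format-List

# The issuing root should also be present (and self-signed) under Trusted Root CAs.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Select-Object Subject, Thumbprint, NotAfter
```

A match with HasPrivateKey false usually means the certificate was imported without its key (a .cer instead of a .pfx); ChainTrusted false with a matching name means the CA step has not been completed on this server.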
Publish Web Server using TMG Web Publishing Wizard:
Creating an HTTPS Web Listener: Follow these steps to create a new Web listener on TMG to use HTTPS.
1. On the TMG computer, open the Forefront TMG Management Console.
2. Click Forefront TMG (Array Name) in the left pane and click Firewall Policy.
3. In the right pane click the Toolbox tab, right-click Web Listener under Network Objects, and then click New Web Listener.
4. The Welcome To The New Web Listener Wizard page appears. Type a name for this Web listener and click Next.
5. Leave the default option selected (SSL), and click Next.
6. On the Web Listener IP Addresses page, select External and click Next.
7. On the Listener SSL Certificate page, click Select Certificate, choose the certificate for this listener, and then click Select.
8. On the Listener SSL Certificates page, confirm that the selected certificate appears and click Next.
9. On the Authentication Settings page, choose HTML Form Authentication from the drop-down box. Leave the other options at the default selection, and click Next.
10. For the purpose of this example, disable SSO settings and click Next.
11. On the Completing The New Web Listener Wizard page, review the selections. Click Finish and then click Apply to commit the changes.
Creating a Secure Web Publishing Rule: Follow these steps to create a secure Web Publishing rule on TMG using the listener that you previously created.
1. Expand Forefront TMG (Array Name) in the left pane.
2. Right-click Firewall Policy, point to New, and click Web Site Publishing Rule.
3. The Welcome To The New Web Publishing Rule Wizard page appears. Type a name for this publishing rule and click Next.
4. On the Select Rule Action page, leave the default selection (Allow) and click Next.
5. On the Publishing Type page, leave the default option and click Next.
6. On the Server Connection Security page, you specify whether TMG will use SSL to connect to the published Web server. For this rule, leave the default option and click Next.
7. On the Internal Publishing Details page, type the internal site name and click Next.
8. For the Web site that we are publishing, our goal is to allow access to all the content within the Web server. Therefore, the path should be /*. Click Next.
9. On the Public Name Details page you need to specify the name that the remote clients will use to reach the published server. Type in FQDN (example webmail.wolverine.com.au), leave the other options as default and click Next.
10. On the Select Web Listener page, choose HTTPS Listener (the Web listener that was created previously) from the Web Listener drop-down list, and click Next.
11. On the Authentication Delegation page, click the drop-down list and choose No Authentication. Click Next.
12. On the User Sets page, leave the default option to enforce that all users authenticate before accessing the internal Web server. Click Next to continue.
13. On the Completing The New Web Publishing Rule Wizard page, review the summary of the selections for this rule. To confirm that the publishing rule is working properly, click Test Rule. If everything is configured properly, click Finish and then click Apply to commit the changes.
Verify or Configure Authentication and Certification on IIS Virtual Directories: Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.
1. In Internet Information Services (IIS) Manager, expand ServerName, and then expand Web Sites.
2. Right-click <default or selected> Web Site, and then click Properties.
3. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.
4. On the Directory Security tab, click Server Certificate under Secure communications. This opens the Welcome to the Web Server Certificate Wizard. Click Next.
5. On the Server Certificate page, click Assign an existing certificate, and then click Next.
6. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.
7. On the Certificate Summary page, verify that the settings are correct, and then click Next. Click Finish.
8. Click OK to close the Default Web Site Properties dialog box.
Verify Access through Your Reverse Proxy: Use the following procedure to verify that your users can access information through the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly. For each web server, type a URL similar to the following: https://externalwebfarmFQDN/ where externalwebfarmFQDN is the external FQDN of the Web farm.
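A browser test tells you whether the site opens; the added example below (not part of the original article) makes the same request from a client outside the perimeter with PowerShell and the .NET HttpWebRequest class, and reports what the reverse proxy actually presented: the status of the first response, any redirect target, the Server header, and the certificate the client saw. The FQDN is an assumption. Redirects are deliberately not followed, because with HTML Form Authentication on the listener the first answer is the proxy's logon redirect, and that is what you want to confirm is there.

```powershell
# Added example (not from the original article): exercise the published URL the
# way an external client would. Run it from OUTSIDE the perimeter network.
function Test-PublishedSite {
    param([string]$Fqdn, [string]$Path = "/")

    $url = "https://$Fqdn$Path"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false       # show the first hop (e.g. the form-logon redirect)
    $req.Timeout = 10000
    $req.UserAgent = "ReverseProxyCheck/1.0"

    $result = New-Object PSObject -Property @{
        Url = $url; Status = $null; Location = $null; Server = $null
        CertSubject = $null; CertIssuer = $null; CertExpires = $null; Error = $null
    }

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 3xx/4xx answers still carry a response object; DNS or TLS failures do not.
        if ($_.Exception.Response) {
            $resp = $_.Exception.Response
        } else {
            $result.Error = $_.Exception.Message
            return $result
        }
    }
    $result.Status   = [int]$resp.StatusCode
    $result.Location = $resp.Headers["Location"]
    $result.Server   = $resp.Headers["Server"]
    $resp.Close()

    # The certificate the client negotiated with: the listener certificate on TMG,
    # not the one on the IIS server behind it.
    $cert = $req.ServicePoint.Certificate
    if ($cert) {
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $result.CertSubject = $x509.Subject
        $result.CertIssuer  = $x509.Issuer
        $result.CertExpires = $x509.NotAfter
    }
    return $result
}

$r = Test-PublishedSite -Fqdn "webmail.wolverine.com.au"   # assumed published name
$r | Format-List
```

How to read the output: an Error containing "Could not establish trust relationship" means this client does not trust the listener certificate's chain, so revisit the CA and certificate steps; a 302 to the logon form is the expected first response when the listener uses HTML Form Authentication, whereas a 200 carrying the real site content means authentication is not being enforced at the proxy; and a Server header that names the back-end product is information about the internal server leaking to anyone on the Internet.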