Forefront UAG 2010 Deployment Guide

Forefront TMG Important URL and Guide

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Forefront UAG Event Messages

Forefront UAG registry keys

Microsoft Forefront Product Roadmap

Microsoft is discontinuing any further releases of the following Forefront-branded solutions:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)
  • Forefront Unified Access Gateway 2010 (UAG)
  • Forefront Client Security
  • Forefront Security for Exchange Server

There is no change to the FIM roadmap. Microsoft will continue to develop next version of FIM.

References.

http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Forefront&Filter=FilterNO

http://redmondmag.com/articles/2013/12/17/microsoft-ending-uag-sales.aspx

 

Experience Mobile (iPhone & Android) Browsing with Forefront UAG

If you are scratching your head how to grant access to your website for iPhone and Tablet published via Forefront UAG, there is way to achieve your goal. But before I articulate how to achieve this let’s revisit how UAG endpoint compliance works.

By default UAG checks compliance of every endpoint device. If you do now allow all endpoint devices in UAG Trunk it will be blocked due to policy violation. Since release of UAG SP3, mobile devices are identified as “Other” in UAG Endpoint Policy. “Other” includes iPhone, iPad, Android phone and tablet. Surprisingly I found that UAG also blocks Windows 8 mobile phone unless you allow it explicitly in endpoint policy.

When an endpoint device connect to Trunk portal or a published website, UAG automatically check Default Session Access  and Default Web Application Access policy.  However for FTP and similar policy UAG checks  Default Web Application Upload and  Default Web Application Download policy as well. You need to tweak little bit in the Trunk properties and application properties to make it work.

Let’s begin with Trunk properties. Log on the UAG server using administrative credential. Open UAG Management Console.

Step1: Advanced Trunk Configuration

  1. Select the Trunk where you publish the application, in the Trunk Configuration area, click Configure.
  2. On the Advanced Trunk Configuration dialog box, click the Endpoint Access Settings tab.
  3. On the Endpoint Access Settings tab, click Edit Endpoint Policies.
  4. On the Manage Policies and Expressions dialog box, click the Default Session Access policy, and then click Edit Policy.
  5. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  6. On the Manage Policies and Expressions dialog box, click the Default Web Application Access policy, and then click Edit Policy.
  7. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  8. Repeat the step 4 to step 7 on all the required policies. Example for FTP policies perform step4 to step7 for Default Web Application Upload and Default Web Application Download policies.
  9. On the Manage Policies and Expressions dialog box, click Close.
  10. On the Advanced Trunk Configuration dialog box, click OK.
  11. Activate the configuration. Wait for activation to complete. Note that it takes  few minutes.
  12. Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step2: Allow Premium Mobile Portal

  1. Select the application you published through the Trunk where you configured advanced properties in previous steps. In the Applications area, click the required application, and then click Edit.
  2. On the Application Properties dialog box, click the Portal tab.
  3. On the Portal tab, select the Premium mobile portal and Non-premium mobile portal check box.
  4. On the Application Properties dialog box, click OK.
  5. Activate the configuration. Wait for activation to complete. Note that it takes few minutes.
  6. Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step3: Test Mobile Devices

  1. Browse published website in Windows Phone or iPhone
  2. Open Forefront UAG Monitor, Check the Session compliance, Authentication in Active Session.
  3. Check all systems logs in UAG monitor. You will see a session is connected successfully with endpoint device type, endpoint IP and GUID mentioned in the logs.

Other Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

 

Publish FTP Using Microsoft Forefront UAG 2010

Recently I have completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went ok except I got stuck with FTP. After trying several times, publishing FTP failed with error “Your Computer does not meet the security policy requirements of this application”. I went through UAG events to find out a solution of this issue. No luck. I went thought Ben Ari’s blog. No luck. Actually Ben’s blog tells you a little on FTP and doesn’t tell you about backend FTP server and UAG in details. So I end up being calling Microsoft Tech support to help me sort out the issue.  So here is my research on FTP and outcome for you guys who are struggling to publish FTP using UAG.

Prerequisites:

  1. Forefront UAG 2010 SP3
  2. Windows 7 or Windows 8 Client
  3. Windows Server 2008 R2 Domain
  4. Internet Explorer 9 or later
  5. Passive Mode FileZilla FTP Client or passive mode CuteFTP Client
  6. Passive mode IIS 7.5 FTP 
  7. Client Connection Port 20 & 21.
  8. Passive mode port range 1024-65534

image

image

Create a separate FTP Trunk:

You need to create a separate trunk for FTP. Right Click HTTP/HTTPS Trunk, Create a new Trunk. In my case I have created a HTTPS Trunk which means you need a proper public certificate with matching Common Name of Certificate for HTTPS trunk to work correctly. Note that you need certificate with public key. You must import certificate in PFX format.

image

Once you configured a trunk with all default settings, Click Configure to configure Advanced settings of Trunk. 

image

On the Authentication Tab, Uncheck Require users to authenticate at session logon. If you would like that user authenticate at session using domain credentials you can keep it. I don’t want user’s to authenticate twice so I un-ticked this one.

image

Click Session Tab, make sure disable component installation and disable scripting for portal are unchecked.

image

Click Endpoint Access Settings Tab, Click Edit Endpoint Policies, Select Default Session Access, Click Edit Policy, On the other, Click Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default non web access Policy. Click Ok.

image

image

Add Enhanced Generic Client Application (Multiple Servers)

Add a Enhanced generic client application (multiple servers) on this FTP trunk. Use all default settings except server settings which is shown in below screen shots.

image

image

On the Server Settings Tab, make sure you type fully qualified domain name of FTP server. In my test lab, I configured my domain controller as FTP server which is not best practice in production environment. This is only for demonstration purpose. On the Ports, Use 20,21,1024-65534, On the Executable type real path of FTP client installed in Windows 7 or Windows 8. In my case C:Program FilesFileZilla FTP ClientFileZilla.exe. Click Ok. 

image

image

On the socket forwarding select basic.

image

image

image

On the Endpoint policy make sure other is set to always. Click Ok.

image

Activate the Trunk

Click File, Click Activate.

image

Wait for Activation to complete.

image

Open Command Prompt as an administrator. Type iisreset and hit enter.

image

Error and Warning:

Open a browser from Windows client, browse https://ftp.yourdomain.com and see the outcome. Make you sure FileZilla Client is installed in C:Program FilesFileZilla FTP Client location in Windows 7 or Windows 8.   You may or may not receive warning depending on your client environment. To fix the warning open, UAG web monitor, Click Session monitor and select the FTP trunk, Click connected session, see endpoint information.

In my case I received “Your Computer does not meet the security policy requirements of this application” which says I don’t have any antivirus installed (Compliant antivirus not detected) but I have Symantec antivirus. Solution? Actually UAG is looking Microsoft security essentials in my computer. Work around is install Microsoft Security Essentials and turn on Windows firewall. 

image

image

image

image

image

To avoid this issue, you can create a new endpoint policy. Click Configure on Trunk, Click Edit endpoint policies, Click Add policy.

image

image

Create a new policy allowing any antivirus, any firewall shown below screen shot. Click Ok.

image

Apply the policy into Endpoint Policy.

image

Again activate the trunk. run iisreset.

Testing FTP

Open browser, browse https://ftp.yourdomain.com 

image

Click FTP to open FileZilla Client application. Once UAG component is installed. Type the ftp server name, username and password on ftp client to connect

image

image

image

Now go back to UAG web monitor. select FTP trunk, Go to Endpoint information, you will see client is compliant and connected.

image

image

Further Study

Publish FTP using TMG

Passive mode IIS 7.5 FTP 

UAG Articles

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

 

 

 

 

 

 

 

 

 

How to Publish Application Specific Host Name using Pass Through Authentication in Forefront UAG 2010

To avoid being caught into the following UAG events, follow the below procedure to create a correct Trunk and an Application in UAG 2010.

UAG Events:

Warning 58 “The requested URL is not associated with any configured application.”

Warning 51 Invalid Method

“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”

Solutions:

1. Bypass Active Directory authentication to allow application specific authentication.

Open Regedit>Go to HKLMSoftwareWhaleCome-GapvonURLFilter

Create a 32 Bit DWORD named KeepClientAuthHeader and set value to 1

Also make sure FullAuthPassThru value is set to 1.

clip_image002

2. Public Host Name in Trunk must be different then public host name in published application. The purpose of public host name in Trunk is to create the actual trunk. This public host name in Trunk will not be accessible from external network nor internal network. Why? simple reason without public host name, you can’t create a Trunk. Public host name in application is the Real FQDN which employee/roaming users will access from external network which means public IP will resolve the name of application public host name. Since public host name in Trunk and Public host name in application are different, when you activate this trunk and application, you will receive a certificate error which says your trunk FQDN doesn’t match with your certificate. As long as your certificate CN matches with application public host name you will be fine. If you don’t want to see this error then you can add a SAN certificate which has both Trunk public host name and application public host name. In my case I don’t mind the see that certificate warning, my Trunk and application public host name are as follows:

  • Trunk Public Host Name: Mobile.mydomain.com
  • Application Public Host Name: mymobile.mydomain.com

3. Correct URL Set

  • Name: MobilePortal_Rule1
  • Action: Accept
  • URL: /.*
  • Parameters: Ignore
  • Methods: PUT, POST, GET

Use the following steps to correctly publish mobile device, third party application implemented in IIS within a subdirectory.

Step1: Create a Separate Trunk for this Application

  1. Before you begin, import certificate in UAG server. Certificate must be in .pfx format with private key. Open the Microsoft Management Console (MMC) which enables you to import a certificate into the IIS Certificate store.
  1. Start Menu>Run>MMC
  2. To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.
  3. From the Action menu, click All Tasks, and then click Import.
  4. Follow the instructions in the Certificate Import Wizard.
  1. In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.
  2. On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk.
  3. On the Setting the Trunk page of the Create Trunk Wizard, specify Trunk details. In my case I have the following:

i. Trunk Name: MobilePortal

ii. Public Host Name: Mobile.mydomain.com

iii. IP Address: Trunk IP (you must add additional IP address(s) in the TCP/IP properties of UAG external nic)

iv. Port: 443

  1. On the Authentication page of the Create Trunk Wizard, I am going to add my domain controller but later stage I will remove the domain controller to make it application specific authentication not LDAP or AD. That means I will bypass AD authentication. For now select an authentication server that will be used to authenticate user requests for trunk sessions. Click Add to select a server, as follows:
  1. In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.
  2. Select User selects from a server list to specify that during login to the trunk, users will be prompted to select an authentication server. If you configure one authentication server, users will authenticate to that server only. Select Show server names to allow users to select an authentication server from a list; otherwise, users must enter the server name. Select User provides credentials for each selected server to prompt users during login to authenticate to all the specified authentication servers. Select Use the same user name to specify that users must enter a single user name that will be used to authenticate to all specified servers.
  1. On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint.
  2. On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow access, based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using in-built Forefront UAG access policies.
  3. Click Finish after completing the Trunk wizard.

Step2: Advanced Trunk Configuration

  1. Click Configure Trunk. Click Endpoint Access Settings, Click Edit Endpoint Policies.

image

image

  1. In this step, you will allow access of mobile phone and tablet. Microsoft UAG by default doesn’t allow mobile phone access. You need allow this access manually. Click Edit Endpoint Access Policies, Select Default Session Access, Click Edit, Click other, Select Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default Web Application Access Policy, Default Web Application Upload, Default Web Application download.
  2. Click Authentication Page, de-select require user to authenticate at session logon. By deselecting this option, you have created pass through authentication.

image

  1. Click on the session tab, deselect disabled component installation and disable scripting for portal applications.

image

  1. Click URL Set Tab, Scroll down to bottom of the page. On the mobile portal rule, select PUT, POST, GET. Click Ok. Adding PUT will resolve the following issue:

image

  1. After completing the Create Trunk Wizard, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon on the toolbar, and then on the Activate configuration dialog box, click Activate.

Step3: Add an Application Specific Host Name for iPhone, Android and Tablet

1. In the Forefront UAG Management console, select the portal trunk to which you want to add the application. In the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.

2. On the Select Application page, Click Web, choose the application specific host name you want to publish.

3. On the Application Setup page, specify the name and type of the application.

4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that other device is allowed in Endpoint security. See Step11 in creating a Trunk.

5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.

6. On the Web Servers page, if you are publishing a Web application, on the Web Servers page, configure settings for the backend Web server that you want to publish. On the application requires paths, add more / as your path. This will allow any sub directories of application hosted in Microsoft IIS server. On the address, type the fully qualified domain name of the web application which will be accessible from external network.

image

7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.

8. On the Authentication page, deselect SSO. By deselecting this option, you have created pass through authentication.

image

9. On the Portal Link page, specify how the application appears in the portal home page of the trunk. If you have subdirectory in IIS, specify correct URL. For example, in my case I have subdirectory like https:// mymobile.mydomain.com/mobile/ .Select premium and non-premium mobile portal.

image

10. Once done, Click Finish.

11. On the Trunk , On the initial application, Select Portal Home page, as MobilePortal.

image

Step4: Activating Trunk and Post Check.

1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

2. This is the simple step, most of techie doesn’t do and end up being calling Microsoft Tech support. You have to do this step so that published application works. Open command prompt as an administrator, run iisreset /restart.

3. Once everything is configured correctly, you will receive the following event in UAG Web Monitor> Event Viewer

The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.

Other Articles:

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Replace Common Name (CN) and SAN Certificates with Wild Card Certificate— Step by Step

If you have a Common Name certificate or Subject Alternative Name certificate in Exchange webmail or other website and you would like to change that to wild card certificate to consolidate your certificate uses in wide variety of infrastructure and save money. You can do so safely with a minor downtime with no or little loss of productivity.

Microsoft accept certified SSL provider which are recorded in this url http://support.microsoft.com/kb/929395/en-us

Here is a guide lines how to accomplish this objective.

Step1: Check Current Exchange SSL Certificate

Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.

Step2: Record Proposed Exchange SSL Wildcard Certificate

  • Common Name: *.yourdomain.com.au
  • SAN: N/A
  • Organisation: Your Company
  • Department: ICT
  • City: Perth
  • State: WA
  • Country: Australia
  • Key Size: 2048

Step3: Generate a wildcard certificate request

You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate a certificate command for exchange server.

New-ExchangeCertificate -GenerateRequest -Path c:star_your_company.csr -KeySize 2048 -SubjectName “c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au” -PrivateKeyExportable $True

Step4: Sign the certificate request and download SSL certificate in PKCS#7 format

For more information, you can go to help file of your certificate provider. But for example I am using rapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808

1. Click https://products.geotrust.com/geocenter/reissuance/reissue.do

2. Provide the common name, technical contact e-mail address associated with the SSL order,
and the image number generated from the Geotrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click on the link listed in the e-mail to enter the User Portal Click View Certificate Information. Select the appropriate PKCS#7 or  X.509 format from the drop down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with .p7b extension.

5. Save the certificate locally and install per the server software. 

Step5: Locate and Disable the Existing CA certificate

Now this step is a disruptive step for webmail. You must do it after hours.

1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.

3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right click the certificate, Select Properties

4. In the Certificate purposes section, select  Disable all purposes for this certificate
Click OK to close the MMC without saving the console settings.

Step6: Install Certificate

To install a SSL certificate onto Microsoft Exchange, you will need to use the Exchange
Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx

1. Copy the SSL certificate file, for example newcert.p7b and save it to C: on your Exchange server.

2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example

Import-ExchangeCertificate -Path C:newcert.p7b | Enable-ExchangeCertificate –Services  “SMTP, IMAP, POP, IIS”

3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.

For Example Get-ExchangeCertificate -DomainName yourdomain.com.au

4. In the Services column, letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command by pasting the thumbprint of your certificate as the -ThumbPrint argument such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services ” IIS”

Step7: Configure Outlook settings

Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx

To use the Exchange Management Shell to configure Autodiscover settings by using the Set-OutlookProvider cmdlet if you are using Exchange 2007.

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au

To change Outlook 2007 connection settings to resolve a certificate error

1. In Outlook 2007, on the Tools menu, click Account Settings.

2. Select your e-mail address listed under Name, and then click Change.

3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.

4. Select the Connect using SSL only check box.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

The following Step8 to Step 10 is for Forefront TMG 2010 configuration only. If you are using different method to publish Exchange then you don’t need to follow these steps. Use help file of your firewall/Edge product to configure SSL.

Open Exchange Management Shell, run

Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB

010e -BinaryEncoded:$true -Path c:certificatesexport.pfx -Password:(Get-Credential).password

Step9: Import certificate in TMG 2010

1.Click Start and select Run and tape mmc
2.Click on the  File menu and select   Add/Remove Snap in
3.Click  Add, select Certificates among the list of   Standalone Snap-in and click   Add
4.Choose   Computer Account and click   Next
5.Choose   Local Computer and click   Finish
6.Close the window and click OK on the upper window
7.Go to Personal then Certificates
8.Right click, choose All tasks then Import
9.A wizard opens. Select the file holding the certificate you want to import.
10.Then validate the choices by default
11.Make sure your certificate appears in the list and that the intermediary and root certificates are in their respective files. If not, place them in the appropriate file and replace existing certificates if needed.

Step10: Replace Certificate in Web Listener

1. click Start Forefront Threat Management Gateway console. The Forefront TMG console starts.

2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

3. In the results pane, double-click Remote Web Workplace Publishing Rule.

4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

5. Select External Web Listener from the list, and then click Properties.

6. In External Web Listener Properties, click the Certificates tab.

7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

9. To save changes and update the configuration, in the results pane, click Apply.

Step11: Test OWA from external and internal network

On the mobile phone, open browser, type webmail.yourdomain.com.au and log in using credential.

Make sure no certificate warning shows on IE.

Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
 

Relevant References

Request an Internet Server Certificate (IIS 7)

Using wildcard certificates

Hardening Security of Server- The Bottom Line

Securing Servers from internal and external threat is the key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain IT Infrastructure you will have a better night sleep knowing you are safe. There will not be music in the ears of oncall Engineer facing nightmare. So how you accomplish a tight security and control on IT infrastructure without compromising work environment. Here are some tips for you.

Infrastructure Firewalls

You must have an isolated Head Office network from branch office. You can purchase MPLS or IP WAN service from your ISP. Alternatively you can create site to site VPN using security appliance or application like Forefront TMG 2010. A better design approach would be a multi-tier firewall so that your internal server, DMZ servers and branch servers stay securely connected. You can have specific VLANs for specific servers/services/applications with correct Access Control List (ACL) in Cisco switches and routers. This will add another layer of firewall to the network.

Computer based Firewalls

In Windows Server 2008 and Windows Server 2012, there is built in firewall. You can configure that built-in firewall for a group of servers or individual server to provide host based firewall. Both Server 2008 and Server 2012 shipped with advanced Firewall and security configuration tools which you can administer through Group Policy object.

Intrusion Detection System

Another key aspect of firewall is security appliance that provide you to harden security using Intrusion Detection System (IDS) /Intrusion Protection System (IPS). These are third-party Devices or appliance. The IDS helps you monitor network traffic, logs data about the traffic, analyses the traffic based on signatures and anomalies, recognizes potential attacks, and alerts the IT staff to the perceived attack. The IPS does all that, but it also has the capability to react to the perceived  attack. IPS is also capable of reacting to an attack based on your configured rules.

Server Hardening- The bottom line

You execute the following action to stop being hacked or take these actions to prevent hacking

  • Isolate Administrator Role for individual tasks similar to their job description.
  • Stopping and disabling all unnecessary services and applications
  • Renaming the Administrator account
  • Implement password policy using Default Domain Policy in Group Policy Object
  • Implement GPO to secure servers and clients
  • Deleting or disabling all unnecessary user accounts
  • Use of Service Account to run services and application instead of running services using IT Admin’s generic account and store password to safe location
  • Create Role Based User Account instead of using user account by user name
  • Requiring strong authentication and certificates to access applications
  • Performing regular firmware, operating system and application updates using WSUS or SCCM
  • Installing renowned Antivirus and Anti-Spyware program and manage them centrally 
  • Document all system configurations and store these documents in safe location
  • Audit and monitor IT infrastructure regularly to prevent any misconfiguration
  • Use Read only Domain Controller (RODC) for branch office
  • Utilize great benefit of Server Core Technology reducing surface attack further
  • Utilize NPS, NAP and Certificate Servers to secure access to applications and services.