Forefront UAG 2010 Deployment Guide

Forefront TMG Important URL and Guide

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Forefront UAG Event Messages

Forefront UAG registry keys

Microsoft Forefront Product Roadmap

Microsoft is discontinuing any further releases of the following Forefront-branded solutions:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)
  • Forefront Unified Access Gateway 2010 (UAG)
  • Forefront Client Security
  • Forefront Security for Exchange Server

There is no change to the FIM roadmap. Microsoft will continue to develop the next version of FIM.

References:

http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Forefront&Filter=FilterNO

http://redmondmag.com/articles/2013/12/17/microsoft-ending-uag-sales.aspx

 

Experience Mobile (iPhone & Android) Browsing with Forefront UAG

If you are scratching your head over how to grant iPhone and tablet access to a website published via Forefront UAG, there is a way to achieve it. But before I articulate how, let's revisit how UAG endpoint compliance works.

By default UAG checks the compliance of every endpoint device. If you do not allow a device type in the UAG trunk's endpoint policies, it is blocked for policy violation. Since the release of UAG SP3, mobile devices are identified as "Other" in the UAG endpoint policy. "Other" includes iPhone, iPad, and Android phones and tablets. Surprisingly, I found that UAG also blocks Windows 8 mobile phones unless you allow them explicitly in the endpoint policy.

When an endpoint device connects to the trunk portal or a published website, UAG automatically checks the Default Session Access and Default Web Application Access policies. For FTP and similar applications, UAG also checks the Default Web Application Upload and Default Web Application Download policies. You need to tweak the trunk properties and the application properties a little to make it work.

Let's begin with the trunk properties. Log on to the UAG server with administrative credentials and open the UAG Management Console.

Step1: Advanced Trunk Configuration

  1. Select the trunk through which you publish the application, then in the Trunk Configuration area click Configure.
  2. On the Advanced Trunk Configuration dialog box, click the Endpoint Access Settings tab.
  3. On the Endpoint Access Settings tab, click Edit Endpoint Policies.
  4. On the Manage Policies and Expressions dialog box, click the Default Session Access policy, and then click Edit Policy.
  5. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  6. On the Manage Policies and Expressions dialog box, click the Default Web Application Access policy, and then click Edit Policy.
  7. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  8. Repeat steps 4 to 7 for all the required policies. For example, for FTP perform steps 4 to 7 on the Default Web Application Upload and Default Web Application Download policies as well.
  9. On the Manage Policies and Expressions dialog box, click Close.
  10. On the Advanced Trunk Configuration dialog box, click OK.
  11. Activate the configuration and wait for activation to complete. Note that it takes a few minutes.
  12. Open an elevated command prompt (Run as administrator), type iisreset and press Enter.

Step2: Allow Premium Mobile Portal

  1. Select the application you published through the trunk whose advanced properties you configured in the previous steps. In the Applications area, click the required application, and then click Edit.
  2. On the Application Properties dialog box, click the Portal tab.
  3. On the Portal tab, select the Premium mobile portal and Non-premium mobile portal check boxes.
  4. On the Application Properties dialog box, click OK.
  5. Activate the configuration and wait for activation to complete. Note that it takes a few minutes.
  6. Open an elevated command prompt (Run as administrator), type iisreset and press Enter.

Step3: Test Mobile Devices

  1. Browse to the published website from a Windows Phone or iPhone.
  2. Open the Forefront UAG Web Monitor and check the session compliance and authentication under Active Sessions.
  3. Check all system logs in the UAG monitor. You will see that a session connected successfully, with the endpoint device type, endpoint IP and GUID mentioned in the logs.


Publish FTP Using Microsoft Forefront UAG 2010

Recently I completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went OK except that I got stuck with FTP. After several attempts, publishing FTP failed with the error "Your Computer does not meet the security policy requirements of this application". I went through the UAG events to find a solution to this issue. No luck. I went through Ben Ari's blog. No luck. Actually Ben's blog tells you a little about FTP but doesn't cover the backend FTP server and UAG in detail. So I ended up calling Microsoft Tech Support to help me sort out the issue. Here is my research on FTP and the outcome, for those of you who are struggling to publish FTP using UAG.

Prerequisites:

  1. Forefront UAG 2010 SP3
  2. Windows 7 or Windows 8 Client
  3. Windows Server 2008 R2 Domain
  4. Internet Explorer 9 or later
  5. Passive mode FileZilla FTP client or passive mode CuteFTP client
  6. Passive mode IIS 7.5 FTP
  7. Client connection ports 20 & 21
  8. Passive mode port range 1024-65534

Create a separate FTP Trunk:

You need to create a separate trunk for FTP. Right-click HTTP Connections or HTTPS Connections and create a new trunk. In my case I created an HTTPS trunk, which means you need a proper public certificate whose Common Name matches the trunk's public host name for the HTTPS trunk to work correctly. Note that the certificate must include its key pair; you must import it in PFX format.

Once you have configured the trunk with all the default settings, click Configure to open the advanced trunk settings.

On the Authentication tab, uncheck Require users to authenticate at session logon. If you want users to authenticate at session logon with their domain credentials, you can keep it. I don't want users to authenticate twice, so I un-ticked this one.

Click the Session tab and make sure Disable component installation and Disable scripting for portal applications are unchecked.

Click the Endpoint Access Settings tab, click Edit Endpoint Policies, select Default Session Access and click Edit Policy. In the Other drop-down list, click Always, then click OK. Repeat the step for the Default Privileged Endpoint and Default Non Web Access policies. Click OK.

Add Enhanced Generic Client Application (Multiple Servers)

Add an Enhanced Generic Client Application (multiple servers) to this FTP trunk. Use all the default settings except the server settings, which are described below.

On the Server Settings tab, make sure you type the fully qualified domain name of the FTP server. In my test lab I configured my domain controller as the FTP server, which is not best practice in a production environment; this is for demonstration purposes only. For Ports, use 20,21,1024-65534. For Executable, type the real path of the FTP client installed on Windows 7 or Windows 8; in my case C:\Program Files\FileZilla FTP Client\FileZilla.exe. Click OK.

For socket forwarding, select Basic.

On the Endpoint Policy tab, make sure Other is set to Always. Click OK.

Activate the Trunk

Click File, then click Activate.

Wait for the activation to complete.

Open a command prompt as an administrator, type iisreset and press Enter.

Error and Warning:

Open a browser on the Windows client, browse to https://ftp.yourdomain.com and see the outcome. Make sure the FileZilla client is installed in the C:\Program Files\FileZilla FTP Client location on Windows 7 or Windows 8. You may or may not receive a warning depending on your client environment. To diagnose the warning, open the UAG Web Monitor, click Session Monitor, select the FTP trunk, click the connected session and look at the endpoint information.

In my case I received "Your Computer does not meet the security policy requirements of this application", which says I don't have any antivirus installed (Compliant antivirus not detected), but I have Symantec antivirus. Solution? Actually UAG is looking for Microsoft Security Essentials on my computer. The workaround is to install Microsoft Security Essentials and turn on the Windows firewall.

To avoid this issue, you can create a new endpoint policy. Click Configure on the trunk, click Edit Endpoint Policies, then click Add Policy.

Create a new policy allowing any antivirus and any firewall. Click OK.

Assign the new policy in the Endpoint Policies settings.

Activate the trunk again and run iisreset.

Testing FTP

Open a browser and browse to https://ftp.yourdomain.com

Click FTP to open the FileZilla client application once the UAG component is installed. Type the FTP server name, username and password in the FTP client to connect.

Now go back to the UAG Web Monitor, select the FTP trunk and go to Endpoint Information; you will see the client is compliant and connected.


Further Study

Publish FTP using TMG

Passive mode IIS 7.5 FTP


How to Publish Application Specific Host Name using Pass Through Authentication in Forefront UAG 2010

To avoid being caught by the following UAG events, follow the procedure below to create a correct trunk and application in UAG 2010.

UAG Events:

Warning 58 “The requested URL is not associated with any configured application.”

Warning 51 Invalid Method

“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”

Solutions:

1. Bypass Active Directory authentication to allow application-specific authentication.

Open Regedit and go to HKLM\SOFTWARE\WhaleCom\e-Gap\von\URLFilter

Create a 32-bit DWORD named KeepClientAuthHeader and set its value to 1.

Also make sure the FullAuthPassThru value is set to 1.
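The same registry change can be applied and verified from an elevated PowerShell prompt on the UAG server. This is an added example, not code from the original post; the key path and value names are the ones given above, and the helper function name is my own.

```powershell
# Added example: set the two UAG pass-through values described above and
# read them back. Assumes an elevated PowerShell session on the UAG server.
$uagUrlFilterKey = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\URLFilter'

# Hypothetical helper (not a UAG cmdlet): create the value as a 32-bit DWORD
# if it is missing, otherwise update it in place.
function Set-UagDwordValue {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [int]    $Value
    )
    if (-not (Test-Path $uagUrlFilterKey)) {
        throw "UAG URLFilter key not found: $uagUrlFilterKey (is UAG installed on this host?)"
    }
    $existing = Get-ItemProperty -Path $uagUrlFilterKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $uagUrlFilterKey -Name $Name -Value $Value -PropertyType DWord | Out-Null
    } else {
        Set-ItemProperty -Path $uagUrlFilterKey -Name $Name -Value $Value
    }
}

# Both values are required, as the post states: KeepClientAuthHeader lets the
# published application do its own authentication, and FullAuthPassThru must be 1.
Set-UagDwordValue -Name 'KeepClientAuthHeader' -Value 1
Set-UagDwordValue -Name 'FullAuthPassThru'     -Value 1

# Read back and report; anything other than 1 here means the change did not stick.
$check = Get-ItemProperty -Path $uagUrlFilterKey
foreach ($name in 'KeepClientAuthHeader', 'FullAuthPassThru') {
    $value = $check.$name
    if ($value -ne 1) {
        Write-Warning ("{0} is {1}, expected 1" -f $name, $value)
    } else {
        Write-Host ("{0} = {1}" -f $name, $value)
    }
}

# The post's later steps still apply: activate the configuration and run iisreset.
```

Run this before activating the trunk so that the read-back is part of your change record.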


2. The public host name of the trunk must be different from the public host name of the published application. The purpose of the public host name in the trunk is only to create the trunk itself; this host name will be accessible from neither the external nor the internal network. Why? Simple reason: without a public host name, you can't create a trunk. The public host name in the application is the real FQDN that employees and roaming users will access from the external network, which means the public IP will resolve to the application's public host name. Since the public host name in the trunk and the public host name in the application are different, when you activate this trunk and application you will receive a certificate error saying your trunk FQDN doesn't match your certificate. As long as your certificate CN matches the application public host name, you will be fine. If you don't want to see this error, you can use a SAN certificate that has both the trunk public host name and the application public host name. In my case I don't mind seeing that certificate warning; my trunk and application public host names are as follows:

  • Trunk Public Host Name: Mobile.mydomain.com
  • Application Public Host Name: mymobile.mydomain.com

3. Correct URL Set

  • Name: MobilePortal_Rule1
  • Action: Accept
  • URL: /.*
  • Parameters: Ignore
  • Methods: PUT, POST, GET

Use the following steps to correctly publish a mobile device or third-party application implemented in IIS within a subdirectory.

Step1: Create a Separate Trunk for this Application

  1. Before you begin, import the certificate on the UAG server. The certificate must be in .pfx format with the private key. Open the Microsoft Management Console (MMC), which enables you to import a certificate into the IIS certificate store:
     i. Start Menu > Run > MMC
     ii. To import a certificate, in the MMC window, in the left pane, under Console Root, verify that Certificates (Local Computer) > Personal is selected.
     iii. From the Action menu, click All Tasks, and then click Import.
     iv. Follow the instructions in the Certificate Import Wizard.
  2. In the Forefront UAG Management console, right-click HTTP Connections to create a trunk accessible over HTTP, or right-click HTTPS Connections to create a trunk accessible over HTTPS. Then click New Trunk.
  3. On the Select Trunk Type page of the Create Trunk Wizard, click Portal trunk.
  4. On the Setting the Trunk page of the Create Trunk Wizard, specify the trunk details. In my case I have the following:
     i. Trunk Name: MobilePortal
     ii. Public Host Name: Mobile.mydomain.com
     iii. IP Address: trunk IP (you must add additional IP address(es) in the TCP/IP properties of the UAG external NIC)
     iv. Port: 443
  5. On the Authentication page of the Create Trunk Wizard, I am going to add my domain controller, but at a later stage I will remove the domain controller to make the authentication application-specific rather than LDAP or AD. That means I will bypass AD authentication. For now, select an authentication server that will be used to authenticate user requests for trunk sessions. Click Add to select a server, as follows:
     i. In the Authentication and Authorization Servers dialog box, select a server and click Select. To add a new server to the list, click Add.
     ii. Select User selects from a server list to specify that during login to the trunk, users will be prompted to select an authentication server. If you configure one authentication server, users will authenticate to that server only. Select Show server names to allow users to select an authentication server from a list; otherwise, users must enter the server name. Select User provides credentials for each selected server to prompt users during login to authenticate to all the specified authentication servers. Select Use the same user name to specify that users must enter a single user name that will be used to authenticate to all specified servers.
  6. On the Certificate page of the Create Trunk Wizard (HTTPS trunks only), select the server certificate that will be used to authenticate the Forefront UAG server to the remote endpoint.
  7. On the Endpoint Security page of the Create Trunk Wizard, control access to trunk sessions by selecting policies that allow access based on the health of client endpoints. Click Use Forefront UAG access policies to determine the health of endpoints using the built-in Forefront UAG access policies.
  8. Click Finish after completing the Create Trunk Wizard.

Step2: Advanced Trunk Configuration

  1. Click Configure Trunk, click Endpoint Access Settings, then click Edit Endpoint Policies.
  2. In this step you will allow access for mobile phones and tablets. Microsoft UAG by default doesn't allow mobile phone access; you need to allow it manually. Click Edit Endpoint Access Policies, select Default Session Access, click Edit, click Other, select Always, then click OK. Repeat the step for Default Privileged Endpoint, Default Web Application Access, Default Web Application Upload and Default Web Application Download.
  3. Click the Authentication tab and de-select Require users to authenticate at session logon. By deselecting this option, you have created pass-through authentication.
  4. Click the Session tab and deselect Disable component installation and Disable scripting for portal applications.
  5. Click the URL Set tab and scroll down to the bottom of the page. On the mobile portal rule, select PUT, POST, GET. Click OK. Adding PUT resolves the Warning 51 Invalid Method event listed above.
  6. After completing the trunk configuration, in the Forefront UAG Management console, on the toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

Step3: Add an Application Specific Host Name for iPhone, Android and Tablet

1. In the Forefront UAG Management console, select the portal trunk to which you want to add the application. In the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.

2. On the Select Application page, click Web, and choose the application-specific host name you want to publish.

3. On the Application Setup page, specify the name and type of the application.

4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that the Other device type is allowed in endpoint security. See Step11 in creating a trunk.

5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.

6. On the Web Servers page, if you are publishing a Web application, configure the settings for the backend Web server that you want to publish. Under the paths the application requires, add an additional / path; this allows any subdirectory of the application hosted on the Microsoft IIS server. For the address, type the fully qualified domain name of the web application that will be accessible from the external network.

7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.

8. On the Authentication page, deselect SSO. By deselecting this option, you have created pass-through authentication.

9. On the Portal Link page, specify how the application appears in the portal home page of the trunk. If you have a subdirectory in IIS, specify the correct URL; for example, in my case I have a subdirectory like https://mymobile.mydomain.com/mobile/. Select Premium mobile portal and Non-premium mobile portal.

10. Once done, click Finish.

11. On the trunk, under Initial application, select Portal Home Page as MobilePortal.

Step4: Activating Trunk and Post Check.

1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

2. This is the simple step that most techies skip, and they end up calling Microsoft Tech Support. You have to do this step so that the published application works. Open a command prompt as an administrator and run iisreset /restart.

3. Once everything is configured correctly, you will receive the following event in UAG Web Monitor > Event Viewer:

The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.


Replace Common Name (CN) and SAN Certificates with Wild Card Certificate— Step by Step

If you have a Common Name certificate or a Subject Alternative Name certificate on Exchange webmail or another website, and you would like to change it to a wildcard certificate to consolidate certificate use across a wide variety of infrastructure and save money, you can do so safely with minor downtime and little or no loss of productivity.

Microsoft accepts the certified SSL providers recorded at this URL: http://support.microsoft.com/kb/929395/en-us

Here are the guidelines to accomplish this objective.

Step1: Check Current Exchange SSL Certificate

Open the Exchange Management Shell and issue the Get-ExchangeCertificate command. Record the information for future reference.

Step2: Record Proposed Exchange SSL Wildcard Certificate

  • Common Name: *.yourdomain.com.au
  • SAN: N/A
  • Organisation: Your Company
  • Department: ICT
  • City: Perth
  • State: WA
  • Country: Australia
  • Key Size: 2048

Step3: Generate a wildcard certificate request

You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate the certificate request command for Exchange Server.

New-ExchangeCertificate -GenerateRequest -Path c:\star_your_company.csr -KeySize 2048 -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au" -PrivateKeyExportable $True

Step4: Sign the certificate request and download SSL certificate in PKCS#7 format

For more information, go to the help file of your certificate provider. As an example I am using RapidSSL. Reference: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808

1. Click https://products.geotrust.com/geocenter/reissuance/reissue.do

2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the GeoTrust User Authentication page.

3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.

4. Click the link in the e-mail to enter the User Portal, then click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users should select PKCS#7 format and save the file with a .p7b extension.

5. Save the certificate locally and install it per the server software.

Step5: Locate and Disable the Existing CA certificate

Now, this step is disruptive for webmail. You must do it after hours.

1. Create a Certificates snap-in in the Microsoft Management Console (MMC) by following the steps in this link: SO14292

2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.

3. Locate the following certificate in the MMC. If this certificate is present, it must be disabled: right-click the certificate and select Properties.

4. In the Certificate purposes section, select Disable all purposes for this certificate. Click OK to close the MMC without saving the console settings.

Step6: Install Certificate

To install an SSL certificate on Microsoft Exchange, you will need to use the Exchange Management Shell (EMS). Microsoft reference: http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx

1. Copy the SSL certificate file, for example newcert.p7b, to C:\ on your Exchange server.

2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For example:

Import-ExchangeCertificate -Path C:\newcert.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"

3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command. For example:

Get-ExchangeCertificate -DomainName yourdomain.com.au

4. In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn't properly enabled, you can re-run the Enable-ExchangeCertificate command, pasting the thumbprint of your certificate as the -ThumbPrint argument, such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services "IIS"
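Rather than eyeballing the Services column, the check in steps 3 and 4 can be scripted so that the wildcard certificate is located by its domain, its expiry is sanity-checked, and any service it is not yet bound to is enabled. This is an added example, not from the original post; it assumes the Exchange Management Shell and the example wildcard name used in this post, and `$requiredServices` is a list you adjust to match Step2.

```powershell
# Added example: confirm the wildcard certificate installed in Step6 is bound to
# the Exchange services. Assumes the Exchange Management Shell is loaded.
$wildcardName     = '*.yourdomain.com.au'
$requiredServices = @('SMTP', 'IIS')   # add 'IMAP', 'POP' if you enabled them in Step6

# Find the certificate whose domain list contains the wildcard name; if the
# request was issued twice, keep the one with the latest expiry.
$cert = Get-ExchangeCertificate | Where-Object {
    ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $wildcardName
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if ($null -eq $cert) {
    throw "No Exchange certificate found for $wildcardName; re-check the Import-ExchangeCertificate step."
}

# A freshly signed certificate should not be anywhere near expiry; if it is,
# the wrong (old) certificate may have been matched.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate {0} expires on {1}" -f $cert.Thumbprint, $cert.NotAfter)
}

# Services is a flags value; its string form reads like "IMAP, POP, IIS, SMTP".
$enabled = $cert.Services.ToString()
$missing = $requiredServices | Where-Object { $enabled -notmatch $_ }

if ($missing) {
    Write-Host ("Enabling missing services on {0}: {1}" -f $cert.Thumbprint, ($missing -join ', '))
    # Same cmdlet as step 4, driven by the thumbprint found above.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($requiredServices -join ', ')
} else {
    Write-Host ("Certificate {0} already enabled for: {1}" -f $cert.Thumbprint, $enabled)
}

# List the remaining certificates (the old CN/SAN ones) so they can be reviewed
# and removed after clients are confirmed working, as Step5 warns, after hours.
Get-ExchangeCertificate | Where-Object { $_.Thumbprint -ne $cert.Thumbprint } |
    Select-Object Thumbprint, Subject, Services, NotAfter
```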

Step7: Configure Outlook settings

Microsoft reference: http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx

If you are using Exchange 2007, use the Exchange Management Shell to configure the Autodiscover settings with the Set-OutlookProvider cmdlet:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au

To change the Outlook 2007 connection settings to resolve a certificate error:

1. In Outlook 2007, on the Tools menu, click Account Settings.

2. Select your e-mail address listed under Name, and then click Change.

3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.

4. Select the Connect using SSL only check box.

5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.

6. Click OK, and then click OK again.

7. Click Next. Click Finish. Click Close.

8. The new setting will take effect after you exit Outlook and open it again.

Step8: Export Certificate from Exchange in .pfx format

Steps 8 to 10 below are for Forefront TMG 2010 configuration only. If you publish Exchange by a different method, you don't need to follow them; use the help file of your firewall/edge product to configure SSL.

Open the Exchange Management Shell and run:

Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password

Step9: Import certificate in TMG 2010

1. Click Start, select Run and type mmc.
2. Click the File menu and select Add/Remove Snap-in.
3. Click Add, select Certificates from the list of standalone snap-ins and click Add.
4. Choose Computer Account and click Next.
5. Choose Local Computer and click Finish.
6. Close the window and click OK on the upper window.
7. Go to Personal, then Certificates.
8. Right-click, choose All Tasks, then Import.
9. A wizard opens. Select the file holding the certificate you want to import.
10. Then validate the default choices.
11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.

Step10: Replace Certificate in Web Listener

1. Click Start and open the Forefront Threat Management Gateway console. The Forefront TMG console starts.

2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

3. In the results pane, double-click Remote Web Workplace Publishing Rule.

4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

5. Select External Web Listener from the list, and then click Properties.

6. In External Web Listener Properties, click the Certificates tab.

7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

9. To save changes and update the configuration, in the results pane, click Apply.

Step11: Test OWA from external and internal network

On a mobile phone, open the browser, type webmail.yourdomain.com.au and log in using your credentials.

Make sure no certificate warning appears in IE.

Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.

Relevant References

Request an Internet Server Certificate (IIS 7)

Using wildcard certificates

Hardening Security of Server- The Bottom Line

Gallery

Securing Servers from internal and external threat is the key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain IT Infrastructure you will have a better night sleep knowing you are safe. There will not … Continue reading

FF TMG 2010—Can future be altered?

Gallery

I read the following articles about Microsoft Forefront TMG 2010. I was shocked by the news. TMG 2010 is one of the beautiful product Wintel Engineers and Security Administer can be proud off. I believe I am one of the … Continue reading

How did this blog perform in the year of 2011

Gallery

This blog was viewed about 190,000 times in 2011. The busiest day of the year was December 7th with 1,150 views. The most popular post that day was Install and Configure Lync Server 2010—Step by Step. Some visitors came searching, … Continue reading

TMG2010: Server Configuration does not match the stored configuration

Gallery

Issue: Not Synced Server Configuration does not match with stored configuration Cause: FF TMG 2010 Array certificates expired. Solutions: The following steps will fix the issue. Please note that I am explaining the situation where my TMG 2010 enterprise Array … Continue reading

Manage Internet Bandwidth and Quota by Integrating BSplitter with FF TMG 2010

Gallery

Bandwidth Splitter is a third party tools which works as an extension for Forefront TMG 2010 that allow granular management of internet bandwidth by shaping and setting up quota for the existing Internet connection and distributing it users and groups … Continue reading

FF TMG 2010: Configure Network Load Balancing Across Enterprise Array Members

Gallery

NLB is an wonderful in built TMG feature you can utilize to balance high network traffic. you can configure network load balancing across up to eight FF TMG array members. The following is an example of FF TMG 2010 NLB … Continue reading

FF TMG 2010: Configure ISP Redundancy— Step by Step

Gallery

ISP redundancy feature utilizes multiple ISP links and provide high-availability with load balancing and failover or just failover capability to the corporate Internet. The common functionality of ISP redundancy are: Designate primary and secondary link for internet connections Balance traffic … Continue reading

Configure Forefront TMG as a NPS (Radius) Client for VPN and local clients

Gallery

In this article, I will describe how to configure Forefront TMG as a RADIUS client. As a radius client FF TMG act as a messenger sending RADIUS request to NPS for authentication and authorization of VPN connection. The following Visio … Continue reading

Configure non-domain Forefront TMG to allow traffic from domain members and domain clients

Gallery

In this article, I will explain how to configure non-domain FF TMG to allow traffic from domain members and clients.  Log on to FF TMG server as an administrator. In the FF TMG Management console, in the tree, click Firewall … Continue reading

Forefront TMG 2010: Frequently Asked Questions (FAQ)

What is Forefront Threat Management Gateway? Forefront Threat Management Gateway 2010 (TMG) lets employees use the Internet for business safely and productively without worrying about malware and other threats. It provides multiple layers of continuously updated …

Configure custom HTML error message on Forefront TMG 2010 and redirect users to corporate notice

Log on to the Forefront TMG server and browse to %Program Files%\Microsoft Forefront TMG\errorhtmls. Copy the default.htm file and paste it inside a folder called banned. Now modify the file using Microsoft Office Word and add the corporate logo and notice. Once you have …

How to configure Forefront TMG 2010 as WPAD server (Auto Proxy Discovery)—Step by Step

WPAD stands for Web Proxy Auto-Discovery Protocol. The WPAD file carries the proxy settings for clients. Windows clients use WPAD to obtain proxy information from the DHCP and DNS servers: a client queries for the WPAD entry and receives the address of the WPAD …
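The file a WPAD server hands out is a proxy auto-configuration (PAC) script: one JavaScript function, FindProxyForURL, that the browser calls for every request. The following is an added example of such a script for a TMG deployment; it is not code from the original article. The proxy host name tmg.corp.example.com, the internal DNS suffix and the private address ranges are assumptions (8080 is TMG’s default Web proxy listener port). The four helper functions are normally supplied by the browser; minimal versions are defined here so the same file can also be exercised under Node.

```javascript
// Added example PAC (WPAD) script for a Forefront TMG Web proxy.
// Assumed values: proxy name tmg.corp.example.com, internal suffix
// .corp.example.com. Browsers supply the helper functions below natively;
// they are re-implemented here so the script also runs under Node for testing.

// True when the host has no dots (a single-label intranet name).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with the given domain suffix (case-insensitive).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Dotted-quad IPv4 string -> unsigned 32-bit integer.
function ipToInt(s) {
  return s.split(".").reduce((acc, octet) => (acc << 8) | parseInt(octet, 10), 0) >>> 0;
}

// Subnet test for a literal IPv4 host only (the browser's version also
// resolves names, which is a latency and information-leak concern in PACs).
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

const TMG_PROXY = "PROXY tmg.corp.example.com:8080"; // assumed TMG listener
const INTERNAL_SUFFIX = ".corp.example.com";          // assumed internal DNS zone

function FindProxyForURL(url, host) {
  // Single-label names and anything under the internal zone bypass the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  // Loopback and RFC 1918 address literals are also reached directly.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through TMG. Deliberately no "; DIRECT" fallback:
  // that would let clients skip Web filtering whenever the proxy is down.
  return TMG_PROXY;
}
```

Serve the file as wpad.dat from the WPAD host with the MIME type application/x-ns-proxy-autoconfig; the DHCP option 252 or the wpad DNS record the article describes only points clients at its URL.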

Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

Forefront TMG can be configured in various topologies or network scenarios, such as edge firewall, 3-leg perimeter, back firewall and single network adapter. In this article, I will configure Forefront TMG as a 3-leg perimeter. Before you can start, prepare …

Install and configure Forefront Client Security Step by Step part I

Forefront Client Security (FCS) is the protection technology for desktops and servers against spyware and viruses. FCS is centrally managed for both servers and clients, delivering automated virus protection for the organisation. FCS has four different roles: management, collection, …

How to configure reverse proxy using Forefront TMG 2010— step by step

In this article, I am going to explain reverse proxying in depth and how you can use the reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how-to in this article. Let’s start …

How to Configure Back-to-Back Firewall with Perimeter (DMZ) Topology—–Step by Step Guide

Placing a firewall in a corporate network puts you in a commanding position to protect your organisation’s interests from intruders. A firewall also helps you publish content or share infrastructure and data securely with external entities such as roaming clients, …

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management (part II)—Step by Step

In part 1, Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step, I illustrated how to configure Forefront EMS. In this second part, I will continue with the additional configuration and verification required for a …

Install and configure Forefront TMG 2010 Enterprise Management Server (EMS) for centralized Management—Step by Step

Forefront TMG 2010 comes in Standard and Enterprise editions. With the Enterprise edition you can deploy Forefront TMG on a single server (standalone deployment) or on multiple servers in an Enterprise Management array deployment. In an Enterprise deployment, one TMG server performs as …

Forefront TMG and BranchCache Hosted Cache deployed on the same host

BranchCache™ is a feature introduced in Windows® 7 and Windows Server® 2008 R2 that reduces wide area network (WAN) bandwidth utilization and improves network application responsiveness when users in branch offices access content in a central office. …

Forefront TMG 2010 as an Anti-spam, an Antivirus and a Content Filter systems

Forefront TMG has built-in capabilities to work as an anti-spam, antivirus and content filter for e-mail protection. TMG 2010 works hand in hand with Forefront Protection 2010 and the Exchange Edge Transport server to provide mail relay, anti-spam and antivirus protection. …

How to configure L2TP/IPSec VPN using Forefront TMG 2010

Prerequisites:

  • Windows Active Directory and DNS
  • DHCP server or a range of free IP addresses
  • Enterprise Root CA
  • Forefront TMG is a member server
  • Computer certificate installed on the TMG server
  • Public IP assigned to the external NIC of the TMG server

Configure L2TP/IPSec …

How to configure HTTPS Inspection in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > Forefront TMG Management console > expand the Forefront server > click Web Access Policy > on the right-hand side click the Tasks pane > scroll down to Web Protection Tasks. In Web Protection Tasks, …

Configure Malware Inspection, NIS and URL Filter in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > Forefront TMG Management console > expand the Forefront server > click Web Access Policy > on the right-hand side click the Tasks pane > scroll down to Web Protection Tasks. In Web Protection Tasks, …

Configure Forefront TMG 2010 to receive definition update from Windows server update services (WSUS)

Forefront TMG maintains the definitions of known viruses, worms and other malware. To keep these definitions up to date, Forefront TMG has a built-in centralized mechanism called the Update Center that allows the administrator to configure the update …

How to publish Exchange ActiveSync in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > Forefront TMG Management > expand the Forefront server > right-click Firewall Policy > New > Exchange Web Client Publishing Rule > type a rule name > Next > select Exchange 2010 as the Exchange version > check Exchange ActiveSync. Click Next. Now …

How to publish Exchange Anywhere in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > Forefront TMG Management > expand the Forefront server > right-click Firewall Policy > New > Exchange Web Client Publishing Rule > type a rule name > Next > select Exchange 2010 as the Exchange version > check Outlook Anywhere and Publish additional …

Forefront TMG 2010: Publishing Exchange server 2010

Gallery

This gallery contains 2 photos.

To ensure that every Exchange client access mail securely from anywhere (internally and externally) Exchange deployment published through Forefront TMG 2010. you need to plan and deploy the different roles of Exchange Server which includes Exchange HT, CAS, ET and … Continue reading

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Log on to the Forefront TMG 2010 server using admin credentials. Open Forefront TMG Management from the Start menu. Expand Forefront TMG > Firewall Policy > select Tasks > click Publish Exchange Web Client Access. Click the New button to add an Exchange farm, i.e. the Exchange CAS servers you …

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Microsoft Forefront Protection 2010 for Exchange Server protects Microsoft Exchange Server 2010 from viruses, worms, spyware and spam. Forefront Protection 2010 is an additional component included with Forefront TMG 2010 Enterprise edition. However, you can download and …

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Intrusion Prevention System: log on to the Forefront TMG server using admin credentials. Open Forefront TMG 2010 > expand Forefront TMG > Intrusion Prevention System > right-click > Configure Properties. Add network sets and web sites for exemptions. Forefront TMG 2010 Web Caching: open …

Migrating a single ISA Server to Forefront TMG 2010 Step by Step

Before you start migrating, record the fully qualified domain name (FQDN) of the computer running ISA Server. Record the IP address, subnet mask, default gateway and DNS server address of all network adapters connected to the internal, external (Internet) and perimeter …

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010 is built on the core capabilities delivered in Microsoft Internet Security and Acceleration (ISA) Server 2004/2006 to deliver a comprehensive, enhanced and integrated network security gateway. Forefront TMG provides additional protection capabilities …