Forefront TMG Important URL and Guide
Microsoft is discontinuing any further releases of the following Forefront-branded solutions:
There is no change to the FIM roadmap. Microsoft will continue to develop the next version of FIM.
If you are wondering how to grant iPhone and tablet users access to a website published through Forefront UAG, there is a way to do it. Before I explain how, let's revisit how UAG endpoint compliance works.
By default UAG checks the compliance of every endpoint device. If you do not allow all endpoint devices in the UAG trunk, they will be blocked for a policy violation. Since the release of UAG SP3, mobile devices are identified as "Other" in the UAG endpoint policy; "Other" includes iPhone, iPad, and Android phones and tablets. Surprisingly, I found that UAG also blocks Windows 8 mobile phones unless you allow them explicitly in the endpoint policy.
When an endpoint device connects to the trunk portal or a published website, UAG automatically checks the Default Session Access and Default Web Application Access policies. For FTP and similar applications, UAG also checks the Default Web Application Upload and Default Web Application Download policies. You need to tweak the trunk properties and the application properties a little to make it work.
Let's begin with the trunk properties. Log on to the UAG server using administrative credentials and open the UAG Management Console.
Step1: Advanced Trunk Configuration
Step2: Allow Premium Mobile Portal
Step3: Test Mobile Devices
Recently I completed a UAG project. Its purpose was to publish several websites, SharePoint and OWA. All went well except that I got stuck with FTP. After several attempts, publishing FTP still failed with the error "Your Computer does not meet the security policy requirements of this application". I went through the UAG events to find a solution to this issue. No luck. I went through Ben Ari's blog. No luck. Ben's blog says little about FTP and does not cover the backend FTP server and UAG in detail. So I ended up calling Microsoft Tech Support to help me sort out the issue. Here is my research on FTP and the outcome, for those of you who are struggling to publish FTP using UAG.
Create a separate FTP Trunk:
You need to create a separate trunk for FTP. Right-click HTTP/HTTPS Trunk and create a new trunk. In my case I created an HTTPS trunk, which means you need a proper public certificate with a matching Common Name for the HTTPS trunk to work correctly. Note that you need the certificate with its public key, and you must import it in PFX format.
Once you have configured the trunk with all default settings, click Configure to open the advanced trunk settings.
On the Authentication tab, uncheck Require users to authenticate at session logon. If you want users to authenticate at session logon with domain credentials, you can keep it. I didn't want users to authenticate twice, so I unticked it.
Click the Session tab and make sure Disable component installation and Disable scripting for portal are unchecked.
Click the Endpoint Access Settings tab, click Edit Endpoint Policies, select Default Session Access, click Edit Policy, and under Other click Always. Click OK. Repeat the step for Default Privileged Endpoint and Default Non Web Access Policy. Click OK.
Add Enhanced Generic Client Application (Multiple Servers)
Add an Enhanced Generic Client Application (multiple servers) on this FTP trunk. Use all default settings except the server settings shown in the screenshots below.
On the Server Settings tab, make sure you type the fully qualified domain name of the FTP server. In my test lab I configured my domain controller as the FTP server, which is not best practice in a production environment; this is only for demonstration purposes. For Ports, use 20,21,1024-65534. For Executable, type the real path of the FTP client installed on Windows 7 or Windows 8; in my case C:\Program Files\FileZilla FTP Client\FileZilla.exe. Click OK.
For Socket forwarding, select Basic.
In the Endpoint policy, make sure Other is set to Always. Click OK.
Activate the Trunk
Click File, Click Activate.
Wait for Activation to complete.
Open a Command Prompt as an administrator. Type iisreset and press Enter.
Error and Warning:
Open a browser on a Windows client, browse to https://ftp.yourdomain.com and see the outcome. Make sure the FileZilla client is installed at C:\Program Files\FileZilla FTP Client on Windows 7 or Windows 8. You may or may not receive a warning depending on your client environment. To fix the warning, open UAG Web Monitor, click Session Monitor, select the FTP trunk, click the connected session and look at the endpoint information.
In my case I received "Your Computer does not meet the security policy requirements of this application", which said I had no antivirus installed (Compliant antivirus not detected), although I have Symantec antivirus. Solution? UAG was actually looking for Microsoft Security Essentials on my computer. The workaround is to install Microsoft Security Essentials and turn on Windows Firewall.
To avoid this issue, you can create a new endpoint policy. Click Configure on the trunk, click Edit endpoint policies, then click Add policy.
Create a new policy allowing any antivirus and any firewall, as shown in the screenshot below. Click OK.
Apply the policy in Endpoint Policy.
Activate the trunk again and run iisreset.
Open a browser and browse to https://ftp.yourdomain.com.
Click FTP to open the FileZilla client. Once the UAG component is installed, type the FTP server name, username and password in the FTP client to connect.
Now go back to UAG Web Monitor, select the FTP trunk and go to Endpoint information; you will see the client is compliant and connected.
To avoid running into the following UAG events, follow the procedure below to create a correct trunk and application in UAG 2010.
Warning 58 “The requested URL is not associated with any configured application.”
Warning 51 Invalid Method
“A request from source IP address x.x.x.x, user on trunk Trunk Name; Secure=1 for application failed because the method used PUT is not valid for requested URL”
1. Bypass Active Directory authentication to allow application-specific authentication.
Open Regedit and go to HKLM\Software\WhaleCom\e-Gap\von\URLFilter
Create a 32-bit DWORD named KeepClientAuthHeader and set its value to 1.
Also make sure the FullAuthPassThru value is set to 1.
2. The public host name in the trunk must be different from the public host name in the published application. The purpose of the trunk's public host name is only to create the trunk; it will not be accessible from the external network or the internal network. Why? Simply because you cannot create a trunk without a public host name. The application's public host name is the real FQDN that employees and roaming users will access from the external network, which means the public IP resolves to the application's public host name. Because the trunk's public host name and the application's public host name differ, when you activate the trunk and application you will receive a certificate error saying your trunk FQDN does not match your certificate. As long as your certificate CN matches the application's public host name you will be fine. If you don't want to see this error you can use a SAN certificate that contains both the trunk public host name and the application public host name. In my case I don't mind seeing the certificate warning; my trunk and application public host names are as follows:
3. Correct URL Set
Use the following steps to correctly publish a mobile-device or third-party application implemented in IIS within a subdirectory.
Step1: Create a Separate Trunk for this Application
i. Trunk Name: MobilePortal
ii. Public Host Name: Mobile.mydomain.com
iii. IP Address: Trunk IP (you must add additional IP address(es) in the TCP/IP properties of the UAG external NIC)
iv. Port: 443
Step2: Advanced Trunk Configuration
Step3: Add an Application Specific Host Name for iPhone, Android and Tablet
1. In the Forefront UAG Management Console, select the portal trunk to which you want to add the application. On the main trunk properties page, in the Applications area, click Add to open the Add Application Wizard.
2. On the Select Application page, click Web and choose the application-specific host name you want to publish.
3. On the Application Setup page, specify the name and type of the application.
4. On the Endpoint Security page, select the access policies for your application. Note that not all of the policies may be available for some published applications. You must verify that Other devices are allowed in Endpoint Security. See Step 11 in creating a trunk.
5. On the Application Deployment page, specify whether you want to publish a single server or a Web farm.
6. On the Web Servers page, if you are publishing a Web application, configure settings for the backend Web server that you want to publish. In the paths the application requires, add / as your path; this allows any subdirectory of the application hosted on the Microsoft IIS server. For the address, type the fully qualified domain name of the web application that will be accessible from the external network.
7. On the Connectivity Verifier Settings page, if you are publishing a Web farm, specify how the state of Web farm members should be detected.
8. On the Authentication page, deselect SSO. By deselecting this option you create pass-through authentication.
9. On the Portal Link page, specify how the application appears in the portal home page of the trunk. If you have a subdirectory in IIS, specify the correct URL. For example, in my case I have a subdirectory like https://mymobile.mydomain.com/mobile/. Select premium and non-premium mobile portal.
10. Once done, click Finish.
11. On the trunk, under Initial application, select Portal Home page as MobilePortal.
Step4: Activating Trunk and Post Check.
1. On the console toolbar, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.
2. This is a simple step that most techies skip, and they end up calling Microsoft Tech Support. You have to do this step for the published application to work. Open a command prompt as an administrator and run iisreset /restart.
3. Once everything is configured correctly, you will see the following event in UAG Web Monitor > Event Viewer:
The application MobilePortal was accessed on trunk; Secure=1 with user name and session ID EDD953BD-CB79-4180-B811-F1A0F53DCB33.
If you have a Common Name certificate or a Subject Alternative Name certificate on Exchange webmail or another website and you would like to change it to a wildcard certificate, to consolidate certificate use across a wide variety of infrastructure and save money, you can do so safely with minor downtime and little or no loss of productivity.
Microsoft accepts certified SSL providers, which are listed at http://support.microsoft.com/kb/929395/en-us
Here are guidelines on how to accomplish this.
Step1: Check Current Exchange SSL Certificate
Open the Exchange Management Shell and issue the Get-ExchangeCertificate command. Record the information for future reference.
Step2: Record Proposed Exchange SSL Wildcard Certificate
Step3: Generate a wildcard certificate request
You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate the certificate request command for Exchange Server.
New-ExchangeCertificate -GenerateRequest -Path c:\star_your_company.csr -KeySize 2048 -SubjectName "c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au" -PrivateKeyExportable $True
Step4: Sign the certificate request and download SSL certificate in PKCS#7 format
For more information, see the help file of your certificate provider. As an example I am using RapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808
2. Provide the common name, the technical contact e-mail address associated with the SSL order, and the image number generated from the GeoTrust User Authentication page.
3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.
4. Click the link in the e-mail to enter the User Portal, then click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop-down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with a .p7b extension.
5. Save the certificate locally and install it per the server software.
Step5: Locate and Disable the Existing CA certificate
This step is disruptive for webmail. You must do it after hours.
1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292
2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right-click the certificate and select Properties.
4. In the Certificate purposes section, select Disable all purposes for this certificate.
Click OK, then close the MMC without saving the console settings.
Step6: Install Certificate
To install an SSL certificate on Microsoft Exchange, you need to use the Exchange Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
1. Copy the SSL certificate file, for example newcert.p7b, to C:\ on your Exchange server.
2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together, for example:
Import-ExchangeCertificate -Path C:\newcert.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command, for example:
Get-ExchangeCertificate -DomainName yourdomain.com.au
4. In the Services column, the letters S, I, P and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn't properly enabled, re-run Enable-ExchangeCertificate, pasting the thumbprint of your certificate as the -Thumbprint argument, for example: Enable-ExchangeCertificate -Thumbprint [paste] -Services "IIS"
Step7: Configure Outlook settings
Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx
If you are using Exchange 2007, use the Exchange Management Shell to configure the Autodiscover settings with the Set-OutlookProvider cmdlet:
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au
To change the Outlook 2007 connection settings to resolve a certificate error:
1. In Outlook 2007, on the Tools menu, click Account Settings.
2. Select your e-mail address listed under Name, and then click Change.
3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.
4. Select the Connect using SSL only check box.
5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.
6. Click OK, and then click OK again.
7. Click Next. Click Finish. Click Close.
8. The new setting will take effect after you exit Outlook and open it again.
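The Exchange-side work of Steps 1, 6 and 7 collected into one script that also verifies the result, as an added example that is not part of the original post. It assumes the signed certificate sits at C:\newcert.p7b and the wildcard name is *.yourdomain.com.au, the placeholders used in the commands above.

```powershell
# Added example (not from the original post): record the current Exchange 2007
# certificates, import and enable the new wildcard certificate, verify the
# bindings, then update the Outlook provider. Run in the Exchange Management Shell.
# Assumptions (placeholders from the guide): C:\newcert.p7b and *.yourdomain.com.au.
$CertPath = 'C:\newcert.p7b'
$Wildcard = '*.yourdomain.com.au'
$Services = 'SMTP, IMAP, POP, IIS'

# Step 1: keep a record of what is enabled now so the change can be rolled back.
$Backup = "C:\exchcert-before-$(Get-Date -Format yyyyMMdd-HHmm).csv"
Get-ExchangeCertificate |
    Select-Object Thumbprint, Services, CertificateDomains, NotAfter |
    Export-Csv -Path $Backup -NoTypeInformation
Write-Host "Previous certificate state saved to $Backup"

# Step 6: import the signed PKCS#7 file, then check that it really carries the
# wildcard name before enabling it (a typo in the CSR would otherwise break webmail).
$Imported = Import-ExchangeCertificate -Path $CertPath
$New = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint
$Domains = $New.CertificateDomains | ForEach-Object { $_.ToString() }
if (-not ($Domains -contains $Wildcard)) {
    throw "Certificate $($New.Thumbprint) does not contain $Wildcard; not enabling it."
}
if ($New.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate $($New.Thumbprint) expires on $($New.NotAfter); do not deploy it."
}
Enable-ExchangeCertificate -Thumbprint $New.Thumbprint -Services $Services

# Verify the bindings instead of eyeballing the SIPW column: every service we
# asked for must be listed, otherwise Enable-ExchangeCertificate has to be re-run.
$Active  = Get-ExchangeCertificate -Thumbprint $New.Thumbprint
$Missing = @('SMTP', 'IMAP', 'POP', 'IIS') | Where-Object { $Active.Services.ToString() -notmatch $_ }
if ($Missing) {
    throw "Services not bound to $($New.Thumbprint): $($Missing -join ', ')"
}
Write-Host "Certificate $($New.Thumbprint) active for $($Active.Services) until $($Active.NotAfter)"

# Step 7: tell Outlook Anywhere clients which certificate principal name to expect.
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$Wildcard"
```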
Step8: Export Certificate from Exchange in .pfx format
Steps 8 to 10 are for Forefront TMG 2010 only. If you publish Exchange by a different method you don't need to follow them; use the help file of your firewall/edge product to configure SSL.
Open the Exchange Management Shell and run
Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB010e -BinaryEncoded:$true -Path c:\certificates\export.pfx -Password:(Get-Credential).password
Step9: Import certificate in TMG 2010
1. Click Start, select Run and type mmc.
2. Click the File menu and select Add/Remove Snap-in.
3. Click Add, select Certificates from the list of standalone snap-ins and click Add.
4. Choose Computer Account and click Next.
5. Choose Local Computer and click Finish.
6. Close the window and click OK in the upper window.
7. Go to Personal, then Certificates.
8. Right-click, choose All Tasks, then Import.
9. A wizard opens. Select the file holding the certificate you want to import.
10. Then accept the default choices.
11. Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.
Step10: Replace Certificate in Web Listener
1. Click Start, then Forefront Threat Management Gateway. The Forefront TMG console starts.
2. In the console tree, expand the name of your security server, and then click Firewall Policy.
3. In the results pane, double-click Remote Web Workplace Publishing Rule.
4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
5. Select External Web Listener from the list, and then click Properties.
6. In External Web Listener Properties, click the Certificates tab.
7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.
9. To save changes and update the configuration, in the results pane, click Apply.
Step11: Test OWA from external and internal network
On the mobile phone, open the browser, type webmail.yourdomain.com.au and log in using your credentials.
Make sure no certificate warning shows in IE.
Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
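A scripted version of the Step 11 check, as an added example that is not part of the original post: it completes a TLS handshake with the published listener from an external host and verifies the chain, the name and the expiry of the certificate actually presented, rather than relying on the absence of a browser warning. It assumes the placeholders webmail.yourdomain.com.au and *.yourdomain.com.au from the guide.

```powershell
# Added example (not from the original post): inspect the certificate that the
# published webmail listener presents. Run from a machine outside the network.
# Assumptions (placeholders from the guide): webmail.yourdomain.com.au, *.yourdomain.com.au.
$HostName = 'webmail.yourdomain.com.au'
$Expected = '*.yourdomain.com.au'

# Complete the handshake and copy the leaf certificate. The callback accepts
# anything so that the chain and name problems can be reported in detail below.
$Tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$Ssl = New-Object System.Net.Security.SslStream(
    $Tcp.GetStream(), $false,
    ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
try {
    $Ssl.AuthenticateAsClient($HostName)
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
} finally {
    $Ssl.Dispose()
    $Tcp.Close()
}

$Problems = @()

# 1. The chain must build to a trusted root with revocation checked; a missing
#    intermediate (see Step 9, item 11) shows up here as PartialChain.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $Chain.Build($Cert)) {
    $Problems += $Chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
}

# 2. The wildcard must be the CN or a SAN entry; otherwise the TMG listener is
#    still bound to the old certificate.
$Cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$San = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
if ($Cn -ne $Expected -and -not ($San -match [regex]::Escape($Expected))) {
    $Problems += "Listener presents '$Cn' (SAN: $San), not $Expected"
}

# 3. Expiry: warn well before the listener goes dark.
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $Problems += "Certificate expires $($Cert.NotAfter)"
}

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: $HostName presents $Cn, thumbprint $($Cert.Thumbprint), valid until $($Cert.NotAfter)" }
```

Run it from both the external and the internal network, since the Step 11 test covers both and the two paths may hit different listeners.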
Securing servers from internal and external threats is a key aspect of managing and administering Windows servers. If you carefully design, implement and maintain your IT infrastructure you will sleep better knowing you are safe, and the on-call engineer will not be woken by a nightmare. So how do you achieve tight security and control over IT infrastructure without compromising the work environment? Here are some tips.
You must isolate the head office network from the branch office networks. You can purchase an MPLS or IP WAN service from your ISP. Alternatively you can create a site-to-site VPN using a security appliance or an application such as Forefront TMG 2010. A better design approach is a multi-tier firewall so that your internal servers, DMZ servers and branch servers stay securely connected. You can have specific VLANs for specific servers, services or applications with correct Access Control Lists (ACLs) on Cisco switches and routers. This adds another layer of firewalling to the network.
Computer-based Firewalls
Windows Server 2008 and Windows Server 2012 have a built-in firewall. You can configure it for a group of servers or for an individual server to provide a host-based firewall. Both Server 2008 and Server 2012 ship with advanced firewall and security configuration tools that you can administer through Group Policy objects.
Intrusion Detection System
Another key aspect of a firewall is a security appliance that lets you harden security using an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). These are third-party devices or appliances. An IDS monitors network traffic, logs data about the traffic, analyses it based on signatures and anomalies, recognizes potential attacks, and alerts IT staff to the perceived attack. An IPS does all that, but it can also react to the perceived attack, based on the rules you configure.
Server Hardening: the bottom line
Take the following actions to prevent your servers from being hacked: