Configure FF TMG 2010 as SOCKS Proxy

In this article I am going to write about the SOCKS proxy and its applications in the enterprise. Let's begin with the SOCKS proxy. Socket Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. SOCKS servers will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded. SOCKS performs at Layer 5 of the OSI model, the session layer.

In simple terms, SOCKS is an IETF approved standard for TCP/IP based networking applications. The SOCKS proxy provides the capability to allow traffic to be handled by a proxy for those applications (IM, ICQ) that do not have the native ability to set proxy parameters.

Let me explain forward proxy or proxy server. A proxy server’s function is to receive a request from a web browser or client, to perform that request (possibly after authorization checks), and return the results to the browser or client.

An advantage of a proxy is that the IP addresses or names of the internal systems never appear on the Internet; the Internet sees only the address of the proxy server. Attackers therefore cannot use those addresses to gain information about your internal system names and network structure. Requests for certain sites can be restricted or banned. Web proxy servers usually support many protocols, including HTTP, FTP, Gopher and HTTPS.

How does a SOCKS server work? Proxy servers can themselves use the SOCKS protocol to provide additional security. A SOCKS proxy adds a layer of encapsulation to the request from the client and forwards the encapsulated request to the destination.

Advantages:

  • Any TCP protocol can be encapsulated within the SOCKS protocol. On the client system, within the corporate network, the data packets to be sent to or from an external system are put inside a SOCKS packet and sent to a SOCKS server.
  • Returning packets are sent to the SOCKS server, which encapsulates them similarly and passes them on to the original client, which removes the SOCKS encapsulation to recover the required data.
  • The firewall can be configured very simply to allow any TCP/IP connection on any port from the SOCKS server to the non-secure Internet, trusting it to disallow any connections which are initiated from the Internet.

Disadvantages:

  • Browser configuration is more complex, the added data transfers can add an extra delay to page access, and sometimes proxies impose additional restrictions such as a time-out on the length of a connection, preventing very large downloads.
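
The encapsulation described above, shown for SOCKS4 as an added example that is not part of the original post: it builds and decodes the request and reply headers a client and a SOCKS gateway exchange. The function names, the constructed sample addresses and the SOCKS4a host-name handling (an extension beyond what the article covers) are assumptions of this example.

```python
import ipaddress
import socket
import struct

REPLY_CODES = {
    90: "request granted",
    91: "request rejected or failed",
    92: "rejected: proxy cannot reach identd on the client",
    93: "rejected: identd reported a different user id",
}
COMMANDS = {1: "CONNECT", 2: "BIND"}


def build_connect_request(dst_ip, dst_port, userid=""):
    """Client side: the 8-byte SOCKS4 header, then USERID and a NUL terminator."""
    ip = ipaddress.IPv4Address(dst_ip)      # SOCKS4 addresses are IPv4 only
    if not 0 < dst_port < 65536:
        raise ValueError("destination port out of range")
    uid = userid.encode("ascii")
    if b"\x00" in uid:
        raise ValueError("userid must not contain NUL")
    # VN=4, CD=1 (CONNECT), DSTPORT and DSTIP in network byte order
    return struct.pack("!BBH4s", 4, 1, dst_port, ip.packed) + uid + b"\x00"


def parse_request(data):
    """Proxy side: decode what the client asked for; ValueError if malformed."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != 4:
        raise ValueError("not SOCKS4 (version byte %d)" % vn)
    if cd not in COMMANDS:
        raise ValueError("unknown command %d" % cd)
    end = data.find(b"\x00", 8)
    if end == -1:
        raise ValueError("userid is not NUL-terminated")
    host = None
    # SOCKS4a extension: DSTIP 0.0.0.x (x != 0) means a host name follows
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        host_end = data.find(b"\x00", end + 1)
        if host_end == -1:
            raise ValueError("SOCKS4a host name is not NUL-terminated")
        host = data[end + 1:host_end].decode("ascii", "replace")
    return {
        "command": COMMANDS[cd],
        "dst_ip": str(ipaddress.IPv4Address(raw_ip)),
        "dst_port": port,
        "userid": data[8:end].decode("ascii", "replace"),  # sent in cleartext
        "dst_host": host,
    }


def parse_reply(data):
    """Client side: decode the proxy's 8-byte answer."""
    if len(data) < 8:
        raise ValueError("truncated SOCKS4 reply")
    vn, cd = data[0], data[1]
    if vn != 0:
        raise ValueError("reply version byte must be 0")
    return {"granted": cd == 90, "code": cd,
            "meaning": REPLY_CODES.get(cd, "unknown reply code")}


def probe(proxy_host, dst_ip, dst_port, proxy_port=1080, timeout=5.0):
    """Ask your own SOCKS4 gateway for one CONNECT and return its decoded reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(dst_ip, dst_port))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)


if __name__ == "__main__":
    # Constructed sample: documentation address 192.0.2.10, port 80, user "alice"
    wire = build_connect_request("192.0.2.10", 80, "alice")
    print(wire.hex(), parse_request(wire))
    print(parse_reply(bytes.fromhex("005a0050c000020a")))
```

probe() is meant for checking your own gateway on port 1080 once the filter is enabled. SOCKS4 sends the user id unencrypted and has no password field.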

Microsoft FF TMG 2010 can act as a SOCKS server, SOCKS gateway or SOCKS proxy. To configure Microsoft FF TMG 2010 as a SOCKS gateway:

Log on to FF TMG 2010>Open TMG management console>Click on System>Click on Application Filter>Right Click SOCKS4 Filter>Click Enable

Apply Changes>Click OK.

Right Click SOCKS4 Filter>Click Enable>Click Property.

Keep Default Port number>Select the network where SOCKS request will originate. For example Internal Network.

Click Ok. Apply Changes>Click Ok.

Now create a firewall policy to allow SOCKS communication between a source and a destination. For example, here I created a policy opening the SOCKS port between the internal network and the SOCKS gateway, that is, my proxy server.

Apply changes. Click Ok.

The following screenshot shows the ICQ protocol available in TMG 2010 Protocols. If you don't see your desired protocol on the list, you can add a user-defined protocol by simply adding a new protocol. For ICQ communication, you have to create a rule specifying the source, the destination and the protocol you are allowing.

To configure an FTP SOCKS connection, configure the global settings of CuteFTP or the individual connection settings of each connection, as shown below.

To configure proxy settings in IE, open IE>Click Tools>Click Internet options>Click Connections>Click LAN Settings>Click proxy Settings and add the SOCKS gateway or SOCKS proxy server details.

You can configure SOCKS proxy via GPO.

Create and link a GPO with an OU>Right Click on GPO>Click Edit>navigate to User Configuration\Windows Settings\Internet Explorer Maintenance

Expand the Internet Explorer Maintenance node, and in the Connection section, double-click Proxy Settings. You can define proxy settings for users.

To configure ICQ, Click on the Main button>Select Preferences>Click Connections. Click on the Firewall tab and select Socks4

  • Type Proxy IP address in the Host
  • Type in the proxy Port 1080
  • Type username and password in the Authentication
  • Apply and Click Ok

How did this blog perform in the year of 2011

This blog was viewed about 190,000 times in 2011.

The busiest day of the year was December 7th with 1,150 views. The most popular post that day was Install and Configure Lync Server 2010—Step by Step.

Some visitors came searching, mostly for tmg reverse proxy, lync server, tmg 2010 pdf, fax server windows 2008, and forefront site to site vpn configuration.

The top referring sites in 2011 were:

The most commented on post in 2011 was Microsoft Active Directory—Best Practice

The popular posts:

  1.  Install and Configure Lync Server 2010—Step by Step
  2.  Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step
  3.  How to configure reverse proxy using Forefront TMG 2010— step by step
  4.  Configure FAX server using Windows Server 2008 and Standard Fax Modem
  5.  Configure 3-Leg Perimeter (DMZ) using Forefront TMG 2010—step by step

I look forward to serving you again in 2012! Happy New Year!

TMG2010: Server Configuration does not match the stored configuration

Issue: Not Synced Server Configuration does not match with stored configuration

Cause: FF TMG 2010 Array certificates expired.

Solution: The following steps will fix the issue. Please note that I am explaining the situation where my TMG 2010 enterprise array is deployed in a workgroup.

Step1: Run ISA BPA on TMG 2010 Array Member

Step2: Verify certificate expiry date

1. From the Start menu, click Run. Type MMC, and then click OK.

2. In MMC, click File, and then click Add/Remove Snap-in.

3. Click Add to open the Add Standalone Snap-in dialog box.

4. From the list of snap-ins, select Certificates, and then click Add.

5. Select the service account and click Next.

6. Click Next.

7. Select ISASTGCTRL and click Finish.

8. Browse to ADAM_ISASTGCTRL\Personal > Certificates.

9. Open the certificate to see if it is expired.

Step3: Create a request.inf file. Open Notepad, copy the following text and paste it into Notepad. Modify the CN and domain details as per your own requirements, and save the file as request.inf. An example of the .inf file is:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=myTMG.mydomain.com"
EncipherOnly = FALSE
Exportable = TRUE ; private key can be exported (needed for the PFX export in Step6)
KeyLength = 1024 ; 2048 or larger is recommended for RSA keys
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer
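
A pre-flight check for the request.inf above, as an added example that is not part of the original post: it flags the typographic quotes and dashes that a copy and paste from a web page can introduce, a wrong Signature or Subject line, and RSA keys shorter than 2048 bits. The 2048-bit floor, the function names and the shortened sample text are assumptions of this example.

```python
import re

# Constructed sample: a shortened request.inf as it can arrive after copy and
# paste from a web page (typographic quotes kept on purpose).
SAMPLE_INF = """\
[Version]
Signature=”$Windows NT$
[NewRequest]
Subject = “CN=myTMG.mydomain.com”
Exportable = TRUE
KeyLength = 1024
KeySpec = 1 ; Key Exchange
RequestType = CMC
"""

TYPOGRAPHIC = "\u201c\u201d\u2018\u2019\u2013\u2014"  # curly quotes, en/em dash
MIN_RSA_BITS = 2048  # assumption: the floor this example enforces


def parse_inf(text):
    """Return {section: {key: value}}, lower-casing names, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def lint_request_inf(text):
    """Return a list of (severity, message) findings for a certreq policy file."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        if any(ch in raw for ch in TYPOGRAPHIC):
            findings.append(("error", "line %d: typographic quote or dash, "
                             "retype it in ASCII" % number))
    inf = parse_inf(text)
    new_request = inf.get("newrequest", {})
    signature = inf.get("version", {}).get("signature", "")
    if signature.strip('"') != "$Windows NT$":
        findings.append(("error", "Signature value is not $Windows NT$"))
    if not re.fullmatch(r'"[^"]*CN=[^"]+"', new_request.get("subject", "")):
        findings.append(("error", "Subject must be an ASCII-quoted name with CN="))
    key_length = new_request.get("keylength", "")
    if not key_length.isdigit():
        findings.append(("error", "KeyLength is missing or not a number"))
    elif int(key_length) < MIN_RSA_BITS:
        findings.append(("warn", "KeyLength %s is below %d bits"
                         % (key_length, MIN_RSA_BITS)))
    if new_request.get("exportable", "").upper() == "TRUE":
        findings.append(("note", "private key is exportable: protect the .pfx "
                         "and delete it after import"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_request_inf(SAMPLE_INF):
        print("%-5s %s" % (severity, message))
```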

Step4: Request a certificate from the Root/Subordinate CA

Open an elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -new -f request.inf certnew.req

Important! This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.

Step5: Submit the request and obtain the certificate

Open an elevated command prompt. At the command prompt, type the following command, and then press ENTER:

certreq -submit certnew.req certnew.cer

Important! certnew.req is generated in the previous command. certnew.cer is the certificate you are looking for.

An alternative way of submitting the certificate request to the CA:

  1. Open Certificate Authority
  2. Right Click on CA Server>All Task>Submit a New request
  3. Point to the location of certnew.req file
  4. Save Certificate As certnew.CER file into the preferred location

Step6: Convert the certificate into .pfx format

Import the certificate certnew.cer into a server or an admin workstation

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Import. The Certificate Export Wizard appears. Click Next.

10. Browse to location of certnew.cer file

11. Import Certificate

To export a certificate in PFX format using the Certificates snap-in

1. On the head node, click Start, click Run, and then type mmc to start the Microsoft Management Console.

2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

3. In Available snap-ins, click Certificates, and then click Add.

4. Select Computer account, and then click Next.

5. Select Local computer, and then click Finish.

6. If you have no more snap-ins to add to the console, click OK.

7. In the Microsoft Management Console, in the console tree, expand Certificates, and then expand Personal.

8. In the details pane, click the certificate you want to manage.

9. On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.

10. On the Export Private Key page, click Yes, export the private key. Click Next.

11. On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.

12. On the Password page, type and confirm the password that is used to encrypt the private key. Click Next.

13. Follow the pages of the wizard to export the certificate in PFX format.

Step7: Import Certificate into TMG Array

Log on to the TMG Server

Open FF TMG 2010 Console

Click on System>Click the server that is one of the array members>Click Import Server Certificate from the task pane>Browse to the location of the certificate and import the certnew.PFX certificate

Click Ok.

Click refresh on the systems

Step8: Repeat all of the steps on every array member

Step9: Refresh Array members and check system

Check TMG related services.

For more information on certificates, visit the following URLs.

http://technet.microsoft.com/en-us/library/cc754329.aspx

http://technet.microsoft.com/en-us/library/dd362553.aspx

http://support.microsoft.com/kb/931351

Forefront TMG 2010: Frequently Asked Questions (FAQ)

What is Forefront Threat Management Gateway?

Forefront Threat Management Gateway 2010 (TMG) enables businesses by allowing employees to safely and productively use the Internet for business without worrying about malware and other threats. It provides multiple layers of continuously updated protections – including URL filtering, antimalware inspection, intrusion prevention, application proxy, and HTTP/HTTPS inspection – that are integrated into a unified, easy to manage gateway, reducing the cost and complexity of Web security. Forefront TMG enables organizations to perform highly accurate Web security enforcement by stopping employee access to dangerous sites, based on reputation information from multiple Web security vendors and the technology that protects Internet Explorer 8 users from malware and phishing sites.

What features does Forefront Threat Management Gateway 2010 SP1 include? 

This service pack will include a number of improved features and enhancements, including:

Improved reporting features

  * New User activity reports to monitor Web surfing information
  * New look and feel for all TMG reports

Enhancements to URL filtering

  * User override for access restriction on sites blocked by URL filtering, allowing more flexible and easier deployment of web access policy
  * Override for URL categorization on the enterprise level
  * Customized denial notification pages to fit an organization’s needs

Enhanced branch office support

  * Simplified deployment of BranchCache at the branch office (for Windows Server 2008 R2 users), using Forefront TMG as the Hosted Cache Server
  * Forefront TMG and a read-only domain controller can be located on the same server, reducing TCO at branch offices

Support for publishing SharePoint 2010

What is a secure Web gateway?

A secure Web gateway is a solution designed to keep users safer from Web-based threats. In general, it will include Web anti-malware inspection, URL filtering, and HTTPS inspection. With its long history as Microsoft ISA Server, Forefront Threat Management Gateway 2010 adds strong inspection of Web-based protocols to help ensure they conform to standards and are not malicious. It further extends this strong application layer inspection through the Network Inspection System.

How is Forefront Threat Management Gateway 2010 different than Microsoft ISA Server 2006?

Forefront Threat Management Gateway is different in four major ways:

Secure Web Gateway: Forefront Threat Management Gateway 2010 can be used to protect internal users from Web-based attacks by integrating Web antivirus/anti-malware and URL filtering. With HTTPS inspection, it can even provide these protections in SSL-encrypted traffic.

Improved Application Layer Defenses: Forefront Threat Management Gateway 2010 includes Network Inspection System, which enables protection against vulnerabilities found in Microsoft products and protocols.

Improved Connectivity: Forefront Threat Management Gateway 2010 enhances its support for NAT scenarios with the ability to designate e-mail servers to be published on a 1-to-1 NAT basis. Additionally, Forefront Threat Management Gateway 2010 recognizes SIP traffic and provides a method to traverse the firewall.

Simplified Management: Forefront Threat Management Gateway 2010 has improved wizards to simplify its deployment as well as its continued configuration.

How is Forefront Threat Management Gateway 2010 different than Forefront Threat Management Gateway, Medium Business Edition (TMG MBE)?

Forefront Threat Management Gateway MBE is a product designed specifically for mid-sized businesses purchasing Windows Essential Business Server. Forefront Threat Management Gateway 2010 builds on its functionality to provide a complete secure Web gateway solution, with such features as URL filtering and HTTPS inspection. It also delivers enhanced application layer inspection with Network Inspection System. With these features and others, it enables organizations to provide a higher level of security to their users.

Does Forefront Threat Management Gateway 2010 require 64-bit servers?

Yes, Forefront Threat Management Gateway 2010 runs on a server with a 64-bit processor. For more details, please see the system requirements.

How is TMG 2010 licensed?

See the How to Buy page.

Is Forefront TMG part of the Forefront Protection Suite and ECAL?

Forefront TMG Web Protection Service is part of Forefront Protection Suite and ECAL. Forefront TMG 2010 is not part of these suite offerings and must be licensed separately.

What is the Forefront Threat Management Gateway Web Protection Service?

The Forefront Threat Management Gateway Web Protection Service provides continuous updates for malware filtering and access to cloud-based URL filtering to protect against the latest Web threats.  

Does Forefront TMG 2010 include Forefront TMG Web Protection Service?

No. Forefront TMG Web Protection Service is licensed separately. It can be licensed stand-alone, as part of the Forefront Protection Suite, or Enterprise CAL.

Do Forefront TMG 2010 customers have downgrade rights to ISA 2006?

Yes.  Customers who purchase Forefront TMG have downgrade rights to Microsoft Internet Security and Acceleration Server 2006.

What is the difference between Forefront Threat Management Gateway 2010 Standard and Enterprise editions?

Forefront TMG 2010 Enterprise Edition license gives customers increased scalability, provides access to a central management console, and provides extensive support for virtual environments.  The following chart outlines the differences between these editions:

Feature                              Standard   Enterprise
Network Load Balancing               No         Yes
Cache Array Routing Protocol         No         Yes
Enterprise Management Console        No*        Yes
Support for unlimited virtual CPUs   No         Yes

Can I migrate ISA to TMG and change FQDN of new TMG?

Yes you can. See  Migrate ISA

Can I install TMG on a DC?

No. It is not a supported configuration.

Can I configure reverse proxy using single NIC configuration?

A single NIC with reverse proxy is not a good idea. Why not two NICs? See this Reverse proxy for more info.

How many NICs do I need to configure a back-to-back TMG firewall?

Two NICs in each TMG server.

What type of IP do I use on a 3-leg perimeter or DMZ?

A public IP is recommended.

Can I use TMG as a router?

Yes, you can configure TMG as a router.

What type of VPN does TMG support?

See the VPN config

How can I configure NLB on TMG?

See this link NLB step by step

How can I configure cluster of TMG?

See this link

Can I manage TMG from my admin pc?

Yes you can. Link

Can I configure TMG as proxy cache?

TMG proxy Cache step by step

How can I retrieve custom report from TMG server?

See built in TMG reporting and Proxy inspector

How can I configure reverse proxy using TMG?

See this Reverse proxy for more info

Can I configure a back end TMG server behind Cisco ASA firewall?

Yes you can.

How can I configure ISP redundancy?

Here is a guide for ISP redundancy

How can I reinstall TMG?

See this link for answer

How to configure reverse proxy using Forefront TMG 2010— step by step

In this article, I am going to explain reverse proxy in depth and how you can utilize the reverse proxy functionality of Forefront TMG 2010 in your organisation. I will write a complete how-to in this article. Let's start with a proxy server. What is a proxy or forward proxy server? A proxy or forward proxy is a server (a computer system, device or application program) that acts as an intermediary for requests from internal clients seeking resources from external servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page or other resource, available from a different server. The proxy server evaluates the request according to its rules or filtering rules and passes it on to the server inside or outside the network. A proxy server can also act as a gateway between external and internal networks. A forward proxy secures networks by hiding the IP addresses of the internal network from the outside network. It also caches content and provides filtering functionality.

A reverse proxy, as the name suggests, relays requests from the opposite direction, i.e. from external clients to internal servers or perimeter servers. A reverse proxy has more than one network card: one NIC faces the Internet and another faces the perimeter or internal network. A reverse proxy is placed in the neighbourhood of web servers. A reverse proxy also hides the actual IP addresses of networks or servers from external or VPN clients. A reverse proxy encrypts data, provides load balancing, acts as a server cache, optimizes compression and publishes web sites for the extranet.

Advantages: A reverse proxy server provides the following advantages over a direct connection to a web server:

  • Security  
  • SSL encryption and acceleration 
  • SSL bridging  
  • SSL offloading  
  • Load balancing  

Reverse Proxy Prerequisites: Before you can create a reverse proxy in your organisation, you need to prepare the following infrastructure.

  • Prepare 3-Leg perimeter (DMZ) or back-to-back perimeter
  • Configure internet facing network adapter of TMG Reverse proxy server with publicly routable IP
  • All the intended web server(s) must have accessible public IP
  • Verify proper routing (if required, depending on your DMZ design)
  • Install Forefront TMG Server
  • Configure Firewall Policy to open specific ports
  • Request and configure a digital certificate for secure reverse proxy
  • Create a Web server publishing rule and verify that the secure Web server publishing rule properties are correct.
  • Verify or configure authentication and certification on IIS virtual directories.
  • Create an external DNS entry with ISP or Domain registrar
  • Verify that you can access the Web site through the Internet

 

 

Important! You can use the front-end TMG server as a reverse proxy server if you don't want to use a single-NIC reverse proxy in the DMZ. Please note that there is no specific design or step-by-step guide for each individual situation; I have written this article for a generic reverse proxy situation. You can have a single-NIC reverse proxy in the DMZ or a multiple-NIC reverse proxy (one external NIC, another internal).

Configure Network Adapter of Reverse Proxy Server:

1. On the server running ISA Server 2006, open Network Connections. Click Start, point to Settings, and then click Network Connections.

2. Right-click the external network connection to be used for the external interface, and then click Properties.

3. On the Properties page, click the General tab, click Internet Protocol (TCP/IP) in the This connection uses the following items list, and then click Properties.

4. On the Internet Protocol (TCP/IP) Properties page, configure the real IP addresses and DNS server addresses as appropriate for the network to which the network adapter is attached.

5. Click OK twice.

6. In Network Connections, right-click the internal network connection to be used for the internal interface, and then click Properties. Repeat steps 3 through 5 to configure the internal network connection.

Create Local DNS Record in AD DS Server: Configure DNS records that point to the appropriate web server(s) in the perimeter network, so that internal users can access those web sites locally. This is an internal DNS A record that resolves the FQDN.

Create External DNS Record with ISP or Domain registrar: Create an external DNS A record pointing to the external interface of the reverse proxy TMG server, as described in the following section. This is an external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy. In this step, you need help from your domain registrar or ISP.

Request and configure a digital certificate for SSL: Request and install certificate using FQDN for each web server to prevent DNS spoofing. The root certification authority (CA) certificate for the CA that issued the server certificate on the Web server (the IIS server running your Office Communications Server Web components) needs to be installed on the server running TMG Server 2010. This certificate should match the published FQDN of the external Web farm where you are hosting meeting content and Address Book files.

  • You must install a Web server certificate on reverse proxy TMG Server. This certificate should match the published FQDN of your external Web farm where you are hosting web sites.
  • If your internal deployment consists of more than one Standard Edition server or Enterprise pool, you must configure Web publishing rules for each external Web farm FQDN or web servers.

 

Import Certificate:

  • On the TMG Server computer, click Start, type mmc, and then press Enter or click OK.
  • Click the File menu and then click Add/Remove Snap-in or press Ctrl+M. Under Available Snap-ins, click Certificates and then click Add
  • Select Computer Account and then click Next, Click Local Computer and then click Finish
  • Click OK in the Add Or Remove Snap-ins dialog box
  • Expand Certificates (Local Computer), then expand Personal, and then expand Certificates. Right-click the Certificates node, select All Tasks, and then select Request New Certificate
  • The Welcome To The Certificate Import Wizard page appears. Click Next.
  • On the File To Import page, type the location where the certificate is located
  • On the Password page, type the password provided by the entity that issued this certificate
  • On the Certificate Store page confirm that the location is Personal
  • The Completing The Certificate Import Wizard page should appear with a summary of your selections, Review the page and click Finish

To verify that your CA is in the list of trusted root CAs

  • On each edge server, open an MMC console. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
  • On the File menu, click Add/Remove Snap-in, and then click Add.
  • In the Add Standalone Snap-ins box, click Certificates, and then click Add.
  • In the Certificate snap-in dialog box, click Computer account, and then click Next.
  • In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
  • Click Close, and then click OK.  In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
  • In the details pane, verify that your CA is on the list of trusted CAs. Repeat this procedure on each server.

Publish Web Server using TMG Web Publishing Wizard:

Creating an HTTPS Web Listener: Follow these steps to create a new Web listener on TMG to use HTTPS.

1. On the TMG computer, open the Forefront TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane and click Firewall Policy.

3. In the right pane click the Toolbox tab, right-click Web Listener under Network Objects, and then click New Web Listener.

4. The Welcome To The New Web Listener Wizard page appears. Type a name for this Web listener and click Next.

5. Leave the default option selected (SSL), and click Next.

6. On the Web Listener IP Addresses page, select External and click Next.

7. On the Listener SSL Certificate page, click Select Certificate, choose the certificate for this listener, and then click Select.

8. On the Listener SSL Certificates page, confirm that the selected certificate appears and click Next.

9. On the Authentication Settings page, choose HTML Form Authentication from the drop-down box. Leave the other options at the default selection, and click Next.

10. For the purpose of this example, disable SSO settings. Click Next.

11. On the Completing The New Web Listener Wizard page, review the selections. Click Finish and then click Apply to commit the changes.

Creating a Secure Web Publishing Rule: Follow these steps to create a secure Web Publishing rule on TMG using the listener that you previously created.

1. Expand Forefront TMG (Array Name) in the left pane.

2. Right-click Firewall Policy, point to New, and click Web Site Publishing Rule.

3. The Welcome To The New Web Publishing Rule Wizard page appears. Type a name for this publishing rule and click Next.

4. On the Select Rule Action page, leave the default selection (Allow) and click Next.

5. On the Publishing Type page, leave the default option and click Next.

6. On the Server Connection Security page, you specify whether TMG will use SSL to connect to the published Web server. For this rule, leave the default option and click Next.

7. On the Internal Publishing Details page, type the internal site name and click Next.

8. For the Web site that we are publishing, our goal is to allow access to all the content within the Web server. Therefore, the path should be /*. Click Next.

9. On the Public Name Details page you need to specify the name that the remote clients will use to reach the published server. Type in the FQDN (example webmail.wolverine.com.au), leave the other options as default and click Next.

10. On the Select Web Listener page, choose HTTPS Listener (Web Listener That Was Created Previously) from the Web Listener drop-down list. Click Next.

11. On the Authentication Delegation page, click the drop-down list and choose No Authentication. Click Next.

12. On the User Sets page, leave the default option to enforce all users to authenticate before accessing the internal Web server. Click Next to continue.

13. On the Completing The New Web Publishing Rule Wizard, review the summary of the selections for this rule. To confirm that the publishing rule is working properly, click Test Rule. If everything is configured properly, click Finish and then click Apply to commit the changes.

Verify or Configure Authentication and Certification on IIS Virtual Directories:  Use the following procedure to configure certification on your IIS virtual directories or verify that the certification is configured correctly.

1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In Internet Information Services (IIS) Manager, expand ServerName, and then expand Web Sites.

3. Right-click <default or selected> Web Site, and then click Properties.

4. On the Web Site tab, ensure that the port number is 443 in the SSL port box, and then click OK.

5. On the Directory Security tab, click Server Certificate under Secure communications. This opens the Welcome to the Web Server Certificate Wizard. Click Next.

6. On the Server Certificate page, click Assign an existing certificate, and then click Next.

7. On the SSL Port page, ensure that the value is 443 in the SSL port this Web site should use box, and then click Next.

8. On the Certificate Summary page, verify that settings are correct, and then click Next. Click Finish.

9. Click OK to close the Default Web Site Properties dialog box.

Verify Access through Your Reverse Proxy: Use the following procedure to verify that your users can access information on the reverse proxy. You may need to complete the firewall configuration and DNS configuration before access will work correctly. For each web server, type a URL similar to the following: https://externalwebfarmFQDN/, where externalwebfarmFQDN is the external FQDN of the Web farm.
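
One way to script the certificate side of this verification, as an added example that is not part of the original article: it checks that the certificate a published site presents covers the published FQDN (including the one-label wildcard rule) and warns before it expires. The host names, dates and function names are constructed for the example, and the 30-day warning window is an assumption.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.example.test"),),),
    "subjectAltName": (("DNS", "webmail.example.test"),
                       ("DNS", "*.apps.example.test")),
    "notAfter": "Jan 21 00:00:00 2024 GMT",
}
# Constructed "current time" so the sample gives the same result on every run
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2024 GMT")


def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, fqdn):
    """Exact match, or a '*.' wildcard standing for exactly one left-most label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = fqdn.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == fqdn


def check_published_cert(cert, fqdn, now, warn_days=30):
    """Return a list of findings; an empty list means name and expiry are fine."""
    findings = []
    names = cert_names(cert)
    if not any(name_matches(name, fqdn) for name in names):
        findings.append("name mismatch: certificate covers %s, not %s"
                        % (", ".join(names) or "no DNS name", fqdn))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if days_left < 0:
        findings.append("certificate expired %d days ago" % -days_left)
    elif days_left < warn_days:
        findings.append("certificate expires in %d days" % days_left)
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate of a published site (needs network access)."""
    # The default context already rejects untrusted, mismatched or expired
    # certificates; the checks above add the early warning before expiry.
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(check_published_cert(SAMPLE_CERT, "webmail.example.test", SAMPLE_NOW))
```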

Relevant Articles:

Configure DMZ using back to back topology

How do I reset the hosts file back to the default?

Install and configure TMG step by step

Add a resource record step by step

Adding CNAME using Cpanel
