Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Assumption:

I assume you have the following infrastructure ready.

  • Domain Controller: DC1PVDC01
  • Certificate Authority: DC1PVCA01
  • AD FS Server: DC1PVADFS01
  • Exchange Server: DC1PVEXCH01

Naming Convention:

  • DC1= Data Center 1 (location)
  • P=Production Systems
  • V=Virtual Server
  • DC=Domain Controller

So on so forth.

Proposed Web Application Proxy Server:

Option Description
Virtual Machine Name DC1PVWAP01
Memory 4GB
vCPU 1
Hard Disk 1 50GB
Network Adapter 2
Guest Operating System Windows Server 2012 R2
Hyper-v Integration Service Installed

Windows Server Role:

Role Web Application Proxy

 

Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated WAP network name. The following binding order will be maintained within Windows operating systems:

  1. First in Order- WAP internal adapter connected to the trusted network.
  2. Second in Order- WAP external adapter connected to the un-trusted network.

The following are the network configuration for WAP server.

Option IP Address Subnet Default Gateway DNS
Internal Network 10.10.10.2 255.255.255.0 Not required 10.10.10.1
External Network 192.168.1.1 255.255.255.0 192.168.1.254 Not required

Important! External Network can be assigned public IP if WAP server isn’t placed behind frontend router/firewall. In an edge configuration WAP external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and WAP wizard/console names. For example:

  • WAP adapter connected to the trusted network: Internal Network
  • WAP adapter connected to the un-trusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your un-trusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the WAP Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a WAP cluster.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

  1. Internal Network (Highest)
  2. External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose Public Host Name Public IP Address
Exchange webmail.yourdomain.com 203.17.x.x
SharePoint sharepoint.yourdomain.com 203.17.x.x

 

External Firewall Rules

The following NAT rules will be added into perimeter network to publish application and services through WAP. This rule is only apply if you please Web Application Proxy (WAP) behind a firewall or Cisco ASA otherwise you don’t need it.

Rule(s) Description Source IP Destination IP Address Port NAT Destination
1 Exchange Any 203.17.x.x 443 192.168.1.2
2 SharePoint Any 203.17.x.x 443 192.168.1.3

 

Building Web Application Proxy Server on Windows Server 2012 R2 Steps:

  1. Install Windows Server 2012 R2.
  2. Configure TCP/IP of Windows Server 2012 R2
  3. Join Web Application Proxy server to Domain
  4. Install Web Application Proxy Role
  5. Configure Kerberos Constraint Delegation
  6. Configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server
  7. Configure Firewall if WAP Server placed behind a Cisco ASA
  8. Install Public certificate into Web Application Proxy Server
  9. Publish Application

Configure Kerberos Constraint delegation

1. On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen.

2. Click Tools, and then click ADSI Edit.

3. On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.

4. In the left pane, expand Default naming context, expand DC=yourdomain, DC=com, expand CN=Computers, right-click CN=DC1PVWAP01, and then click Properties.

5. On the CN=DC1PVWAP01 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.

6. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/DC1PVWAP01.yourdomain.com and click Add. Then enter HTTP/DC1PVWAP01 and click Add. The Values list now contains two new entries; for example, HTTP/DC1PVWAP01.yourdomain.com and HTTP/DC1PVWAP01.

7. On the Multi-valued String Editor dialog box, click OK.

8. On the CN=DC1PVWAP01 Properties dialog box, click OK.

9. In Server Manager, click Tools, and then click Active Directory Users and Computers.

10. In the navigation pane, under yourdomain.com, click Computers. In the details pane, right-click the Web Application Proxy server, and then click Properties.

11. On the DC1PVWAP01 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.

12. Click Add, and on the Add Services dialog box, click Users or Computers.

13. On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.

14. On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.

15. On the DC1PVWAP01 Properties dialog box, click OK.

Configure AD FS (Optional when using pass-through pre-authentication)

1. On the Start screen, type AD FS Management, and then press ENTER.

2. Under the AD FSTrust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the federation metadata URL or host name for the partner, and then click Next.

5. On the Specify Display Name page type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party then click Next.

7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For more information about how to proceed with adding claim rules for this relying party trust, see the Additional references.

9. in the AD FS Management console, you must set the endpoint to be Proxy Enabled

Configure Certificate Template in CA

Note: This steps is only applicable when using Enterprise certificate authority.

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click an existing certificate that will serve as the starting point for the new certificate, and then click Duplicate Template.

3. Choose whether to duplicate the template as a Windows Server 2003–based template or a Windows Server 2008–based template.

4. On the General tab, enter the Template display name and the Template name, and then click OK.

5. Define any additional attributes such as mark “private key exportable” for the newly created certificate template.

Export & Import Certificates into Web Application Proxy Server

This is a very important steps for published app to work correctly. You must export .pfx certificate from application servers (Exchange, SharePoint or Lync Server) to Web Application Proxy Server so that internet explorer, web application proxy server and application servers validate same certificates.

Exporting a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Install Web Application Proxy Role

1. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

3. On the Select server roles dialog, select Remote Access, and then click Next.

4. Click Next twice.

5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

6. On the Confirm installation selections dialog, click Install.

7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In the navigation pane, click Web Application Proxy.

3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

5. On the Federation Server dialog, do the following, and then click Next:

  • In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.yourdomain.com.
  • In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

7. The certificate you choose here should be the one that whose subject is the Federation Service name, for example, fs.yourdomain.com.

8. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

9. On the Results dialog, verify that the configuration was successful, and then click Close.

Publish Application using AD FS Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://sp.yourdomain.com/app1/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://sp/app1/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish an integrated Windows authenticated application

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://owa.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://owa/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.
  • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/owa.yourdomain.com.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Client Certificate Pre-Authentication

You can publish an application using pre-authenticated client certificate. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://app.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://app.yourdomain.com/&#8217;

-Name ‘Client certificate preauthentication application’

-ExternalPreAuthentication ClientCertificate

-ClientCertificatePreauthenticationThumbprint ‘123456abcdef123456abcdef123456abcdef12ab’

Publish Application using Pass-through Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Pass-through, and then click Next.

4. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://maps.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://maps/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

5. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

6. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Windows Store App or Oauth2

You can publish an application using pre-authenticated Windows Store App. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Set-WebApplicationProxyConfiguration –OAuthAuthenticationURL ‘https://fs.yourdomain.com/adfs/oauth2/&#8217;

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://storeapp.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://storeapp.yourdomain.com/&#8217;

-Name ‘Windows Store app Server’

-ExternalPreAuthentication ADFS

-ADFSRelyingPartyName ‘Store_app_Relying_Party’

-UseOAuthAuthentication

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Web Application Proxy is a role in Windows Server 2012 R2. Web Application Proxy brings some functionality of Microsoft Forefront TMG and Microsoft Forefront UAG but not all of them. Since Microsoft phased out Forefront product line except FIM. Web Application Proxy provides functionality or role in Windows Server 2012 R2 for customer who still wants use Microsoft platform to publish their application such as Exchange 2013, Lync 2013 and SharePoint 2013 to external clients and vendors.

Web Application Proxy provides pre-authentication and authorization method using Active Directory Federation Services including multifactor authentication and access control. Deployment of ADFS is separate to Web Application Proxy which means you must have a separate server hosting ADFS role.

Benefits of Web Application Proxy

  • Pre-authentication—Only authenticated traffic can get into the corporate network.
  • Network Isolation—Incoming web traffic cannot directly access backend servers.
  • Selective Publishing—Only specific applications and paths within these applications are accessible.
  • DDoS Protection—Incoming traffic arrives at Web Application Proxy before hitting the corporate network. Because Web Application Proxy acts as a proxy, many DDoS attacks can be prevented from reaching the backend servers.
  • Selective Ports- Apply deny ALL and allow selected ports. This policy will prevent SQL injection.
  • Extended validation– URL validation and verification using public certificate authority. Support strong security and encryption using SHA and 2048 bit certificate encryption.

Web Application Proxy Infrastructure

  • Active Directory Domain Services (AD DS)
  • Internal Domain Naming System (DNS)
  • External DNS Name Resolver or ISP
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Web Application Proxy Server(s)
  • Public Certificate Authority
  • Internal Enterprise Certificate Authority
  • Backend Application Server(s)

Web Application Proxy Network

Web Application proxy can be deployed in several topologies. In all these scenario Web Application Proxy needs two network adapter.

Edge Firewall: Behind a frontend firewall like Cisco ASA to separate it from internet. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server.

DMZ: Behind a frontend firewall like Cisco ASA to separate it from internet and before corporate firewall like Cisco ASA to separate it from corporate network. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server. For client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Edge Configuration: One network adapter directly connected to internet and another network adapter connected to corporate network. Web Application Proxy can be a member of an Active Directory Domain.

TCP/IP Configuration Examples

Scenario Internal NIC External NIC
non-domain joined IP: 10.10.10.20Subnet: 255.255.255.0

Gateway: 10.10.10.254

DNS:10.10.10.21

IP:192.168.0.10Subnet: 255.255.255.0

Gateway: NIL

DNS: NIL

Domain Joined IP: 10.10.10.20Subnet: 255.255.255.0

Gateway: NIL

DNS:10.10.10.21

IP: 203.17.x.x Public IPSubnet: 255.255.255.0

Gateway:203.17.x.254 Public Gateway

DNS: 8.8.8.8 or Public DNS

DNS Requirement

  • Internal DNS: Web Application Proxy must resolve internal fully qualified domain name of backend application server such as Exchange or SharePoint server. You must configure correct DNS record and TCP/IP Settings of Web Application Proxy Server either using DNS server or editing hosts file in WindowsSystems32DriversEtc location.
  • External DNS: External client must resolve fully qualified domain name of application. In this case, you must configure HOST (A) record in public DNS server. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.

Load Balancer Consideration

Web Application Proxy does not have in-built load balancer or ISP redundancy functionality. Depending on your requirements, you can use any hardware or software load-balancer to balance load between two or more Web Application Proxy Servers.

Domain Joined or non-domain joined

Web Application Proxy can be deployed without joining the server to an Active Directory domain or by joining the Web Application Proxy server to a standalone domain in a perimeter network.

You can deploy Web Application Proxy with a read-only domain controller. However, if you want to deploy Web Application Proxy and DirectAccess on the same server, you cannot use a read-only domain controller.

Authentication Consideration

Web Application Proxy can work with the following authentication protocols.

  • AD FS pre-authentication
  • Integrated Windows authentication
  • Pass-through pre-authentication

Network Time Protocol (NTP)

You must have a proper NTP server in your organization. NTP server can be your domain controller or a Cisco Core Switch. Timestamp must identical between AD FS and Web Application Proxy Server.

Certificate Authority

There are two types of certificate requirements for Web Application Proxy Server- Public CA and Enterprise CA.

  • Public CA: External clients to be able to connect to published web applications using HTTPS, Web Application Proxy must present a certificate that is trusted by clients. In this case you must bind a public certificate with published application in backend server and web application proxy server.
  • Enterprise CA: AD FS certificates must match federation service value. AD FS can use internal Enterprise CA. For examples, Common Name (CN) of Certificate is adfs.superplaneteers.com

Supported Certificate Template

Web Server Certificate with single common name, subject alternative name (SAN) certificates, or wildcard certificates.

Pass-Through Pre-Authentication

When you publish Exchange and SharePoint using Web Application proxy Server, you can pass-through authentication to the specific application instead of AD FS or Web Application Proxy. In this case Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS. Pass-through authentication is still a worry-free deployment because it prevent DDoS and SQL injection and provide network isolation.

Configure custom HTML error message on Forefront TMG 2010 and redirect users to corporate notice

Log on to Forefront TMG Server, Browse to %Program Files%Microsoft Forefront TMGerrorhtmls . Copy default.htm file and paste inside a folder called banned. Now modify the file using Microsoft Office word and add corporate logo and notice. Once you have modified this file, it will automatically create a folder named default_files containing this logo files. Now in an IIS server, copy the banned folder to %windir%inetpubwwwroot to publish a website that will be sub-domain to your domain for example http://banned.microsoftguru.com.au .

If you do not want sub-domain then you can publish this site as http://yourdomain.com.au/notice . For this article, i am going to publish custom error url as sub-domain.

Log on to an IIS server. right click on IIS server, Click Add web Site, Type Site Name, Point Physical Path as shown on the picture. In the host name, type FQDN of the web site. You don’t need to create a separate web server to do this you can add web site to an existing web server.

 3 4

5

Log on to DNS server, Open DNS management console, right click on forward lookup zone, add CNAME

 6 7

Log on to Forefront TMG server as an administrator, click Networking, right click on internal network, click on property, click on web browser, check Bypass proxy for web servers in the network.

 9 

Apply changes and click ok. Open internet explorer and test newly created website.

8

From the TMG console, click web access policy, In the Tasks Tab, click on configure web access policy,

 12 13

 1418

  16 17  

 21 22

Here, cache drive shown in system partition, however in production environment setup cache drive in separate partition.

24 23 

  26 11

Right click on newly created deny policy, click on property, click on action tab, on the redirect web client box type custom url to redirect  users.

25

To test this policy, log on to a computer using a test username and browse any website classified in the banned category. you will be redirected to new website as follows.

8

 

Relevant Articles

How to configure WPAD server

TMG step by step