Question: Setting up Forefront
Hi,
I'm setting up a Forefront (TMG) server. It has to function as a gateway, because I have an Exchange, a SharePoint and a website running in my domain.
Forefront has to receive incoming connections through the website of my domain and then redirect them to what the user asks for, for example:
www.domain.com/sharepoint --> redirect to SharePoint server;
www.domain.com/owa --> redirect to Exchange;
www.domain.com --> redirect to website IIS server.
How should I start to configure?
Thanks.
Answer: Setting up Forefront
Preliminary things:
You would be miles (kilometers?) ahead if you set up your DNS as Split-DNS. It hugely simplifies this stuff. Let me know if you don't know how to do that. You want all your web sites to resolve to the correct Public IP for users out in Internet Land (obviously),...but you want the same sites, by the same public name, to resolve to the Internal web server's IP# for the LAN Users. So the site www.ropo.be resolves to 83.101.5.175 for the Internet world,...but you want the same name www.ropo.be to resolve to 192.168.1.11 for the LAN users.
Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!
http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html
The Web Listener looks ok, but there are some preferences I would change:
Give it a more meaningful name to distinguish it from the others you will have to create. Good names also make everything "self documenting". The key elements of a Listener are the IP# and the Protocol. A good name would be "Web Listener, HTTP-80, 83.101.5.175".
I would bind it to a specific IP# on the Networks Tab instead of just "External": change the Networks Tab to External, <click addresses button>, set to specific IP# (even if there is only one to start with).
The Main Web site Publishing rule looks technically correct, but again I would adjust some things:
1. Name the Rule "Publishing, Web - http://www.ropo.be". Now there will be no doubt what it is there for. Name your others:
Publishing, SSL - https://owa.ropo.be
Publishing, SSL - https://sharepoint.ropo.be
2. On the To tab, This rule applies to www.ropo.be. Computer name or IP: <leave blank>. The Split DNS has to be in place and working correctly for this to work. If not,..then at a minimum add
www.ropo.be 192.168.1.11
to the local Hosts File on the ISA/TMG. This makes it match the name listed on the Public Name Tab.
3. As long as this is strictly an anonymous public access site,...the rest looks fine.
OWA and Sharepoint,..ton of problems here.
You need a properly working Split-DNS for this to work. Yes, I know that is not an absolute for any purists out there who want to debate me,...but you really, really need to listen to me on that.
1. TMG is going to insist that any site that requires Authentication will have to be used over HTTPS (SSL) and will attempt to prevent you from using it over HTTP because of the Domain Credentials being passed over the open Internet in "clear text". Yes, it can be worked around,...but don't,...you really, really need to listen to me on that too.
2. Two SSL Sites cannot use the same IP# unless it is a Wild Card Certificate or a Certificate that handles "multiple names". I have heard once that OWA won't work with a Wild Card Certificate but I cannot verify that. Do not fall prey to anyone or anything trying to tell you to run SSL on some other odd-ball port number,...leave it running on the standard 443,...you really, really need to listen to me on that too.
3. If you use Forms Based Authentication with OWA (most people do), then the OWA Site and the Sharepoint Site will need unique Public IP#s because a Web Listener using Forms Based Authentication cannot use any other form of Authentication at the same time,...and two Listeners cannot both use the same Protocol on the same IP# at the same time. So OWA's Listener can share the same IP as the Main HTTP Site,...but Sharepoint would need its own. OWA would use Forms Based Authentication over SSL,...while Sharepoint would use Basic Authentication over SSL on a different IP#. All three Sites would have their own Listener,..for example:
Web Listener, HTTP-80, 83.101.5.175
Web OWA Listener, HTTPS-443, 83.101.5.175
Web SP Listener, HTTPS-443, <some other IP#>
Here are some links to get you through the OWA Details. Keep in mind that it uses a local certificate authority in the article,...it does this for learning purposes only,...go buy your Certs from recognized authorities such as Verisign, Network Solutions, GoDaddy, etc. Do not install Certificate Services and "roll your own". Can you if you really want to?,...yes,...but don't,....listen to me on that too. Publishing Sharepoint over SSL is pretty much identical to doing it with OWA except it wouldn't be using Forms Based Auth.,..so you can use the OWA article to "learn" how to do a Sharepoint as well. It is a 7-part article,...if you aren't using OMA, RPC/HTTP and ActiveSync you can ignore those parts.
Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part2.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part3.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part4.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part5.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part6.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part7.html
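The listener rules laid out in the answer (authenticated sites only over HTTPS on 443, a Forms Based Authentication listener cannot mix methods, two listeners cannot share a protocol on one IP#, and the certificate must cover every public name) can be checked before anything is clicked together in the TMG console. The following is an added example, not code from the answer or from TMG; the 203.0.113.10 address is a placeholder for the answer's "<some other IP#>", and the listener plans are constructed from the answer's own three-listener layout.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Listener:
    name: str
    protocol: str                  # "HTTP" or "HTTPS"
    port: int
    ip: str                        # a specific public IP, not just "External"
    public_names: tuple            # host names the listener answers for
    auth: frozenset = frozenset()  # e.g. {"Forms"}, {"Basic"}; empty = anonymous
    cert_names: tuple = ()         # names on the certificate; "*.ropo.be" = wildcard

def cert_covers(host, pattern):
    # A plain name must match exactly; a wildcard covers exactly one extra label.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern
def plan_problems(listeners):
    """Return the conflicts in a listener plan, applying the answer's rules."""
    problems, bound = [], {}
    for l in listeners:
        if l.auth and l.protocol != "HTTPS":
            problems.append(f"{l.name}: authentication over HTTP passes domain credentials in clear text")
        if "Forms" in l.auth and len(l.auth) > 1:
            problems.append(f"{l.name}: Forms Based Authentication cannot be combined with another method")
        if l.protocol == "HTTPS":
            if l.port != 443:
                problems.append(f"{l.name}: keep SSL on the standard port 443, not {l.port}")
            for host in l.public_names:
                if not any(cert_covers(host, c) for c in l.cert_names):
                    problems.append(f"{l.name}: certificate does not cover {host}")
        key = (l.protocol, l.port, l.ip)
        if key in bound:  # two listeners cannot share one protocol on one IP#
            problems.append(f"{l.name}: {bound[key]} already uses {l.protocol} on {l.ip}:{l.port}")
        bound.setdefault(key, l.name)
    return problems

PUBLIC_IP = "83.101.5.175"   # the public IP named in the answer
SECOND_IP = "203.0.113.10"   # placeholder standing in for the answer's "<some other IP#>"
FORMS, BASIC = frozenset({"Forms"}), frozenset({"Basic"})
# The three listeners the answer recommends (constructed from the answer's layout).
ANSWER_PLAN = [
    Listener("Web Listener, HTTP-80", "HTTP", 80, PUBLIC_IP, ("www.ropo.be",)),
    Listener("Web OWA Listener, HTTPS-443", "HTTPS", 443, PUBLIC_IP, ("owa.ropo.be",), FORMS, ("owa.ropo.be",)),
    Listener("Web SP Listener, HTTPS-443", "HTTPS", 443, SECOND_IP, ("sharepoint.ropo.be",), BASIC, ("sharepoint.ropo.be",)),
]
# The tempting shortcut the answer rules out: SharePoint on the same IP# as OWA.
SHARED_IP_PLAN = ANSWER_PLAN[:2] + [
    Listener("Web SP Listener (shared IP)", "HTTPS", 443, PUBLIC_IP, ("sharepoint.ropo.be",), BASIC, ("sharepoint.ropo.be",)),
]
```

Running `plan_problems(ANSWER_PLAN)` returns no conflicts, while `plan_problems(SHARED_IP_PLAN)` reports that the OWA listener already owns HTTPS on 83.101.5.175:443.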