Question : Setting up Forefront

Hi,

I'm setting up a Forefront (TMG) server. It has to function as a gateway, because I have an Exchange, SharePoint and website running in my domain.

Forefront has to receive incoming connections through the website of my domain and then redirect them to what the user asks for, for example: www.domain.com/sharepoint --> redirect to SharePoint server; www.domain.com/owa --> redirect to Exchange; www.domain.com --> redirect to website IIS server.

How should I start to configure this?

Thanks.

Answer : Setting up Forefront

Preliminary things:
   You would be miles (kilometers?) ahead if you set up your DNS as Split-DNS.  It hugely simplifies this stuff.  Let me know if you don't know how to do that.  You want all your web sites to resolve to the correct Public IP for users out in Internet Land (obviously),...but you want the same sites, by the same public name, to resolve to the Internal web server's IP# for the LAN Users.  So the site www.ropo.be resolves to 83.101.5.175 for the Internet world,...but you want the same name www.ropo.be to resolve to 192.168.1.11 for the LAN users.

Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!
http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

The Web Listener looks ok, but there are some preferences I would change:
Give it a more meaningful name to distinguish it from the others you will have to create.  Good names also make everything "self documenting".  The key elements of a Listener are the IP# and Protocol.
A good name would be "Web Listener, HTTP-80, 83.101.5.175"
I would bind it to a specific IP# on the Networks Tab instead of just "External"
Change the Networks Tab to External, <click addresses button>, set to specific IP# (even if there is only one to start with).


Main Web site Publishing rule looks technically correct, but again I would adjust some things:
1. Name the Rule "Publishing, Web - http://www.ropo.be".  Now there will be no doubt what it is there for.  Name your others:
Publishing, SSL - https://owa.ropo.be
Publishing, SSL - https://sharepoint.ropo.be

2. On the To tab, this rule applies to www.ropo.be.  Computer name or IP <leave blank>.  The Split DNS has to be in place and working correctly for this to work.  If not,...then at a minimum add www.ropo.be   192.168.1.11 to the local Hosts File on the ISA/TMG.  This makes it match the name listed in the Public Name Tab.
3. As long as this is strictly an anonymous public access site,...the rest looks fine.

OWA and SharePoint,...a ton of problems here.  You need a properly working Split-DNS for this to work. Yes, I know that is not an absolute for any purists out there who want to debate me,...but you really, really need to listen to me on that.

1. TMG is going to insist that any site that requires Authentication will have to be used over HTTPS (SSL) and will attempt to prevent you from using it over HTTP because of the Domain Credentials being passed over the open Internet in "clear text".   Yes, it can be worked around,...but don't,...you really, really need to listen to me on that too.

2. Two SSL Sites cannot use the same IP# unless it is a Wild Card Certificate or a Certificate that handles "multiple names".  I have heard once that OWA won't work with a Wild Card Certificate but I cannot verify that.  Do not fall prey to anyone or anything trying to tell you to run SSL on some other odd-ball port number,...leave it running on the standard 443,...you really, really need to listen to me on that too.

3. If you use Forms Based Authentication with OWA (most people do), then the OWA Site and the SharePoint Site will need unique Public IP#s, because a Web Listener using Forms Based Authentication cannot use any other form of Authentication at the same time,...and two Listeners cannot both use the same Protocol on the same IP# at the same time.   So OWA's Listener can share the same IP as the Main HTTP Site,...but SharePoint would need its own.  OWA would use Forms Based Authentication over SSL,...while SharePoint would use Basic Authentication over SSL on a different IP#.  All three Sites would have their own Listener,...for example:

Web Listener, HTTP-80, 83.101.5.175
Web OWA Listener, HTTPS-443, 83.101.5.175
Web SP Listener, HTTPS-443, <some other IP#>

Here are some links to get you through the OWA Details.  Keep in mind that it uses a local certificate authority in the article,...it does this for learning purposes only,...go buy your Certs from recognized authorities such as Verisign, Network Solutions, GoDaddy, etc.  Do not install Certificate Services and "roll your own".  Can you if you really want to?,...yes,...but don't,...listen to me on that too.   Publishing SharePoint over SSL is pretty much identical to doing it with OWA except it wouldn't be using Forms Based Auth.,...so you can use the OWA article to "learn" how to do a SharePoint as well.  It is a 7-part article,...if you aren't using OMA, RPC/HTTP and ActiveSync you can ignore those parts.


Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part2.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part3.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part4.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part5.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part6.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part7.html
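The listener rules the answer lays out (one listener per IP:port, authenticated sites only over HTTPS, a Forms Based Authentication listener serves nothing else, the certificate must cover every public name on an HTTPS listener), checked over the three-listener plan it proposes, as an added Python example that is not part of the original answer or of TMG. The Listener/Site model, the cert_covers helper and the 203.0.113.10 placeholder standing in for "<some other IP#>" are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not TMG code: models the listener constraints from the answer above.
@dataclass(frozen=True)
class Listener:
    name: str
    ip: str
    port: int
    auth: str               # "anonymous", "forms" or "basic" (one method per listener)
    cert_names: tuple = ()  # names on the bound certificate; empty means plain HTTP

@dataclass(frozen=True)
class Site:
    public_name: str
    listener: str           # Listener.name the publishing rule is bound to
    needs_auth: str         # authentication the published site requires

def cert_covers(cert_names, host):
    """True if a certificate name matches host exactly or as a one-label wildcard."""
    return any(n == host or (n.startswith("*.") and host.endswith(n[1:])
                             and host.count(".") == n.count(".")) for n in cert_names)

def plan_conflicts(listeners, sites):
    """Return human-readable conflicts in a listener/publishing-rule plan."""
    problems, by_name, per_socket = [], {l.name: l for l in listeners}, defaultdict(list)
    for l in listeners:                       # rule: one listener per IP:port
        per_socket[(l.ip, l.port)].append(l.name)
    for (ip, port), names in per_socket.items():
        if len(names) > 1:
            problems.append(f"{ip}:{port} shared by listeners: {', '.join(names)}")
    for s in sites:
        l = by_name[s.listener]
        if s.needs_auth != "anonymous" and not l.cert_names:   # rule: credentials only over HTTPS
            problems.append(f"{s.public_name}: credentials would cross HTTP on {l.name}")
        if s.needs_auth != l.auth:            # rule: a Forms listener serves only Forms auth, etc.
            problems.append(f"{s.public_name}: needs {s.needs_auth}, listener {l.name} is {l.auth}")
        if l.cert_names and not cert_covers(l.cert_names, s.public_name):  # rule: cert covers name
            problems.append(f"{s.public_name}: not on the certificate bound to {l.name}")
    return problems

# Constructed plan following the answer; the SharePoint IP is a placeholder for "<some other IP#>".
LISTENERS = (
    Listener("Web Listener, HTTP-80, 83.101.5.175", "83.101.5.175", 80, "anonymous"),
    Listener("Web OWA Listener, HTTPS-443, 83.101.5.175", "83.101.5.175", 443, "forms", ("owa.ropo.be",)),
    Listener("Web SP Listener, HTTPS-443, <some other IP#>", "203.0.113.10", 443, "basic", ("sharepoint.ropo.be",)),
)
SITES = (Site("www.ropo.be", LISTENERS[0].name, "anonymous"),
         Site("owa.ropo.be", LISTENERS[1].name, "forms"),
         Site("sharepoint.ropo.be", LISTENERS[2].name, "basic"))
```

Running `plan_conflicts(LISTENERS, SITES)` on the answer's plan returns no conflicts; binding SharePoint to the OWA listener, or giving it 83.101.5.175:443, is reported.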
