Publishing a single Web site or load balancer over HTTPS

Applies To: Forefront Threat Management Gateway (TMG)

To publish a single Web site or load balancer over HTTPS

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the Tasks pane, click the Toolbox tab.

  3. On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.

  4. Complete the New Web Listener Wizard as outlined in the following table.

    Page Field or property Setting or action

    Welcome to the New Web Listener Wizard

    Web listener name

    Type a name for the Web listener. For example, type HTTPS Web Site Listener.

    Client Connection Security

    Select Require SSL secured connections with clients.

    Web Listener IP Addresses

    Listen for incoming Web requests on these networks

    Select the External network. Click Select IP Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the IP address for the Web site, click Add, and then click OK.

              </p>
            </td>
          </tr>
          <tr>
            <td colspan="2">
              <p>
                <strong>Listener SSL Certificates</strong>
              </p>
            </td>
            <td colspan="1">
              <p />
              <p>
    
              </p>
            </td>
            <td colspan="2">
              <p>Select <strong>Use a single certificate for this Web listener</strong>, click <strong>Select Certificate</strong>, and then select a certificate for which the host name that users use to access the published Web site appears in the <strong>Issued To</strong> field.</p>
            </td>
          </tr>
          <tr>
            <td colspan="2">
              <p>
                <strong>Authentication Settings</strong>
              </p>
            </td>
            <td colspan="1">
              <p>
                <strong>Select how clients will provide credentials to Forefront TMG</strong>
              </p>
            </td>
            <td colspan="2">
              <p>For HTTP authentication (the default option), select one or more of the check boxes. In a workgroup deployment, you can select only <strong>Basic</strong>.</p>
              <p>If you want to require clients to provide a certificate, in the drop-down list, select <strong>SSL Client Certificate Authentication</strong>. </p>
              <p>For form-based authentication, in the drop-down list, select <strong>HTML Form Authentication</strong>.</p>
            </td>
          </tr>
          <tr>
            <td colspan="2">
              <p />
            </td>
            <td colspan="1">
              <p>
                <strong>Collect additional delegation credentials in the form</strong>
              </p>
              <p>This check box appears only when <strong>HTML Form Authentication</strong> is selected.</p>
            </td>
            <td colspan="2">
              <p>Select this check box only if you intend to select <strong>RADIUS OTP</strong> or <strong>SecurID</strong>.</p>
            </td>
          </tr>
          <tr>
            <td colspan="2">
              <p />
            </td>
            <td colspan="1">
              <p>
                <strong>Select how Forefront TMG will validate client credentials</strong>
              </p>
            </td>
            <td colspan="2">
              <p>For HTTP authentication, if you select Basic authentication in a workgroup deployment, you can select <strong>LDAP (Active Directory)</strong> or <strong>RADIUS</strong>.</p>
              <p>For forms-based authentication, select one of the available options.</p>
            </td>
          </tr>
          <tr>
            <td colspan="2">
              <p>
                <strong>Single Sign On </strong>
                <strong>Settings</strong>
              </p>
            </td>
            <td colspan="1">
              <p>
                <strong>Enable SSO for Web sites published with this listener</strong>
              </p>
            </td>
            <td colspan="2">
              <p>Single sign on (SSO) is available only when forms-based authentication is used. If you enable SSO, you must click <strong>Add</strong> and then specify a domain within which SSO will be applied.</p>
            </td>
          </tr>
          <tr>
            <td colspan="2">
              <p>
                <strong>Completing the New Web Listener Wizard</strong>
              </p>
            </td>
            <td colspan="1">
              <p />
            </td>
            <td colspan="2">
              <p>Review the settings, and then click <strong>Finish</strong>.</p>
            </td>
          </tr>
        </table>
    
  5. In the Tasks pane, click the Tasks tab.

  6. On the Tasks tab, click Publish Web Sites to open the New Web Publishing Rule Wizard.

  7. Complete the New Web Publishing Rule Wizard as outlined in the following table.

    Page Field or property Setting or action

    Welcome to the New Web Publishing Rule Wizard

    Web publishing rule name

    Type a name for the Web publishing rule. For example, type Single Web Site (HTTPS).

    Select Rule Action

    Action

    Select Allow.

    Publishing Type

    Select Publish a single Web site or load balancer.

    Server Connection Security

    Select Use SSL to connect the published Web server or Web farm.

    Internal Publishing Details (1)

    Internal site name

    Type the host name that Forefront TMG will use in HTTP request messages sent to the published server.

    If you are publishing a single Web server and the internal site name that is specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use a computer name or IP address to connect to the published server, and then type the resolvable computer name or IP address of the published server.

    Internal Publishing Details (2)

    Path (optional)

    Type the path for your Web site.

    Forward the original host header instead of the actual one specified in the Internal site name field on the previous page

    Select this check box only if your Web site has specific features that require the original host header that Forefront TMG receives from the client.

    Public Name Details

    Accept requests for

    Select This domain name (type below).

    Public name

    Type the public FQDN or IP address that external users will use to access the published Web site.

    Select Web Listener

    Web Listener

    In the drop-down list, select the Web listener that you created in step 4. You can then click Edit to modify properties of the Web listener selected.

    Authentication Delegation

    Select the method used by Forefront TMG to authenticate to the published Web server

    Select No delegation, but client may authenticate directly.

    User Sets

    This rule applies to requests from the following user sets

    Do not change the default option, All Authenticated Users.

    Completing the New Web Publishing Rule Wizard

    Review the settings, and then click Finish.

  8. In the details pane, click Apply, and then click OK.

  9. Note

    • When publishing over SSL, an SSL server certificate that was issued to the public host name of the published Web site must be installed in the Personal store for the local computer on every Forefront TMG computer in the array. If the Web publishing rule requires an SSL connection between the Forefront TMG computer and the published server, an SSL server certificate that was issued to the host name specified as the internal site name must be installed on the published server. For more information about obtaining and installing SSL server certificates, see Configuring server certificates for secure Web publishing.

    • Forefront TMG treats a farm of servers behind a load-balancing device as a single server. Although this option is supported for publishing a load-balanced farm, we recommend that you use the integrated load-balancing support that is provided by a server farm created in Forefront TMG rather than a load-balancing device. Forefront TMG publishing for server farms provides improved client affinity, which can be configured to operate using a cookie, rather than depending on the client IP address. This is a distinct advantage in a situation where a device between the load-balancing device and Forefront TMG, such as a NAT device, hides the client IP address.

    • You can configure the way in which credentials are passed to the published server in a Web publishing rule.

    • Web publishing rules match incoming client requests to the appropriate Web site on the Web server. 

    • You can create Web publishing rules that deny traffic, to block incoming traffic that matches the rule conditions.

    • Forefront TMG does not treat paths as case-sensitive. If your Web server includes both foldera and folderA, and you publish a path to one of the folders, both folders will be published.

    • For more information about other settings in Web publishing rules, see Planning for publishing.

    Concepts

    Publishing Web servers over HTTPS