Publishing a server farm over HTTPS
Applies To: Forefront Threat Management Gateway (TMG)
To publish a server farm over HTTPS
1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
2. In the Tasks pane, click the Toolbox tab.
3. On the Toolbox tab, click Network Objects, click New, and then select Server Farm.
4. Complete the New Server Farm Wizard as outlined in the following table.

   Page: Welcome to the New Server Farm Wizard
   Server farm name: Type a name for the server farm. For example, type Content Server Farm.

   Page: Servers
   Servers included in this farm: For each Web server that you want to include in the server farm, click Add. Then, in Server Details, click Browse, and in Enter the object name to select, type the NetBIOS name of the Web server. Click Check Names, click OK, and then click OK again.

   Page: Server Farm Connectivity Monitoring
   Method used to monitor server farm connectivity: Select the method that Forefront TMG will use to verify connectivity with the Web servers in the server farm. If you select Send an HTTP/HTTPS GET request, you can click Configure to specify a URL that differs from the URL set in the Web publishing rule for this server farm, or a custom Host header that differs from the Host header the rule would send; type the URL and Host header, and then click OK.

   Page: Completing the New Server Farm Wizard
   Review the settings, and then click Finish.

5. If a message box appears indicating that the Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers system policy rule will be enabled, click OK.
6. On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.
7. Complete the New Web Listener Wizard as outlined in the following table.

   Page: Welcome to the New Web Listener Wizard
   Web listener name: Type a name for the Web listener. For example, type HTTPS Server Farm Listener.

   Page: Client Connection Security
   Select Require SSL secured connections with clients.

   Page: Web Listener IP Addresses
   Listen for incoming Web requests on these networks: Select the External network. Click Select IP Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. Under Available IP Addresses, select the appropriate IP address, click Add, and then click OK.

   Page: Listener SSL Certificates
   Select Use a single certificate for this Web listener, click Select Certificate, and then select a certificate for which the host name that users use to access the published Web site appears in the Issued To field.

   Page: Authentication Settings
   Select how clients will provide credentials to Forefront TMG: For HTTP authentication (the default option), select one or more of the check boxes. In a workgroup deployment, you can select only Basic. If you want to require clients to provide a certificate, in the drop-down list, select SSL Client Certificate Authentication. For forms-based authentication, in the drop-down list, select HTML Form Authentication.
   Collect additional delegation credentials in the form (this check box appears only when HTML Form Authentication is selected): Select this check box only if you intend to select RADIUS OTP or SecurID.
   Select how Forefront TMG will validate client credentials: For HTTP authentication, if you select Basic authentication in a workgroup, you can select LDAP (Active Directory) or RADIUS. For forms-based authentication, select one of the available options.

   Page: Single Sign On Settings
   Enable SSO for Web sites published with this listener: Single sign on (SSO) is available only when forms-based authentication is used. If you enable SSO, you must click Add and then specify a domain within which SSO will be applied.

   Page: Completing the New Web Listener Wizard
   Review the settings, and then click Finish.

8. In the Tasks pane, click the Tasks tab.
9. On the Tasks tab, click Publish Web Sites to open the New Web Publishing Rule Wizard.
10. Complete the New Web Publishing Rule Wizard as outlined in the following table.

   Page: Welcome to the New Web Publishing Rule Wizard
   Web publishing rule name: Type a name for the Web publishing rule. For example, type Server Farm (HTTPS).

   Page: Select Rule Action
   Action: Select Allow.

   Page: Publishing Type
   Select Publish a server farm of load balanced Web servers.

   Page: Server Connection Security
   Select Use SSL to connect the published Web server or Web farm.

   Page: Internal Publishing Details (1)
   Internal site name: Type the fully qualified domain name (FQDN) of one of the members of the server farm.

   Page: Internal Publishing Details (2)
   Path (optional): Type the path for your Web site.

   Page: Specify Server Farm
   Select the server farm you want to publish: In the drop-down list, select the server farm that you created in step 4.
   Select how Forefront TMG will load balance incoming Web requests: Select Cookie-based load balancing.

   Page: Public Name Details
   Accept requests for: Select This domain name (type below).
   Public name: Type the public FQDN or IP address that external users will use to access the published Web site.

   Page: Select Web Listener
   Web Listener: In the drop-down list, select the Web listener that you created in step 7.

   Page: Authentication Delegation
   Select the method used by Forefront TMG to authenticate to the published Web server: Select No delegation, and client cannot authenticate directly. With this setting, Forefront TMG authenticates the client at the listener but passes no credentials to the farm members; if a member answers with an authentication challenge, the request fails.

   Page: User Sets
   This rule applies to requests from the following user sets: Do not change the default option, All Authenticated Users.

   Page: Completing the New Web Publishing Rule Wizard
   Review the settings, and then click Finish.

11. In the details pane, click Apply, and then click OK.
Note
- The internal site name must be resolvable to an IP address.
- Forefront TMG automatically creates a link translation mapping between the internal site name and the first public name specified in the rule. This mapping is used to translate links that use the internal site name to reference the server farm on Web pages and in e-mail messages that external users may receive.
- By default, Forefront TMG changes the original Host header supplied by a browser application to a Host header corresponding to the internal site name.
- When publishing over SSL, an SSL server certificate that was issued to the public host name of the published Web site must be installed in the Personal store for the local computer on the Forefront TMG computer. If the Web publishing rule requires an SSL connection between the Forefront TMG computer and a member of the published server farm, a unique server certificate with a name corresponding to the name or IP address of the server can be installed on each member of the published server farm, or the same certificate with a name corresponding to the internal site name can be installed on all members of the server farm. For more information about obtaining and installing SSL server certificates, see Configuring server certificates for secure Web publishing.
- You can configure the way in which credentials are passed to the published server in a Web publishing rule.
- Web publishing rules match incoming client requests to the appropriate Web site on the Web server.
- You can create Web publishing rules that deny traffic, to block incoming traffic that matches the rule conditions.
- Forefront TMG does not treat paths as case-sensitive. If your Web server includes both foldera and folderA, and you publish a path to one of the folders, both folders will be published.
- For more information about other settings in Web publishing rules, see Planning for publishing.
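The following PowerShell script is an added pre-flight check; it is not part of this page or of Forefront TMG. It covers the two certificate requirements of this procedure: the certificate selected on the Listener SSL Certificates page must be in the Personal store of the local computer, hold its private key and be issued to the public name, and, because the rule uses SSL to connect to the farm, each farm member must present a certificate whose name matches the internal site name or the member's own name or address. The public name, internal site name and member addresses below are constructed placeholders to replace with your own values; the script assumes the farm members accept TLS on port 443 and that the Subject Alternative Name extension is formatted with the English Windows labels "DNS Name=" and "IP Address=".

```powershell
# Added pre-flight check for the certificates this procedure depends on. Not part
# of the TechNet page or of Forefront TMG. Names and addresses are placeholders;
# run the script in an elevated session on the Forefront TMG computer.
$PublicName       = 'farm.contoso.com'           # assumption: the rule's "Public name"
$InternalSiteName = 'content.corp.contoso.com'   # assumption: the rule's "Internal site name"
$FarmMembers      = @('10.0.1.21', '10.0.1.22')  # assumption: the farm member addresses

# Names a certificate was issued to: subject CN plus the DNS and IP entries of the
# Subject Alternative Name extension (English Windows labels assumed).
function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne '2.5.29.17') { continue }       # id-ce-subjectAltName
        foreach ($line in ($ext.Format($true) -split "`r?`n")) {
            if ($line -match '^(DNS Name|IP Address)=(.+)$') { $names += $Matches[2].Trim() }
        }
    }
    return @($names | Select-Object -Unique)
}

# Host name matching as a browser does it: exact, or a single-label wildcard.
function Test-NameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName -ieq $HostName) { return $true }
    if (-not $CertName.StartsWith('*.')) { return $false }
    return ($HostName.EndsWith($CertName.Substring(1), [StringComparison]::OrdinalIgnoreCase) -and
            $HostName.Split('.').Count -eq $CertName.Split('.').Count)
}

function Test-AnyNameMatch {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) { if (Test-NameMatch $n $HostName) { return $true } }
    return $false
}

# Listener certificate: in the Personal store of the local computer, with its
# private key, issued to the public name, within its validity period, chaining
# to a trusted root and permitting server authentication.
function Test-ListenerCertificate {
    param([string]$HostName)
    $findings = @()
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
        $names = Get-CertificateNames $cert
        if (-not (Test-AnyNameMatch $names $HostName)) { continue }
        $serverAuth = $true                                   # no EKU extension means unrestricted
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $serverAuth = ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
            }
        }
        $findings += New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            IssuedTo      = ($names -join ', ')
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date))
            ChainTrusted  = $cert.Verify()
            ServerAuth    = $serverAuth
        }
    }
    if ($findings.Count -eq 0) { Write-Warning "No certificate in Cert:\LocalMachine\My is issued to $HostName" }
    return $findings
}

# Farm member certificate, seen the way Forefront TMG sees it when bridging SSL:
# a TLS connection to the member's address, expecting the internal site name.
# Either that name or the member's own name/address must be on the certificate.
function Test-FarmMemberCertificate {
    param([string]$Member, [string]$InternalSiteName)
    $script:remoteCert = $null
    $capture = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        $script:remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        return $true      # accept here; names and trust are reported explicitly below
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Member, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $capture)
    try     { $ssl.AuthenticateAsClient($InternalSiteName) }
    finally { $ssl.Close(); $tcp.Close() }
    $names = Get-CertificateNames $script:remoteCert
    New-Object PSObject -Property @{
        Member                  = $Member
        IssuedTo                = ($names -join ', ')
        MatchesInternalSiteName = (Test-AnyNameMatch $names $InternalSiteName)
        MatchesMemberName       = (Test-AnyNameMatch $names $Member)
        ChainTrusted            = $script:remoteCert.Verify()
    }
}

Test-ListenerCertificate $PublicName | Format-List
foreach ($member in $FarmMembers) {
    try   { Test-FarmMemberCertificate $member $InternalSiteName | Format-List }
    catch { Write-Warning "${member}: $_" }
}
```

Read the output before running the wizards: a listener candidate with HasPrivateKey False cannot be used by the Web listener, and one with InValidity or ChainTrusted False will produce certificate warnings for external users; a farm member whose result shows both MatchesInternalSiteName and MatchesMemberName as False does not meet the certificate requirement in the notes above, so the SSL connection from Forefront TMG to that member will fail.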