Publishing behind an SSL accelerator

Applies To: Forefront Threat Management Gateway (TMG)

To publish behind an SSL accelerator

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the Tasks pane, click the Toolbox tab.

  3. On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.

  4. Complete the New Web Listener Wizard as outlined in the following table.

    Page: Welcome to the New Web Listener Wizard
    Field or property: Web listener name
    Setting or action: Type a name for the Web listener. For example, type: SSL Accelerator Listener

    Page: Client Connection Security
    Setting or action: Select Do not require SSL secured connections with clients.

    Page: Web Listener IP Addresses
    Field or property: Listen for incoming Web requests on these networks
    Setting or action: Select the External network. Click Select IP Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. In the Available IP Addresses list, select the IP address on which Forefront TMG will listen for HTTP requests from the SSL accelerator, click Add, and then click OK.

    Page: Authentication Settings
    Field or property: Select how clients will provide credentials to Forefront TMG
    Setting or action: In the drop-down list, select No Authentication.

    Page: Single Sign On Settings
    Field or property: Enable SSO for Web sites published with this listener
    Setting or action: Single sign-on is not available in this configuration.

    Page: Completing the New Web Listener Wizard
    Setting or action: Review the settings, and then click Finish.

  5. In the details pane, click the Apply button to save and update the configuration, and then click OK.

  6. To set the port to which Forefront TMG will return responses to the SSL accelerator, copy the following code to a Notepad file and save it as SetSslAcceleratorPort.vbs. Then, for a Web listener named SSL Accelerator Listener, at a command prompt, type:
    CScript SetSslAcceleratorPort.vbs "SSL Accelerator Listener"

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. 
    ' THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS
    ' CODE REMAINS WITH THE USER. USE AND REDISTRIBUTION OF THIS CODE, 
    ' WITH OR WITHOUT MODIFICATION, IS HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Option Explicit
    
    ' Define the constant needed
    const Error_FileNotFound = &H80070002
    
    Main(WScript.Arguments)
    
    Sub Main(args)
        If(args.Count = 1) Then
            SetSslAcceleratorPort args(0)
        Else
            Usage()
        End If
    End Sub
    
    Sub SetSslAcceleratorPort(wlName)
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        ' Declare the other objects needed.
        Dim tmgArray        ' An FPCArray object
        Dim webListener     ' An FPCWebListener object
        Dim text            ' A String
        Dim input           ' A String
    
        ' Get a reference to the local array object.
        Set tmgArray = root.GetContainingArray()
    
        ' Get a reference to the Web listener specified.
        On Error Resume Next
        Set webListener = _
            tmgArray.RuleElements.WebListeners.Item(wlName)
        If Err.Number = Error_FileNotFound Then
            WScript.Echo _
                "The Web listener specified could not be found."
        Else
            Err.Clear
            On Error GoTo 0
            With webListener.Properties
                If .SSLAcceleratorPort = 0 Then
                    text = "No SSL accelerator port is configured." _
                           & VbCrLf _
                           & "You can enter a nonzero value to enable" _
                           & VbCrLf _
                           & "an SSL accelerator port."
                Else
                    text = "Current SSL accelerator port: " _
                           & .SSLAcceleratorPort _
                           & VbCrLf _
                           & "You can change this value, or enter 0" _
                           & VbCrLf _
                           & "to disable the SSL accelerator port."
                End If
                input = InputBox(text, "SSL Accelerator Port", "443")
            End With
            ' InputBox returns an empty string when the user clicks Cancel;
            ' leave the listener unchanged rather than failing in CInt/CLng.
            If Len(input) = 0 Or Not IsNumeric(input) Then
                WScript.Echo "No port entered. The configuration was not changed."
                Exit Sub
            End If
            ' Use CLng rather than CInt: port numbers above 32767 overflow an Integer.
            If CLng(input) <> _
                webListener.Properties.SSLAcceleratorPort Then
                WScript.Echo "Changing the SSL accelerator port to " _
                    & CLng(input) & "..."
                webListener.Properties.SSLAcceleratorPort = CLng(input)
            End If
            If webListener.Properties.SSLAcceleratorPort <> 0 Then
                WScript.Echo "Ensuring that the SSL port is set to 0..."
                webListener.Properties.SSLPort = 0
            End If
            webListener.Save
        End If
    End Sub
    
    Sub Usage()
        WScript.Echo "Usage:" & VbCrLf _
            & "  CScript " & WScript.ScriptName & " WebListener" _
            & VbCrLf & "" & VbCrLf _
            & "    WebListener - Name of the Web listener" 
        WScript.Quit
    End Sub
    
  Note

    • When you have an external SSL accelerator device in front of Forefront TMG, all Web traffic is intercepted by the device and then passed to Forefront TMG. When the device receives HTTPS traffic from a client, it terminates the SSL connection at the device, decrypting the traffic and then passing it as HTTP to Forefront TMG, which typically receives the traffic on port 80. This procedure configures Forefront TMG to recognize that there is an SSL accelerator between it and the Internet. This procedure also configures Forefront TMG to send responses to the correct port on the SSL accelerator and to provide HTTPS links in the response that will be returned by the SSL accelerator.

    • For the specific case in which the HTTPS request originating from the client is a Microsoft Outlook Web Access request, Forefront TMG automatically appends a header indicating to the Outlook Web Access server that it should return an HTTPS response. This takes place regardless of whether Forefront TMG has been configured to work behind the SSL accelerator.

    • This procedure is applicable only for an external SSL accelerator that is connected to the Internet and lies in front of the Forefront TMG computer, which communicates with it over a network connection. If you have an SSL accelerator card that is installed directly on the Forefront TMG computer or an external device that is connected to the Forefront TMG computer with a small computer system interface (SCSI), no configuration changes in Forefront TMG are required.

    • The Web listener must listen for HTTP requests on a separate IP address, on which no other Web listener listens for HTTP requests. This requires either an additional IP address on the network adapter that is connected to the External network, or a separate network adapter that is dedicated to the SSL accelerator. If you use a separate network adapter, you will need to define a new network containing the SSL accelerator and configure the Web listener to listen on that network.

    • If your SSL accelerator is connected to the Internet, the name on its SSL server certificate must match the public host name or IP address that external clients will type in their Web browser to access the published Web site.

    • The port to which Forefront TMG returns responses to an external SSL accelerator device in front of Forefront TMG cannot be set in Forefront TMG Management. The script provided also ensures that HTTPS listening is disabled on the Web listener.
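    The following audit script is an added example, not part of the original page or of Microsoft's sample above: it reads back every Web listener in the local array and flags a nonzero SSLAcceleratorPort that is not paired with SSLPort = 0, which is the state the procedure and the note above require. It reuses the FPC.Root, GetContainingArray, RuleElements.WebListeners, SSLPort and SSLAcceleratorPort members shown in the page's script; the Name and TCPPort members, and the reading of TCPPort = 0 as HTTP listening disabled, are assumptions taken from the FPC object model rather than from this page.

```vbscript
' Added audit script (not Microsoft's sample). Checks each Web listener in
' the local array for SSL accelerator settings consistent with the procedure:
' a nonzero SSLAcceleratorPort must be paired with SSLPort = 0.
' Assumption: Name and TCPPort are FPC object model members not shown on the
' page, and TCPPort = 0 is taken to mean that HTTP listening is disabled.
Option Explicit

Dim root, tmgArray, wl, problems
Set root = CreateObject("FPC.Root")
Set tmgArray = root.GetContainingArray()
problems = 0

For Each wl In tmgArray.RuleElements.WebListeners
    With wl.Properties
        WScript.Echo "Listener: " & wl.Name _
            & "  HTTP port: " & .TCPPort _
            & "  SSL port: " & .SSLPort _
            & "  SSL accelerator port: " & .SSLAcceleratorPort
        If .SSLAcceleratorPort <> 0 Then
            ' Offloaded listener: it must not also accept HTTPS itself.
            If .SSLPort <> 0 Then
                WScript.Echo "  WARNING: accelerator port is set but HTTPS " _
                    & "listening is still enabled (SSLPort = " & .SSLPort & ")"
                problems = problems + 1
            End If
            ' The accelerator forwards decrypted traffic as HTTP, so the
            ' listener must still accept HTTP (assumption: 0 = disabled).
            If .TCPPort = 0 Then
                WScript.Echo "  WARNING: accelerator port is set but HTTP " _
                    & "listening is disabled (TCPPort = 0)"
                problems = problems + 1
            End If
            If .SSLAcceleratorPort <> 443 Then
                WScript.Echo "  NOTE: accelerator port " & .SSLAcceleratorPort _
                    & " is not 443; confirm the device listens on it"
            End If
        End If
    End With
Next

If problems = 0 Then
    WScript.Echo "No inconsistent SSL accelerator settings found."
Else
    WScript.Echo problems & " listener setting(s) need attention."
    WScript.Quit 1
End If
```

    Run it with CScript on the Forefront TMG computer after step 6; a nonzero exit code indicates at least one listener whose accelerator settings contradict this procedure.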

    Concepts

    Publishing Web servers over HTTPS