Help with Forefront TMG 2010 configuration

I have just installed a Forefront Threat Management Gateway 2010 to act as a reverse proxy and to eliminate multiple logins to published internal websites, but I can't work out why my Exchange 2007 webmail publishing rule presents its forms-based authentication page in addition to the one presented for all of my other published websites. Users need to log in once for Webmail and once for all the other internal sites even though all published rules are set to use the same SSL listener. Is this how it is supposed to work, or have I done something wrong?
zeetec asked:
zeetec (Author) commented:
This problem is now resolved and for anyone who may experience it, here is the solution.
The issue was that in the listener the SSO domain was set to the internal domain name of .domain.local where it needed to be set to the top level domain of .domain.edu for it to work correctly across all sites.
0
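The fix above comes down to cookie scoping: a listener-level SSO session is carried in a cookie whose Domain attribute is the configured SSO domain, and a browser only sends that cookie to hosts that domain-match it. The following is an added example, not code from the thread or from TMG, that models that matching rule (RFC 6265 section 5.1.3) so you can check a candidate SSO domain against the public hostnames of every published site before touching the listener. The hostnames and domains in it are constructed placeholders, not the asker's real names.

```python
"""Model of how a listener-level SSO cookie is scoped by its Domain attribute.

Added example with constructed hostnames; it is not TMG code and does not talk
to a TMG server. Matching follows RFC 6265 section 5.1.3: a request host
matches a cookie domain when it equals the domain or ends with '.' + domain.
The leading dot that the listener UI shows (".domain.edu") is ignored, as
browsers ignore it.
"""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if a browser would send a cookie scoped to cookie_domain when
    requesting request_host (case-insensitive, trailing dots stripped)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if not dom:
        return False
    # The '.' + dom suffix test is what stops "evildomain.edu" from
    # matching a cookie scoped to "domain.edu".
    return host == dom or host.endswith("." + dom)


def sso_coverage(cookie_domain: str, published_hosts):
    """Split the published hostnames into those that will present the SSO
    cookie and those that will be sent back to the forms login page."""
    shared = [h for h in published_hosts if domain_matches(h, cookie_domain)]
    prompted = [h for h in published_hosts if not domain_matches(h, cookie_domain)]
    return shared, prompted


def narrowest_common_domain(hosts):
    """Suggest the narrowest parent domain that covers every published host.

    Returns None when the hosts share nothing beyond the top-level label:
    a bare public suffix such as ".edu" is rejected by browsers as a cookie
    domain, so it is never a usable SSO domain.
    """
    labels = [h.lower().rstrip(".").split(".") for h in hosts]
    common = []
    for parts in zip(*[reversed(l) for l in labels]):
        if len(set(parts)) == 1:
            common.append(parts[0])
        else:
            break
    if len(common) < 2:  # only the TLD (or nothing) in common
        return None
    return "." + ".".join(reversed(common))


if __name__ == "__main__":
    # Constructed set of published sites that all share one SSL listener.
    sites = ["webmail.domain.edu", "intranet.domain.edu", "portal.sub.domain.edu"]
    for candidate in (".domain.local", ".domain.edu"):
        shared, prompted = sso_coverage(candidate, sites)
        print(f"SSO domain {candidate}: shared={shared} prompted={prompted}")
    print("suggested SSO domain:", narrowest_common_domain(sites))
```

Run it as a script to see the two candidate SSO domains compared; the internal-suffix one covers none of the public hostnames, which is exactly the "second forms page" symptom. The check is also worth keeping around for the opposite failure: an SSO domain that is broader than the set of sites you intend to share a session means any other host published under that parent domain receives the session cookie too.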
 
pwindell commented:
You don't run FBA on the Exchange box and ISA/TMG at the same time.

When you run FBA on the ISA/TMG it is expected to be SSL. So you run FBA at the ISA/TMG and run Basic Authentication between the ISA/TMG and the "Sites", and have ISA/TMG set to do Delegation so it passes the authentication back to the web server hosting the sites. The SSL "shields" the Basic Auth.

I can't get any more specific,...I do not have TMG or Exchange2007 here to work with.
0
 
zeetec (Author) commented:
Thanks pwindell, but I am only running FBA on the ISA (using SSL), not Exchange. In regard to delegation I have tried using Basic Auth and Integrated Auth but both with the same outcome. Any other ideas? This is very frustrating as I have now tried installing ISA 2006 on a W2K3 x86 machine but have had the same result with that version as well, and I now know for sure it isn't supposed to present two separate login pages on either version.
0
 
pwindell commented:
ISA 2006 and TMG are different products. I can't help if you are going to flip back and forth between them.

With TMG and Exchange 2007, this article may help. Look to see if you missed anything from what is said in it.

How to publish Exchange Server 2007 SP1 Outlook Web Access (OWA) with  Microsoft Forefront TMG
http://www.isaserver.org/tutorials/Publishing-Outlook-Web-Access-Microsoft-Forefront-TMG.html
0
 
zeetec (Author) commented:
Thanks but I read that article the other day and had configured things the same way except for not disabling SSO on the listener as he suggests. I need SSO enabled on the listener so that the other published internal sites using the same listener won't require the re-entering of credentials.

My issue is not with getting my rules to use SSL, perform delegation or do redirections correctly as they all work fine. My issue is purely with SSO not working between my webmail site and all the others. I can log on once and get to all the other sites but get another TMG forms page only when requesting the webmail page even though they all use the same listener.

BTW, I wasn't changing the question and asking for configuration advice for another product; I only mentioned that I tried using ISA 2006 because a colleague thought the issue may have been specific to the newer TMG 2010, and I wanted to clarify to anyone else who may have had that thought that it wasn't.
0
 
pwindell commented:
OK, well it still sounds like the "web mail" (OWA) site has FBA enabled. Are you sure the Forms Page isn't from the OWA site? They both look alike. I have seen this happen because ISA/TMG gives you the first one, you authenticate, then when you actually hit the OWA site itself the OWA site hits you with another form that looks the same as the one from ISA/TMG but is not really the same form.

I don't have any other ideas. I'm not sure what else to tell you.  Sometimes you just have to call MS.  I still have to call them from time to time myself.
0
 
zeetec (Author) commented:
I think I am definitely at the "call MS" stage, as it definitely isn't FBA from the OWA site: I am not using the Exchange auth template but the ISA one, and I even changed some strings on it so I know which one is presenting the FBA page. If you go to OWA first you wouldn't know there was a problem until you try to go to another internal site and see my customised ISA FBA page again. Weird.

Thanks for your suggestions anyway.
0