Solved

Setting up Forefront

Posted on 2010-08-14
1,060 Views
Last Modified: 2012-08-14
Hi,

I'm setting up a Forefront (TMG) server. It has to function as a gateway, because I have an Exchange, SharePoint and website running in my domain.

Forefront has to receive incoming connections through the website of my domain and then redirect them to what the user asks for, for example: www.domain.com/sharepoint --> redirect to the SharePoint server; www.domain.com/owa --> redirect to Exchange; www.domain.com --> redirect to the IIS website server.

How should I start to configure this?

Thanks.
0
Question by:jonas-p
17 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33436552
So you have set up FTMG SP1 already as a functioning proxy/firewall?
If not, then you really need to get some professional guidance before you start. I can help you but not right from the beginning. Doing this by 'email' and from different time zones would take way too long.
0
 

Author Comment

by:jonas-p
ID: 33444855
Hi,

Yes, I know it's difficult, but I already installed the software and I know that it is done through 'Firewall Policy'.
I already configured some policies and the web listener.

I have set up my internal sites. But how do you configure it so that when I type http://sharepoint.domain.com in my browser it points to the internal SharePoint site?
(The same with the other sites: OWA, default website, ...)

Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33445613
Use the Domain name as the difference instead of the URL.  Publish each in a normal straightforward way.

www.domain.com
owa.domain.com
sharepoint.domain.com  (not www.domain.com/sharepoint)

HTTP can run multiple sites on the same IP# & Port#
SSL requires a unique IP# for each,...port stays at 443

0
 

Author Comment

by:jonas-p
ID: 33450269
OK, I don't understand. This is what I configured (see picture).
But I never configured that www.domain.com/owa should go to 192.168.1.11; ...


forefront-firewall-pol.jpg
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33454261
Well, first, that screenshot only shows the Name of the Rule,...it doesn't show how the Rule is configured.

The Rule's "Name" means nothing.
0
 

Author Comment

by:jonas-p
ID: 33454457
Okay, sorry

But what should I show then?
"Publish each in a normal straightforward way", okay, but where do I do that?

Thanks
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33456039
I just mean if you follow through the Wizard, it will be the obvious answers.  I believe OWA and SharePoint have their own unique Wizards,...so you will go through three Wizards separately and they do a pretty good job of explaining each screen along the way as you read them.

Anyway, there are several Tabs in the dialog box of the Properties of the Rule.  I might be able to spot something if you list the settings from each of those Tabs in order.

Deal with HTTP Sites first.  Deal with HTTPS Sites (like OWA) last.  However I don't "do" SharePoint, so I am limited to helping with only simple basic stuff with that.  Each HTTPS (SSL) Site requires its own Certificate and a unique External IP#.  HTTP can share the IP#,...so with a regular HTTP Site,..OWA (SSL),...and SharePoint (maybe SSL?),...you would need a minimum of two Public IP#s.

HTTP site & one SSL site = shares one IP#
2nd SSL Site = a second IP#

DNS
Important!  You need to use Split-DNS.  The Sites must be resolved from the same Name no matter if the users are inside the LAN or outside the LAN.  However internal users must resolve Sites to the internal private IP# of the site itself and therefore do not go through the TMG to get there.  External users (which obviously don't use your internal DNS) must resolve the Sites to the External public IP# and come to the Site through the TMG Publishing Rules.
0
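As an added illustration of the split-DNS requirement pwindell describes (example code, not from the thread or from TMG): a small Python model of a split-horizon resolver, plus a consistency check that flags the two failure modes that break publishing, a public name missing from the internal zone, and an internal answer that hands LAN clients the public address so they U-turn through the firewall. The zone data, host names and addresses are constructed placeholders, and the LAN range 192.168.1.0/24 is an assumption.

```python
"""Split-DNS model and consistency check (added example, not from the thread)."""
import ipaddress

# Assumed LAN behind the TMG; constructed for this example.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed zone views for the same public names.  Internet clients are
# answered from EXTERNAL_VIEW (the hosting company's DNS); LAN clients are
# answered from INTERNAL_VIEW (the internal zone for the same name).
EXTERNAL_VIEW = {
    "www.example.com": "203.0.113.10",
    "owa.example.com": "203.0.113.10",
    "sharepoint.example.com": "203.0.113.11",
}
INTERNAL_VIEW = {
    "www.example.com": "192.168.1.11",   # correct: LAN clients go straight to IIS
    "owa.example.com": "203.0.113.10",   # wrong: points LAN clients at the public IP
    # sharepoint.example.com is missing from the internal zone
}


def in_lan(ip, lan_networks=LAN_NETWORKS):
    """True if ip falls inside one of the LAN networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lan_networks)


def resolve(name, client_ip, external=EXTERNAL_VIEW, internal=INTERNAL_VIEW,
            lan_networks=LAN_NETWORKS):
    """Split-horizon answer: which view is used depends on where the client asks from."""
    view = internal if in_lan(client_ip, lan_networks) else external
    return view.get(name)


def check_split_dns(external=EXTERNAL_VIEW, internal=INTERNAL_VIEW,
                    lan_networks=LAN_NETWORKS):
    """Return {name: [problem, ...]} for every published name that is not
    set up the way split DNS requires."""
    findings = {}
    for name, ext_ip in external.items():
        problems = []
        if in_lan(ext_ip, lan_networks):
            problems.append(f"external view answers LAN address {ext_ip}; "
                            "Internet clients cannot reach it")
        int_ip = internal.get(name)
        if int_ip is None:
            problems.append("missing from the internal zone; LAN clients get the "
                            "public answer (or no answer) and U-turn through TMG")
        elif not in_lan(int_ip, lan_networks):
            problems.append(f"internal view answers {int_ip}, not a LAN address; "
                            "LAN clients U-turn through TMG")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in check_split_dns().items():
        for problem in problems:
            print(f"{name}: {problem}")
    print("LAN client      :", resolve("www.example.com", "192.168.1.50"))
    print("Internet client :", resolve("www.example.com", "198.51.100.7"))
```

On a real network the two dictionaries would be filled by querying the internal DNS server and the hosting company's DNS server for each published name (for example with nslookup against each server) and the check run on the answers; the point of the check is pwindell's rule, the same name with two answers, and only the external answer passes through the TMG publishing rules.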
 

Author Comment

by:jonas-p
ID: 33463889
OK, I managed to set up Forefront. I configured a web listener and then established to publish multiple sites.
But the only website that's working is www.domain.com.

When I go to mail.domain.com or sharepoint.domain.com I get the following message in my browser:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact server administrator. (12202)

What could be the problem?
Thanks.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33464582
There is no way anyone can answer that. We can't see your config.  As said in the last post:.....
Anyway, there are several Tabs in the dialog box of the Properties of the Rule.  I might be able to spot something if you list the settings from each of those Tabs in order.

Don't know what "established to publish multiple sites" means,...a Rule for each site?,...somehow tried to cram it all into one rule?

0
 

Author Comment

by:jonas-p
ID: 33475017
Okay, sorry,

So I took snapshots of the rules and the web listener, see attachments.

Thanks

weblistener.jpg
home-website.jpg
owa-website.jpg
sharepoint-website.jpg
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33477465
Ok, give me time to look that over.
0
 
LVL 29

Accepted Solution

by:
pwindell earned 500 total points
ID: 33478286
Preliminary things:
    You would be miles (kilometers?) ahead if you set up your DNS as Split-DNS.  It hugely simplifies this stuff.  Let me know if you don't know how to do that.  You want all your web sites to resolve to the correct Public IP for users out in Internet Land (obviously),...but you want the same sites, by the same public name, to resolve to the Internal web server's IP# for the LAN Users.  So the site www.ropo.be resolves to 83.101.5.175 for the Internet world,...but you want the same name www.ropo.be to resolve to 192.168.1.11 for the LAN users.

Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!
http://www.isaserver.org/tutorials/2004illegaltldsplitdns.html

The Web Listener looks ok, but there are some preferences I would change:
Give it a more meaningful name to distinguish it from the others you will have to create.  Good names also make everything "self documenting".  The key elements of a Listener are the IP# and Protocol.
A good name would be "Web Listener, HTTP-80, 83.101.5.175"
I would bind it to a specific IP# on the Networks Tab instead of just "External".
Change the Networks Tab to External, <click addresses button>, set to specific IP# (even if there is only one to start with).

Main Web site Publishing rule looks technically correct, but again I would adjust some things:
1. Name the Rule "Publishing, Web - http://www.ropo.be".  Now there will be no doubt what it is there for.  Name your others:
Publishing, SSL - https://owa.ropo.be
Publishing, SSL - https://sharepoint.ropo.be

2. On the To tab, "This rule applies to" www.ropo.be.  Computer name or IP <leave blank>.  The Split DNS has to be in place and working correctly for this to work.  If not,..then at a minimum add www.ropo.be   192.168.1.11 to the local Host File on the ISA/TMG.  This makes it match the name listed in the Public Name Tab.
3. As long as this is strictly an anonymous public access site,...the rest looks fine.

OWA and SharePoint,..ton of problems here.  You need a properly working Split-DNS for this to work. Yes, I know that is not an absolute for any purists out there who want to debate me,...but you really, really need to listen to me on that.

1. TMG is going to insist that any site that requires Authentication will have to be used over HTTPS (SSL) and will attempt to prevent you from using it over HTTP because of the Domain Credentials being passed over the open Internet in "clear text".  Yes, it can be worked around,...but don't,...you really, really need to listen to me on that too.

2. Two SSL Sites cannot use the same IP# unless it is a Wild Card Certificate or a Certificate that handles "multiple names".  I have heard once that OWA won't work with a Wild Card Certificate but I cannot verify that.  Do not fall prey to anyone or anything trying to tell you to run SSL on some other odd-ball port number,...leave it running on the standard 443,...you really, really need to listen to me on that too.

3. If you use Forms Based Authentication with OWA (most people do), then the OWA Site and the SharePoint Site will need unique Public IP#s because a Web Listener using Forms Based Authentication cannot use any other form of Authentication at the same time,...and two Listeners cannot both use the same Protocol on the same IP# at the same time.  So OWA's Listener can share the same IP as the Main HTTP Site,...but SharePoint would need its own.  OWA would use Forms Based Authentication over SSL,...while SharePoint would use Basic Authentication over SSL on a different IP#.  All three Sites would have their own Listener,..for example:

Web Listener, HTTP-80, 83.101.5.175
Web OWA Listener, HTTPS-443, 83.101.5.175
Web SP Listener, HTTPS-443, <some other IP#>

Here are some links to get you through the OWA details.  Keep in mind that it uses a local certificate authority in the article,...it does this for learning purposes only,...go buy your Certs from recognized authorities such as Verisign, Network Solutions, GoDaddy, etc.  Do not install Certificate Services and "roll your own".  Can you if you really want to?,...yes,...but don't,....listen to me on that too.  Publishing SharePoint over SSL is pretty much identical to doing it with OWA except it wouldn't be using Forms Based Auth.,..so you can use the OWA article to "learn" how to do SharePoint as well.  It is a 7-part article,...if you aren't using OMA, RPC/HTTP and ActiveSync you can ignore those parts.


Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part1.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part2.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part3.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part4.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part5.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part6.html
http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-2006-ISA-Firewall-Part7.html
0
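To make the relationship between the listener, the Public Name tab and the 403 reported earlier concrete, here is an added Python model (not from the thread and not TMG's code) of how a request arriving on a web listener is matched: the destination IP and port select the listener, the rules attached to that listener are tried in policy order against the Host header, and a host that no rule on that listener publishes falls through to a deny. A second function lints the rule set against the external DNS view, which catches a public name that no Internet client can ever send to this listener and a DNS name that reaches the listener but is published by no rule. The configuration, hostnames and addresses are constructed placeholders, the listener and rule names follow the convention suggested above, and the deny text is a simplified stand-in for TMG's own 403 message, not a reproduction of it.

```python
"""Web-listener and publishing-rule matching model (added example, not from the thread)."""

# Constructed listeners, keyed by the (public IP, port) each one is bound to.
LISTENERS = {
    ("203.0.113.10", 80): "Web Listener, HTTP-80, 203.0.113.10",
}

# Constructed publishing rules in firewall-policy order.  Each rule is tied to
# one listener and publishes only the names on its Public Name tab.
RULES = [
    {"name": "Publishing, Web - http://www.example.com",
     "listener": "Web Listener, HTTP-80, 203.0.113.10",
     "public_names": ["www.example.com", "example.com"],
     "to": "192.168.1.11"},
    {"name": "Publishing, Web - http://owa.example.com",
     "listener": "Web Listener, HTTP-80, 203.0.113.10",
     "public_names": ["owa.example.com"],      # mail.example.com is NOT listed
     "to": "192.168.1.12"},
]

# Constructed external DNS view (what Internet clients resolve).
EXTERNAL_DNS = {
    "www.example.com": "203.0.113.10",
    "example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.10",       # reaches the listener, no rule publishes it
    "owa.example.com": "203.0.113.99",        # stale record: not the listener's IP
}


def _host_only(host_header):
    """Strip an optional :port and normalise case, e.g. 'WWW.Example.com:80'."""
    if host_header is None:
        return None
    return host_header.split(":", 1)[0].strip().lower()


def route(dst_ip, dst_port, host_header, listeners=LISTENERS, rules=RULES):
    """Return (action, detail) for one incoming request."""
    listener = listeners.get((dst_ip, dst_port))
    if listener is None:
        return ("DROP", f"no web listener bound to {dst_ip}:{dst_port}")
    host = _host_only(host_header)
    if not host:
        return ("DENY", "403: request carries no Host header to match a public name")
    for rule in rules:                          # first match wins, as in the policy
        if rule["listener"] != listener:
            continue
        if host in (n.lower() for n in rule["public_names"]):
            return ("FORWARD", f"{rule['name']} -> {rule['to']}")
    return ("DENY", f"403: no publishing rule on '{listener}' publishes {host}")


def lint_rules(rules=RULES, listeners=LISTENERS, external_dns=EXTERNAL_DNS):
    """Report configuration problems that produce denies or unreachable sites."""
    findings = []
    ip_of_listener = {name: ip for (ip, _port), name in listeners.items()}
    for rule in rules:
        lst_ip = ip_of_listener.get(rule["listener"])
        if lst_ip is None:
            findings.append(f"{rule['name']}: listener does not exist")
            continue
        for pub in rule["public_names"]:
            if external_dns.get(pub) != lst_ip:
                findings.append(f"{rule['name']}: {pub} resolves to "
                                f"{external_dns.get(pub)}, not listener IP {lst_ip}")
    published = {n.lower() for r in rules for n in r["public_names"]}
    for name, ip in external_dns.items():
        if ip in ip_of_listener.values() and name.lower() not in published:
            findings.append(f"{name} points at the listener but no rule publishes it "
                            "(clients will get a 403)")
    return findings


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "WWW.Example.com:80"):
        print(host, "->", route("203.0.113.10", 80, host))
    for finding in lint_rules():
        print("lint:", finding)
```

The constructed rule set reproduces the symptom from the thread: www.example.com is forwarded, while mail.example.com reaches the listener and is denied because no rule's Public Name tab lists it. The lint function is the check to run after every rule change: a name in external DNS that lands on the listener must appear on exactly one rule, and a name on a rule must resolve to that rule's listener IP.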
 

Author Comment

by:jonas-p
ID: 33484374
Okay,

thanks for your response, that helps a lot!
Now first about the split DNS: if I understand what you mean, it's already in place.
I have a domain with a webhosting company; there is a DNS server running that handles everything on the external side. Everything (the www, mail, sharepoint, ...) is pointing to the public IP of my router.
Then on my internal DNS all the same names are configured too, but they point to the internal IP addresses.
So I think that's fine? But why I use internal IPs, I don't really know, so that's just a mistake.

Now about the names, I already changed that and you're right. The other two rules are a problem for me, because I only have one public IP available. But the SharePoint and OWA site, do they have to be SSL?
Because I configured the IIS of the OWA to not require SSL and it works perfectly now. (At this time I have one IIS server running that publishes my www site and my OWA site and doesn't need HTTPS, internally as well as externally.) So it seems possible to publish the OWA site without SSL, no?

Then about the SharePoint site, when I look at the IIS server that is publishing the site, it says "this site does not have a secure binding (https) and cannot accept SSL connections". So doesn't this mean it can be published on HTTP?

Thanks a lot for all your help already.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33485041
"Then on my internal DNS all the same names are configured too, but they point to the internal IP addresses. So I think that's fine?"

Yes. Excellent.

"But why I use internal IPs, I don't really know, so that's just a mistake."

LAN users are supposed to go directly to the resource and not try to make a "U-Turn" through the firewall.  You should be able to take the Firewall (TMG) and throw it out in the street and the users should still be able to get to those resources.

SSL.  You can force SharePoint and OWA to run without SSL and get away with it,...but it is not recommended.  If you want toys & features and want security at the same time, then you have to pay the cost of doing so,...and that cost is getting more than one Public IP# and buying the required Certificates.
0
 

Author Comment

by:jonas-p
ID: 33486941
Okay, thanks,

Unfortunately it's not that simple. Maybe I will get a trusted certificate at GoDaddy.
But it's not possible at this time, so there is only one option left for me:

Put it all on one machine: a server with Exchange and SharePoint on it.

Just one question left because I don't understand it all. Publishing SSL sites (OWA, SharePoint, ...), do you need multiple public IPs? Also when you have a certificate? Or when you have a certificate can you publish multiple SSL sites on one public IP?

Thanks.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33487245
"Put it all on one machine: a server with Exchange and SharePoint on it."

I'm not going anywhere near that,...I don't want anything to do with it.  Exchange & OWA need a box dedicated to them.  You're on your own there.

"Just one question left because I don't understand it all. Publishing SSL sites (OWA, SharePoint, ...), do you need multiple public IPs? Also when you have a certificate? Or when you have a certificate can you publish multiple SSL sites on one public IP?"

Normal Cert.
   1 Cert per site
   1 IP# per Cert
   Hence two IP#s required

Wild Card Cert or other type of Cert that handles multiple Names
   1 Cert may handle more than one Site
   1 IP# per Cert
   Hence only one IP# is required
0
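The constraints pwindell lays out in the accepted answer and in the summary just above can be checked mechanically: an HTTP listener can share a public IP with one HTTPS listener, each HTTPS listener needs its own IP unless a single wildcard or multi-name certificate covers every name on it, a listener using Forms Based Authentication cannot also carry another authentication type, and an authenticated site must not be published over plain HTTP. The following Python planner is an added example (not the thread's or TMG's code) that groups sites into listeners under those rules, assigns public IPs from a pool, names the listeners in the style suggested earlier, and refuses plans that violate a rule. Hostnames, addresses and certificate names are constructed placeholders.

```python
"""Plan TMG web listeners and public IPs from site requirements (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Site:
    host: str
    scheme: str                   # "http" or "https"
    auth: str = "anonymous"       # "anonymous", "basic" or "forms" (FBA)
    cert: tuple = ()              # names on the certificate (https only)


@dataclass
class Listener:
    protocol: str                 # "HTTP" or "HTTPS"
    port: int
    auth: str
    hosts: list = field(default_factory=list)
    cert: tuple = ()
    ip: Optional[str] = None

    @property
    def name(self):
        # Naming convention suggested in the thread: protocol, port, IP.
        return f"Web Listener, {self.protocol}-{self.port}, {self.ip}"


def cert_covers(cert_names, host):
    """True if the certificate names include host; '*.x' covers one label only."""
    host = host.lower()
    for pattern in cert_names:
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                        # ".example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False


def plan_listeners(sites, public_ips):
    """Group sites into listeners and assign public IPs, or raise ValueError."""
    http_hosts = []
    https_groups = {}        # (auth, cert) -> hosts; each group is one listener
    for s in sites:
        if s.scheme == "http":
            if s.auth != "anonymous":
                raise ValueError(f"{s.host}: authenticated site over HTTP would send "
                                 "domain credentials in clear text; use HTTPS")
            http_hosts.append(s.host)
            continue
        if s.scheme != "https":
            raise ValueError(f"{s.host}: unknown scheme {s.scheme}")
        if not cert_covers(s.cert, s.host):
            raise ValueError(f"{s.host}: certificate {s.cert} does not cover this name")
        # One listener has one authentication setting and one certificate, so
        # sites that differ in either need separate listeners on 443, and two
        # listeners cannot share the same IP and port.
        https_groups.setdefault((s.auth, s.cert), []).append(s.host)

    https_listeners = [Listener("HTTPS", 443, auth, hosts, cert)
                       for (auth, cert), hosts in https_groups.items()]
    needed = max(len(https_listeners), 1 if http_hosts else 0)
    if needed > len(public_ips):
        raise ValueError(f"{needed} public IPs required, only {len(public_ips)} available")

    for ip, lst in zip(public_ips, https_listeners):   # one IP per HTTPS listener
        lst.ip = ip
    listeners = https_listeners
    if http_hosts:
        # Port 80 can share the first IP with the first HTTPS listener on 443.
        listeners = [Listener("HTTP", 80, "anonymous", http_hosts, ip=public_ips[0])] + listeners
    return listeners


def public_ips_needed(sites):
    """How many public IPs a plan for these sites consumes."""
    plan = plan_listeners(sites, [f"203.0.113.{i}" for i in range(1, 255)])
    return len({lst.ip for lst in plan})


if __name__ == "__main__":
    thread_case = [Site("www.example.com", "http"),
                   Site("owa.example.com", "https", "forms", ("owa.example.com",)),
                   Site("sharepoint.example.com", "https", "basic", ("sharepoint.example.com",))]
    for lst in plan_listeners(thread_case, ["203.0.113.10", "203.0.113.11"]):
        print(lst.name, lst.auth, lst.hosts)
    print("public IPs needed:", public_ips_needed(thread_case))
```

Run against the thread's situation (one HTTP site, OWA with forms authentication, SharePoint with basic authentication, one certificate each) the planner produces three listeners on two IPs, which is pwindell's answer. Swapping in one wildcard certificate and the same authentication type for both SSL sites brings it down to one IP; keeping forms authentication on OWA and basic on SharePoint keeps it at two even with the wildcard, which is point 3 of the accepted answer.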
 

Author Closing Comment

by:jonas-p
ID: 33487657
.
0
