Setting up Forefront


I'm setting up a Forefront (TMG) server. It has to function as a gateway, because I have Exchange, SharePoint and a website running in my domain.

Forefront has to receive incoming connections through the website of my domain and then redirect them to whatever the user asks for, for example: --> redirect to the SharePoint server; --> redirect to Exchange; --> redirect to the IIS web server.

How should I start configuring it?

Keith Alabaster (Enterprise Architect) commented:
So you have set up FTMG SP1 already as a functioning proxy/firewall?
If not, then you really need to get some professional guidance before you start. I can help you, but not right from the beginning. Doing this by 'email' and from different time zones would take way too long.
jonas-p (Author) commented:

Yes, I know it's difficult, but I already installed the software and I know that it is done through 'Firewall Policy'.
I already configured some policies and the web listener.

I have set up my internal sites. But how do you configure it so that when I type in my browser, it points to the SharePoint internal site?
(the same with the other sites: OWA, default website, ...)

Use the domain name as the difference instead of the URL.   Publish each in a normal, straightforward way.  (not

HTTP can run multiple sites on the same IP# & port#.
SSL requires a unique IP# for each; the port stays at 443.


jonas-p (Author) commented:
Okay, I don't understand; this is what I configured (see picture).
But I never configured that should go to ; ...

Well, first, that screenshot only shows the name of the rule; it doesn't show how the rule is configured.

The Rule's "Name" means nothing.
jonas-p (Author) commented:
Okay, sorry.

But what should I show then?
"Publish each in a normal straightforward way", okay, but where do I do that?

I just mean that if you follow through the Wizard, the answers will be obvious.  I believe OWA and SharePoint have their own unique wizards; you will go through three wizards separately, and they do a pretty good job of explaining each screen along the way as you read them.

Anyway, there are several tabs in the dialog box of the Properties of the Rule.  I might be able to spot something if you list the settings from each of those tabs in order.

Deal with HTTP sites first.  Deal with HTTPS sites (like OWA) last.  However, I don't "do" SharePoint, so I am limited to helping with only simple, basic stuff with that.   Each HTTPS (SSL) site requires its own certificate and a unique external IP#.  HTTP can share the IP#, so with a regular HTTP site, OWA (SSL) and SharePoint (maybe SSL?) you would need a minimum of two public IP#s.

HTTP site & one SSL site = share one IP#
2nd SSL site = a second IP#

Important!  You need to use Split-DNS.  The sites must be resolved from the same name no matter whether the users are inside the LAN or outside the LAN.  However, internal users must resolve sites to the internal private IP# of the site itself and therefore do not go through the TMG to get there.    External users (which obviously don't use your internal DNS) must resolve the sites to the external public IP# and come to the site through the TMG publishing rules.
jonas-p (Author) commented:
Okay, I managed to set up Forefront. I configured a web listener and then established to publish multiple sites.
But the only website that's working is the

When I go to the or the I get the following message in my browser:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact server administrator. (12202)

What could be the problem?
There is no way anyone can answer that. We can't see your config.   As I said in the last post:
Anyway, there are several tabs in the dialog box of the Properties of the Rule.  I might be able to spot something if you list the settings from each of those tabs in order.

Don't know what "established to publish multiple sites" means,...a rule for each site?,...or somehow tried to cram it all in one rule?

jonas-p (Author) commented:
Okay, sorry.

So I took snapshots of the rules and the web listener; see attachments.


Ok, give me time to look that over.
Preliminary things:
    You would be miles (kilometers?) ahead if you set up your DNS as Split-DNS.  It hugely simplifies this stuff.  Let me know if you don't know how to do that.  You want all your web sites to resolve to the correct public IP for users out in Internet Land (obviously),...but you want the same sites, by the same public name, to resolve to the internal web server's IP# for the LAN users.  So the site resolves to for the Internet world,...but you want the same name to resolve to for the LAN users.

Supporting ISA Firewall Networks Protecting Illegal Top-level Domains: You Need a Split DNS!

The web listener looks ok, but there are some preferences I would change:
Give it a more meaningful name to distinguish it from the others you will have to create.  Good names also make everything "self documenting".    The key elements of a listener are the IP# and the protocol.
A good name would be "Web Listener, HTTP-80,"
I would bind it to a specific IP# on the Networks tab instead of just "External".
Change the Networks tab to External, <click addresses button>, set to specific IP# (even if there is only one to start with).

The main web site publishing rule looks technically correct, but again I would adjust some things:
1. Name the rule Publishing, Web -   Now there will be no doubt what it is there for.  Name your others:
Publishing, SSL - https://owa.ropo.be
Publishing, SSL -

2. On the To tab, "This rule applies to" Computer name or IP: <leave blank>.  The Split DNS has to be in place and working correctly for this to work.  If not, then at a minimum add to the local hosts file on the ISA/TMG.  This makes it match the name listed in the Public Name tab.
3. As long as this is strictly an anonymous public access site, the rest looks fine.
OWA and SharePoint,..ton of problems here.  You need a properly working Split-DNS for this to work. Yes, I know that is not an absolute for any purists out there who want to debate me,...but you really, really need to listen to me on that.

1. TMG is going to insist that any site that requires authentication will have to be used over HTTPS (SSL) and will attempt to prevent you from using it over HTTP because of the domain credentials being passed over the open Internet in "clear text".   Yes, it can be worked around,...but don't,...you really, really need to listen to me on that too.

2. Two SSL sites cannot use the same IP# unless it is a wildcard certificate or a certificate that handles "multiple names".  I have heard once that OWA won't work with a wildcard certificate, but I cannot verify that.  Do not fall prey to anyone or anything trying to tell you to run SSL on some other odd-ball port number,...leave it running on the standard 443,...you really, really need to listen to me on that too.

3. If you use Forms Based Authentication with OWA (most people do), then the OWA site and the SharePoint site will need unique public IP#s, because a web listener using Forms Based Authentication cannot use any other form of authentication at the same time,...and two listeners cannot both use the same protocol on the same IP# at the same time.   So OWA's listener can share the same IP as the main HTTP site,...but SharePoint would need its own.  OWA would use Forms Based Authentication over SSL,...while SharePoint would use Basic Authentication over SSL on a different IP#.  All three sites would have their own listener,..for example:

Web Listener, HTTP-80,
OWA Listener, HTTPS-443,
SP Listener, HTTPS-443, <some other IP#>

Here are some links to get you through the OWA details.  Keep in mind that it uses a local certificate authority in the article; it does this for learning purposes only,...go buy your certs from recognized authorities such as Verisign, Network Solutions, GoDaddy, etc. Do not install Certificate Services and "roll your own".  Can you if you really want to?,...yes,...but don't,....listen to me on that too.   Publishing SharePoint over SSL is pretty much identical to doing it with OWA, except it wouldn't be using Forms Based Auth., so you can use the OWA article to "learn" how to do SharePoint as well.  It is a 7-part article,...if you aren't using OMA, RPC/HTTP and ActiveSync you can ignore those parts.

Publishing Exchange 2007 OWA, Exchange ActiveSync and RPC/HTTP using the 2006 ISA Firewall
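The split-DNS arrangement described in this answer and in the earlier "Important!" post, as an added example that is not part of the original thread: a small Python check over two constructed zone views (the hosting company's public zone and the internal DNS zone) that flags any published name a LAN client would resolve to the public address (the "U-turn" through TMG) or that exists on only one side, and that prints the hosts-file lines the TMG itself needs when the rule's To tab is left blank. The example.be domain, the 203.0.113.10 public address and the 192.168.1.x server addresses are assumptions; the thread's real names and addresses were stripped from the page.

```python
"""Split-DNS sanity check for sites published through TMG (added example).

Two views of the same names are modelled as plain dicts:
  * EXTERNAL_ZONE: what Internet users get from the hosting company's DNS
    (every published name -> the router's single public IP, i.e. the TMG).
  * INTERNAL_ZONE_*: what LAN users get from the internal DNS
    (the same names -> the private IP of the web server hosting the site).
All names and addresses below are constructed for the example.
"""
import ipaddress

PUBLIC_IP = "203.0.113.10"  # assumed public address of the router/TMG

EXTERNAL_ZONE = {
    "www.example.be": "203.0.113.10",
    "owa.example.be": "203.0.113.10",
    "sharepoint.example.be": "203.0.113.10",
}

# Broken internal view: sharepoint still points at the public address,
# so LAN clients would "U-turn" through the firewall to reach it.
INTERNAL_ZONE_BROKEN = {
    "www.example.be": "192.168.1.20",
    "owa.example.be": "192.168.1.20",
    "sharepoint.example.be": "203.0.113.10",
}

# Corrected internal view: every published name resolves to a LAN address.
INTERNAL_ZONE_FIXED = {
    "www.example.be": "192.168.1.20",
    "owa.example.be": "192.168.1.20",
    "sharepoint.example.be": "192.168.1.30",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan_address(ip):
    """True if ip lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def resolve(name, on_lan, external=EXTERNAL_ZONE, internal=INTERNAL_ZONE_FIXED):
    """The answer a client gets: LAN clients ask the internal DNS, everyone else the public DNS."""
    zone = internal if on_lan else external
    return zone.get(name)


def check_split_dns(external, internal, public_ip):
    """Return (name, problem) pairs for every name that violates the split-DNS rules."""
    problems = []
    for name, ext_ip in external.items():
        if ext_ip != public_ip:
            problems.append((name, f"public record {ext_ip} is not the TMG public IP {public_ip}"))
        int_ip = internal.get(name)
        if int_ip is None:
            problems.append((name, "no internal record; LAN clients would resolve it to the public IP"))
        elif not is_lan_address(int_ip):
            problems.append((name, f"internal record {int_ip} is not a LAN address; LAN clients would U-turn through TMG"))
    for name in internal:
        if name not in external:
            problems.append((name, "internal-only name; Internet users cannot resolve it"))
    return problems


def tmg_hosts_entries(internal):
    """hosts-file lines for the TMG itself, so a publishing rule whose To tab is left
    blank forwards to the internal server under the same public name."""
    return [f"{ip}\t{name}" for name, ip in sorted(internal.items())]


if __name__ == "__main__":
    for label, zone in (("broken", INTERNAL_ZONE_BROKEN), ("fixed", INTERNAL_ZONE_FIXED)):
        print(f"[{label}]")
        for name, problem in check_split_dns(EXTERNAL_ZONE, zone, PUBLIC_IP) or [("-", "no problems")]:
            print(f"  {name}: {problem}")
    print("\n".join(tmg_hosts_entries(INTERNAL_ZONE_FIXED)))
```

The RFC 1918 check is done by hand rather than with `ipaddress.is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as non-global and would hide exactly the mistake the thread warns about.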

jonas-p (Author) commented:

Thanks for your response, that helps a lot!
Now, first about the split DNS: if I understand what you mean, it's already in place.
I have a domain with a web hosting company; there is a DNS server running that handles everything on the external side. Everything (the www, mail, sharepoint, ...) is pointing to the public IP of my router.
Then on my internal DNS all the same names are configured, but they point to the internal IP addresses.
So I think that's fine? But why I use internal IPs, I don't really know, so that's just a mistake.

Now about the names: I already changed that, and you're right. The other two rules are a problem for me, because I only have one public IP available. But the SharePoint and OWA sites, do they have to be SSL?
Because I configured the IIS of the OWA not to require SSL and it works perfectly now. (At this time I have one IIS server running that publishes my www site and my OWA site and doesn't need HTTPS, internally as well as externally.) So it seems possible to publish the OWA site without SSL, no?

Then about the SharePoint site: when I look at the IIS server that is publishing the site, it says "this site does not have a secure binding (https) and cannot accept SSL connections". So doesn't this mean it can be published on HTTP?

Thanks a lot for all your help already.
Then on my internal DNS all the same names are configured, but they point to the internal IP addresses. So I think that's fine?

Yes. Excellent.
But why I use internal IPs, I don't really know, so that's just a mistake.

LAN users are supposed to go directly to the resource and not try to make a "U-turn" through the firewall.  You should be able to take the firewall (TMG) and throw it out in the street and the users should still be able to get to those resources.

SSL.  You can force SharePoint and OWA to run without SSL and get away with it,...but it is not recommended.  If you want toys & features and want security at the same time, then you have to pay the cost of doing so,...and that cost is getting more than one public IP# and buying the required certificates.
jonas-p (Author) commented:
Okay, thanks.

Unfortunately, that's not as simple as that. Maybe I will get a trusted certificate at GoDaddy.
But it's not possible at this time, so there is only one option left for me:

put it all on one machine: a server with Exchange and SharePoint on it.

Just one question left, because I don't understand it all. Publishing SSL sites (OWA, SharePoint, ...), do you need multiple public IPs? Also when you have a certificate? Or when you have a certificate, can you publish multiple SSL sites on one public IP?

put it all on one machine: a server with Exchange and SharePoint on it.

I'm not going anywhere near that,...I don't want anything to do with it.  Exchange & OWA need a box dedicated to them.  You're on your own there.

Just one question left, because I don't understand it all. Publishing SSL sites (OWA, SharePoint, ...), do you need multiple public IPs? Also when you have a certificate? Or when you have a certificate, can you publish multiple SSL sites on one public IP?

Normal cert:
   1 cert per site
   1 IP# per cert
   Hence two IP#s required

Wildcard cert or other type of cert that handles multiple names:
   1 cert may handle more than one site
   1 IP# per cert
   Hence only one IP# is required
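The certificate, listener and public-IP rules spread across this thread (HTTP sites share one listener; one certificate and one IP per SSL listener; a forms-based listener cannot also do basic authentication; a wildcard or multi-name certificate lets SSL sites with the same authentication share an IP; an SSL listener may share an IP with the HTTP listener because the port differs), combined into one planner as an added example. This is not code from the thread and not anything TMG exposes; the site names, the example.be domain, the Cert/Site/Listener classes and the listener naming are assumptions for illustration. It goes beyond the single case in the thread by also planning the two wildcard-certificate variants.

```python
"""Listener / public-IP planner for TMG web publishing (added example, not TMG code).

Encodes the rules given in this thread: HTTP sites share one port-80 listener;
authenticated sites must be HTTPS; one certificate per 443 listener and one
listener per IP:port, so a single-name certificate costs an IP per SSL site;
a wildcard/multi-name certificate lets SSL sites share a listener only if they
use the same authentication (forms-based cannot mix with basic); and a 443
listener may share an IP with the HTTP listener. All names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    label: str
    names: tuple  # host names and/or wildcard patterns such as "*.example.be"

    def covers(self, host):
        """True if the certificate is valid for host (a wildcard matches one label only)."""
        for pattern in self.names:
            if pattern.startswith("*."):
                suffix = pattern[1:]
                if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                    return True
            elif pattern == host:
                return True
        return False


@dataclass(frozen=True)
class Site:
    public_name: str
    https: bool
    auth: str = "anonymous"  # "anonymous", "basic" or "forms"
    cert: Optional[Cert] = None


@dataclass
class Listener:
    name: str
    ip_index: int  # 0 = first public IP, 1 = second, ...
    port: int
    auth: str
    sites: List[str] = field(default_factory=list)


def plan_listeners(sites):
    """Assign every site to a listener and every listener to a public-IP slot."""
    listeners, next_ip = [], 0
    http_sites = [s for s in sites if not s.https]
    if http_sites:
        web = Listener("Web Listener, HTTP-80, ip0", 0, 80, "anonymous")
        for s in http_sites:
            if s.auth != "anonymous":
                raise ValueError(f"{s.public_name}: authenticated sites must be published over HTTPS")
            web.sites.append(s.public_name)
        listeners.append(web)
        next_ip = 1
    groups = {}  # one 443 listener per (certificate, authentication) pair
    for s in sites:
        if not s.https:
            continue
        if s.cert is None or not s.cert.covers(s.public_name):
            raise ValueError(f"{s.public_name}: no certificate valid for this name")
        groups.setdefault((s.cert, s.auth), []).append(s.public_name)
    share_with_http = bool(http_sites)  # first SSL listener may sit on the HTTP listener's IP
    for (cert, auth), names in groups.items():
        if share_with_http:
            ip, share_with_http = 0, False
        else:
            ip, next_ip = next_ip, next_ip + 1
        listeners.append(Listener(f"{cert.label} Listener, HTTPS-443, ip{ip}", ip, 443, auth, names))
    return listeners


def public_ips_required(sites):
    """Number of distinct public IPs the plan consumes."""
    return len({lst.ip_index for lst in plan_listeners(sites)})


# Constructed scenarios: the thread's setup, plus the two wildcard-certificate variants.
OWA_CERT = Cert("OWA", ("owa.example.be",))
SP_CERT = Cert("SP", ("sharepoint.example.be",))
WILDCARD = Cert("Wildcard", ("*.example.be",))
WWW = Site("www.example.be", https=False)

THREAD_SITES = [WWW, Site("owa.example.be", True, "forms", OWA_CERT),
                Site("sharepoint.example.be", True, "basic", SP_CERT)]
WILDCARD_SAME_AUTH = [WWW, Site("owa.example.be", True, "basic", WILDCARD),
                      Site("sharepoint.example.be", True, "basic", WILDCARD)]
WILDCARD_MIXED_AUTH = [WWW, Site("owa.example.be", True, "forms", WILDCARD),
                       Site("sharepoint.example.be", True, "basic", WILDCARD)]

if __name__ == "__main__":
    for label, plan in (("thread", THREAD_SITES), ("wildcard", WILDCARD_SAME_AUTH),
                        ("wildcard+forms", WILDCARD_MIXED_AUTH)):
        print(f"{label}: {public_ips_required(plan)} public IP(s)")
        for lst in plan_listeners(plan):
            print(f"  {lst.name}: {', '.join(lst.sites)}")
```

Run as-is it prints two IPs for the thread's OWA (forms) plus SharePoint (basic) setup, one IP when both sit behind a wildcard certificate with the same authentication, and two again when the wildcard is kept but OWA stays on forms-based authentication, which is the combination of the "unless wildcard" and "forms cannot share" rules above.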