Solved

Publishing more than one SSL/HTTPS website in Forefront TMG

Posted on 2010-09-15
Last Modified: 2012-05-10
Hi,

I need to publish more than one SSL/HTTPS website on my Forefront TMG server. However, I already have one website using port 443, and am not able to publish things such as my Exchange Client Access website or another website using the same port.

Can anyone give me some advice on how to overcome this problem?

Thanks
0
Question by:TechLad
43 Comments
LVL 23

Expert Comment

by:Suliman Abu Kharroub
If you want to publish on a different port, take a look here:

http://www.kalabaster.com/dasblog/2009/11/08/SSLPortNotSupportedInISAAndFTMGHowToChangeTheseDefaultsOfPorts563And443Only.aspx

Also, you can publish another website using the same listener (certificate, IP address and port) but a different public name:

1. Create a DNS A record, say site2 (the public name will be site2.domain.com).
2. On the new rule, specify that public name.

a third solution would be using internal and external path:

from the rule path tab:

specify the external path as /site2/*

then you can access site2 as https://domain/site2
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
More clarification for method three:

Create a new publishing rule with the same listener (IP, port and certificate) and the same public name (domain.com). You only need to change the To tab to point to the site (web server) and change the internal and external path; the external path should be /site/* so you can access the website as https://domain.com/site2. For the internal path you can use /*.

But make sure that other rules which use the same listener don't have /* as the external path, but something else like /site1/*.


hope this will help.
0
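As an added illustration of the path-based variant described in the two replies above (example code written for this page, not from the thread or from Microsoft): a toy model of several rules that share one listener and public name and differ only in their external path. It assumes TMG's first-match evaluation of an ordered rule list; the rule names and paths are constructed.

```python
# Added example (not from the thread): a toy model of TMG path-based publishing,
# where several rules share one listener and public name and differ only in the
# external path. Rule evaluation is modelled as first-match-wins in rule order
# (an assumption about ISA/TMG firewall policy ordering).
from dataclasses import dataclass


@dataclass
class PathRule:
    name: str
    external_path: str   # pattern on the rule's Paths tab, e.g. "/site2/*"
    internal_path: str   # what it is rewritten to for the web server, e.g. "/*"


def path_matches(pattern: str, path: str) -> bool:
    """'/site2/*' matches any path under /site2/; a pattern without '*' is exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_rule(rules, path):
    """Return the first rule whose external path matches, or None."""
    for rule in rules:
        if path_matches(rule.external_path, path):
            return rule
    return None


def translate_path(rule: PathRule, path: str) -> str:
    """Rewrite the external path to the internal one: with '/site2/*' -> '/*'
    the '/site2' prefix is stripped before the request reaches the web server."""
    ext, internal = rule.external_path, rule.internal_path
    if ext.endswith("*") and internal.endswith("*"):
        return internal[:-1] + path[len(ext) - 1:]
    return internal


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule on the same
    listener/public name already covers every path they accept."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            e = earlier.external_path
            covers = (e.endswith("*") and later.external_path.startswith(e[:-1])) \
                or e == later.external_path
            if covers:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed configurations: the pitfall the reply warns about, then the fix.
BROKEN = [PathRule("site1", "/*", "/*"), PathRule("site2", "/site2/*", "/*")]
FIXED = [PathRule("site1", "/site1/*", "/*"), PathRule("site2", "/site2/*", "/*")]

if __name__ == "__main__":
    for rules in (BROKEN, FIXED):
        hit = select_rule(rules, "/site2/index.html")
        print(hit.name, "->", translate_path(hit, "/site2/index.html"),
              "shadowed:", shadowed_rules(rules))
```

With `BROKEN`, a request for `/site2/index.html` is captured by the first rule's `/*` and site2 is never reached; narrowing site1 to `/site1/*` is what makes the second rule live, which is the reason the reply insists the other rules must not keep `/*`.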
 

Author Comment

by:TechLad
Any step-by-step instructions on these ways?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
0
 

Author Comment

by:TechLad
None of them explain how I can publish more than one HTTPS website on the same listener using port 443. I've already got one website using that listener and port, and am unable to publish my Exchange Client Access server, on a different domain member.
0
 
LVL 21

Expert Comment

by:snusgubben
Add another IP address to the TMG server and use that for publishing Exchange.

I use this approach: 1 IP for the SharePoint (with AAM) and MSCRM listener and 1 IP for a dedicated Exchange listener.

0
 

Author Comment

by:TechLad
Does that require more NICs?
0
 
LVL 21

Expert Comment

by:snusgubben
Nope. You just add it as an additional IP on the same NIC.

If your existing listener is set to "All IP addresses" you have to correct this to your old IP. When you create a new Exchange listener you set it to your new IP.

You can't use multiple host headers with SSL in the traditional way like you do with non-SSL sites, so adding an additional IP is one way to get past this.
0
 

Author Comment

by:TechLad
Can you run through it step by step for me, please?
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 250 total points
On the TMG server:

1. Open the NIC properties (i.e. "Local Area Connection")
2. Properties - Internet Protocol TCP/IP (v4) - Advanced - Add an additional IP

On the TMG you need to change the listener from "All IP addresses" to your specific IP.

(attachment: ip.jpg)
0
 

Author Comment

by:TechLad
I'm not sure I'm doing this correctly. I assume you add an additional IP address to the NIC which faces the internet. It's working to a point that way, but I have two different SSL certificates for two different sites.

For some reason both websites seem to have the same SSL certificate, even when I've clearly assigned it otherwise.
0
 
LVL 37

Expert Comment

by:meverest
Hi, does each hostname resolve to the right IP address?

i.e. when you "ping my.primary.host.com" does it resolve to a different IP address than "ping my.exchange.server.address"?

What happens when you try to access by the IP address (e.g. http://a.b.c.d and http://a.b.c.e)?

Cheers.
0
 
LVL 21

Expert Comment

by:snusgubben
Did you set the correct SSL cert on each listener?
0
 

Author Comment

by:TechLad
It is returning the external IP address when you ping both addresses; as for the certificate, the correct certificate is selected for the two different websites. I'm not sure that this is the problem but worth a try: rather than assigning the certificate for each IP address, use a single certificate for this listener option instead.
0
 
LVL 21

Expert Comment

by:snusgubben
Do you have two external IP addresses on the TMG server configured?

i.e.

MySite Listener: IP: xxx.xxx.xxx.100, SSL: mysite.com
Exchange Listener: IP: xxx.xxx.xxx.101, SSL: exchange.domain.com (preferred UC SAN cert)

Split DNS:

External A-record: mysite.com -> xxx.xxx.xxx.100
Internal A-record: mysite.com -> 10.0.0.5

External A-record: exchange.domain.com -> xxx.xxx.xxx.101
Internal A-record: exchange.domain.com -> 10.0.0.8

(the internal address should match your IP structure)

0
 

Author Comment

by:TechLad
No, it only has one external NIC and one internal NIC on the TMG. It does have its own DNS service on the TMG server.
0
 
LVL 21

Expert Comment

by:snusgubben
A NIC can have multiple IP addresses. You don't need a new NIC to add an IP.

I just wrote an example regarding DNS how it can be done.
0
 

Author Comment

by:TechLad
Then that part of adding additional IP addresses outlined in ID: 33711464 has been correctly done. Do you have to add the internal IP of the web server as well in each web listener?
0
 

Author Comment

by:TechLad
I need someone to post me a step-by-step guide on how to do this whole thing. It's starting to really get me frustrated; I have no idea where I'm going wrong. Please can someone help me with that?
0
 
LVL 21

Expert Comment

by:snusgubben
I'm afraid I can't give you a complete step-by-step, but maybe help you understand(?). I use ISA 2006 so I'm not sure TMG looks the same, even though the configuration is the same.

The "Listener" is what the TMG listens on from the Internet. You don't have to add the internal IP of the web server on the Listener. Internal traffic should not be routed through the TMG, so split DNS is the way to go.

1. You've got the extra IP configured on the NIC. Make sure it's registered in your DNS.
Also make sure your existing rules are set to listen on the "old" IP. If you don't change this, it will not work.

2. Apply this IP to the Exchange Listener (see picture http:#33711464 )
3. Configure a new Exchange rule, e.g. an ActiveSync rule
4. Public name = FQDN seen from the Internet
5. Listener = pick the Exchange listener
6. To = internal site FQDN (like Exchange CAS)


Dunno if this just makes you more confused...
0
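The design in this reply and in the earlier split-DNS example (one IP:443 per SSL listener, each public name resolving to its own listener's IP, a certificate that covers the public name) can be checked mechanically. The following is an added example written for this page, not code from the thread or from Microsoft; it models listeners, publishing rules and external DNS as plain data, assumes that a listener bound to a specific IP takes precedence over one bound to "All IP addresses", and uses constructed names and RFC 5737 addresses throughout.

```python
# Added example (not from the thread or from Microsoft): a small model of TMG
# HTTPS web listeners, publishing rules and external DNS, used to check the
# constraints the thread arrives at: one IP:443 socket per SSL listener, each
# public name resolving to its own listener's IP, and a certificate that covers
# the public name. Names and addresses below are constructed.
from dataclasses import dataclass

ALL_IPS = "All IP addresses"   # listener bound to every external address


@dataclass(frozen=True)
class Listener:
    name: str
    ip: str                 # external IP the listener is bound to, or ALL_IPS
    port: int
    cert_names: tuple       # CN/SAN entries on the listener's certificate


@dataclass(frozen=True)
class Rule:
    public_name: str        # FQDN seen from the Internet
    listener: str           # name of the listener the rule is attached to


def cert_covers(cert_names, hostname):
    """Exact or single-label wildcard match against the certificate's names."""
    host = hostname.lower()
    for name in (n.lower() for n in cert_names):
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def effective_listener(ip, port, listeners):
    """Listener that receives a connection to ip:port. A listener bound to a
    specific IP is assumed to take precedence over one bound to ALL_IPS."""
    for lst in listeners:
        if lst.port == port and lst.ip == ip:
            return lst
    for lst in listeners:
        if lst.port == port and lst.ip == ALL_IPS:
            return lst
    return None


def validate(listeners, rules, dns):
    """Return a list of findings (empty when the configuration is consistent)."""
    findings = []
    by_name = {lst.name: lst for lst in listeners}
    # Two SSL listeners cannot share a socket; ALL_IPS collides with every IP.
    for i, a in enumerate(listeners):
        for b in listeners[i + 1:]:
            if a.port == b.port and (a.ip == b.ip or ALL_IPS in (a.ip, b.ip)):
                findings.append(f"listeners {a.name} and {b.name} overlap on port {a.port}")
    # Each public name must land on its own listener, whose cert must cover it.
    for rule in rules:
        wanted = by_name[rule.listener]
        ip = dns.get(rule.public_name)
        if ip is None:
            findings.append(f"{rule.public_name}: no external A record")
            continue
        actual = effective_listener(ip, wanted.port, listeners)
        if actual is None:
            findings.append(f"{rule.public_name} resolves to {ip}, where nothing listens on {wanted.port}")
        elif actual != wanted:
            findings.append(f"{rule.public_name} resolves to {ip}, so listener {actual.name} "
                            f"answers with the certificate for {', '.join(actual.cert_names)}")
        if not cert_covers(wanted.cert_names, rule.public_name):
            findings.append(f"certificate on {wanted.name} does not cover {rule.public_name}")
    return findings


# Constructed scenario mirroring the thread: two SSL listeners on one NIC.
LISTENERS = [
    Listener("Intranet", "198.51.100.10", 443, ("intranet.example.com",)),
    Listener("Exchange", "198.51.100.11", 443,
             ("webmail.example.com", "autodiscover.example.com")),
]
RULES = [Rule("intranet.example.com", "Intranet"),
         Rule("webmail.example.com", "Exchange")]

# Both names still point at the old address: webmail lands on the Intranet listener.
DNS_BEFORE = {"intranet.example.com": "198.51.100.10",
              "webmail.example.com": "198.51.100.10"}
# Only the webmail record is moved to the new IP.
DNS_AFTER = {"intranet.example.com": "198.51.100.10",
             "webmail.example.com": "198.51.100.11"}

if __name__ == "__main__":
    for label, dns in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        print(label, validate(LISTENERS, RULES, dns) or ["ok"])
```

The "before" run reproduces the symptom reported further down the thread: with both names resolving to the same address, the webmail request is answered by the Intranet listener and therefore by the Intranet certificate. Moving only the webmail record to the new IP clears the finding, and leaving the old listener on "All IP addresses" is reported as an overlap before any DNS check is made.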
 

Author Comment

by:TechLad
This is the problem I'm having, as outlined in my screenshot. I've followed everything, I'm sure of it. I've got two SSL certificates for two sites: intranet and webmail mjncomputers.co.uk. When I've set up, say, my intranet website, that site works perfectly. However, when I publish the Exchange OWA it seems to use the SSL certificate for both sites when it has been clearly set up differently.

Would a screenshot Word document of how I've configured this help you more with this question?
(attachment: Untitled.png)
0
 
LVL 21

Expert Comment

by:snusgubben
Seems like you're missing the DNS part.

"intranet.mjncomputers.co.uk" and "webmail.mjncomputers.co.uk" are resolving to the same public IP.

You need to create an A-record (host) on DynDns.com for webmail in this case.

0
 
LVL 21

Expert Comment

by:snusgubben
What version of Exchange do you have?
0
 

Author Comment

by:TechLad
webmail.mjncomputers.co.uk has already been set up from the start in DynDNS. As for Exchange, I'm running Exchange 2007.
0
 
LVL 21

Expert Comment

by:snusgubben
Seems to me like they point to the same IP:

intranet.mjncomputers.co.uk     internet address = 86.181.230.245
webmail.mjncomputers.co.uk      internet address = 86.181.230.245
0
 

Author Comment

by:TechLad
So those need to be changed in DynDNS too?
0
 
LVL 21

Expert Comment

by:snusgubben
If you want webmail to work with SSL you need to point it to the new IP you added on your NIC.

There is no need to change the intranet record. Only the webmail record.
0
 

Author Comment

by:TechLad
So I assume we're talking about Forefront adding an additional IP address to the external NIC to the internet, or on the Exchange server? And pointing webmail to that new address?
0
 
LVL 21

Expert Comment

by:snusgubben
Yes, we're talking about adding an IP to the external NIC on the Forefront server.

You don't want to show your Exchange to the Internet :)
0
 

Author Comment

by:TechLad
I have attached a Microsoft Word document for you with some screenshots, for you to look over and see if you can pinpoint at what stage I've gone wrong. It's got me totally confused.
(attachment: The-IP-address-of-the-external-c.doc)
0
 
LVL 21

Expert Comment

by:snusgubben
I couldn't see anything wrong in the Word doc.

Your Forefront server uses internal IP addresses and the external NIC is connected to your router (IP: 86.181.230.245). Both "webmail" and "intranet" are pointed to your router (through DNS), so it should NAT the request to the Forefront server based on the host header.

Could you verify that your router is correct regarding NAT to your new IP on the Forefront server?
(I'm not a router expert, so I can not give you any advice regarding this)


Take a look at this article to see if you missed something basic: http://www.isaserver.org/tutorials/Publishing-Outlook-Web-Access-Microsoft-Forefront-TMG.html
0
 

Author Comment

by:TechLad
I'm not sure if the router is correct. These are the ports that have currently been opened to the Forefront TMG server. If need be you can create custom rules to add in the router, but it's limited as to what it can do: you can only assign one rule for one device.
(attachment: n2n2.png)
0
 
LVL 21

Expert Comment

by:snusgubben
According to the picture, all HTTPS and HTTP requests are forwarded to 192.168.1.1. That could explain the issue you are seeing.

I'd be in deep water if I told you what to do with the router, but I think that's the issue. Do you have any documentation of the router, or support?
0
 

Author Comment

by:TechLad
I don't have any instructions for the router at the moment. What sort of rule should be open?
0
 
LVL 21

Expert Comment

by:snusgubben
All the router knows is that it should forward HTTPS traffic towards 192.168.1.1.

The TMG has a Listener listening on 192.168.1.1 and allows only the "intranet.mjcomputers.co.uk" URL.

When you try "webmail.mjcomputers.co.uk", the router sees that this is HTTPS traffic and will forward the request to 192.168.1.1. The TMG listener for this IP does not allow the URL, so it will be denied.

Since you can't use the same IP (192.168.1.1) when using SSL (it doesn't support host headers like HTTP traffic), a solution would be to use a custom port for one of the sites.

ie.
intranet -> custom https (TCP 4343)
webmail -> default https (TCP 443)

If your router support this, I guess it should work. The back side is that users have to type the port number in the URL.

"https://intranet.mjcomputers.co.uk:4343"

0
 

Author Comment

by:TechLad
Would you recommend a router that would work better? Not that I disagree with that, I was just wanting to search around.
0
 
LVL 21

Expert Comment

by:snusgubben
I'm not into routers so I can't say buy this or that and you'll be fine :(

I'm also not sure a router will support this, since the external interface on the TMG is "internal". From the Internet you'll only see the routers public IP. Not the TMG's.
0
 

Author Comment

by:TechLad
I did try creating and changing the port number; it was working to a point: one site worked and the Exchange OWA came up with "page cannot be displayed". Not sure if that's an error on my part or, as you say, that the router just cannot support it. But at least it was not coming up with the same SSL certificate for both sites.
0
 
LVL 21

Expert Comment

by:snusgubben
If you're using custom ports you need to define it both on your router and TMG. Also set it up so that it redirects, e.g., port 4343 to 443 on the Bridging tab on the rule.

Assuming your router supports forwarding custom ports.
0
 

Author Comment

by:TechLad
My router seems to support custom ports. I did however find another router I got a while back and never used, a Linksys RV042, but it's a VPN router.
0
 

Author Closing Comment

by:TechLad
Thanks everyone
0
