Solved

Publishing more than one SSL/HTTPS website in Forefront TMG

Posted on 2010-09-15
Last Modified: 2012-05-10
Hi,

I need to publish more than one SSL/HTTPS website on my Forefront TMG server. However, I already have one website using port 443, and am not able to publish such things as my Exchange client access website or another website using the same port.

Can anyone give me some advice on how to overcome this problem?

Thanks
Question by:TechLad
43 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 33681111
If you want to publish on a different port, take a look here:

http://www.kalabaster.com/dasblog/2009/11/08/SSLPortNotSupportedInISAAndFTMGHowToChangeTheseDefaultsOfPorts563And443Only.aspx

Also, you can publish another website using the same listener (certificate, IP address and port), but a different public name:

1. Create a DNS A record, let's say site2 (the public name will be site2.domain.com).
2. On the new rule, specify the public name.

A third solution would be using internal and external paths:

From the rule's Paths tab:

specify the external path as /site2/*

Then you can access site2 as https://domain/site2
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 33681317
More clarification for method three:

Create a new publishing rule with the same listener (IP, port and certificate) and the same public name (domain.com). You only need to change the To tab to point to the site (web server) and change the internal and external paths; the external path should be /site2/*, so you can access the website as https://domain.com/site2. For the internal path you can use /*.

But make sure that other rules which use the same listener don't have /* as the external path, but anything else, like /site1/*.


Hope this will help.
 

Author Comment

by:TechLad
ID: 33689675
Any step-by-step instructions on these ways?
 

Author Comment

by:TechLad
ID: 33689722
None of them explain how I can publish more than one HTTPS website on the same listener using port 443. I've already got one website using that listener and port, and am unable to publish my Exchange client access server, on a different domain member.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33710735
Add another IP address to the TMG server and use that for publishing Exchange.

I use this approach: 1 IP for the SharePoint (with AAM) and MSCRM listener and 1 IP for a dedicated Exchange listener.

 

Author Comment

by:TechLad
ID: 33710834
Does that require more NICs?
 
LVL 21

Expert Comment

by:snusgubben
ID: 33710875
Nope. You just add it as an additional IP on the same NIC.

If your existing listeners are set to "all IPs", you have to correct this to your old IP. When you create a new Exchange listener, you set it to your new IP.

You can't use multiple host headers with SSL in the traditional way like you do with non-SSL sites, so adding an additional IP is one way to get past this.
 

Author Comment

by:TechLad
ID: 33711080
Can you run it by me step by step, please?
 
LVL 21

Accepted Solution

by: snusgubben (earned 1000 total points)
ID: 33711464
On the TMG server:

1. Open the NIC properties (i.e. "Local Area Connection")
2. Properties - Internet Protocol TCP/IP (v4) - Advanced - Add an additional IP

On the TMG you need to change the listener from "All IP addresses" to your specific IP

ip.jpg
 

Author Comment

by:TechLad
ID: 33712059
I'm not sure I'm doing this correctly. I assume you add an additional IP address to the NIC which faces the internet. It's working to a point that way, but I have two different SSL certificates for two different sites.

For some reason both websites seem to have the same SSL certificate, even when I've clearly assigned it otherwise.
 
LVL 37

Expert Comment

by:meverest
ID: 33712770
Hi, does each hostname resolve to the right IP address?

i.e. when you "ping my.primary.host.com", does it resolve to a different IP address than "ping my.exchange.server.address"?

What happens when you try to access by the IP address (e.g. http://a.b.c.d and http://a.b.c.e)?

Cheers.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33712805
Did you set the correct SSL cert on each listener?
 

Author Comment

by:TechLad
ID: 33714708
It is returning the external IP address when you ping both addresses. As for the certificate, the correct certificate is selected for the two different websites. I'm not sure that this is the problem, but it's worth a try, rather than assigning the certificate for each IP address, to use a single certificate for this listener option instead.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33714918
Do you have two external IP addresses configured on the TMG server?

i.e.

MySite Listener: IP: xxx.xxx.xxx.100, SSL: mysite.com
Exchange Listener: IP: xxx.xxx.xxx.101, SSL: exchange.domain.com (preferred: UC SAN cert)

Split DNS:

External A-record: mysite.com -> xxx.xxx.xxx.100
Internal A-record: mysite.com -> 10.0.0.5

External A-record: exchange.domain.com -> xxx.xxx.xxx.101
Internal A-record: exchange.domain.com -> 10.0.0.8

(the internal addresses should match your IP structure)

 

Author Comment

by:TechLad
ID: 33714993
No, it only has one external NIC and one internal NIC on the TMG. It does have its own DNS service on the TMG server.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33715018
A NIC can have multiple IP addresses. You don't need a new NIC to add an IP.

I just wrote an example regarding DNS of how it can be done.
 

Author Comment

by:TechLad
ID: 33715042
Then that part of adding additional IP addresses outlined in ID: 33711464 has been done correctly. Do you have to add the internal IP of the web server as well in each web listener?
 

Author Comment

by:TechLad
ID: 33715412
I need someone to post me a step-by-step guide on how to do this whole thing. It's starting to really frustrate me; I have no idea where I'm going wrong. Please can someone help me with that?
 
LVL 21

Expert Comment

by:snusgubben
ID: 33716785
I'm afraid I can't give you a complete step-by-step, but maybe I can help you understand(?). I use ISA 2006, so I'm not sure TMG looks the same even though the configuration is the same.

The "Listener" is what the TMG listens on from the Internet. You don't have to add the internal IP of the web server on the Listener. Internal traffic should not be routed through the TMG, so split DNS is the way to go.

1. You've got the extra IP configured on the NIC. Make sure it's registered in your DNS.
Also make sure your existing rules are set to listen on the "old" IP. If you don't change this, it will not work.

2. Apply this IP to the Exchange Listener (see picture http:#33711464)
3. Configure a new Exchange rule, i.e. ActiveSync
4. Public name = FQDN seen from the Internet
5. Listener = pick the Exchange listener
6. To = internal site FQDN (like Exchange CAS)


Dunno if this just makes you more confused...
 

Author Comment

by:TechLad
ID: 33717522
This is the problem I'm having, as outlined in my screenshot. I've followed everything, I'm sure of it. I've got two SSL certificates for two sites, intranet and webmail mjncomputers.co.uk. When I've set up, say, my intranet website, that site works perfectly. However, when I publish the Exchange OWA it seems to use the SSL certificate for both sites when it has clearly been set up differently.

Would a Word document with screenshots of how I've configured this help you more with this question?
Untitled.png
 
LVL 21

Expert Comment

by:snusgubben
ID: 33718167
Seems like you're missing the DNS part.

"intranet.mjncomputers.co.uk" and "webmail.mjncomputers.co.uk" are resolving to the same public IP.

You need to create an A-record (host) on DynDns.com for webmail in this case.

 
LVL 21

Expert Comment

by:snusgubben
ID: 33718185
What version of Exchange do you have?
 

Author Comment

by:TechLad
ID: 33718268
webmail.mjncomputers.co.uk has already been set up from the start in DynDNS. As for Exchange, I'm running Exchange 2007.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33718292
Seems to me like they point to the same IP:

intranet.mjncomputers.co.uk     internet address = 86.181.230.245
webmail.mjncomputers.co.uk      internet address = 86.181.230.245
 

Author Comment

by:TechLad
ID: 33718317
So those need to be changed in DynDNS too?
 
LVL 21

Expert Comment

by:snusgubben
ID: 33718340
If you want webmail to work with SSL you need to point it to the new IP you added on your NIC.

There is no need to change the intranet record. Only the webmail record.
 

Author Comment

by:TechLad
ID: 33718366
So I assume we're talking about Forefront adding an additional IP address to the external NIC to the internet, or on the Exchange server? And pointing webmail to that new address?
 
LVL 21

Expert Comment

by:snusgubben
ID: 33718704
Yes, we're talking about adding an IP to the external NIC on the Forefront server.

You don't want to show your Exchange to the Internet :)

 

Author Comment

by:TechLad
ID: 33719279
I have attached a Microsoft Word document for you with some screenshots, for you to look over and see if you can pinpoint at what stage I've gone wrong. It's got me totally confused.
The-IP-address-of-the-external-c.doc
 
LVL 21

Expert Comment

by:snusgubben
ID: 33719560
I couldn't see anything wrong in the Word doc.

Your Forefront server uses internal IP addresses and the external NIC is connected to your router (IP: 86.181.230.245). Both "webmail" and "intranet" are pointed to your router (through DNS), so it should NAT the request to the Forefront server based on the host header.

Could you verify that your router is correct regarding NAT to your new IP on the Forefront server?
(I'm not a router expert, so I can not give you any advice regarding this)


Take a look at this article to see if you missed something basic: http://www.isaserver.org/tutorials/Publishing-Outlook-Web-Access-Microsoft-Forefront-TMG.html
 

Author Comment

by:TechLad
ID: 33719825
I'm not sure if the router is correct. These are the ports that have currently been opened to the Forefront TMG server. If need be, you can create custom rules to add in the router, but it's limited as to what it can do; you can only assign one rule for one device.
n2n2.png
 
LVL 21

Expert Comment

by:snusgubben
ID: 33720005
According to the picture, all HTTPS and HTTP requests are forwarded to 192.168.1.1. That could explain the issue you are seeing.

I'd be in deep water if I told you what to do with the router, but I think that's the issue. Do you have any documentation for the router, or support?
 

Author Comment

by:TechLad
ID: 33722513
I don't have any instructions for the router at the moment. What sort of rule should be open?
 
LVL 21

Expert Comment

by:snusgubben
ID: 33722861
All the router knows is that it should forward HTTPS traffic towards 192.168.1.1.

The TMG has a Listener listening on 192.168.1.1 and allows only the "intranet.mjcomputers.co.uk" URL.

When you try "webmail.mjcomputers.co.uk", the router sees that this is HTTPS traffic and will forward the request to 192.168.1.1. The TMG listener for this IP does not allow the URL, so it will be denied.

Since you can't use the same IP (192.168.1.1) when using SSL (it doesn't support host headers like HTTP traffic does), a solution would be to use a custom port for one of the sites.

i.e.
intranet -> custom HTTPS (TCP 4343)
webmail -> default HTTPS (TCP 443)

If your router supports this, I guess it should work. The downside is that users have to type the port number in the URL.

"https://intranet.mjcomputers.co.uk:4343"

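Added example (my own code, not from the thread and not TMG's own object model): a short offline Python model of the constraint that runs through the comments above, that an ISA/TMG SSL web listener is one (IP, port) pair serving exactly one certificate because SSL publishing has no host headers, combined with the public DNS and router port-forwarding checks the comments describe. It reproduces the three layouts discussed: both names on the single 443 listener (the symptom of one certificate showing for both sites), a second IP on the TMG's external NIC behind a router that still forwards 443 to one host, and the custom-port layout. All hostnames, addresses and certificate names are constructed sample data and assumptions, not the asker's real configuration.

```python
"""Added example, not from the thread: model ISA/TMG SSL web listeners as
(ip, port) -> exactly one certificate (SSL publishing has no host headers)
and check a set of publishing rules against public DNS and router forwards.

All names, IPs and certificate names below are constructed sample data."""
from collections import defaultdict


def name_matches(pattern, hostname):
    """Exact match, or a wildcard in the leftmost label only (RFC 6125 style):
    '*.example.com' covers webmail.example.com but not a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) and p[1:] == h[1:]


def rule(public_name, listener_ip, port, *cert_names):
    """One publishing rule: the public name it accepts, the listener (IP, port)
    it uses and the names in the certificate bound to that listener."""
    return {"public_name": public_name, "listener_ip": listener_ip,
            "port": port, "cert_names": tuple(sorted(cert_names))}


def check_rules(rules, public_dns, port_forwards):
    """public_dns: {hostname: IP as seen from the Internet}.
    port_forwards: {(public_ip, port): TMG IP the router sends it to}; an
    address with no entry is assumed to be on the TMG itself (no NAT).
    Returns a list of problems; an empty list means the layout can work."""
    problems = []
    # 1. Every rule sharing a listener must share its certificate: without
    #    SNI/host headers the listener cannot pick a certificate per name.
    certs = defaultdict(set)
    for r in rules:
        certs[(r["listener_ip"], r["port"])].add(r["cert_names"])
    for (ip, port), names in sorted(certs.items()):
        if len(names) > 1:
            problems.append(f"listener {ip}:{port} would need {len(names)} "
                            "certificates; use another IP or port, or one SAN/wildcard cert")
    # 2. The listener's certificate must cover the public name.
    for r in rules:
        if not any(name_matches(n, r["public_name"]) for n in r["cert_names"]):
            problems.append(f"{r['public_name']}: not covered by {r['cert_names']}")
    # 3. The name must actually reach that listener through DNS and the router.
    for r in rules:
        public_ip = public_dns.get(r["public_name"])
        if public_ip is None:
            problems.append(f"{r['public_name']}: no public A record")
            continue
        reached = port_forwards.get((public_ip, r["port"]), public_ip)
        if reached != r["listener_ip"]:
            problems.append(f"{r['public_name']}: port {r['port']} arrives at {reached}, "
                            f"listener is on {r['listener_ip']}")
    return problems


# Constructed sample data (RFC 5737 documentation address for the public side).
ROUTER_IP = "203.0.113.10"
PUBLIC_DNS = {"intranet.example.com": ROUTER_IP, "webmail.example.com": ROUTER_IP}

# As in the thread: both rules on the single 443 listener, different certificates.
BROKEN_RULES = [
    rule("intranet.example.com", "192.168.1.1", 443, "intranet.example.com"),
    rule("webmail.example.com", "192.168.1.1", 443,
         "webmail.example.com", "autodiscover.example.com"),
]
SINGLE_FORWARD = {(ROUTER_IP, 443): "192.168.1.1"}

# Second IP on the external NIC, but the router still forwards 443 to one host.
TWO_IP_RULES = [
    BROKEN_RULES[0],
    rule("webmail.example.com", "192.168.1.2", 443,
         "webmail.example.com", "autodiscover.example.com"),
]

# Custom port for the intranet: one forward per port, each to its own listener.
CUSTOM_PORT_RULES = [
    rule("intranet.example.com", "192.168.1.1", 4343, "intranet.example.com"),
    TWO_IP_RULES[1],
]
CUSTOM_PORT_FORWARDS = {(ROUTER_IP, 443): "192.168.1.2", (ROUTER_IP, 4343): "192.168.1.1"}

if __name__ == "__main__":
    for label, rules, forwards in [("one listener", BROKEN_RULES, SINGLE_FORWARD),
                                   ("two TMG IPs, one forward", TWO_IP_RULES, SINGLE_FORWARD),
                                   ("custom port", CUSTOM_PORT_RULES, CUSTOM_PORT_FORWARDS)]:
        print(label, check_rules(rules, PUBLIC_DNS, forwards) or "OK")
```

Run it and the first two layouts each report one problem while the custom-port layout passes. A single certificate listing both names (a UC/SAN or wildcard certificate, as suggested for the Exchange listener above) would also let both rules share one listener, which is what check 1 allows. To see which certificate a listener really serves for a name, `openssl s_client -connect 192.168.1.1:443 -servername webmail.example.com` from a host inside the network prints the served certificate's subject and subject alternative names.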
 

Author Comment

by:TechLad
ID: 33727194
Would you recommend a router that would work better? Not that I disagree with that; I was just wanting to search around.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33729836
I'm not into routers, so I can't say buy this or that and you'll be fine :(

I'm also not sure a router will support this, since the external interface on the TMG is "internal". From the Internet you'll only see the router's public IP, not the TMG's.
 

Author Comment

by:TechLad
ID: 33732933
I did try creating and changing the port number. It was working to a point: one site worked and the Exchange OWA came up with "page cannot be displayed". Not sure if that's an error on my part or, as you say, that the router just cannot support it. But at least it was not coming up with the same SSL certificate for both sites.
 
LVL 21

Expert Comment

by:snusgubben
ID: 33732970
If you're using custom ports you need to define them both on your router and on the TMG. Also set it up so that it redirects, i.e. port 4343 to 443, on the Bridging tab of the rule.

Assuming your router supports forwarding custom ports.
 

Author Comment

by:TechLad
ID: 33756931
My router seems to support custom ports. I did however find another router I got a while back and never used, a Linksys RV042, but it's a VPN router.
 

Author Closing Comment

by:TechLad
ID: 33916353
Thanks everyone