peter_ophoven asked on

Do I need a certificate for Backend Exchange Server 2003 as well as TMG 2010 Front End?

We are replacing our 2003 Exchange Front End Server Role with TMG 2010.  In our first attempt we put an SSL certificate on the TMG 2010 and published OWA.

We used an existing certificate that we had already installed on the Front End Exchange Server 2003.  It has "Webmail.Company.Com".  We assumed we had to use the same certificate that was on the Front End Server for the TMG 2010 server.
We published OWA and everything seemed to be working but we couldn't connect to the backend exchange server.
The errors seemed to indicate that there was no SSL communications between the TMG and the Back End Server.
But when we had the Front End server running we didn't have SSL between the Front End Server and the Back End Server, since we couldn't put SSL through our Firewall.

Do I need to install the same SSL certificate on the Back End Server?
The name on the existing certificate doesn't include the back end server's common or FQDN, only the front end server name space.
It seems maybe I over estimated the capabilities of the TMG program before trying to implement this solution.

Any advice would be greatly appreciated.
Microsoft Forefront ISA Server, Exchange, SSL / HTTPS


Yes, you will need to install the same certificate on TMG and the backend server.

The difference is that, with TMG, TMG will open another HTTPS session with the backend, so it requires a certificate on the latter.

Certificates are difficult for me to grasp as a security solution. We created one years ago and haven't changed it.
If I request a cert from our single CA, let's say a web remote certificate, put in the common name of the back end server, the outside web address that our clients will be connecting to and the FQDN of the back end server, and then place it in the published OWA and then, I guess, in the personal store of the back end Exchange server (or IIS maybe).

Will this resolve the SSL problem I am having?
Will this work the same for RPC over HTTPS?

The certificate doesn't need to include the internal server name.

On the backend server, start Run, mmc, Add/Remove Snap-ins, Certificates, Computer, Local computer, Personal, import the PFX file you have there and then assign it to the default website in IIS.

Yes, the same goes for RPC over HTTP.
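As an added, illustrative check (not code from this thread): TMG opens its own HTTPS session to the back end and validates the certificate it receives there, so the back-end certificate must chain to a CA that TMG trusts and must cover the name TMG uses to reach the back end (the published name such as webmail.company.com, not necessarily the server's own FQDN). The script parses the dictionary that Python's `ssl` module returns for a validated peer certificate and tests name coverage; the host, CA file path and sample certificate data are constructed placeholders.

```python
import socket
import ssl


def names_from_peercert(peercert):
    """Collect the CN and DNS SANs from the dict ssl.SSLSocket.getpeercert() returns."""
    names = []
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return names


def covers(cert_names, hostname):
    """True if any certificate name matches hostname; a wildcard covers one left-most label only."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        if name == host:
            return True
        # *.company.com covers webmail.company.com but not company.com or a.b.company.com
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_backend(host, expected_name, cafile, port=443):
    """Handshake with the back-end IIS like TMG would: the chain must validate against cafile
    (the internal CA TMG trusts), then the name TMG connects with must be covered.
    Hostname checking is left to covers() so a mismatch is reported instead of raising."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # chain is still verified (CERT_REQUIRED)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            names = names_from_peercert(tls.getpeercert())
    return covers(names, expected_name), names


# Constructed sample in the shape getpeercert() returns, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "webmail.company.com"),)),
    "subjectAltName": (("DNS", "webmail.company.com"), ("DNS", "autodiscover.company.com")),
}

if __name__ == "__main__":
    names = names_from_peercert(SAMPLE_CERT)
    print("published name covered:", covers(names, "webmail.company.com"))
    print("internal FQDN covered:", covers(names, "exchbe01.corp.local"))
    # live check, placeholder values: check_backend("exchbe01.corp.local", "webmail.company.com", "internal-ca.pem")
```

The live check fails with an SSL error if the back-end chain is not trusted by the CA file, which is the same condition TMG enforces from its own trusted root store.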
Keith Alabaster

It depends on your security model and what you actually want to achieve. Believe it or not, I have seen installations where HTTPS is only applied between the client and the FTMG server. Using the publishing wizard they then bridge (and redirect) the HTTPS to HTTP between the FTMG server and the backend server. In those cases, the backend doesn't even need a certificate. Would I do it? Absolutely not, but it works.


I think this may be a dumb question. With the decommissioning of the front end server, how can I be sure that emails will be routed to the back end server?

Will the TMG automatically detect the emails and forward them back to the mail server?
I am pretty sure, from the current thread, how clients will connect via the TMG 2010 via OWA or Outlook Anywhere (RPC over HTTP), but what about emails?
Keith Alabaster

Your MX record points to the FTMG external IP address. You run the Publish a non-web server wizard on FTMG, selecting the SMTP server protocol, and provide the internal IP address of the Exchange server holding the transport role.
The Exchange server must have FTMG as its default gateway, or at least an upstream device that will route traffic back to the FTMG server if it is on a different subnet.

My back end Exchange server sends outgoing email via a different IP address than the one on which it receives email from the front end.
The front end gets mail from 207.xxx.xxx.3 (to be replaced by the TMG), and our outgoing interface is where all data is routed, 207.xxx.xxx.2 (default route).
From your post, are you implying the TMG would need email routed back to it for sending purposes, rather than just letting my back end Exchange server do the sending?
Keith Alabaster


What I am saying is that:
a) The Exchange server needs to be able to get back through FTMG to the client so as to be able to establish and maintain a connection.
b) When mail is sent by the Exchange server it needs to leave with the IP address of the A records associated with your MX records. If that A record points to the external IP of the FTMG, then the Exchange box will need to send outbound mail routed through the FTMG so it can carry out any NAT activity accordingly.

In SMTP, all FTMG does (unless you have the Edge Transport role installed) is pass traffic through to the internal device. It does not terminate and regenerate or anything clever.

We have a smart host on the outside of our company filtering all inbound and outbound traffic. They are checking for viruses, spam, and all other unwanted email gristle. They host our MX records.

We are not putting the TMG on the outside of all of our company's traffic, only email traffic sent from our smart host to the IP 207.xxx.xxx.3.
Can the SSL from the TMG server pass through our gateway / firewall (with just port 443 open) to the back end server? We have about 20 ports open now for front end Exchange traffic and back end Exchange traffic to communicate with each other. Can I close all of those ports?

I am worried that the back end Exchange server will have trouble talking to our outside clients without the front end server. My back end server is also a domain controller and is running on the inside interface in a different subnet than the TMG server. You mentioned that I will need to change the back end Exchange server to have its default gateway going through the TMG. This will definitely affect other services; is there any way around this?

Mind you, we are migrating to a 2007 Exchange server after the TMG is online. It will host our mailboxes, Hub Transport and CAS roles. It will not be a DC and, if necessary, could have its default gateway be the TMG, but not our 2003 back end server.

I receive a message that the Forefront server will not allow server-to-server mail connections through a single-adapter setup.
We have our Cisco ASA 5510 configured with the perimeter interface; the public IP comes through the Cisco, which passes data to the perimeter interface and then to the TMG server.
So we don't need two adapters, but Forefront says I cannot configure the SMTP email traffic without two. Is there any way around this?
I would like to just forward mail through the static IP from the public interface, and then through the TMG server to the back end Exchange server, exactly the way our front end server is doing it now.
Can this be done?
Thanks again for your help.
Keith Alabaster

So you are only using FTMG as a proxy server, not as a firewall proxy, i.e. only one NIC? It can't be done then as you envision it. In single-NIC mode FTMG and ISA Server can only handle proxy traffic, effectively HTTP and HTTPS. SMTP is not a proxyable protocol and would require FTMG to have two NICs.

Okay. Good to know.
I did not know that.

I will have to redesign.
It is probably more secure to use it as a firewall as well as a proxy, taking it out of my ASA 5510, or at least pulling the public IP off the ASA and sending it directly to the system.
That would be better.

There is no need to remove your ASA; you can simply run them back-to-back.
Keith Alabaster

No problem Peter

Currently I have my MX records internally pointed to both my front end Exchange server and my back end Exchange server.
If my Forefront server will be receiving the public IP and then pushing email into my inside network, do I need to have an MX record on my local DNS for the Forefront server (as I do now with the front end server)?
Does the Forefront server need to deal in MX records as part of its pathway to forward the email to the back end server?

I think in my redesign I will continue to utilize the ASA 5510 as a perimeter network interface, but instead create an external network on the Forefront with the public IP address from the outside. I will have the email come through that public IP and keep the other interface to be scrutinized as the perimeter through the ASA 5510.
I am just wondering how the Forefront will forward email to the back end server (whether it is a direct push by IP or name resolution using MX records of the internal DNS).

Thanks again.
Keith Alabaster

No. When you publish the internal mail server you give the specific IP address to which the mail will be forwarded (the box running the transport role).

We encountered many errors trying to configure the TMG in production with the Cisco ASA 5510. Plus, we were never able to get SMTP online to the back-end server.

We are still working out the details, but this thread was extremely helpful.
Thanks again.