Walkthrough Series: Threat Management Gateway \ Exchange publishing

Since it seems to be a popular series I wanted to consolidate links to all my TMG Publishing articles.

As you may know they are designed to be a very simple walkthrough to get you started, the in no way cover every scenario but it should be enough to get you started.Then once you have it working, backup the config and tweak to your hearts content :), Have fun securing exchange.

OWA
EWS\Outlook anywhere
Alternate method without pre-auth: using the same listener as OWA
Active sync
SMTP
Front-End \ Back-end TMG
Ehlo article and Detailed white Paper From Greg Taylor.

Publishing Exchange through TMG Back-end\Front-end configuration

Posted by Jedi Hammond

Can you believe it I finally got this done! This process can be used for Exchange 2007 or 2010.
This is a basic walkthrough on getting OWA published through a TMG Front-end\Back-end scenario.

Well lets get started!
First we have to establish the basic configuration

The lab will be configured as shown

First Obviously we need physical connectivity as defined.

2 TMG servers with 2 NICs each
Each with a NIC on the DMZ network.
The Frontend connected to the ISP
The Backend connected to the LAN

Backend server

Configure NICs
1. DMZ NIC = IP: 192.168.1.2/24, Gateway: 192.168.1.1, , DNS: Null
2. Inter NIC = IP: 192.168.2.1/24 Gateway: Null, DNS: 192.168.2.10 (Internal Domain DNS)
Join to domain
Install TMG
Configuration
1. Getting Started Wizard
2. Configure Network Settings
  1. Next
  2. Next
  3. Important: Choose Private at the Bottom so the BE can route.
  5. Finish
3. Configure System Settings
  1. I make sure mine is connected to the domain (just makes permissions easier)
4. Define Deployment options
  1. This is a preference but for this Lab I disable all updates or NIS updates
5. Remote Access Wizard (again preference But I limit config as this is a publishing lab not client access)
  5. This one can make troubleshooting difficult if configured any other way
6. Network Rule Creation
  1. Edit the Internal to Perimeter Rule
7. Firewall Rule Creation

Front-end server

Configure NICs
1. DMZ NIC = IP: 192.168.1.1/24, Gateway: 192.168.1.1, , DNS: 192.168.2.10 (Internal Domain DNS)
2. Inter NIC = IP: ISP assigned Gateway: ISP assigned, DNS: null
Install TMG
Configuration
1. Getting Started Wizard
2. Configure Network Settings
  1. Next
  3. Be sure to add the additional route for the LAN network behind the back-end server.
    This also adds the internal LAN network to the Internal Network object(networking\networks), and adds a static route for the Internal network as well (Networking\routing tab)
  4. In my case I have a dynamic IP in my lab, but this would be your ISP provided IP
  6. At this point you should have routing connectivity to the domain.
3. Configure System Settings
  1. I make sure mine is connected to the domain (just makes permissions easier)
    
    You can join the domain here
4. Define Deployment options
  1. This is a preference but for this Lab I disable all updates or NIS updates
5. Remote Access Wizard (again preference But I limit config as this is a publishing lab not client access)
  5. This one can make troubleshooting difficult if configured any other way
6. Publishing Rules (Same as previous Posts, sample here see other posts for more details)
  2. This is a basic auth listener that will work for OWA\EAS\OLA but doesn’t include forms
  7. Make sure this Name is accessible from the FE server (the name also needs to be on the trusted certificate on the exchange server)
  17. This may change based on your scenario
  19. Finish
7. Apply Changes and Test!!!

Note: I also like to create a test Rule that I leave disabled unless I need to determine if I have a Firewall rule issue or Network issue.

Here is another reference for the same process in a slightly different scenario
http://araihan.wordpress.com/2010/06/17/how-to-configure-back-to-back-firewall-with-perimeter-dmz-topology-step-by-step-guide/

You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG

Posted by Jedi Hammond

Some of you have been able to use my basic quick and dirty walkthrough for publishing Exchange2010 with TMG.

Good news! there is a very detailed whitepaper from Greg Taylor that goes in to much more detail.

Here is a link to the whitepaper as well as the EHLO article.

That being said I am still working on the:
Internet –> TMG FE –> TMG BE –> Exchange Publishing rules and hopefully will have the walkthrough done by the 23rd.

You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG

Publish Exchange 2010 with TMG (cont)

Posted by Jedi Hammond

Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 3/4 active sync)

Configure Active sync rule on TMG

Open Forefront TMG
Click on
In the Action Pane under Task click
Give the rule a Name ill name mine “2010 Activesync”
Next –> Next
Internal Site Name should be your CAS server FQDN (needs to be on the cert)
The external name is what you use to access active sync(Also needs to be on the cert)
Select the Listener OA listener created on Part 2.
Finish
Now Outlook anywhere is published!

Go Back To OWA

Go Back to Outlook anywhere

Move on to SMTP

Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

1. OWA
2. EWS\Outlook anywhere
3. Active sync
4. SMTP

Publish Exchange 2010 with TMG (cont)

Posted by Jedi Hammond

Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 2/4 EWS\Outlook anywhere)

Configure Outlook anywhere rule on TMG

Open Forefront TMG
Click on
In the Action Pane under Task click
Give the rule a Name ill name mine “2010 OA”
Next –> Next
Internal Site Name should be your CAS server FQDN (needs to be on the cert)
The external name is what you use to access OA (Also needs to be on the cert)
Click new to make a new Listener
Name it whatever you want, I named mine “Basic Auth” because I am going to use it for Basic auth for OA\EWS.
Select one of the External IPs listed (not all IP addresses or you cant do multiple auth methods)
Select the certificate you imported earlier
Use HTTP Authentication
Click –> Next –> Finish –> Select the Listener.
Finish
Now Outlook anywhere is published!

Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

1. OWA
2. EWS\Outlook anywhere
3. Active sync
4. SMTP

Publish Exchange 2010 with TMG (Forefront Threat Management Gateway)

Posted by Jedi Hammond

Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 1/4 OWA)

Keep in mind to do it this way you need to have the following

At least 2 External IPs listed on the external NIC (in order to have both forms based auth for OWA\ECP and Basic for OA,EWS,EAS
A multi-name trusted Certificate with all applicable names (For more information) –This is critical!
TGM can authenticate with AD already (either domain joined or authentication configured)

Start By preparing the exchange server

Configure Exchange 2010 for basic authentication
1. Run the following on the CAS server that will be published
  - Set-OwaVirtualDirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
  - set-WebServicesVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
  - set-EcpVirtualdirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
  - set-OabVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
  - set-ActiveSyncVirtualDirectory -id <CasServer>\* -BasicAuthentication $true
Copy the 3rd party certificate to the TMG server.
1. Click Start –> Run –> Type MMC
2. Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
3. Click Personal –> certificates
4. Right Click on 3rd party certificate and click all tasks –> export
5. Click Next –> Yes, Export Private Key –> Base-64 –> next –> Browse for file location.
6. Next-> finish
7. Copy certificate file to the TMG server
8. Click Start –> Run –> Type MMC
9. Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
10. Click Personal –> Right Click certificates –> all task –> import –> next –> select file –> next –> next finish
Configure OWA Rule on TMG
1. Open Forefront TMG
2. Click on
3. In the Action Pane under Task click
4. Give the rule a Name ill name mine “2010 OWA”
6. Next –> Next
8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
10. The external name is what you use to access OWA (Also needs to be on the cert)
12. Click new to make a new Listener
14. Name it whatever you want, I named Mine FBA because I am going to use it for Forms Based auth for OWA.
16. Select one of the External IPs listed (not all IP addresses or you cant do multiple auth methods)
18. Select the certificate you imported earlier
20. Use Form Authentication
22. You can configure SSO if you have other sites that will use this listener
24. Click –> Next –> Finish –> Select the Listener.
27. You CANNOT use “all users” here you need to have authenticated users or another group that requires authentication or your will not get prompted for auth. and get a 500.24 in browser
28. Finish
29. Now OWA is published!
Now on to EWS\Outlook Anywhere