Walkthrough Series: Threat Management Gateway \ Exchange publishing


Since it seems to be a popular series I wanted to consolidate links to all my TMG Publishing articles.

As you may know they are designed to be a very simple walkthrough to get you started, the in no way cover every scenario but it should be enough to get you started.Then once you have it working, backup the config and tweak to your hearts content :), Have fun securing exchange.

  1. OWA
  2. EWS\Outlook anywhere
    Alternate method without pre-auth: using the same listener as OWA
  3. Active sync
  4. SMTP 
  5. Front-End \ Back-end TMG 
  6. Ehlo article and Detailed white Paper From Greg Taylor.
Advertisements

Publishing Exchange through TMG Back-end\Front-end configuration


Can you believe it I finally got this done! This process can be used for Exchange 2007 or 2010.
This is a basic walkthrough on getting OWA published through a TMG Front-end\Back-end scenario.

Well lets get started!
First we have to establish the basic configuration

The lab will be configured as shown

image

First Obviously we need physical connectivity as defined.

  • 2 TMG servers with 2 NICs each
  • Each with a NIC on the DMZ network.
  • The Frontend connected to the ISP
  • The Backend connected to the LAN

Backend server

  1. Configure NICs
    1. DMZ NIC =  IP: 192.168.1.2/24, Gateway: 192.168.1.1, , DNS: Null
    2. Inter NIC = IP: 192.168.2.1/24 Gateway: Null, DNS: 192.168.2.10 (Internal Domain DNS)
  2. Join to domain
  3. Install TMG
  4. Configuration
    1. Getting Started Wizard
      image
    2. Configure Network Settings
      1. Next
        image
      2. Next
        image
      3. Important: Choose Private at the Bottom so the BE can route.
      4. image
      5. Finish
    3. Configure System Settings
      1. I make sure mine is connected to the domain (just makes permissions easier)
        image[65]
    4. Define Deployment options
      1. This is a preference but for this Lab I disable all updates or NIS updates
    5. Remote Access Wizard (again preference But I limit config as this is a publishing lab not client access)
      1. image
      2. image
      3. image
      4. image
      5. This one can make troubleshooting difficult if configured any other way
        image
      6. image
      7. image
    6. Network Rule Creation
      1. Edit the Internal to Perimeter Rule
        image
      2. image
      3. image
    7. Firewall Rule Creation
      1. image
      2. image
      3. image
      4. image
        image
        image
      5. image
      6. image
      7. imageimage
      8. imageimage
      9. image
      10. image
      11. image
      12. image

Front-end server

  1. Configure NICs
    1. DMZ NIC =  IP: 192.168.1.1/24, Gateway: 192.168.1.1, , DNS: 192.168.2.10 (Internal Domain DNS)
    2. Inter NIC = IP: ISP assigned Gateway: ISP assigned, DNS: null
  2. Install TMG
  3. Configuration
    1. Getting Started Wizard
      image
    2. Configure Network Settings
      1. Next
      2. image
      3. Be sure to add the additional route for the LAN network behind the back-end server.
        This also adds the internal LAN network to the Internal Network object(networking\networks), and adds a static route for the Internal network as well (Networking\routing tab) 
        imageimage
      4. In my case I have a dynamic IP in my lab, but this would be your ISP provided IP
        image
      5. image
      6. At this point you should have routing connectivity to the domain.
    3. Configure System Settings
      1. I make sure mine is connected to the domain (just makes permissions easier)
        image
        You can join the domain here
    4. Define Deployment options
      1. This is a preference but for this Lab I disable all updates or NIS updates
    5. Remote Access Wizard (again preference But I limit config as this is a publishing lab not client access)
      1. image
      2. image
      3. image
      4. image
      5. This one can make troubleshooting difficult if configured any other way
        image
      6. image
      7. image
    6. Publishing Rules (Same as previous Posts, sample here see other posts for more details)
      1. image
      2. This is a basic auth listener that will work for OWA\EAS\OLA but doesn’t include forms
      3. image
      4. image
      5. image
      6. image
      7. Make sure this Name is accessible from the FE server (the name also needs to be on the trusted certificate on the exchange server)
        image
      8. image
      9. image
      10. image
      11. image
      12. image
      13. image
      14. image
      15. image
      16. image
      17. This may change based on your scenario
        image
      18. image
      19. Finish
    7. Apply Changes and Test!!!

 

Note: I also like to create a test Rule that I leave disabled unless I need to determine if I have a Firewall rule issue or Network issue.
image

Here is another reference for the same process in a slightly different scenario
http://araihan.wordpress.com/2010/06/17/how-to-configure-back-to-back-firewall-with-perimeter-dmz-topology-step-by-step-guide/

You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG


Inbox_blogSome of you have been able to use my basic quick and dirty walkthrough for publishing Exchange2010 with TMG.

Good news! there is a very detailed whitepaper from Greg Taylor that goes in to much more detail.

Here is a link to the whitepaper as well as the EHLO article.

That being said I am still working on the:
Internet –> TMG FE –> TMG BE –> Exchange Publishing rules and hopefully will have the walkthrough done by the 23rd.

You Had Me At EHLO… : Publishing Exchange Server 2010 with Forefront UAG and TMG

Publish Exchange 2010 with TMG (cont)


Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 3/4 active sync)

Configure Active sync rule on TMG

  1. Open Forefront TMG
  2. Click on image_thumb5[1]
  3. In the Action Pane under Task click  image_thumb6[2]
  4. Give the rule a Name ill name mine “2010 Activesync”
  5. image
  6. Next –> Next
  7. image
  8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
  9. image
  10. The external name is what you use to access active sync(Also needs to be on the cert)
  11. image
  12. Select the Listener OA listener created on Part 2.
  13. image_thumb24[1]
  14. image
  15. image
  16. Finish
  17. Now Outlook anywhere is published!
  • Go Back To OWA
  • Go Back to Outlook anywhere

  • Move on to SMTP

    Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

    1. OWA
    2. EWS\Outlook anywhere
    3. Active sync
    4. SMTP

  • Publish Exchange 2010 with TMG (cont)


    Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 2/4 EWS\Outlook anywhere)

    Configure Outlook anywhere rule on TMG

    1. Open Forefront TMG
    2. Click on image_thumb5[1]
    3. In the Action Pane under Task click  image_thumb6[1]
    4. Give the rule a Name ill name mine “2010 OA”
    5. image
    6. Next –> Next
    7. image_thumb8[1]
    8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
    9.  image_thumb9[1]
    10. The external name is what you use to access OA (Also needs to be on the cert)
    11. image
    12. Click new to make a new Listener
    13. image_thumb11[1]
    14. Name it whatever you want, I named mine “Basic Auth” because I am going to use it for Basic auth for OA\EWS.
    15. image_thumb12[1]
    16. Select one of the External IPs listed (not all IP addresses or you cant do multiple auth methods)
    17. image
    18. Select the certificate you imported earlier
    19. image_thumb14[1]
    20. Use HTTP Authentication
    21. image 
    22. Click –> Next –> Finish –> Select the Listener.
    23. image
    24. image 
    25. image_thumb19[1]
    26. Finish
    27. Now Outlook anywhere is published!

    Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

    1. OWA
    2. EWS\Outlook anywhere
    3. Active sync
    4. SMTP

    Publish Exchange 2010 with TMG (Forefront Threat Management Gateway)


    Walkthrough on publishing all roles through TMG with AD pre-auth on TMG. (Part 1/4 OWA)

    Keep in mind to do it this way you need to have the following

    1. At least 2 External IPs listed on the external NIC (in order to have both forms based auth for OWA\ECP and Basic for OA,EWS,EAS
    2. A multi-name trusted Certificate with all applicable names (For more information) –This is critical!
    3. TGM can authenticate with AD already (either domain joined or authentication configured)

    Start By preparing the exchange server

    1. Configure Exchange 2010 for basic authentication
      1. Run the following on the CAS server that will be published
        • Set-OwaVirtualDirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
        • set-WebServicesVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
        • set-EcpVirtualdirectory -id <CasServer>\* -BasicAuthentication $true -WindowsAuthentication $true -FormsAuthentication $false
        • set-OabVirtualDirectory -id <CasServer>\* -WindowsAuthentication $true -BasicAuthentication $true
        • set-ActiveSyncVirtualDirectory -id <CasServer>\* -BasicAuthentication $true
    2. Copy the 3rd party certificate to the TMG server.
      1. Click Start –> Run –> Type MMC
      2. Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
      3. Click Personal –> certificates
      4. Right Click on 3rd party certificate and click all tasks –> export
      5. Click Next –> Yes, Export Private Key –> Base-64 –> next –> Browse for file location.
      6. Next-> finish
      7. Copy certificate file to the TMG server
      8. Click Start –> Run –> Type MMC
      9. Click File –> add remove Snap-in –> Certificates –> ADD –> Computer account-> Next –> finish-> ok
      10. Click Personal –> Right Click certificates –> all task –> import –> next –> select file –> next –> next finish
    3. Configure OWA Rule on TMG
      1. Open Forefront TMG
      2. Click on image
      3. In the Action Pane under Task click  image
      4. Give the rule a Name ill name mine “2010 OWA”
      5. image
      6. Next –> Next
      7. image
      8. Internal Site Name should be your CAS server FQDN (needs to be on the cert)
      9. image
      10. The external name is what you use to access OWA (Also needs to be on the cert)
      11. image
      12. Click new to make a new Listener
      13. image
      14. Name it whatever you want, I named Mine FBA because I am going to use it for Forms Based auth for OWA.
      15. image
      16. Select one of the External IPs listed (not all IP addresses or you cant do multiple auth methods)
      17. image
      18. Select the certificate you imported earlier
      19. image
      20. Use Form Authentication
      21. image
      22. You can configure SSO if you have other sites that will use this listener
      23. image
      24. Click –> Next –> Finish –> Select the Listener.
      25. image
      26. image
      27. image 
        You CANNOT use “all users” here you need to have authenticated users or another group that requires authentication or your will not get prompted for auth. and get a 500.24 in browser
      28. Finish
      29. Now OWA is published!
    4. Now on to EWS\Outlook Anywhere

     

    Publish Exchange 2010 with TMG (Forefront Threat Management Gateway) Series:

    1. OWA
    2. EWS\Outlook anywhere
    3. Active sync
    4. SMTP