Install & Configure Forefront TMG Back to Back solution Part 2

This article is the second and last part of my series about Installing and configuring Forefront TMG back to Back. In the first one I explained the network setup, network relationships, the TMG backend and TMG Frontend installations and some simple firewall rules. In the second part we will be configuring OWA for exchange 2003, web publishing rules, and incoming and outgoing SMTP mail.

Configuring OWA for exchange 2003 with FBA

Forms-based authentication(FBA) is one of the cool features that is included in the TMG software. The FBA enables the TMG’s capablility to enable the OWA logon form on the TMG firewall instead of enabling it on the exchange 2003 box. It enables you to force authentication on the TMG firewall before packets are forwared to the exchange 2003 box. If you want to create a fancy FBA logon page then check my post here.

requirements:

• FBA should be disabled on the exchange 2003 box.
• The TMG firewall that needs FBA needs to be joined to the domain. (thus we use the TMG-BE)
• A certificate with your companies webmail address should reside on the exchange 2003 and TMG-BE boxes. (the certificate should include something like webmail.test.com)
• A new forward lookup zone should be configured on the DC1 server named test.com. Create a new A record called webmail.test.com that points to 10.4.20.20
• At your provider you should create a DNS record that points webmail.test.com to ISP IP2

We want to make OWA dummy proof. Experience shows that users often forget the default URL https://webmail.test.com/Exchange . Users should be able to type the URL with HTTP or HTTPS and with or without /Exchange. So lets create the rules on the TMG-FE first :

• Rule Name : Publish Outlook Webmail Apps (OWA) – HTTP    (choose non-web publishing rule)
• Rule Number : 1
• Rule action : Allow
• Server IP : 10.6.0.2 (secondary ip on the TMG-BE external interface)
• Create New Protocol :  HTTP Server on Port 80 inbound
• Listener IP Address : External Interface IP : ISP IP2 only
• Make sure you enable : requests appear from original client
• Rule Name : Publish Outlook Webmail Apps (OWA) – HTTPS    (choose non-web publishing rule)
• Rule Number : 2
• Server IP : 10.6.0.2
• Protocol : HTTPS Server
• Listener IP Address : External Interface IP : ISP IP2 only
• Make sure you enable : requests appear from original client

Create the rules on the TMG-BE

• Name : Publish Outlook Webmail Apps (OWA) (Choose Exchange Client Access rule)
• Rule Number : 1
• Exchange version : exchange 2003
• Mail services : OWA
• Rule action : Allow
• Publishing Type : single website
• Server Connection Security : SSL
• Internal Sitename : webmail.test.com
• Ip Address : 10.4.20.20
• Request appear to come from TMG
• Public name details : webmail.test.com
• Create New Listener
• Web Listener Name : HTTP(S) OWA
• Client Connection Security : SSL (HTTPS en HTTP)
• Enable redirection http to https
• Web Listener IP Address : Perimeter Interface IP : 10.6.0.2 only
• Certificate : webmail.test.com
• Authentication Settings : HTML Form authentication
• Validation : Windows (active directory)
• SSO : disabled
• Authentication Delegation : basic authentication
• User Set : All authenticated users group
• Edit the newly reated rule ang go to the paths tab
• Add the following path : (beware the Capital E of Exchange and the \ at the end)

• on the TO tab make sure you enable : requests  from Forefront TMG

Outlook Web Access should work just fine by now. Just test it by accessing it remotely.

Configuring webserver access internally and remotely

Users need to access the webserver from outside the network but also from inside the corporate network. To accomplish this you need to config the following:

• in the new forward lookup zone create a new A record called http://www.test.com that points to 10.6.10.10
• At your provider you should create a DNS record that points http://www.test.com to ISP IP1
• The default gateway of the webserver points to the internal interface of the TMG-FE. So the webserver does not know the route to VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. Therefore you need static routes on the webserver to access those networks.

Create the rule on the TMG-FE first :

• Rule Name ; Publish HTTP traffic to the webserver (choose web publishing rule)
• Rule Number : 2
• Rule action : Allow
• Publishing Type : single website
• Server Connection Security : NON-SSL
• Internal Sitename : http://www.test.com
• Ip Address : 10.6.10.10
• Path : /*
• Public Name : http://www.test.com
• Path : /*
• Create New Listener
• Web Listener Name : HTTP WWW
• Client Connection Security : NON-SSL
• Web Listener IP Address : External Interface IP : ISP IP1 only
• Authentication Settings : None
• Authentication Delegation : No delegation, client cannot authenticate
• User Sets : All Users

Create the rule on the TMG-BE :

• Name : Allow HTTP(s), RDP, FTP traffic to the webserver (choose access rule)
• Rule Number : place above normal http traffic rule
• Rule Action : Allow
• Protocols : HTTP, HTTPS, RDP, FTP
• From : Internal Networks
• To : Webserver
• User Sets : All Users

Now you are done !. We achieved access to the webserver from the outside world and from the internal corporate network.

Configuring inbound and outbound mail (SMTP)

Since we are hosting our mail solution internally we need to achieve inbound and outbound mail traffic.

requirement:

• At your provider you should create a MX DNS record that points mail.test.com to ISP IP3
• The default gateway of the barracuda points to the internal interface of the TMG-FE. Therefore it does not know the route to the 10.4.x.x network. We need to add a static route on the Barracuda. If you have a 600 model or higher you can add the static route right away. However if you have a 400 model that option is not available. If you contact barracuda support they will enable that option for you.

Create the rule on the TMG-FE first :

• Name : Publish mail traffic to antispam firewall (mail publishing rule)
• Rule Number : place on top
• Access Type : Server to server communication SMTP,NNTP
• Services : SMTP (custom SMTP server protocol port 25 inbound with SMTP filter disabled)
• From : Anywhere
• Server IP Address : 10.6.20.20 (the barracuda)
• Network Listener IP Address : External Interface  IP : ISP IP3 only
• Make sure you enable : requests appear from original client

Create the rule on the TMG-BE :

• Name : Allow mail traffic to internal LAN (choose access rule)
• Rule Number : place on top
• Rule Action : Allow
• Protocols : SMTP
• From : Barracuda
• To : Exchange 2003 Back-End
• User Sets : All Users
• Name : Allow mail traffic to outside (choose access rule)
• Rule Number : place on top
• Rule Action : Allow
• Protocols : SMTP
• From : Exchange 2003 Back-End
• To : external
• User Sets : All Users

This concludes my 2 part series about Installing and configuring Forefront TMG Back to Back solution. I hope its usefull for you and feel free to comment.