
Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 2


This article is the second part of my series about installing and configuring Forefront TMG back-to-back with Exchange 2010. In the first part I explained the network setup, the network relationships, the TMG-BE and TMG-FE installations and some simple firewall rules. In this second part we will configure OWA for Exchange 2010, the web publishing rules, and inbound and outbound SMTP mail.

Configuring OWA for Exchange 2010 with FBA

Forms-based authentication (FBA) is one of the nice features included in TMG. With FBA the OWA logon form is served by the TMG firewall instead of by the Exchange 2010 box: users have to authenticate on the TMG firewall before a single packet is forwarded to Exchange 2010, so an unauthenticated client never talks to the Client Access Server at all. If you want to create a fancy FBA logon page, check my post on that.

Requirements:

  • FBA must be disabled on the OWA virtual directory of the Exchange 2010 box and Basic authentication must be enabled there, because TMG delegates the user's credentials to Exchange with Basic authentication.
  • The TMG firewall that performs FBA must be joined to the domain so it can validate credentials against Active Directory (which is why we use the TMG-BE).
  • A SAN certificate containing your company's webmail name (something like webmail.test.com) must be installed on both the Exchange 2010 box and the TMG-BE.
  • In the internal DNS on DC1, create a new forward lookup zone named test.com with an A record webmail.test.com that points to 10.4.20.20. This is a split-DNS setup: every public test.com name you use also has to exist in this internal zone, otherwise internal clients cannot resolve it.
  • At your provider, create a public DNS record that points webmail.test.com to ISP IP2.
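The Exchange and DNS side of these requirements, as an added example that is not part of the original post. It assumes the Client Access Server is named EX01 and that the OWA and ECP virtual directories sit on the Default Web Site; the zone and record names are the ones from the article. The ECP directory is included because OWA 2010 hands users over to /ecp for the Options pages, and it needs the same authentication settings as /owa or the delegated Basic credentials will not be accepted there.

```powershell
# Added example, not from the original post. Run part 1 in the Exchange Management
# Shell on the CAS, part 2 on DC1 (or any host with dnscmd and rights on the DNS server).
# Assumption: CAS is named EX01, virtual directories are on the Default Web Site.

# --- 1. Exchange: TMG-BE owns the logon form and delegates with Basic auth, so the
#        OWA and ECP virtual directories must accept Basic and must NOT show their own
#        forms-based logon (otherwise users get a second logon page after TMG's).
Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web Site)" `
    -FormsAuthentication $false -BasicAuthentication $true
Set-EcpVirtualDirectory -Identity "EX01\ecp (Default Web Site)" `
    -FormsAuthentication $false -BasicAuthentication $true
iisreset /noforce

# Verify: FormsAuthentication must read False and BasicAuthentication True on both.
Get-OwaVirtualDirectory -Server EX01 |
    Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Server EX01 |
    Format-List Identity, FormsAuthentication, BasicAuthentication, WindowsAuthentication

# --- 2. Split DNS on DC1: the internal (AD-integrated) test.com zone answers
#        webmail.test.com with the CAS address, so the domain-joined TMG-BE reaches
#        10.4.20.20 directly, while the public zone at the ISP answers with ISP IP2.
dnscmd DC1 /ZoneAdd test.com /DsPrimary
dnscmd DC1 /RecordAdd test.com webmail A 10.4.20.20

# Verify the record and the name resolution the TMG-BE will see.
dnscmd DC1 /EnumRecords test.com webmail
nslookup webmail.test.com DC1
```

Because the internal test.com zone is now authoritative for internal clients, any other public name under test.com (www, mail, autodiscover) must be added to it as well; this is the usual split-DNS trap when a zone is created for a single record.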

We want to make OWA as foolproof as possible. Experience shows that users often forget the default URL https://webmail.test.com/owa, so they should be able to type the address with HTTP or HTTPS and with or without /owa. So let's create the rules on the TMG-FE first:

  • Rule Name : Publish Outlook Webmail Apps 2010 (OWA) – HTTP    (choose Non-Web Server Protocol Publishing Rule)
  • Rule Number : 1
  • Rule action : Allow
  • Server IP : 10.6.0.2 (secondary IP on the TMG-BE external interface)
  • Create New Protocol : HTTP Server on port 80 inbound
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear to come from the original client

  • Rule Name : Publish Outlook Webmail Apps 2010 (OWA) – HTTPS    (choose Non-Web Server Protocol Publishing Rule)
  • Rule Number : 2
  • Rule action : Allow
  • Server IP : 10.6.0.2
  • Protocol : HTTPS Server
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear to come from the original client

Because both rules pass the original client address through, the TMG-BE sees the real Internet source addresses in its logs and in the FBA audit trail. The flip side is that the TMG-BE's return traffic for those addresses must route back through the TMG-FE (its default gateway); if it takes another path the TCP handshake never completes.

Create the rules on the TMG-BE:

The first rule catches requests that do not go to the OWA paths and sends them to https://webmail.test.com/owa. A deny rule with a redirect does not drop the request; TMG answers it with an HTTP redirect to the configured URL.

  • Name : Publish Outlook Webmail Apps 2010 Redirect (OWA) (choose Exchange Web Client Access Publishing Rule)
  • Rule Number : 1
  • Exchange version : Exchange 2010
  • Mail services : OWA
  • Rule action : Deny
  • Redirect to : https://webmail.test.com/owa
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • IP Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : webmail.test.com
  • Create New Listener
  • Web Listener Name : HTTP(S) OWA 2010
  • Client Connection Security : SSL (HTTPS and HTTP)
  • Enable redirection from HTTP to HTTPS
  • Web Listener IP Address : Perimeter Interface IP : 10.6.0.2 only
  • Certificate : webmail.test.com
  • Authentication Settings : HTML Form Authentication
  • Validation : Windows (Active Directory)
  • SSO : disabled
  • Authentication Delegation : Basic authentication
  • User Set : All Authenticated Users
  • Edit the newly created rule and go to the Paths tab
  • Change it to the following:

  • Name : Publish Outlook Webmail Apps 2010 (OWA) (choose Exchange Web Client Access Publishing Rule)
  • Rule Number : 2
  • Exchange version : Exchange 2010
  • Mail services : OWA
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : SSL (the delegated Basic credentials travel to Exchange inside this SSL connection, so do not downgrade it to HTTP)
  • Internal Sitename : webmail.test.com
  • IP Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : webmail.test.com
  • Web Listener Name : HTTP(S) OWA 2010
  • Authentication Delegation : Basic authentication
  • User Set : All Authenticated Users
  • Edit the newly created rule and go to the Paths tab
  • Change it to the following:

  • On the To tab make sure you enable : requests appear to come from the Forefront TMG computer

Outlook Web App 2010 should work just fine by now. Test it by accessing it remotely: http://webmail.test.com, https://webmail.test.com and https://webmail.test.com/owa should all end up on the TMG logon form, and the IIS logs on the CAS should show OWA requests only from the TMG-BE, never from Internet addresses.
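A way to run that remote test without a browser, as an added example that is not part of the original post. It is PowerShell 2.0 compatible (no Invoke-WebRequest) and is meant to run from a machine outside the network where webmail.test.com resolves to ISP IP2; the host name is the one from the article, the User-Agent string is made up. It follows no redirects, so each hop the two TMG firewalls produce is visible on its own.

```powershell
# Added example, not from the original post. Run from outside the network.
# Assumption: webmail.test.com resolves to ISP IP2 from where this runs.
$base = "webmail.test.com"

function Get-RedirectHop {
    param([string]$Url)
    # One hop only: we want to see TMG's own 302, not follow it.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = "GET"
    $req.UserAgent = "owa-path-check"   # arbitrary, only for the TMG log
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response    # 4xx/5xx still carry a response
        if ($resp -eq $null) {           # DNS/TCP/TLS failure: no response at all
            return New-Object PSObject -Property @{ Url = $Url; Status = 0; Location = $_.Exception.Message }
        }
    }
    $hop = New-Object PSObject -Property @{
        Url      = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers["Location"]
    }
    $resp.Close()
    return $hop
}

# Expected chain for the "foolproof" URLs:
#   http://.../       -> 302 https://.../        (listener HTTP-to-HTTPS redirect)
#   https://.../      -> 302 https://.../owa     (deny-and-redirect rule)
#   https://.../owa/  -> 302 /CookieAuth.dll?GetLogon?...  (TMG forms-based logon)
"http://$base/", "http://$base/owa", "https://$base/", "https://$base/owa/" |
    ForEach-Object { Get-RedirectHop $_ } |
    Format-Table Url, Status, Location -AutoSize

# The logon form must be TMG's, not Exchange's. TMG FBA answers an unauthenticated
# request with a redirect to its own CookieAuth.dll; a 401 from IIS or a 200 with
# Exchange's /owa/auth/logon.aspx means the request reached the CAS without
# pre-authentication on the firewall.
$hop = Get-RedirectHop "https://$base/owa/"
if ($hop.Status -eq 302 -and $hop.Location -match "CookieAuth\.dll") {
    "OK: TMG forms-based authentication is in front of OWA"
} else {
    "CHECK: /owa/ did not redirect to the TMG logon form (status $($hop.Status), Location '$($hop.Location)')"
}
```

Run it once from outside and once from an internal client: internally the name resolves to 10.4.20.20 and you should get Exchange's own Basic authentication challenge (401), which confirms that the internal zone and the changed OWA authentication settings are both in place.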

Configuring webserver access internally and remotely

Users need to access the webserver from outside the network but also from inside the corporate network. To accomplish this you need to configure the following:

  • In the new forward lookup zone create a new A record www.test.com that points to 10.6.10.10.
  • At your provider, create a public DNS record that points www.test.com to ISP IP1.
  • The default gateway of the webserver points to the internal interface of the TMG-FE, so the webserver does not know the route to VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. You therefore need static routes on the webserver for those networks, pointing at the perimeter interface of the TMG-BE.

Create the rule on the TMG-FE first:

  • Rule Name : Publish HTTP traffic to the webserver (choose Web Site Publishing Rule)
  • Rule Number : 2
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : non-SSL
  • Internal Sitename : www.test.com
  • IP Address : 10.6.10.10
  • Path : /*
  • Public Name : www.test.com
  • Path : /*
  • Create New Listener
  • Web Listener Name : HTTP WWW
  • Client Connection Security : non-SSL
  • Web Listener IP Address : External Interface IP : ISP IP1 only
  • Authentication Settings : None
  • Authentication Delegation : No delegation, client cannot authenticate
  • User Sets : All Users

Create the rule on the TMG-BE:

  • Name : Allow HTTP(S), RDP, FTP traffic to the webserver (choose access rule)
  • Rule Number : place above the normal HTTP traffic rule
  • Rule Action : Allow
  • Protocols : HTTP, HTTPS, RDP, FTP
  • From : Internal Networks
  • To : Webserver
  • User Sets : All Users

Allowing RDP and FTP from every internal host to a machine in the DMZ is more than ordinary users need. If you can, split this into an HTTP/HTTPS rule for All Users and a separate RDP/FTP rule whose From is a computer set with the administrators' workstations only.

That's it: the webserver is now reachable from the outside world and from the internal corporate network.

Configuring inbound and outbound mail (SMTP)

Since we host our mail solution internally, we need to get inbound and outbound mail traffic flowing.

Requirements:

  • At your provider, create an A record mail.test.com that points to ISP IP3, and an MX record for test.com that points to mail.test.com.
  • The default gateway of the Barracuda points to the internal interface of the TMG-FE, so it does not know the route to the 10.4.x.x network, and we need to add a static route on the Barracuda. On a 600 model or higher you can add the static route right away; on a 400 model that option is not available, but Barracuda support will enable it for you if you ask.

Create the rule on the TMG-FE first:

  • Name : Publish mail traffic to the antispam firewall (choose Mail Server Publishing Rule)
  • Rule Number : place on top
  • Access Type : Server-to-server communication: SMTP, NNTP
  • Services : SMTP (custom SMTP Server protocol, port 25 inbound, with the SMTP filter disabled)
  • From : Anywhere
  • Server IP Address : 10.6.20.20 (the Barracuda)
  • Network Listener IP Address : External Interface IP : ISP IP3 only
  • Make sure you enable : requests appear to come from the original client

The last setting matters here: the Barracuda's reputation and blocklist checks work on the connecting IP, so it must see the real sending server and not the TMG-FE's internal address.

Create the rules on the TMG-BE:

  • Name : Allow mail traffic to internal LAN (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Barracuda
  • To : Exchange 2010
  • User Sets : All Users

  • Name : Allow mail traffic to outside (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Exchange 2010
  • To : External
  • User Sets : All Users

Keep the outbound rule limited to the Exchange server object: no other internal host should be able to open port 25 to the Internet, and the inbound rule should accept SMTP from the Barracuda only, so that nothing can bypass the antispam box by talking to Exchange directly.
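A hand-driven SMTP check of the inbound path, as an added example that is not part of the original post. It talks SMTP over a raw TCP socket (PowerShell 2.0 compatible) and reads the banner and the EHLO reply, which is enough to see whether the host answering on a given address is the Barracuda or Exchange. ISP IP3 is written as 203.0.113.3 (a documentation address standing in for the real one), the HELO name is made up, and 10.4.20.20 is the Exchange box from the article.

```powershell
# Added example, not from the original post.
# Assumptions: 203.0.113.3 stands in for ISP IP3; 10.4.20.20 is the Exchange 2010
# server; probe.example.net is an arbitrary HELO name.

function Test-SmtpPath {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = "probe.example.net")
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 10000          # ms; a silent listener should fail fast
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # Banner: "220 <hostname> ..." (drain any 220- continuation lines).
    $banner = $reader.ReadLine()
    $line = $banner
    while ($line -match "^220-") { $line = $reader.ReadLine() }

    # EHLO reply: "250-..." lines until the final "250 ...".
    $writer.WriteLine("EHLO $HeloName")
    $ehlo = @()
    do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -match "^250-")
    $writer.WriteLine("QUIT")
    $client.Close()

    New-Object PSObject -Property @{
        Server   = $Server
        Banner   = $banner
        Starttls = [bool]($ehlo -match "STARTTLS")
        Ehlo     = $ehlo
    }
}

# From outside the network: port 25 on ISP IP3 must be answered by the Barracuda.
# A banner containing "Microsoft ESMTP MAIL Service" here would mean port 25 is
# published straight to Exchange and the antispam box is being skipped.
Test-SmtpPath 203.0.113.3 | Format-List Server, Banner, Starttls

# From the Barracuda's side of the TMG-BE (or any DMZ host for a negative test):
# only the Barracuda should get a 220 from Exchange; any other DMZ host should
# time out, which shows the TMG-BE access rule is scoped to the Barracuda object.
Test-SmtpPath 10.4.20.20 | Format-List Server, Banner, Starttls
```

If the EHLO command is rejected or the connection is reset right after it, look at the SMTP filter on the TMG-FE publishing rule first; the article disables it on the custom SMTP Server protocol for exactly this reason.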

This concludes the second part of my series about installing and configuring a Forefront TMG back-to-back solution with Exchange 2010. The final part of the series will cover ActiveSync and Outlook Anywhere. I hope it's useful for you; feel free to comment.

  1. Alex
    June 22, 2011 at 10:23 pm

    Hi Richard,

    The static route on Barracuda should be

    Destination Address 10.4.20.20 Gateway 10.6.0.1? (I am using IronPort)

    I have no traffic from Barracuda on TMG-BE

    Thank you

  2. Minh Sang
    October 29, 2011 at 3:57 pm

    Configuring inbound and outbound mail (SMTP)

    Hi Richard,

    In my DMZ I do not have any server. I created a rule to publish SMTP (TMG-FE) and an allow SMTP rule (on TMG-BE). I can send an email to outside but I can't receive any emails from outside.

    Can you help me ? This is my configuration :

    On TMG-FE
    - Name : Publish SMTP
    - Rule Number : place on top
    - Access Type : Client
    - Services : SMTP
    - From : Anywhere
    - Server IP Address : 10.0.0.2 (TMG-BE External NIC)
    - Network Listener IP Address : External Interface IP
    - Requests appear from original client

    On TMG-BE

    - Name : Allow mail traffic to internal LAN
    - Rule Number : place on top
    - Rule Action : Allow
    - Protocols : SMTP
    - From : DMZ
    - To : Exchange 2010
    - User Sets : All Users

    and the rules in the figures below:

    http://i239.photobucket.com/albums/ff68/direct9999/TMG_BE.jpg

    http://i239.photobucket.com/albums/ff68/direct9999/TMG_FE.jpg

    OWA and ActiveSync are ok.

    Thank you very much.

    • November 8, 2011 at 2:12 pm

      You have to create a listener on the TMG-BE on 10.0.0.2 and create a publishing rule that allows SMTP traffic from DMZ (on that listener) to your exchange server

  3. Cameron
    February 1, 2012 at 6:31 pm

    Richard,
    Does this implementation support TLS? If so, how does the Barracuda deal with TLS-encrypted mail? Would it need a certificate installed, or just on the FE TMG to accept TLS-encrypted messages from the sender, and the rest of the way through the Barracuda, and the BE TMG is non-TLS?
