Archive

Posts Tagged ‘Form Based Authentication’

Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 2

January 14, 2011 5 comments

This article is the second part of my series about Installing and configuring Forefront TMG back to Back with Exchange 2010. In the first one I explained the network setup, network relationships, the TMG backend and TMG Frontend installations and some simple firewall rules. In the second part we will be configuring OWA for exchange 2010, web publishing rules, and incoming and outgoing SMTP mail.

Configuring OWA for exchange 2010 with FBA

Forms-based authentication(FBA) is one of the cool features that is included in the TMG software. The FBA enables the TMG’s capablility to enable the OWA logon form on the TMG firewall instead of enabling it on the exchange 2010 box. It enables you to force authentication on the TMG firewall before packets are forwared to the exchange 2010 box. If you want to create a fancy FBA logon page then check my post here.

requirements:

  • FBA should be disabled on the exchange 2010 box.
  • The TMG firewall that needs FBA needs to be joined to the domain. (thus we use the TMG-BE)
  • A SAN certificate with your companies webmail address should reside on the exchange 2010 and TMG-BE boxes. (the SAN certificate should include something like webmail.test.com)
  • A new forward lookup zone should be configured on the DC1 server named test.com. Create a new A record called webmail.test.com that points to 10.4.20.20
  • At your provider you should create a DNS record that points webmail.test.com to ISP IP2

We want to make OWA dummy proof. Experience shows that users often forget the default URL https://webmail.test.com/owa . Users should be able to type the URL with HTTP or HTTPS and with or without /owa. So lets create the rules on the TMG-FE first :

  • Rule Name : Publish Outlook Webmail Apps 2010 (OWA) – HTTP    (choose non-web publishing rule)
  • Rule Number : 1
  • Rule action : Allow
  • Server IP : 10.6.0.2 (secondary ip on the TMG-BE external interface)
  • Create New Protocol :  HTTP Server on Port 80 inbound
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client
  • Rule Name : Publish Outlook Webmail Apps 2010 (OWA) – HTTPS    (choose non-web publishing rule)
  • Rule Number : 2
  • Server IP : 10.6.0.2
  • Protocol : HTTPS Server
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client

Create the rules on the TMG-BE

  • Name : Publish Outlook Webmail Apps 2010 Redirect (OWA) (Choose Exchange Client Access rule)
  • Rule Number : 1
  • Exchange version : exchange 2010
  • Mail services : OWA
  • Rule action : Deny
  • Redirect to : https://webmail.test.com/owa
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Request appear to come from TMG
  • Public name details : webmail.test.com
  • Create New Listener
  • Web Listener Name : HTTP(S) OWA 2010
  • Client Connection Security : SSL (HTTPS en HTTP)
  • Enable redirection http to https
  • Web Listener IP Address : Perimeter Interface IP : 10.6.0.2 only
  • Certificate : webmail.test.com
  • Authentication Settings : HTML Form authentication
  • Validation : Windows (active directory)
  • SSO : disabled
  • Authentication Delegation : basic authentication
  • User Set : All authenticated users group
  • Edit the newly reated rule ang go to the paths tab
  • Change it to the following:

  • Name : Publish Outlook Webmail Apps 2010 (OWA) (Choose Exchange Client Access rule)
  • Rule Number : 2
  • Exchange version : exchange 2010
  • Mail services : OWA
  • Rule action : ALLOW
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Request appear to come from TMG
  • Public name details : webmail.test.com
  • Web Listener Name : HTTP(S) OWA 2010
  • Authentication Delegation : basic authentication
  • User Set : All authenticated users group
  • Edit the newly created rule ang go to the paths tab
  • Change it to the following:

  • on the TO tab make sure you enable : requests  from Forefront TMG

Outlook Web Access 2010 should work just fine by now. Just test it by accessing it remotely.

Configuring webserver access internally and remotely

Users need to access the webserver from outside the network but also from inside the corporate network. To accomplish this you need to config the following:

  • in the new forward lookup zone create a new A record called http://www.test.com that points to 10.6.10.10
  • At your provider you should create a DNS record that points http://www.test.com to ISP IP1
  • The default gateway of the webserver points to the internal interface of the TMG-FE. So the webserver does not know the route to VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. Therefore you need static routes on the webserver to access those networks.

Create the rule on the TMG-FE first :

  • Rule Name ; Publish HTTP traffic to the webserver (choose web publishing rule)
  • Rule Number : 2
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : NON-SSL
  • Internal Sitename : http://www.test.com
  • Ip Address : 10.6.10.10
  • Path : /*
  • Public Name : http://www.test.com
  • Path : /*
  • Create New Listener
  • Web Listener Name : HTTP WWW
  • Client Connection Security : NON-SSL
  • Web Listener IP Address : External Interface IP : ISP IP1 only
  • Authentication Settings : None
  • Authentication Delegation : No delegation, client cannot authenticate
  • User Sets : All Users

Create the rule on the TMG-BE :

  • Name : Allow HTTP(s), RDP, FTP traffic to the webserver (choose access rule)
  • Rule Number : place above normal http traffic rule
  • Rule Action : Allow
  • Protocols : HTTP, HTTPS, RDP, FTP
  • From : Internal Networks
  • To : Webserver
  • User Sets : All Users

Now you are done !. We achieved access to the webserver from the outside world and from the internal corporate network.

Configuring inbound and outbound mail (SMTP)

Since we are hosting our mail solution internally we need to achieve inbound and outbound mail traffic.

requirement:

  • At your provider you should create a MX DNS record that points mail.test.com to ISP IP3
  • The default gateway of the barracuda points to the internal interface of the TMG-FE. Therefore it does not know the route to the 10.4.x.x network. We need to add a static route on the Barracuda. If you have a 600 model or higher you can add the static route right away. However if you have a 400 model that option is not available. If you contact barracuda support they will enable that option for you.

Create the rule on the TMG-FE first :

  • Name : Publish mail traffic to antispam firewall (mail publishing rule)
  • Rule Number : place on top
  • Access Type : Server to server communication SMTP,NNTP
  • Services : SMTP (custom SMTP server protocol port 25 inbound with SMTP filter disabled)
  • From : Anywhere
  • Server IP Address : 10.6.20.20 (the barracuda)
  • Network Listener IP Address : External Interface  IP : ISP IP3 only
  • Make sure you enable : requests appear from original client

Create the rule on the TMG-BE :

  • Name : Allow mail traffic to internal LAN (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Barracuda
  • To : Exchange 2010
  • User Sets : All Users
  • Name : Allow mail traffic to outside (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Exchange 2010
  • To : external
  • User Sets : All Users

This concludes my second part of these series about Installing and configuring Forefront TMG Back to Back solution with Exchange 2010. The final part of these series will include Activesync and Outlook Anywhere. I hope its usefull for you and feel free to comment.

Advertisements

Install & Configure Forefront TMG Back to Back solution Part 2

November 5, 2010 2 comments

This article is the second and last part of my series about Installing and configuring Forefront TMG back to Back. In the first one I explained the network setup, network relationships, the TMG backend and TMG Frontend installations and some simple firewall rules. In the second part we will be configuring OWA for exchange 2003, web publishing rules, and incoming and outgoing SMTP mail.

Configuring OWA for exchange 2003 with FBA

Forms-based authentication(FBA) is one of the cool features that is included in the TMG software. The FBA enables the TMG’s capablility to enable the OWA logon form on the TMG firewall instead of enabling it on the exchange 2003 box. It enables you to force authentication on the TMG firewall before packets are forwared to the exchange 2003 box. If you want to create a fancy FBA logon page then check my post here.

requirements:

  • FBA should be disabled on the exchange 2003 box.
  • The TMG firewall that needs FBA needs to be joined to the domain. (thus we use the TMG-BE)
  • A certificate with your companies webmail address should reside on the exchange 2003 and TMG-BE boxes. (the certificate should include something like webmail.test.com)
  • A new forward lookup zone should be configured on the DC1 server named test.com. Create a new A record called webmail.test.com that points to 10.4.20.20
  • At your provider you should create a DNS record that points webmail.test.com to ISP IP2

We want to make OWA dummy proof. Experience shows that users often forget the default URL https://webmail.test.com/Exchange . Users should be able to type the URL with HTTP or HTTPS and with or without /Exchange. So lets create the rules on the TMG-FE first :

  • Rule Name : Publish Outlook Webmail Apps (OWA) – HTTP    (choose non-web publishing rule)
  • Rule Number : 1
  • Rule action : Allow
  • Server IP : 10.6.0.2 (secondary ip on the TMG-BE external interface)
  • Create New Protocol :  HTTP Server on Port 80 inbound
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client
  • Rule Name : Publish Outlook Webmail Apps (OWA) – HTTPS    (choose non-web publishing rule)
  • Rule Number : 2
  • Server IP : 10.6.0.2
  • Protocol : HTTPS Server
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client

Create the rules on the TMG-BE

  • Name : Publish Outlook Webmail Apps (OWA) (Choose Exchange Client Access rule)
  • Rule Number : 1
  • Exchange version : exchange 2003
  • Mail services : OWA
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Request appear to come from TMG
  • Public name details : webmail.test.com
  • Create New Listener
  • Web Listener Name : HTTP(S) OWA
  • Client Connection Security : SSL (HTTPS en HTTP)
  • Enable redirection http to https
  • Web Listener IP Address : Perimeter Interface IP : 10.6.0.2 only
  • Certificate : webmail.test.com
  • Authentication Settings : HTML Form authentication
  • Validation : Windows (active directory)
  • SSO : disabled
  • Authentication Delegation : basic authentication
  • User Set : All authenticated users group
  • Edit the newly reated rule ang go to the paths tab
  • Add the following path : (beware the Capital E of Exchange and the \ at the end)

  • on the TO tab make sure you enable : requests  from Forefront TMG

Outlook Web Access should work just fine by now. Just test it by accessing it remotely.

Configuring webserver access internally and remotely

Users need to access the webserver from outside the network but also from inside the corporate network. To accomplish this you need to config the following:

  • in the new forward lookup zone create a new A record called http://www.test.com that points to 10.6.10.10
  • At your provider you should create a DNS record that points http://www.test.com to ISP IP1
  • The default gateway of the webserver points to the internal interface of the TMG-FE. So the webserver does not know the route to VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. Therefore you need static routes on the webserver to access those networks.

Create the rule on the TMG-FE first :

  • Rule Name ; Publish HTTP traffic to the webserver (choose web publishing rule)
  • Rule Number : 2
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : NON-SSL
  • Internal Sitename : http://www.test.com
  • Ip Address : 10.6.10.10
  • Path : /*
  • Public Name : http://www.test.com
  • Path : /*
  • Create New Listener
  • Web Listener Name : HTTP WWW
  • Client Connection Security : NON-SSL
  • Web Listener IP Address : External Interface IP : ISP IP1 only
  • Authentication Settings : None
  • Authentication Delegation : No delegation, client cannot authenticate
  • User Sets : All Users

Create the rule on the TMG-BE :

  • Name : Allow HTTP(s), RDP, FTP traffic to the webserver (choose access rule)
  • Rule Number : place above normal http traffic rule
  • Rule Action : Allow
  • Protocols : HTTP, HTTPS, RDP, FTP
  • From : Internal Networks
  • To : Webserver
  • User Sets : All Users

Now you are done !. We achieved access to the webserver from the outside world and from the internal corporate network.

Configuring inbound and outbound mail (SMTP)

Since we are hosting our mail solution internally we need to achieve inbound and outbound mail traffic.

requirement:

  • At your provider you should create a MX DNS record that points mail.test.com to ISP IP3
  • The default gateway of the barracuda points to the internal interface of the TMG-FE. Therefore it does not know the route to the 10.4.x.x network. We need to add a static route on the Barracuda. If you have a 600 model or higher you can add the static route right away. However if you have a 400 model that option is not available. If you contact barracuda support they will enable that option for you.

Create the rule on the TMG-FE first :

  • Name : Publish mail traffic to antispam firewall (mail publishing rule)
  • Rule Number : place on top
  • Access Type : Server to server communication SMTP,NNTP
  • Services : SMTP (custom SMTP server protocol port 25 inbound with SMTP filter disabled)
  • From : Anywhere
  • Server IP Address : 10.6.20.20 (the barracuda)
  • Network Listener IP Address : External Interface  IP : ISP IP3 only
  • Make sure you enable : requests appear from original client

Create the rule on the TMG-BE :

  • Name : Allow mail traffic to internal LAN (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Barracuda
  • To : Exchange 2003 Back-End
  • User Sets : All Users
  • Name : Allow mail traffic to outside (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Exchange 2003 Back-End
  • To : external
  • User Sets : All Users

This concludes my 2 part series about Installing and configuring Forefront TMG Back to Back solution. I hope its usefull for you and feel free to comment.

Creating a custom Forefront TMG 2010 OWA FBA logon page

October 22, 2010 30 comments

Today I looked for a solution to edit the default OWA logon page. In our company we use a Form Based Authentication that is configured on a Forefront TMG 2010 server. Currently we are running an Exchange 2003 SP2 Frontend server. The OWA logon page looks like this by default:

OR

There is a way to configure this to our liking. Kay Sellenrode of platini.nl made an FBAeditor to configure this in an easy way. This tool does not have a way to change the color of the logon button and explanation text so at the end of this post i show you how to change that as well. So lets create some fancy company OWA logon screens.

Requirements
FBAeditor – can be found here (http://blogs.platani.nl/?p=257)
Company logo 115 x 456 pixels in GIF format
Company logo 115 x 500 pixels in GIF format

Steps

  • First make a backup of C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ with all sub directories
  • Run FBAeditor on the TMG server and browse to C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML\ (click on Source Dir)

  •  Now change the page you want to edit to : usr_pwd.htm (1.)
  • Picture name : lgntopl.gif (2.)
  • Text Language : select your country (3.)
  • Select your new company logo (4.)
  • Select apply to all pages and click apply. (5.) Now all htm files will be changed with the new company logo.
  • By pressing Preview Page you can take a look on how its going to be. (6.)

  • Many organizations don’t have 2 or more domains so we can change the domain\username text to Username
  • Now change the page you want to edit to : usr_pwd.htm (1.)
  • Select username (2.)
  • Change the text from domain\username to Username  (3.)
  • Confirm the change by clicking Change Text (4.)

  • When you are clicking on Preview Page you will see that the button and the explanation text has a color that does not match with the rest of the logon page. There is not a way that you can change this via the FBAeditor tool. We can achieve this by editing a file manually.

  • Start notepad and browse to C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML\logon_style.ccs
  • When looking through the file you’ll see a section that has entries like #eb9c12 and #f9b133. These are the colors used by the logon button.

  • You can change this by entering your own required color. You can find the color codes here
  • To change the explanation text you must look for the entries #ff6c00

  • You can change this by entering your own required color. You can find the color codes here
  • Also it is possible to change the Internet Explorer tab name by starting the FBAeditor en change the OWAWindowTitle text box to your liking
  • If required you can change the ISA html files as well they can be found here C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ISA\HTML\
  • If all went well you have a fancy FBA logon page like this :

  • Note: I found out that the Forefront TMG caches these pages somehow so I had to reboot the server to get the new pages active. -> Arturo pointed out that you only need to start the firewall service to reflect these changes.
%d bloggers like this: