Posts Tagged ‘OWA’

Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 3

January 15, 2011

This is the last article of the three-part series on how to install and configure a Forefront TMG back-to-back solution with Exchange 2010. In the first one I explained the network setup, network relationships, the TMG back-end and TMG front-end installations and some simple firewall rules. In the second part we went through how to configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. This last article will explain how to set up Exchange ActiveSync, Exchange Outlook Anywhere and Autodiscover.

Configuring Exchange Outlook Anywhere and autodiscover

In Microsoft Exchange Server 2010, the Outlook Anywhere feature, formerly known as RPC over HTTP, lets clients that use Microsoft Office Outlook 2010, Outlook 2007, or Outlook 2003 connect to their Exchange servers from outside the corporate network or over the Internet using the RPC over HTTP Windows networking component. The Windows RPC over HTTP Proxy component, which Outlook Anywhere clients use to connect, wraps remote procedure calls (RPCs) with an HTTP layer. This allows traffic to traverse the TMG firewalls without requiring RPC ports to be opened.

Requirements:

  • A SAN certificate with your company's webmail address should be installed on the Exchange 2010 and TMG-BE boxes (the SAN certificate should include webmail.test.com, autodiscover.test.com, autodiscover.test.local and exchange2010.test.local, the Exchange server name)
  • In the forward lookup zone test.com on the DC1 server create a new A record called autodiscover.test.com that points to 10.4.20.20
  • In the forward lookup zone test.local on the DC1 server create a new A record called autodiscover.test.local that points to 10.4.20.20
  • At your provider you should create a DNS record that points autodiscover.test.com to ISP IP4
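
A quick way to verify the certificate requirement before touching any publishing rule, as an added example (not code from the original post): the script below takes the subjectAltName text of a certificate, as printed by `openssl x509 -in cert.pem -noout -ext subjectAltName` or any similar tool, and reports which of the four required hostnames are not covered, applying the single-label wildcard rule from RFC 6125 so that a `*.test.local` entry counts for `autodiscover.test.local` but not for anything deeper. The SAN texts it is run on are constructed for this example; the required names are the ones listed above.

```python
import re

# Hostnames the post says the SAN certificate must cover (OWA, Outlook Anywhere, Autodiscover).
REQUIRED_NAMES = [
    "webmail.test.com",
    "autodiscover.test.com",
    "autodiscover.test.local",
    "exchange2010.test.local",
]

# Constructed samples of openssl's subjectAltName output: one certificate that covers
# everything (via a *.test.local wildcard) and one that only has the webmail name.
SAMPLE_OPENSSL_SAN = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:webmail.test.com, DNS:autodiscover.test.com, DNS:*.test.local, "
    "IP Address:10.4.20.20\n"
)
SAMPLE_OPENSSL_SAN_SHORT = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:webmail.test.com\n"
)


def parse_san(text: str) -> list:
    """Extract the DNS: entries from openssl's subjectAltName output (lower-cased)."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", text)]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a leading '*.' that covers exactly one label.
    '*' never spans a dot, and a bare '*' is rejected so a sloppy certificate
    cannot satisfy every name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                       # "*.test.local" -> ".test.local"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]        # the part the wildcard has to cover
    return bool(leftmost) and "." not in leftmost


def missing_names(san_names, required=REQUIRED_NAMES) -> list:
    """Return the required hostnames that no SAN entry covers, in the required order."""
    return [h for h in required if not any(san_matches(p, h) for p in san_names)]


def check_certificate_text(openssl_text: str, required=REQUIRED_NAMES) -> list:
    """Convenience wrapper: openssl text in, list of uncovered hostnames out."""
    return missing_names(parse_san(openssl_text), required)


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_OPENSSL_SAN), ("short", SAMPLE_OPENSSL_SAN_SHORT)):
        gap = check_certificate_text(text)
        print(f"{label}: missing {gap if gap else 'none'}")
```

Run it against the real certificate on the Exchange and TMG-BE boxes before creating the listener; an empty result means the listener certificate will satisfy Outlook Anywhere and Autodiscover clients for all four names.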

Create the rules on the TMG-FE

  • Rule Name : Publish Exchange 2010 Autodiscover and Outlook Anywhere – HTTPS (non-web publishing rule)
  • Server IP : 10.6.0.3
  • Protocol : HTTPS Server
  • Listener IP Address : External Interface IP : ISP IP4 only
  • Make sure you enable : requests appear from original client

Create the rules on the TMG-BE

  • Name : Publish Exchange 2010 Autodiscover and Outlook Anywhere (Exchange Client Access rule)
  • Rule number : below OWA 2010 rule
  • Exchange version : exchange 2010
  • Mail services : Outlook Anywhere (RPC/HTTPS) and enable the additional folders option
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : autodiscover.test.com
  • Create New Listener
  • Web Listener Name : HTTPS Autodiscover
  • Client Connection Security : SSL (HTTPS)
  • Web Listener IP Address : Perimeter Interface IP : 10.6.0.3 only
  • Certificate : webmail.test.com
  • Authentication Settings : HTML Form authentication
  • Validation : Windows (active directory)
  • SSO : disabled
  • Authentication Delegation : Basic authentication
  • User Set : All authenticated users group

Configuring Exchange ActiveSync

Exchange ActiveSync is a Microsoft Exchange synchronization protocol that’s optimized to work together with high-latency and low-bandwidth networks. The protocol, based on HTTP and XML, lets mobile phones access an organization’s information on a server that’s running Microsoft Exchange. Exchange ActiveSync enables mobile phone users to access their e-mail, calendar, contacts, and tasks and to continue to be able to access this information while they’re working offline.

Create the rules on the TMG-FE

  • None needed

Create the rules on the TMG-BE

  • Name : Publish Exchange 2010 Activesync (Exchange Client Access rule)
  • Rule Number : Below OWA 2010 and Outlook Anywhere rule
  • Exchange version : Exchange 2010
  • Mail services : Activesync
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : webmail.test.com
  • Listener : HTTP(S) OWA 2010 (created in part 2)
  • Authentication Delegation : Basic authentication
  • User Set : All authenticated users group

Now we are able to connect to our Exchange 2010 server via OWA, PDAs/smartphones and Outlook 2003/2007/2010 clients. You can test your configuration by going to a Microsoft test site and running some tests here. You might have noticed I didn't say much about how to configure the Exchange side of things. However, there are some good sites that explain it all:

This concludes my three-part article on how to install and configure a Forefront TMG back-to-back solution with Exchange 2010. I hope it's useful for you; feel free to comment.


Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 2

January 14, 2011

This article is the second part of my series about installing and configuring Forefront TMG back-to-back with Exchange 2010. In the first one I explained the network setup, network relationships, the TMG back-end and TMG front-end installations and some simple firewall rules. In this second part we will configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail.

Configuring OWA for Exchange 2010 with FBA

Forms-based authentication (FBA) is one of the cool features included in the TMG software. With FBA the OWA logon form is presented by the TMG firewall instead of by the Exchange 2010 box, so users are forced to authenticate on the TMG firewall before any packets are forwarded to the Exchange 2010 box. If you want to create a fancy FBA logon page then check my post here.

Requirements:

  • FBA should be disabled on the exchange 2010 box.
  • The TMG firewall that needs FBA needs to be joined to the domain. (thus we use the TMG-BE)
  • A SAN certificate with your company's webmail address should be installed on the Exchange 2010 and TMG-BE boxes (the SAN certificate should include something like webmail.test.com)
  • A new forward lookup zone should be configured on the DC1 server named test.com. Create a new A record called webmail.test.com that points to 10.4.20.20
  • At your provider you should create a DNS record that points webmail.test.com to ISP IP2

We want to make OWA foolproof. Experience shows that users often forget the default URL https://webmail.test.com/owa. Users should be able to type the URL with HTTP or HTTPS and with or without /owa. So let's create the rules on the TMG-FE first:

  • Rule Name : Publish Outlook Webmail Apps 2010 (OWA) – HTTP (choose non-web publishing rule)
  • Rule Number : 1
  • Rule action : Allow
  • Server IP : 10.6.0.2 (secondary ip on the TMG-BE external interface)
  • Create New Protocol :  HTTP Server on Port 80 inbound
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client
  • Rule Name : Publish Outlook Webmail Apps 2010 (OWA) – HTTPS (choose non-web publishing rule)
  • Rule Number : 2
  • Server IP : 10.6.0.2
  • Protocol : HTTPS Server
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client

Create the rules on the TMG-BE

  • Name : Publish Outlook Webmail Apps 2010 Redirect (OWA) (Choose Exchange Client Access rule)
  • Rule Number : 1
  • Exchange version : exchange 2010
  • Mail services : OWA
  • Rule action : Deny
  • Redirect to : https://webmail.test.com/owa
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : webmail.test.com
  • Create New Listener
  • Web Listener Name : HTTP(S) OWA 2010
  • Client Connection Security : SSL (HTTPS and HTTP)
  • Enable redirection http to https
  • Web Listener IP Address : Perimeter Interface IP : 10.6.0.2 only
  • Certificate : webmail.test.com
  • Authentication Settings : HTML Form authentication
  • Validation : Windows (active directory)
  • SSO : disabled
  • Authentication Delegation : basic authentication
  • User Set : All authenticated users group
  • Edit the newly created rule and go to the Paths tab
  • Change it to the following:

  • Name : Publish Outlook Webmail Apps 2010 (OWA) (Choose Exchange Client Access rule)
  • Rule Number : 2
  • Exchange version : exchange 2010
  • Mail services : OWA
  • Rule action : ALLOW
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : webmail.test.com
  • Web Listener Name : HTTP(S) OWA 2010
  • Authentication Delegation : basic authentication
  • User Set : All authenticated users group
  • Edit the newly created rule and go to the Paths tab
  • Change it to the following:

  • On the To tab make sure you enable : requests from Forefront TMG
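
To see how the two TMG-BE rules above and the listener's HTTP-to-HTTPS redirect combine so that every variant of the address ends up at https://webmail.test.com/owa, here is an added Python model of TMG's first-match rule evaluation (example code, not part of the original post and not TMG's own logic). The path tabs of both rules were in screenshots that did not survive, so the paths used here ("/" for the redirect rule, "/owa/*" and "/ecp/*" for the allow rule) are assumptions; the public name, redirect target and rule names are the ones listed above. It also shows the failure mode of giving the redirect rule "/*" instead of "/": the redirect then catches /owa itself and loops.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

PUBLIC_NAME = "webmail.test.com"            # public name on both TMG-BE rules
OWA_URL = "https://webmail.test.com/owa"    # "Redirect to" target of rule 1


def path_matches(rule_path: str, path: str) -> bool:
    """TMG-style path match: an exact path, or 'prefix/*' covering the prefix
    itself and everything below it. No other wildcard positions are supported."""
    if rule_path.endswith("/*"):
        prefix = rule_path[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == rule_path


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    public_names: Tuple[str, ...]
    paths: Tuple[str, ...]             # assumed values; the post's path screenshots are missing
    redirect_to: Optional[str] = None  # only meaningful for a deny rule

    def matches(self, host: str, path: str) -> bool:
        return host in self.public_names and any(path_matches(p, path) for p in self.paths)


# The two TMG-BE rules from the post, in rule-number order (rule 1 is evaluated first).
POLICY: List[Rule] = [
    Rule("Publish Outlook Webmail Apps 2010 Redirect (OWA)", "deny",
         (PUBLIC_NAME,), ("/",), redirect_to=OWA_URL),
    Rule("Publish Outlook Webmail Apps 2010 (OWA)", "allow",
         (PUBLIC_NAME,), ("/owa/*", "/ecp/*")),
]

# Misconfiguration to compare against: a redirect rule on "/*" instead of "/" also
# matches /owa, so the browser is sent back to the same URL again and again.
LOOPING_POLICY: List[Rule] = [
    Rule("Redirect everything (misconfigured)", "deny",
         (PUBLIC_NAME,), ("/*",), redirect_to=OWA_URL),
    POLICY[1],
]


def evaluate(url: str, policy=POLICY, listener_redirects_http: bool = True):
    """One pass through the listener and the ordered policy; the first match wins.
    Returns ("redirect", target), ("allow", rule_name) or ("deny", reason)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # The listener's "Enable redirection http to https" fires before any rule is read.
    if parts.scheme == "http" and listener_redirects_http:
        return "redirect", f"https://{host}{path}"
    for rule in policy:
        if rule.matches(host, path):
            if rule.action == "deny" and rule.redirect_to:
                return "redirect", rule.redirect_to
            return rule.action, rule.name
    return "deny", "default rule"


def resolve(url: str, policy=POLICY, max_hops: int = 5):
    """Follow redirects the way a browser would; returns (final_url, decision, hops).
    A policy that redirects forever is reported as "loop" instead of hanging."""
    hops = []
    for _ in range(max_hops):
        decision, target = evaluate(url, policy)
        if decision != "redirect":
            return url, decision, hops
        hops.append(target)
        url = target
    return url, "loop", hops


if __name__ == "__main__":
    for typed in ("http://webmail.test.com", "https://webmail.test.com",
                  "http://webmail.test.com/owa", "https://webmail.test.com/owa"):
        print(typed, "->", resolve(typed))
    print("misconfigured:", resolve("https://webmail.test.com/owa", LOOPING_POLICY))
```

The rule number matters because the evaluation stops at the first match: the redirect rule must sit above the allow rule, and its path must be narrow enough not to cover /owa, otherwise the redirect chain never terminates.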

Outlook Web Access 2010 should work fine by now. Test it by accessing it remotely.

Configuring webserver access internally and remotely

Users need to access the webserver from outside the network but also from inside the corporate network. To accomplish this you need to configure the following:

  • In the new forward lookup zone create a new A record called www.test.com that points to 10.6.10.10
  • At your provider you should create a DNS record that points www.test.com to ISP IP1
  • The default gateway of the webserver points to the internal interface of the TMG-FE. So the webserver does not know the route to VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. Therefore you need static routes on the webserver to access those networks.

Create the rule on the TMG-FE first :

  • Rule Name : Publish HTTP traffic to the webserver (choose web publishing rule)
  • Rule Number : 2
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : NON-SSL
  • Internal Sitename : www.test.com
  • Ip Address : 10.6.10.10
  • Path : /*
  • Public Name : www.test.com
  • Path : /*
  • Create New Listener
  • Web Listener Name : HTTP WWW
  • Client Connection Security : NON-SSL
  • Web Listener IP Address : External Interface IP : ISP IP1 only
  • Authentication Settings : None
  • Authentication Delegation : No delegation, client cannot authenticate
  • User Sets : All Users

Create the rule on the TMG-BE :

  • Name : Allow HTTP(s), RDP, FTP traffic to the webserver (choose access rule)
  • Rule Number : place above normal http traffic rule
  • Rule Action : Allow
  • Protocols : HTTP, HTTPS, RDP, FTP
  • From : Internal Networks
  • To : Webserver
  • User Sets : All Users

Now you are done! We have access to the webserver from the outside world and from the internal corporate network.

Configuring inbound and outbound mail (SMTP)

Since we are hosting our mail solution internally we need to achieve inbound and outbound mail traffic.

Requirements:

  • At your provider you should create an MX record that points mail.test.com to ISP IP3
  • The default gateway of the Barracuda points to the internal interface of the TMG-FE, so it does not know the route to the 10.4.x.x network. We need to add a static route on the Barracuda. If you have a 600 model or higher you can add the static route right away; on a 400 model that option is not available, but if you contact Barracuda support they will enable it for you.

Create the rule on the TMG-FE first :

  • Name : Publish mail traffic to antispam firewall (mail publishing rule)
  • Rule Number : place on top
  • Access Type : Server to server communication: SMTP, NNTP
  • Services : SMTP (custom SMTP server protocol port 25 inbound with SMTP filter disabled)
  • From : Anywhere
  • Server IP Address : 10.6.20.20 (the barracuda)
  • Network Listener IP Address : External Interface  IP : ISP IP3 only
  • Make sure you enable : requests appear from original client

Create the rule on the TMG-BE :

  • Name : Allow mail traffic to internal LAN (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Barracuda
  • To : Exchange 2010
  • User Sets : All Users
  • Name : Allow mail traffic to outside (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Exchange 2010
  • To : external
  • User Sets : All Users

This concludes the second part of this series about installing and configuring a Forefront TMG back-to-back solution with Exchange 2010. The final part will cover ActiveSync and Outlook Anywhere. I hope it's useful for you; feel free to comment.

Install & Configure Forefront TMG Back to Back solution with Exchange 2010 Part 1

January 13, 2011

Last year I wrote a two-part article on how to install and configure a Forefront TMG back-to-back solution with OWA 2003. A few weeks ago we migrated to Exchange 2010, so I thought I'd write it up again. In these articles I explain how to implement this in your company. It will be a three-part article. In the first one I will explain the network setup, network relationships, the TMG back-end and TMG front-end installations and some simple firewall rules. In the second part we will configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. The third article will explain how to set up Exchange ActiveSync and Exchange Outlook Anywhere. For this article we are going to use the following network setup:

This is a simple setup that is used in many companies and universities. The back-end TMG firewall (TMG-BE) will be installed and joined to the domain (test.local) and the front-end TMG firewall (TMG-FE) will be installed and joined to a workgroup (WORKGROUP). Our company website is hosted on the webserver and will be available to the outside world. The Barracuda appliance will listen for incoming SMTP mail and will be used for spam filtering and virus checking. After this check the mail will be forwarded to the Exchange 2010 server. Outlook Web Access (OWA), ActiveSync and Outlook Anywhere will be made available as well.

TMG network relationships

An important issue to understand is how network relationships work in a back-to-back solution. Dr. Thomas W. Shinder wrote some great articles about this and I highly recommend reading them. They can be found here. For our network setup we use the following network relationships:

As you can see we will use a ROUTE relationship between the internal network and the DMZ network (configured on the TMG-BE), and a NAT relationship between the DMZ and the external segment (configured on the TMG-FE). It is also important to understand that there is a NAT relationship between the internal network and the external network (configured on the TMG-BE). For ROUTE relationships you use access rules (from inside to outside and from outside to inside). For NAT relationships you use access rules (from inside to outside) and publishing rules (from outside to inside). That is the normal case... It is not widely known that you can use publishing rules on a route relationship as well. We are going to use one when we configure OWA.

It's also important to understand what is internal and what is external from the point of view of each TMG firewall. For the TMG-BE it looks like this:

The TMG-BE will see VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5 as the INTERNAL network. It will see VLAN6 as the PERIMETER network and VLAN7 as the EXTERNAL network. For the TMG-FE it will look like this:

The TMG-FE will see VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6 as the INTERNAL network and VLAN7 as the EXTERNAL network. For our article we will use the following IP addressing scheme:

Installing the TMG-BE

Before you install TMG 2010 on your machine make sure that:

  • You renamed your internal NIC to something like Internal and your external NIC to something like DMZ.
  • You entered all appropriate information on all NICs (according to the IP addressing scheme)
  • You joined the TMG-BE to the domain
  • Increase performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters. Change NodeType to value 2 (REG_DWORD)
  • Update system with latest service packs and updates

OK, let's start the TMG 2010 back-end installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management and wait until everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-BE. Remember we spoke of this before: we need to enter all subnet IPs from VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5.

  • Start TMG-KB981324-AMD64-ENU.MSP to install  TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select BACK FIREWALL and the INTERNAL adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-BE does not have a default gateway configured, so we need to tell the TMG-BE how to reach VLAN1, VLAN2, VLAN3 and VLAN4. The gateway configured on the core switch will be 10.5.0.1. Let's add 4 static routes:

  • Select the DMZ interface as the PERIMETER network adapter and choose a private (ROUTE) relationship
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard

Installing TMG-FE

Before you install TMG 2010 on your machine make sure that:

  • You renamed your internal NIC to something like DMZ and your external NIC to something like INTERNET.
  • You entered all appropriate information on all NICs (according to the IP addressing scheme)
  • You joined the TMG-FE to a workgroup
  • Increase performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\NetBT\Parameters. Change NodeType to value 2 (REG_DWORD)
  • Update system with latest service packs and updates

OK, let's start the TMG 2010 front-end installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management and wait until everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-FE. We need to enter all subnet IPs from VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6.

  • Start TMG-KB981324-AMD64-ENU.MSP to install  TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select EDGE FIREWALL and the DMZ adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-FE does not have a default gateway configured, so we need to tell the TMG-FE how to reach VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. The gateway for these routes will be the external interface of the TMG-BE (10.6.0.1). Let's add 5 static routes:

  • Choose the INTERNET network adapter for the ISP connection
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard

Configuring the TMG-BE

  • Start the TMG MMC and go to Forefront TMG (TMG-BE) – Networking – Networks tab
  • Right-click the Internal network, choose Properties and go to the Domains tab
  • In the domain names box add: *.test.local
  • Choose the Web Browser tab and change the following:
  • Enable Bypass proxy for web servers in this network
  • Enable Directly access computers specified in the Domains tab
  • Enable Directly access computers specified in the Addresses tab
  • Choose the Auto Discovery tab and enable Publish automatic discovery
  • Configure your DNS and DHCP server for WPAD – read here
  • Let's create some firewall rules to allow DNS, HTTP, HTTPS and FTP traffic.
  • Go to Forefront TMG (TMG-BE) – Firewall Policy – Create access rule

Create the following rules:

  • Rule Name : Allow DNS traffic from DC1
  • Rule Number : 1
  • Protocols : DNS
  • From : DC1
  • To : External
  • User Sets : All users
  • Rule Name : Allow HTTP, HTTPS, FTP traffic
  • Rule number : 2
  • Protocols : HTTP, HTTPS, FTP
  • From : Internal Network
  • To : External Network
  • User Sets : All authenticated users

Configuring the TMG-FE

  • Start the TMG MMC and go to Forefront TMG (TMG-FE) – Intrusion Prevention System – Behavioral Intrusion Detection tab – choose Configure Flood Mitigation Settings – IP Exceptions tab
  • Since there is a NAT relationship between the internal network and the external network on the TMG-BE, the source IP of every internal client is rewritten to the TMG-BE external interface. So when the packets arrive at the TMG-FE internal interface it sees a lot of traffic coming from one IP address. Therefore we must add the external interface of the TMG-BE to the IP Exceptions tab, or else the TMG-FE will drop the traffic as a flood.
  • Go to Forefront TMG (TMG-FE) – Firewall Policy – Create access rule
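
The flood-mitigation point above is easy to reproduce offline. The following added Python example (not from the original post, and a simplification of what TMG's flood mitigation actually does) counts connection attempts per source IP in a sliding window over a constructed sample of what the TMG-FE internal interface would see: every internal client arrives as 10.6.0.1 after NAT on the TMG-BE, while the web server (10.6.10.10) and the Barracuda (10.6.20.20) keep their own perimeter addresses. Without an exception the NAT address trips the limit; with 10.6.0.1 (or the whole 10.6.0.0/24, both accepted) in the exception list it does not. The limit of 10 is deliberately low for the demo; TMG's own defaults are far higher, and the destination addresses are RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict, deque

TMG_BE_EXTERNAL_IP = "10.6.0.1"   # the TMG-BE external interface from the post

# Constructed sample of connection attempts on the TMG-FE internal interface:
# (seconds, source IP, destination IP, destination port). Twelve NATed internal
# clients show up as 10.6.0.1 within 22 seconds; the web server and the Barracuda
# talk to the outside under their own addresses.
SAMPLE_EVENTS = (
    [(t, "10.6.0.1", "198.51.100.10", 443) for t in range(0, 24, 2)]
    + [(t, "10.6.10.10", "198.51.100.20", 80) for t in (1, 9, 17)]
    + [(t, "10.6.20.20", "198.51.100.30", 25) for t in (4, 14)]
)


def flood_offenders(events, limit, window=60, exceptions=()):
    """Return the source IPs that open more than `limit` connections inside any
    `window`-second period. Sources covered by `exceptions` (single IPs or CIDR
    blocks) are never counted, which is what the IP Exceptions tab does."""
    exempt = [ipaddress.ip_network(e, strict=False) for e in exceptions]
    recent = defaultdict(deque)       # per source: timestamps still inside the window
    flagged = set()
    for ts, src, _dst, _port in sorted(events):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in exempt):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    LIMIT = 10   # deliberately low for the demo
    print("without exception:", flood_offenders(SAMPLE_EVENTS, LIMIT))
    print("with exception:   ", flood_offenders(SAMPLE_EVENTS, LIMIT,
                                                exceptions=[TMG_BE_EXTERNAL_IP]))
```

The same counter also shows why the exception should be as narrow as possible: exempting only the TMG-BE external address leaves the web server and the Barracuda subject to the normal limit, so a compromised perimeter host still gets caught.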

Create the following rule:

  • Rule Name : Allow all traffic from TMG-BE
  • Rule number : 1
  • Protocols : All protocols
  • From : TMG-BE (external interface IP)
  • To : External Network
  • User Sets : All users

Now you can test the rules you created by starting a web browser session from DC1. In part 2 of this article we are going to configure OWA for Exchange 2010, web publishing rules, and incoming and outgoing SMTP mail. Feel free to comment on this article.

Install & Configure Forefront TMG Back to Back solution Part 2

November 5, 2010

This article is the second and last part of my series about installing and configuring Forefront TMG back-to-back. In the first one I explained the network setup, network relationships, the TMG back-end and TMG front-end installations and some simple firewall rules. In this second part we will configure OWA for Exchange 2003, web publishing rules, and incoming and outgoing SMTP mail.

Configuring OWA for Exchange 2003 with FBA

Forms-based authentication (FBA) is one of the cool features included in the TMG software. With FBA the OWA logon form is presented by the TMG firewall instead of by the Exchange 2003 box, so users are forced to authenticate on the TMG firewall before any packets are forwarded to the Exchange 2003 box. If you want to create a fancy FBA logon page then check my post here.

Requirements:

  • FBA should be disabled on the exchange 2003 box.
  • The TMG firewall that needs FBA needs to be joined to the domain. (thus we use the TMG-BE)
  • A certificate with your company's webmail address should be installed on the Exchange 2003 and TMG-BE boxes (the certificate should include something like webmail.test.com)
  • A new forward lookup zone should be configured on the DC1 server named test.com. Create a new A record called webmail.test.com that points to 10.4.20.20
  • At your provider you should create a DNS record that points webmail.test.com to ISP IP2

We want to make OWA foolproof. Experience shows that users often forget the default URL https://webmail.test.com/Exchange. Users should be able to type the URL with HTTP or HTTPS and with or without /Exchange. So let's create the rules on the TMG-FE first:

  • Rule Name : Publish Outlook Webmail Apps (OWA) – HTTP (choose non-web publishing rule)
  • Rule Number : 1
  • Rule action : Allow
  • Server IP : 10.6.0.2 (secondary ip on the TMG-BE external interface)
  • Create New Protocol :  HTTP Server on Port 80 inbound
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client
  • Rule Name : Publish Outlook Webmail Apps (OWA) – HTTPS (choose non-web publishing rule)
  • Rule Number : 2
  • Server IP : 10.6.0.2
  • Protocol : HTTPS Server
  • Listener IP Address : External Interface IP : ISP IP2 only
  • Make sure you enable : requests appear from original client

Create the rules on the TMG-BE

  • Name : Publish Outlook Webmail Apps (OWA) (Choose Exchange Client Access rule)
  • Rule Number : 1
  • Exchange version : exchange 2003
  • Mail services : OWA
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : SSL
  • Internal Sitename : webmail.test.com
  • Ip Address : 10.4.20.20
  • Requests appear to come from TMG
  • Public name details : webmail.test.com
  • Create New Listener
  • Web Listener Name : HTTP(S) OWA
  • Client Connection Security : SSL (HTTPS and HTTP)
  • Enable redirection http to https
  • Web Listener IP Address : Perimeter Interface IP : 10.6.0.2 only
  • Certificate : webmail.test.com
  • Authentication Settings : HTML Form authentication
  • Validation : Windows (active directory)
  • SSO : disabled
  • Authentication Delegation : basic authentication
  • User Set : All authenticated users group
  • Edit the newly created rule and go to the Paths tab
  • Add the following path (beware the capital E of Exchange and the \ at the end):

  • On the To tab make sure you enable : requests from Forefront TMG

Outlook Web Access should work fine by now. Test it by accessing it remotely.

Configuring webserver access internally and remotely

Users need to access the webserver from outside the network but also from inside the corporate network. To accomplish this you need to configure the following:

  • In the new forward lookup zone create a new A record called www.test.com that points to 10.6.10.10
  • At your provider you should create a DNS record that points www.test.com to ISP IP1
  • The default gateway of the webserver points to the internal interface of the TMG-FE. So the webserver does not know the route to VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. Therefore you need static routes on the webserver to access those networks.

Create the rule on the TMG-FE first :

  • Rule Name : Publish HTTP traffic to the webserver (choose web publishing rule)
  • Rule Number : 2
  • Rule action : Allow
  • Publishing Type : single website
  • Server Connection Security : NON-SSL
  • Internal Sitename : www.test.com
  • Ip Address : 10.6.10.10
  • Path : /*
  • Public Name : www.test.com
  • Path : /*
  • Create New Listener
  • Web Listener Name : HTTP WWW
  • Client Connection Security : NON-SSL
  • Web Listener IP Address : External Interface IP : ISP IP1 only
  • Authentication Settings : None
  • Authentication Delegation : No delegation, client cannot authenticate
  • User Sets : All Users

Create the rule on the TMG-BE :

  • Name : Allow HTTP(s), RDP, FTP traffic to the webserver (choose access rule)
  • Rule Number : place above normal http traffic rule
  • Rule Action : Allow
  • Protocols : HTTP, HTTPS, RDP, FTP
  • From : Internal Networks
  • To : Webserver
  • User Sets : All Users

Now you are done! We have access to the webserver from the outside world and from the internal corporate network.

Configuring inbound and outbound mail (SMTP)

Since we are hosting our mail solution internally we need to achieve inbound and outbound mail traffic.

Requirements:

  • At your provider you should create an MX record that points mail.test.com to ISP IP3
  • The default gateway of the Barracuda points to the internal interface of the TMG-FE, so it does not know the route to the 10.4.x.x network. We need to add a static route on the Barracuda. If you have a 600 model or higher you can add the static route right away; on a 400 model that option is not available, but if you contact Barracuda support they will enable it for you.

Create the rule on the TMG-FE first :

  • Name : Publish mail traffic to antispam firewall (mail publishing rule)
  • Rule Number : place on top
  • Access Type : Server to server communication: SMTP, NNTP
  • Services : SMTP (custom SMTP server protocol port 25 inbound with SMTP filter disabled)
  • From : Anywhere
  • Server IP Address : 10.6.20.20 (the barracuda)
  • Network Listener IP Address : External Interface  IP : ISP IP3 only
  • Make sure you enable : requests appear from original client

Create the rule on the TMG-BE :

  • Name : Allow mail traffic to internal LAN (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Barracuda
  • To : Exchange 2003 Back-End
  • User Sets : All Users
  • Name : Allow mail traffic to outside (choose access rule)
  • Rule Number : place on top
  • Rule Action : Allow
  • Protocols : SMTP
  • From : Exchange 2003 Back-End
  • To : external
  • User Sets : All Users

This concludes my two-part series about installing and configuring a Forefront TMG back-to-back solution. I hope it's useful for you; feel free to comment.

Install & Configure Forefront TMG Back to Back solution Part 1

November 4, 2010

This week we installed and configured a Forefront TMG back-to-back solution at our school. In this article I explain how to implement this in your company. It will be a two-part article. In the first one I will explain the network setup, network relationships, the TMG back-end and TMG front-end installations and some simple firewall rules. In the second part we will configure OWA for Exchange 2003, web publishing rules, and incoming and outgoing SMTP mail. For this article we are going to use the following network setup:

This is a simple setup that is used in many companies and universities. The back-end TMG firewall (TMG-BE) will be installed and joined to the domain (test.local) and the front-end TMG firewall (TMG-FE) will be installed and joined to a workgroup (WORKGROUP). Our company website is hosted on the webserver and will be available to the outside world. The Barracuda appliance will listen for incoming SMTP mail and will be used for spam filtering and virus checking. After this check the mail will be forwarded to the Exchange 2003 back-end. Outlook Web Access (OWA) will be made available as well.

TMG network relationships

An important issue to understand is how network relationships work in a back-to-back solution. Dr. Thomas W. Shinder wrote some great articles about this and I highly recommend reading them. They can be found here. For our network setup we use the following network relationships:

As you can see we will use a ROUTE relationship between the internal network and the DMZ network (configured on the TMG-BE), and a NAT relationship between the DMZ and the external segment (configured on the TMG-FE). It is also important to understand that there is a NAT relationship between the internal network and the external network (configured on the TMG-BE). For ROUTE relationships you use access rules (from inside to outside and from outside to inside). For NAT relationships you use access rules (from inside to outside) and publishing rules (from outside to inside). That is the normal case... It is not widely known that you can use publishing rules on a route relationship as well. We are going to use one when we configure OWA.

It's also important to understand what is internal and what is external from the point of view of each TMG firewall. For the TMG-BE it looks like this:

The TMG-BE will see VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5 as the INTERNAL network. It will see VLAN6 as the PERIMETER network and VLAN7 as the EXTERNAL network. For the TMG-FE it will look like this:

The TMG-FE will see VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6 as the INTERNAL network and VLAN7 as the EXTERNAL network. For our article we will use the following ip adressing scheme:

Installing the TMG-BE

Before you install TMG 2010 on your machine make sure that:

  • You renamed your internal NIC to something like Internal and your external NIC to something like DMZ.
  • You entered all appropriate information on all NICs (according to the IP addressing scheme)
  • You joined the TMG-BE to the domain
  • You increased performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters: set NodeType to value 2 (REG_DWORD)
  • You updated the system with the latest service packs and updates

OK, let's start the TMG 2010 Back-End installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management and wait until everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-BE. Remember we spoke of this before. We need to enter all subnet IPs from VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5.

  • Start TMG-KB981324-AMD64-ENU.MSP to install TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select BACK FIREWALL and the INTERNAL adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-BE does not have a default gateway configured, so we need to tell the TMG-BE how to reach VLAN1, VLAN2, VLAN3 and VLAN4. The gateway for these routes is the core switch at 10.5.0.1. Let's add 4 static routes:

  • Select the DMZ interface as the PERIMETER network adapter and choose a private (ROUTE) relationship
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard

Installing TMG-FE

Before you install TMG 2010 on your machine make sure that:

  • You renamed your internal NIC to something like DMZ and your external NIC to something like INTERNET.
  • You entered all appropriate information on all NICs (according to the IP addressing scheme)
  • You joined the TMG-FE to a workgroup
  • You increased performance by changing the value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters: set NodeType to value 2 (REG_DWORD)
  • You updated the system with the latest service packs and updates

OK, let's start the TMG 2010 Front-End installation:

  • Start the TMG 2010 installation and choose to run the Preparation Tool
  • Select Forefront TMG services and Management and wait until everything is complete
  • The Forefront TMG installation will start
  • Enter your username, company name and serial number
  • Enter the installation path to your liking
  • Now we need to enter the internal network for the TMG-FE. We need to enter all subnet IPs from VLAN1, VLAN2, VLAN3, VLAN4, VLAN5 and VLAN6.

  • Start TMG-KB981324-AMD64-ENU.MSP to install TMG 2010 Service Pack 1.
  • Start TMG-KB2288910-AMD64-ENU.exe to install Update 1 for Service Pack 1.
  • Start the TMG MMC and select Configure network settings
  • Select EDGE FIREWALL and the DMZ adapter as Local Area Network
  • In the same window we need to add some static routes. The internal interface of the TMG-FE does not have a default gateway configured, so we need to tell the TMG-FE how to reach VLAN1, VLAN2, VLAN3, VLAN4 and VLAN5. The gateway for these routes is the external interface of the TMG-BE (10.6.0.1). Let's add 5 static routes:

  • Choose the INTERNET network adapter for the ISP connection
  • Select configure system settings and leave everything as default
  • Select define deployment options and enter licenses if applicable
  • Close the getting started wizard
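The static routes for both firewalls (the 4 on the TMG-BE via 10.5.0.1 and the 5 on the TMG-FE via 10.6.0.1) can also be added and verified from an elevated prompt instead of the wizard. This is an added example, not from the original article: it assumes each VLANn uses the subnet 10.n.0.0/16, which the article's addressing diagram does not confirm, so adjust the networks and masks to your own scheme.

```powershell
# Added example (not from the original article). Adds the persistent static routes the
# article describes for the chosen firewall role and then verifies them.
# ASSUMPTION: VLANn = 10.n.0.0/16. Replace with the subnets from your addressing scheme.
param(
    [ValidateSet('TMG-BE', 'TMG-FE')]
    [string]$Role = 'TMG-BE'
)

$mask = '255.255.0.0'   # assumed /16 per VLAN

# TMG-BE: VLAN1-4 reachable via the core switch (10.5.0.1)
# TMG-FE: VLAN1-5 reachable via the TMG-BE external interface (10.6.0.1)
$routes = switch ($Role) {
    'TMG-BE' { 1..4 | ForEach-Object { @{ Net = "10.$_.0.0"; Gw = '10.5.0.1' } } }
    'TMG-FE' { 1..5 | ForEach-Object { @{ Net = "10.$_.0.0"; Gw = '10.6.0.1' } } }
}

foreach ($r in $routes) {
    # -p makes the route persistent so it survives a reboot (route.exe is available
    # on Windows Server 2008 R2, which TMG 2010 runs on; no NetTCPIP module needed)
    & route.exe -p add $r.Net mask $mask $r.Gw
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to add route to $($r.Net) via $($r.Gw)" }
}

# Verify: only routes for the expected VLAN subnets should appear with these gateways
route.exe print -4 | Select-String '^\s*10\.[1-6]\.0\.0\s'
```

Because the interfaces facing the LAN have no default gateway, a missing route here shows up as the firewall silently failing to answer hosts on that VLAN, so check the `route print` output before moving on to the rules.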

Configuring the TMG-BE

  • Start the TMG MMC and go to Forefront TMG (TMG-BE) – Networking – Networks tab
  • Right-click the Internal network and choose Properties – choose the Domains tab
  • In the domain names box add: *.test.local
  • Choose the Web Browser tab and change the following:
  • Enable Bypass proxy for web servers in this network
  • Enable Directly access computers specified in the Domains tab
  • Enable Directly access computers specified in the Addresses tab
  • Choose the Auto Discovery tab and enable Publish automatic discovery information
  • Configure your DNS and DHCP server for WPAD – read here
  • Let's create some firewall rules to allow DNS, HTTP, HTTPS and FTP traffic.
  • Go to Forefront TMG (TMG-BE) – Firewall Policy – Create access rule

Create the following rules:

  • Rule Name : Allow DNS traffic from DC1
  • Rule Number : 1
  • Protocols : DNS
  • From : DC1
  • To : External
  • User Sets : All users

  • Rule Name : Allow HTTP, HTTPS, FTP traffic
  • Rule Number : 2
  • Protocols : HTTP, HTTPS, FTP
  • From : Internal Network
  • To : External Network
  • User Sets : All authenticated users

Configuring the TMG-FE

  • Start the TMG MMC and go to Forefront TMG (TMG-FE) – Intrusion Prevention System – Behavioral Intrusion Detection tab – choose Configure Flood Mitigation Settings – IP Exceptions tab
  • Since there is a NAT relationship between the internal network and the external network on the TMG-BE, the source IP will be changed to the TMG-BE external interface. So when the packets arrive at the TMG-FE internal interface it will see a lot of traffic coming from one IP address. Therefore we must add the external interface of the TMG-BE to the IP Exceptions tab, or else the TMG-FE flood mitigation will drop that traffic.
  • Go to Forefront TMG (TMG-FE) – Firewall Policy – Create access rule

Create the following rule:

  • Rule Name : Allow all traffic from TMG-BE
  • Rule number : 1
  • Protocols : All protocols
  • From : TMG-BE (external interface IP)
  • To : External Network
  • User Sets : All users

Now you can test the rules you created by starting a web browser session from the DC1. In part 2 of this article we are going to configure OWA for Exchange 2003, web publishing rules, and incoming and outgoing SMTP mail. Feel free to comment on this article.

Creating a custom Forefront TMG 2010 OWA FBA logon page

October 22, 2010 30 comments

Today I looked for a solution to edit the default OWA logon page. In our company we use form-based authentication (FBA) that is configured on a Forefront TMG 2010 server. Currently we are running an Exchange 2003 SP2 Frontend server. The OWA logon page looks like this by default:

OR

There is a way to configure this to our liking. Kay Sellenrode of platani.nl made an FBAeditor to configure this in an easy way. This tool does not have a way to change the color of the logon button and the explanation text, so at the end of this post I show you how to change that as well. So let's create some fancy company OWA logon screens.

Requirements
FBAeditor – can be found here (http://blogs.platani.nl/?p=257)
Company logo 115 x 456 pixels in GIF format
Company logo 115 x 500 pixels in GIF format

Steps

  • First make a backup of C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ with all sub directories
  • Run FBAeditor on the TMG server and browse to C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML\ (click on Source Dir)

  • Now change the page you want to edit to: usr_pwd.htm (1.)
  • Picture name: lgntopl.gif (2.)
  • Text Language: select your country (3.)
  • Select your new company logo (4.)
  • Select Apply to all pages and click Apply (5.). Now all htm files will be changed with the new company logo.
  • By pressing Preview Page you can take a look at how it is going to look (6.)

  • Many organizations don't have 2 or more domains, so we can change the domain\username text to Username
  • Now change the page you want to edit to: usr_pwd.htm (1.)
  • Select username (2.)
  • Change the text from domain\username to Username (3.)
  • Confirm the change by clicking Change Text (4.)

  • When you click Preview Page you will see that the button and the explanation text have a color that does not match the rest of the logon page. There is no way to change this via the FBAeditor tool. We can achieve it by editing a file manually.

  • Start Notepad and open C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\Exchange\HTML\logon_style.css
  • When looking through the file you'll see a section with entries like #eb9c12 and #f9b133. These are the colors used by the logon button.

  • You can change these by entering your own required color. You can find the color codes here
  • To change the explanation text you must look for the entries #ff6c00

  • You can change this by entering your own required color. You can find the color codes here
  • It is also possible to change the Internet Explorer tab name by starting the FBAeditor and changing the OWAWindowTitle text box to your liking
  • If required you can change the ISA html files as well; they can be found in C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates\ISA\HTML\
  • If all went well you have a fancy FBA logon page like this:

  • Note: I found out that Forefront TMG caches these pages somehow, so I had to reboot the server to get the new pages active. -> Arturo pointed out that you only need to restart the firewall service to reflect these changes.
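The manual color edit above (backup first, swap the three hex values in logon_style.css, then restart the firewall service rather than the whole server) can be scripted so it is repeatable after a TMG update replaces the templates. This is an added example and not from the original post; the replacement colors are assumed sample values, and the service name fwsrv is the Forefront TMG Firewall service.

```powershell
# Added example (not from the original post). Recolors the FBA logon page as the post
# describes: backs up the CookieAuthTemplates folder, replaces the three hex colors in
# logon_style.css, then restarts the Firewall service so TMG serves the new page.
$templates = 'C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplates'
$cssPath   = Join-Path $templates 'Exchange\HTML\logon_style.css'

# Colors named in the post -> company colors. The right-hand values are ASSUMED samples.
$colorMap = @{
    '#eb9c12' = '#1f4e79'   # logon button
    '#f9b133' = '#2e75b6'   # logon button (second shade)
    '#ff6c00' = '#1f4e79'   # explanation text
}

function Backup-Templates {
    param([string]$Source)
    # Timestamped copy next to the original, as the post's first step recommends
    $dest = "$Source.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Copy-Item -Path $Source -Destination $dest -Recurse
    return $dest
}

function Set-LogonColors {
    param([string]$Path, [hashtable]$Map)
    # Read/write the whole file; avoids Get-Content -Raw, which PowerShell 2.0 lacks
    $css = [System.IO.File]::ReadAllText($Path)
    foreach ($old in $Map.Keys) {
        $pattern = [regex]::Escape($old)
        $hits = [regex]::Matches($css, $pattern, 'IgnoreCase').Count
        Write-Host ("{0} -> {1}: {2} occurrence(s)" -f $old, $Map[$old], $hits)
        $css = [regex]::Replace($css, $pattern, $Map[$old], 'IgnoreCase')
    }
    [System.IO.File]::WriteAllText($Path, $css)
}

if (-not (Test-Path $cssPath)) { throw "Not found: $cssPath" }
$backup = Backup-Templates -Source $templates
Write-Host "Backup written to $backup"
Set-LogonColors -Path $cssPath -Map $colorMap

# Per the post, restarting the Firewall service is enough; no reboot needed.
# Note the restart briefly interrupts all traffic through this TMG, so do it in a window.
Restart-Service -Name fwsrv
```

If you also customised the ISA\HTML copy of the templates, run Set-LogonColors a second time against that folder's logon_style.css before the service restart.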