Comments for The RDP Files

Comment on Publishing Exchange 2010 with TMG by Luis

Luis — Wed, 08 Feb 2012 21:40:47 +0000

Thanks you so much. I will say to you the result when I will finish the migration.

thanks again.

Regards,

Luis.

Comment on Publishing Exchange 2010 with TMG by Guy Yardeni

Guy Yardeni — Wed, 08 Feb 2012 21:01:29 +0000

If your LDAPS based authentication is working, allowing password changes does not require any additional certificate changes.
In other words, if you can authenticate against a DC, you can change a password against it, you just need to configure credentials on the LDAP server set and check the correct box on TMG.
For more information, see: http://technet.microsoft.com/en-us/library/cc984426.aspx

Comment on Publishing Exchange 2010 with TMG by Luis

Luis — Tue, 07 Feb 2012 09:18:19 +0000

Thanks for your quick response.

When I talk about certificate, I want to say internatl certificate, for validate users from TMG to Domain controllers.

We want to install TMG for publishing OWA.Now I have another question. In LDAPs scenario with child domains, with internal certificate create from interl PKI,, If its possible to enable users change password???

Thanks a lot.

Regards, Luis.

Comment on Publishing Exchange 2010 with TMG by Guy Yardeni

Guy Yardeni — Mon, 06 Feb 2012 17:17:55 +0000

Hi Luis,
Thanks for your comment/question.

First, we have to make sure we’re talking about the same certificate. The SSL certificate that validates the TMG and CAS servers to clients on the Internet should not have dependency on your internal domain structure. It should simply be using the same name as the DNS record that points to the TMG server along with any applicable SANs. Likewise, the certs used between TMG array domain members do not have any relation to the internal domain structure.

The certificate that does depend on our internal structure is the one being used for LDAPS into the internal system. In this case, you need to make sure that the TMG server trusts the certificates assigned to each domain controller it will use. If you have an internal PKI as part of your forest that’s the easiest case. If the TMG is joined to a forest domain, no action is necessary. If the TMG server is not joined to the same forest as the PKI installation, then the root and issuing CA certificates from the forest must be exported (without private key) and imported in the Trusted Root Publishers store on the TMG server.

So in both cases, no issue with child domains. The one area to look out for with multiple domains is with the LDAPS configuration itself when the server entry is configured on TMG. The easiest way is to use the GC protocol and educate users to use their UPN for logins since those are not domain specific. Otherwise, server entries must configure for DCs for each domain with the appropriate credential pattern: domain\username.

Hope this helps but feel free to ask additional questions,

Guy

Comment on Publishing Exchange 2010 with TMG by Luis

Luis — Mon, 06 Feb 2012 16:54:25 +0000

Hi, thanks for this post. I’ve a question about certificates when TMG its in DMZ. If I’ve a forest, with 3 or 4 subdomains, the certificate is the same for subdomains or I need to create a certificate for each other domain???

Thanks a lot.

Comment on Creating a SAN certificate request using native Windows tools by Guy Yardeni

Guy Yardeni — Mon, 30 Jan 2012 22:00:28 +0000

It should work with the latest SP. I don’t have a server to test right now, but based on this article: http://support.microsoft.com/kb/931351, this is supported and just requires the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

Comment on Creating a SAN certificate request using native Windows tools by Anand

Anand — Thu, 12 Jan 2012 02:55:33 +0000

does this work in windows 2003?

Comment on Adding NAT to a Hyper-V host for access to isolated lab guests by Guy Yardeni

Guy Yardeni — Fri, 18 Nov 2011 17:55:09 +0000

I think they are essentially the same method, except that my example is focused on allowing inbound traffic through the NAT whereas the other example is showing how to allow traffic out. The one material difference is the use of VLAN tagging which would be required if the virtual environment consisted of multiple hosts. The example linked would work well for guests on a single host but wouldn’t translate to multiple hosts due to the use of an internal only virtual network.

Comment on Adding NAT to a Hyper-V host for access to isolated lab guests by Daniel Payne

Daniel Payne — Fri, 18 Nov 2011 17:39:14 +0000

Thanks for writing this – what do you think of this alternative method that someone else came up with?

http://www.infotechguyz.com/server2008/hypervrouting.html

Comment on Adding NAT to a Hyper-V host for access to isolated lab guests by Guy Yardeni

Guy Yardeni — Thu, 26 May 2011 04:30:32 +0000

RRAS isn’t supported on core so you can’t do it directly on the host (at least without a third party product but I don’t know of one that works on core), but you could do use one of the guests. Assuming that the isolation requirements allow for a guest connected to both networks, just deploy a guest running RRAS with the same configuration.