Publishing Exchange 2010 with TMG

Posted: August 15, 2011 in Exchange, ISA/TMG Server, Security

Part II: Creating the publishing rules

If you’ve read part I of this series, you’ve hopefully got your TMG standalone array up and ready to publish Exchange 2010 services. Before creating the publishing rules themselves, we need to address authentication.

Since our TMG servers are members of a workgroup in the DMZ (the same applies if they are in a separate AD domain in the DMZ with no trust to the internal forest), TMG cannot validate users with Windows authentication against the internal domain, so we need to configure another authentication method. I typically prefer LDAPS: it is supported out of the box by AD domain controllers and is very simple to configure.

Setting up LDAPS Infrastructure

LDAPS is LDAP protected by SSL/TLS. TMG uses it to validate user credentials against the internal AD domain, either through plain LDAP queries (TCP 636, the TLS counterpart of cleartext 389) or through global catalog queries (TCP 3269, the TLS counterpart of 3268), sent from the TMG servers to a selected set of internal DCs. The cleartext ports are never used, so credentials are not exposed on the wire between the DMZ and the internal network.

The setup steps are as follows:

  1. Configure the selected DCs with a certificate. Every DC that will answer LDAPS requests needs a server authentication certificate whose subject or subject alternative name matches the FQDN that TMG will use to reach it. With an AD-integrated enterprise CA this certificate is issued automatically through autoenrollment (the Domain Controller or Kerberos Authentication template).
  2. Export the CA's root certificate (not the DC's own certificate) from one of the DCs and copy the file to each TMG server.
  3. Import the certificate into the ‘Trusted Root Certification Authorities’ store of the computer account (not the current user) on each TMG server; the firewall service runs as a service and only consults the computer store.
  4. Ensure that firewalls allow TCP 636 and 3269 from the TMG servers to the selected DCs.

A few tips to assist with this task:

  • If you just deployed your CA, run ‘certutil -pulse’ on each DC to trigger autoenrollment immediately instead of waiting for the next autoenrollment cycle.
  • Reboot the domain controller after the certificate has been issued so that it picks the certificate up and starts listening on ports 636 (secure LDAP) and 3269 (secure global catalog). On Windows Server 2008 and later you can avoid the reboot by writing the renewServerCertificate attribute to rootDSE (with ldifde or ADSI Edit), which makes the DC reload its certificate.
  • Verify the listener before touching TMG: on the DC, open ldp.exe, choose Connection → Connect, enter port 636 and tick SSL; the connection should succeed without certificate errors.

Configure LDAPS authentication

Within the TMG console, follow these steps to configure LDAPS:

  • Right click on the ‘Web Access Policy’ node.
  • Select ‘Configure (Related)’ and then ‘RADIUS Server Settings’
  • Select the ‘LDAP Servers’ tab and click the ‘Add’ button to create an LDAP set
  • Enter a name for the LDAP set (e.g. Internal DCs), the domain name and credentials used for authentication

NOTE: use a dedicated service account for this. It needs no rights beyond those of an ordinary domain user (it only reads user objects), and it should have a non-expiring password, because TMG stores the credentials and an expired password silently breaks every rule that uses the LDAP set. Never use an administrative account here: the password lives in the TMG configuration and is sent to the DCs in every simple bind, protected only by the TLS session.

  • Make sure that ‘Use Global Catalog (GC)’ and ‘Connect LDAP servers over secure connection’ are checked.
  • Add the selected internal DCs that were used in the preparation steps.
  • Define the mask for this LDAP set using ‘domain\*’ for the expression and the created LDAP set and click OK
  • Define another mask for this LDAP set using ‘*@domain.com’ for the expression and the created LDAP set and click OK
  • Repeat the above steps for any additional domains as needed
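Before relying on the LDAP set, it is worth checking from each array member that the selected DCs answer on 636 and 3269 with a certificate this machine trusts, and that the service account entered above can actually bind and look a user up. The PowerShell script below is an added example, not part of the original post; the DC names, the service account and the test user are placeholders, and it only uses .NET classes present on a TMG server (PowerShell 2.0 on Windows Server 2008 R2).

```powershell
# Added example, not from the original post. Run on each TMG array member.
# Placeholders (assumptions): DC names, the LDAP set's service account and the test user.
$dcs      = @("dc01.corp.domain.com", "dc02.corp.domain.com")   # assumed DC FQDNs, as entered in the LDAP set
$bindUser = "domain\svc-tmg-ldap"                                 # assumed service account of the LDAP set
$testUser = "jdoe"                                                # assumed sAMAccountName to look up
$bindPass = (Get-Credential $bindUser).GetNetworkCredential().Password

# 1. TLS handshake against the LDAPS and secure-GC ports. No custom validation callback is
#    installed, so the default chain and host-name checks run against this machine's
#    Trusted Root store, which is exactly what TMG relies on.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port)
    $tcp  = New-Object System.Net.Sockets.TcpClient
    $info = @{ Server = $Server; Port = $Port }
    try {
        $tcp.Connect($Server, $Port)                 # fails here if the firewall blocks the port
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $info.Result   = "OK"
        $info.Subject  = $cert.Subject
        $info.Issuer   = $cert.Issuer
        $info.NotAfter = $cert.NotAfter
        $ssl.Close()
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -is [System.Security.Authentication.AuthenticationException]) {
            # The DC answered, but the chain is untrusted or the name does not match: the CA root
            # is missing from this server's computer Trusted Root store, or the DC certificate
            # does not carry the FQDN used in the LDAP set.
            $info.Result = "UNTRUSTED: " + $ex.Message
        } else {
            $info.Result = "FAILED: " + $ex.Message   # DNS, firewall, or no LDAPS listener yet
        }
    } finally {
        $tcp.Close()
    }
    New-Object PSObject -Property $info
}

# 2. Simple bind with the LDAP set's credentials, then the same kind of lookup TMG performs
#    (user object by sAMAccountName). LDAP result 49 means a bad password or a locked or
#    expired account; "The LDAP server is unavailable" usually means the TLS layer rejected
#    the DC certificate.
function Test-LdapsBind {
    param([string]$Server, [int]$Port, [string]$User, [string]$Password, [string]$SamAccountName)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # implicit TLS, as used on 636/3269
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    $info = @{ Server = $Server; Port = $Port; User = $User }
    try {
        $conn.Bind()
        # Read the domain naming context from rootDSE, then search for the user under it.
        $rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest("", "(objectClass=*)",
                       [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@("defaultNamingContext"))
        $baseDn  = $conn.SendRequest($rootReq).Entries[0].Attributes["defaultNamingContext"].GetValues([string])[0]
        $userReq = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn,
                       "(&(objectClass=user)(sAMAccountName=$SamAccountName))",
                       [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@("distinguishedName"))
        $found = $conn.SendRequest($userReq).Entries
        if ($found.Count -eq 1) { $info.Result = "OK: " + $found[0].DistinguishedName }
        else { $info.Result = "BIND OK, but user lookup returned $($found.Count) entries" }
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $info.Result = "FAILED: " + $ex.Message
    } finally {
        $conn.Dispose()
    }
    New-Object PSObject -Property $info
}

$results = @()
foreach ($dc in $dcs) {
    foreach ($port in 636, 3269) { $results += Test-LdapsCertificate -Server $dc -Port $port }
    # The LDAP set has 'Use Global Catalog (GC)' checked, so bind on 3269 the way TMG will.
    $results += Test-LdapsBind -Server $dc -Port 3269 -User $bindUser -Password $bindPass -SamAccountName $testUser
}
$results | Format-Table Server, Port, Result, Subject, NotAfter -AutoSize
```

A row that reports UNTRUSTED while ldp.exe on the DC itself connects fine points at step 3 of the preparation (root certificate not in the computer store of that array member); a FAILED row on one port but not the other points at the firewall rule in step 4.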

Publish Exchange Services

Publishing the services is fairly simple by following the wizard. Here are the steps:

First, to create the listener that will be used for all of the rules:

  • Select the ‘Firewall Policy’ folder and the Toolbox tab on the right.
  • Navigate to ‘Network Objects’, right-click ‘Web Listeners’ and create a new listener with the following settings:
  1. Name: Exchange 2010 Listener
  2. Require SSL secured connections with clients
  3. Web Listener IP Addresses: All Networks (and Local Host). If internal clients should not be able to reach the listener, select only the External network instead.
  4. Use a single certificate for this Web Listener: select the certificate for webmail.domain.com. Since the Autodiscover rule created later on this page shares this listener, the certificate must also cover autodiscover.domain.com (as a subject alternative name or a wildcard), or clients will get a name mismatch.
  5. Authentication Settings: HTML Form Authentication and LDAP (Active Directory) client authentication
  6. Enable SSO for Web sites published with this web listener with the name: domain.com
  • Open the properties of the recently created listener, select the ‘Connections’ tab and configure the following:
  1. Enable HTTP connections on port 80
  2. Redirect all traffic from HTTP to HTTPS

Next, to publish OWA:

  • Select the ‘Firewall Policy’ section, then from the ‘Tasks’ tab on the right click ‘Publish Exchange Web Client Access’
  • Name the rule ‘Exchange 2010 OWA’
  • Select the ‘Exchange Server 2010’ version option and check ‘Outlook Web Access’
  • Accept the default selection of ‘Publish a single web site or load balancer’
  • Accept the default selection of ‘Use SSL to connect to the published server…’ (the TMG-to-CAS leg then carries the delegated Basic credentials over TLS rather than in the clear)
  • On the ‘Internal Publishing Details’ page, enter: webmail.domain.com
  • Check ‘Use a computer name or IP address to connect to the published server’ and enter the CAS array FQDN
  • Enter the ‘Public Name’ of ‘webmail.domain.com’
  • On the ‘Select Web Listener’ page, select the ‘Exchange 2010 Listener’
  • Accept the default authentication delegation using ‘Basic authentication’ (this requires Basic authentication to be enabled on the OWA virtual directory of the CAS)
  • Accept the default of ‘All Authenticated Users’ and complete the wizard

Edit the recently created rule, select the ‘Paths’ tab and add a new path so that a request for the bare host name (https://webmail.domain.com/) also matches this rule:

  • Folder: ‘/’
  • External path: same as published folder

Next, follow the same steps to create the ActiveSync publishing rule. Change only the name and select the ‘Exchange ActiveSync’ option on the ‘Select Services’ page. Adding the root folder path is not necessary for this rule.

Then, following the same process, create the Outlook Anywhere rule with an appropriate name and the ‘Outlook Anywhere (RPC/HTTPS)’ service option. Adding the root folder path is not necessary for this rule either.

Finally, we need to create a rule for Autodiscover, since that service uses a separate URL and some different options.

  • Right click on the ‘Exchange 2010 Outlook Anywhere’ Rule and select ‘Copy’
  • Right click on the next rule down and select ‘Paste’
  • Edit the new rule and make the following changes:
  1. Name: Exchange 2010 Autodiscover
  2. Public Name: autodiscover.domain.com
  3. Users: All Users (remove Authenticated Users)
  4. Authentication delegation: No delegation, but client may authenticate directly
  5. On the ‘Paths’ tab, confirm that the copied rule carries the /Autodiscover/* path and nothing broader. With ‘All Users’ and no delegation, TMG forwards unauthenticated requests for these paths straight to the CAS, which issues its own authentication challenge, so the anonymous exposure should stay limited to the Autodiscover path.
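Once the rules are in place, the quickest way to confirm that each one behaves as configured is to probe the public URLs from a client outside the array. The PowerShell script below is an added example, not part of the original post; the two host names are the placeholders used above, and the expected responses follow from the listener and rule settings on this page: the listener redirects HTTP to HTTPS, the OWA rule serves the TMG logon form to anonymous clients, and the Autodiscover rule lets the CAS challenge reach the client unchanged.

```powershell
# Added example, not from the original post. Run from a client outside the TMG array.
# Placeholders (assumptions): the two public names used in the rules above.
$owaHost  = "webmail.domain.com"
$autoHost = "autodiscover.domain.com"

function Invoke-Probe {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = "GET"
    $req.AllowAutoRedirect = $false        # show the redirect itself instead of following it
    $req.Timeout = 15000
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        # 401/403/5xx arrive as a WebException that still carries the response. A WebException
        # without one is a DNS, TCP or TLS failure; for the autodiscover name that is typically
        # a listener certificate that does not cover autodiscover.domain.com.
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            $resp = $ex.Response
        } else {
            return New-Object PSObject -Property @{ Url = $Url; Status = 0; Location = $null; Authenticate = $null; Error = $ex.Message }
        }
    }
    $result = New-Object PSObject -Property @{
        Url          = $Url
        Status       = [int]$resp.StatusCode
        Location     = $resp.Headers["Location"]
        Authenticate = $resp.Headers["WWW-Authenticate"]
        Error        = $null
    }
    $resp.Close()
    return $result
}

# Each check pairs a URL with the response the configuration above should produce.
$checks = @(
    @{ Name = "HTTP root redirects to HTTPS (listener Connections tab)"
       Url  = "http://$owaHost/"
       Pass = { param($r) $r.Status -eq 302 -and $r.Location -like "https://$owaHost/*" } },
    @{ Name = "OWA: TMG logon form, no CAS challenge leaks to anonymous clients"
       Url  = "https://$owaHost/owa/"
       Pass = { param($r) ($r.Status -eq 200 -or $r.Status -eq 302) -and -not $r.Authenticate } },
    @{ Name = "Autodiscover: CAS challenge passed through (All Users, no delegation)"
       Url  = "https://$autoHost/autodiscover/autodiscover.xml"
       Pass = { param($r) $r.Status -eq 401 -and $r.Authenticate } }
)

foreach ($c in $checks) {
    $r  = Invoke-Probe -Url $c.Url
    $ok = $false
    if ($r.Status -ne 0) { $ok = & $c.Pass $r }
    $verdict = "FAIL"
    if ($ok) { $verdict = "PASS" }
    "{0} {1}`n     {2} -> {3} {4} {5} {6}" -f $verdict, $c.Name, $c.Url, $r.Status, $r.Location, $r.Authenticate, $r.Error
}
```

A 401 on the OWA URL means the listener is not applying HTML form authentication to that rule; a 200 or 302 without a WWW-Authenticate header on the Autodiscover URL means the rule is still delegating or still requires authenticated users, so Outlook clients will be unable to complete Autodiscover.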

All the services are now published and the only thing remaining is to improve the user experience by configuring redirection to allow any URL to be entered in the browser. The third and final part of this post addresses redirection.
