Friday 14 January 2011

Configure Microsoft TMG 2010 SharePoint publishing rule

As promised in my previous post, here is a blog on how to configure the Threat Management Gateway.

We start from the same situation:
image

Let me give you a little bit more detail about the possible network configuration.

image

  • I have my internet connection with the external IP address 223.1.1.10
    • At my ISP I requested a DNS registration for biportal.corp.com pointing to that IP address
  • The inside IP address of my router is 192.168.1.254; the router's internal firewall is configured to forward all external HTTPS requests to the internal address 192.168.1.10 of the TMG01 server.
  • The TMG01 server has two NICs
    • One connected to switch1 with the fixed IP address 192.168.1.10
    • The other with the fixed IP address 10.0.0.10, connected to switch 2 of the internal network
    • The internal DNS has a registration tmg01.corp.local for the 10.0.0.10 IP address
  • Finally SHP01, with one NIC using IP address 10.0.0.40, connected to switch2
    • The internal DNS has multiple registrations for the SHP01 server IP address 10.0.0.40
      • biportal.corp.local
      • publicbiportal.corp.local
      • mysite.corp.local
      • publicmysite.corp.local
      • projects.corp.local
      • publicprojects.corp.local

That’s all about the network configuration for now; let’s start configuring TMG. It’s quite simple: just use the SharePoint wizard in the TMG management interface:

image

The first thing we need to do is give the rule a name:
image

Then we need to choose what type of rule we want to add.
For now I chose single web site or load balancer; in the future I might add a second SharePoint application server.

image

Then we select whether we want to use SSL for the communication between the TMG01 server and the SHP01 server. When you choose Use SSL you need to install SSL certificates on the SHP01 server. For now I chose not to encrypt the internal traffic, so the leg between TMG01 and SHP01 over switch 2 runs as plain HTTP.

image

Then we need to give the internal site name that TMG uses to address the SharePoint server. Test on your TMG server that it can resolve the internal site name. When this is not possible, select the Use a computer option and add the IP address of the SharePoint server or load balancer. In my case this is not needed; should it be needed I would add the IP address 10.0.0.40.

image

Then we need to specify the public name. You can accept any domain name, but this is less secure; I use the name biportal.corp.com. This means that only requests for this host name (the Host header of the request) are forwarded to the internal site.

image

Then we need to configure the web listener for the rule; because we don’t have one yet we select New. The first thing to do is give it a name:

image

Then we need to specify that external clients must use SSL to communicate with the TMG server. We want SSL here because this traffic goes over the internet and we don’t want to make the information freely available.

image

Then we need to tell TMG on which IP addresses it will listen: select External and click Select IP Addresses. In the window, select Specified IP addresses, click Add IP and enter the addresses you need, or select the displayed interface IP address. When you select the interface IP address as shown below, requests from all external internet addresses are accepted and forwarded. When you know that you only want to publish to specific organizations, you need to obtain their external internet addresses and add those to the Selected IP Addresses.

image
image

Because we selected SSL for the external communication, we now need to specify the SSL certificate. On this screen you can select a different certificate for each IP address you added; I chose the simple solution of using a single certificate. I will not explain how to request certificates; mine was created by our internal CA and installed on the TMG01 server.

image

Now we need to specify how external users authenticate. When you choose HTML Form Authentication, as I did, users get a TMG web form to log in; because I selected Windows (Active Directory) they need to use a domain account to authenticate, for example corp\Arjan.Fraaij. When you do this they no longer get a SharePoint login. You can also choose No Authentication; users are then redirected directly to the SharePoint site and need to log in there with their own account, which can also be a domain account depending on your SharePoint authentication configuration.

The other two options are HTTP or SSL authentication, where again you can choose Windows (Active Directory), and this is integrated. This means that an anonymous user still gets a login screen, but users at a remote site location in the same domain are granted access without needing to log in.

image

Then we need to tell TMG to use SSO for the external domain. This makes sure users don’t need to log in again when they switch to mysite.corp.com or projects.corp.com.

image

The listener configuration is now finished. Click Finish to continue the configuration of the firewall rule.

image

image

Most organizations have SharePoint configured to use NTLM (the default setting). I want to make sure I have a highly secure environment and use Kerberos in my SharePoint configuration, so I could choose Kerberos constrained delegation, making sure only Kerberos authentication can be used. When you are not sure, choose the setting below, which also allows NTLM authentication.

image

I will not explain configuring SPNs and delegation settings. Please look at one of my other blogs about SharePoint configuration and using DelegConfig.

Now we need to tell TMG about the Alternate Access Mapping configuration in SharePoint. I am not sure, but I think this is a reminder screen; I don’t know what TMG needs to do with this because it is a SharePoint-side configuration. See my previous blog post about configuring AAM.

image

Next you can specify which users can use the configured rule. For now I chose All Authenticated Users. I recommend adding a new user set to separate these users from your other internal domain accounts, such as server service accounts. You can define specific Active Directory groups or users. Okay, because I recommend it, let me do so.

Select All Authenticated Users in the window and click Remove. Then click Add, and click New in the next window.

Give the new set a name:
image

In the new window, click Add and select Windows users and groups…

image

You will get the well-known AD selection screen. I created a domain group to grant access to users. Select the group or users you want and click OK.

image
image

We have finished the user selection.
image

We also finished the rule configuration!
image

Now try to access SharePoint from the internet using the URL https://biportal.corp.com!

It could be that it does not work right away; I changed the setting of the rule shown below to make it work:

image

You need to repeat some of these steps for the other URLs, https://mysite.corp.com and https://projects.corp.com.
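The steps above leave a few things for you to verify by hand: that TMG itself resolves the internal site name, that the plain-HTTP leg to SHP01 is open, and that the listener only forwards requests for the public names. The script below is an added check, not part of the original post or of TMG; it uses only .NET 2.0 APIs so it runs under PowerShell 2.0 on the TMG server, and it assumes the names and addresses from this post.

```powershell
# Added pre-flight check for the SharePoint publishing rule above (not part of the original post).
# Assumed values taken from the network description; change them for your environment.
$internalSite = 'biportal.corp.local'   # internal site name entered in the wizard
$spAddress    = '10.0.0.40'             # SHP01
$listenerIp   = '192.168.1.10'          # external NIC of TMG01 (the router forwards 443 here)
$publicNames  = 'biportal.corp.com', 'mysite.corp.com', 'projects.corp.com'

# 1. TMG must be able to resolve the internal site name itself; the wizard does not check this.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($internalSite) | ForEach-Object { $_.ToString() }
    if ($resolved -contains $spAddress) { "OK   $internalSite -> $spAddress" }
    else { "FAIL $internalSite -> $($resolved -join ','); expected $spAddress, use the 'Use a computer' option" }
} catch { "FAIL $internalSite does not resolve: $($_.Exception.Message)" }

# 2. The internal leg is plain HTTP in this setup, so port 80 on SHP01 must be reachable from TMG.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($spAddress, 80); "OK   $spAddress port 80 reachable" }
catch   { "FAIL $spAddress port 80: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. Open a TLS session to the listener and send one request with a chosen Host header.
#    Returns the HTTP status line plus the certificate subject the listener presented.
function Get-ListenerStatus([string]$ip, [string]$hostHeader) {
    $client = New-Object System.Net.Sockets.TcpClient($ip, 443)
    # Certificate validation is skipped because the listener certificate comes from the internal CA.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($hostHeader)
        $cert    = $ssl.RemoteCertificate
        $request = "GET / HTTP/1.1`r`nHost: $hostHeader`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $reader  = New-Object System.IO.StreamReader($ssl)
        $status  = $reader.ReadLine()
        "{0,-22} {1}  (cert: {2})" -f $hostHeader, $status, $cert.Subject
    } finally { $ssl.Close(); $client.Close() }
}

# Each public name should get a TMG answer (the logon form or a redirect to it); a host name
# that is not on any rule must be refused by TMG and never reach SharePoint.
foreach ($name in $publicNames + 'unknown.example.com') { Get-ListenerStatus $listenerIp $name }
```

Run step 3 from outside the network as well, because the router only forwards port 443 to the listener from the internet side.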

Addition 17-1-2011: (need to log in again after not using SharePoint for 10 minutes)

This is caused by the configuration of the listener. You can change this on the Forms tab of the listener configuration by clicking Advanced:
image

On the advanced settings you can change the timeout for public and private connections. Be aware that some people may call your service desk about the timeout while others don’t have this issue. This depends on the choice they made on the TMG login screen: end users have to indicate whether they are logging in from a public or a private computer.
image

By default the timeout for public computers is 10 minutes.


Hope you enjoyed it! Comments, better solutions and recommendations: I’d like to hear about them.
