Configure Forefront TMG for a hybrid environment

SharePoint 2013

Applies to: SharePoint Server 2013, SharePoint Online

Topic Last Modified: 2014-07-14

Summary: Learn how to configure Forefront TMG 2010 as a reverse proxy device in a SharePoint 2013 hybrid environment.

Stage two of a SharePoint hybrid deployment

In hybrid SharePoint Server 2013 environments in which SharePoint Online requests data from SharePoint Server 2013, you need a reverse proxy device to securely relay requests from the Internet to your on-premises SharePoint Server 2013 farm.

This article tells you how to set up Forefront Threat Management Gateway (TMG) 2010 for use as a reverse proxy for a hybrid SharePoint Server 2013 environment.

This article provides guidance for Phase 2 of the SharePoint hybrid environment deployment process, which integrates SharePoint Server 2013 and SharePoint Online.

Phase 2: Configure a reverse proxy device

[Figure: the steps to be completed in this phase]

This is the second phase in the process to configure a SharePoint hybrid solution. The procedures in these articles must be completed in the order shown:

  1. Configure a hybrid topology for SharePoint Server 2013

  2. Configure a reverse proxy device for SharePoint Server 2013 hybrid (this phase)

  3. Configure identity management for a hybrid topology in SharePoint Server 2013

  4. Configure a hybrid solution for SharePoint Server 2013

For an overview of the whole process, see Plan SharePoint Server 2013 hybrid.

For more information about specialized hybrid-related terms and concepts in this article, see Glossary for hybrid SharePoint 2013.

For complete information about Forefront Threat Management Gateway (TMG) 2010, see Forefront Threat Management Gateway (TMG) 2010.

When you have completed the procedures in this article, you can continue to Phase 3 of the hybrid deployment process, Configure identity management for a hybrid topology in SharePoint Server 2013.

Accessibility note: SharePoint Server 2013 supports the accessibility features of common browsers to help you administer deployments and access sites. For more information, see Accessibility for SharePoint 2013.

Before you begin, there are a few things you need to know:

  • TMG has to be deployed in an edge configuration, with at least one network adapter connected to the Internet and configured for the external network in TMG and at least one network adapter connected to the intranet network and configured for the internal network in TMG.

  • The TMG server has to be a domain member in the Active Directory domain forest that contains your Active Directory Federation Services (AD FS) 2.0 server. The TMG server has to be joined to this domain to use SSL client certificate authentication, which is used for authenticating inbound connections from SharePoint Online.

    Security note:
    As a general best practice for edge deployments, you normally install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. However, you can configure client certificate authentication only for users in the domain to which the TMG server is joined, so this practice cannot be followed for hybrid environments.
    For more information on TMG network topology considerations, see Workgroup and domain considerations.
  • Deploying TMG 2010 for use in a SharePoint Server 2013 hybrid environment in a back-to-back configuration is theoretically possible but has not been tested and may not work.

  • TMG 2010 includes both diagnostic logging and a real-time logging interface. Logging plays an important role in troubleshooting issues with connectivity and authentication between SharePoint Server 2013 and SharePoint Online. Identifying the component that is causing a connection failure can be challenging, and TMG logs are the first place you should look for clues. Troubleshooting can involve comparing log events from TMG logs, SharePoint Server 2013 ULS logs, Windows Server event logs, and Internet Information Services (IIS) logs on multiple servers.

For more information on how to configure and use logging in TMG 2010, see Using diagnostic logging.

For more information on general TMG 2010 troubleshooting, see Forefront TMG Troubleshooting.

For more information on troubleshooting techniques and tools for SharePoint Server 2013 hybrid environments, see Troubleshooting hybrid environments.

If you have not already installed TMG 2010 and configured it for your network, use this section to install TMG 2010 and prepare the TMG system.

Install TMG 2010
  1. Install Forefront TMG 2010 if it is not already installed. For more information on installing TMG 2010, see Forefront TMG Deployment.

  2. Install all the available service packs and updates for TMG 2010. For more information, see Installing Forefront TMG Service Packs.

  3. Join the TMG server computer to the on-premises Active Directory domain if it is not already a domain member.

    For more information on deploying TMG 2010 in a domain environment, see Workgroup and domain considerations.

You must import the Secure Channel SSL certificate into both the Personal store of the local computer account and the Personal store of the Microsoft Forefront TMG Firewall service account (fwsrv).

The location of the Secure Channel SSL certificate is recorded in Row 1 (Secure Channel SSL Certificate location and Filename) of Table 4b: Secure Channel SSL Certificate.

If the certificate contains a private key, you will need to provide the certificate password, which is recorded in Row 4 (Secure Channel SSL Certificate password) of Table 4b: Secure Channel SSL Certificate.

Import the certificate
  1. Copy the certificate file from the location specified in the worksheet to a folder on the local hard disk.

  2. On the reverse proxy server, open MMC and add the Certificate Management snap-in for both the local computer account and the local fwsrv service account.

    Note:
    After TMG 2010 has been installed, the friendly name of the fwsrv service is the Microsoft Forefront TMG Firewall service.
  3. Import the Secure Channel SSL certificate to the Personal certificate store of the computer account.

  4. Import the Secure Channel SSL certificate to the Personal certificate store of the fwsrv service account.

For more information about how to import an SSL certificate, see Import a Certificate.
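The two-store requirement above is easy to get half right: the computer store is populated but the service store is not, or a .cer export without the private key was imported instead of the PFX. The following PowerShell check is an added example, not code from the original article; it assumes the placeholder is replaced with the Secure Channel certificate's thumbprint from your worksheet, and that Windows keeps per-service certificate stores under HKLM\SOFTWARE\Microsoft\Cryptography\Services\<service>\SystemCertificates.

```powershell
# Added verification script; not part of the original article.
# Assumption: per-service certificate stores live under
# HKLM\SOFTWARE\Microsoft\Cryptography\Services\<service>\SystemCertificates.
function Test-SecureChannelCertStores {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$ServiceName = 'fwsrv'   # Microsoft Forefront TMG Firewall service
    )
    # Normalise the thumbprint: MMC copies it with spaces and sometimes an invisible leading character.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # 1. Personal store of the local computer account (what the web listener certificate picker reads).
    $machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    $hasKey = $false
    $notAfter = ''
    if ($machineCert) { $hasKey = [bool]$machineCert.HasPrivateKey; $notAfter = $machineCert.NotAfter }

    # 2. Personal store of the fwsrv service account. The Cert: drive does not expose service
    #    stores, so look at the registry location Windows uses for them (assumed path, see above).
    $svcKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\$ServiceName\SystemCertificates\My\Certificates\$tp"
    $svcPresent = Test-Path $svcKey

    $result = New-Object PSObject -Property @{
        Thumbprint      = $tp
        InComputerStore = [bool]$machineCert
        HasPrivateKey   = $hasKey
        InServiceStore  = $svcPresent
        NotAfter        = $notAfter
    }
    # The listener can use the certificate only when all three conditions hold.
    $result | Add-Member NoteProperty Ready ([bool]$machineCert -and $hasKey -and $svcPresent)
    return $result
}

# Usage on the TMG server (placeholder thumbprint; replace with the value from Table 4b).
$check = Test-SecureChannelCertStores -Thumbprint 'REPLACE_WITH_SECURE_CHANNEL_CERT_THUMBPRINT'
$check | Format-List
if (-not $check.InComputerStore) { Write-Warning 'Import the certificate into the computer account Personal store.' }
elseif (-not $check.HasPrivateKey) { Write-Warning 'Certificate has no private key; import the PFX (with its password), not a .cer export.' }
if (-not $check.InServiceStore) { Write-Warning 'Import the certificate into the fwsrv service account Personal store.' }
if ($check.Ready -and $check.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($check.NotAfter); plan renewal." }
```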

In this section, you configure a web listener and a publishing rule that will receive inbound requests from SharePoint Online and relay them to the primary web application of your SharePoint Server 2013 farm. The web listener and publishing rule work together to define the connection rules and to pre-authenticate and relay the requests. You configure the web listener to authenticate inbound connections using the Secure Channel certificate you installed in the last procedure.

For more information on configuring publishing rules in TMG, see Configuring Web publishing.

For more information on SSL bridging in TMG 2010, see About SSL bridging and publishing.

Use the following procedure to create the publishing rule and web listener.

Create the publishing rule and web listener
  1. In the Forefront TMG Management Console, in the left navigation pane, right-click Firewall Policy, and then click New.

  2. Select SharePoint Site Publishing Rule.

  3. In the New SharePoint Publishing Rule Wizard, in the Name text box, type the name of the publishing rule (for example, “Hybrid Publishing Rule”). Click Next.

  4. Select Publish a single Web site or load balancer, and then click Next.

  5. To use HTTP for the connection between TMG and your SharePoint Server 2013 farm, select Use non-secured connection to connect the published Web server or server farm, and then click Next.

    To use HTTPS for the connection between TMG and your SharePoint Server 2013 farm, select Use SSL to connect the published Web server or server farm, and then click Next.

    Note:
    If you use SSL, ensure that you have a valid certificate installed on the primary web application.
  6. In the Internal Publishing Details dialog box, in the Internal site name text box, type the internal DNS name of the bridging URL, and then click Next. This is the URL that the TMG server will use to relay requests to the primary web application.

    Note:
    Do not type the protocol (http:// or https://).

    The Bridging URL is recorded in one of the following locations in the SharePoint Hybrid worksheet:

    • If your primary web application is configured with a host-named site collection, use the value in Row 1 (Primary web application URL) of Table 5a: Primary web application (host-named site collection).

    • If your primary web application is configured with a path-based site collection, use the value in Row 1 (Primary web application URL) of Table 5b: Primary web application (path-based site collection without AAM).

    • If your primary web application is configured with a path-based site collection with AAM, use the value in Row 5 (Primary web application URL) of Table 5c: Primary web application (path-based site collection with AAM).

  7. In the Use a computer name or IP address to connect to the published server box, optionally type the IP address or the fully qualified domain name (FQDN) of the primary web application or network load balancer, and then click Next.

    Note:
    If TMG can resolve the primary web application using the host name you provided in the previous step, you do not have to perform this step.
  8. In the Public Name Details dialog box, accept the default setting on the Accept requests for menu. In the Public name text box, type the host name of your External URL (for example, “sharepoint.adventureworks.com”), and then click Next. This is the host name in the external URL that SharePoint Online will use to connect with your SharePoint Server 2013 farm.

    Note:
    Do not type the protocol (http:// or https://).

    The External URL is recorded in Row 3 (External URL) of Table 3: Public Domain Info in the SharePoint Hybrid worksheet.

  9. In the Select a Web Listener dialog box, select New.

  10. In the New Web Listener Wizard dialog box, in the Web listener name text box, type a name for the web listener, and then click Next.

  11. In the Client Connection Security dialog box, select Require SSL secured connections with clients, and then click Next.

  12. In the Web Listener IP Addresses dialog box, select External <All IP addresses>, and then click Next.

    If you want to restrict the listener to listen only on a specific external IP address, click the Select IP Addresses button, and then in the External Network Listener IP Selection dialog box, select Specified IP addresses on the Forefront TMG computer in the selected network. Click Add to specify an IP address, and then click OK.

  13. In the Listener SSL Certificates dialog box, select Use a single certificate for this Web Listener, and click the Select Certificate button. In the Select Certificate dialog box, select the Secure Channel SSL certificate you imported to the TMG computer, click Select, and then click Next.

  14. In the Authentication Settings dialog box, select SSL Client Certificate Authentication, and then click Next. This setting enforces client certificate credentials for inbound connections using the Secure Channel certificate.

  15. Click Next to bypass Forefront TMG single sign-on settings.

  16. Review the New Listener summary page, and click Finish. This returns you to the Publishing Rule Wizard in which your newly created web listener is automatically selected.

  17. In the Select Web Listener dialog box, in the Web Listener drop-down menu, make sure the correct web listener is selected, and click Next.

  18. In the Authentication Delegation dialog box, select No delegation, but client may authenticate directly from the drop-down menu, and then click Next.

  19. In the Alternate Access Mapping Configuration dialog box, select SharePoint AAM is already configured on the SharePoint server, and then click Next.

  20. In the User Sets dialog box, select the All Authenticated Users entry, and click Remove. Then click Add, and in the Add Users dialog box, select All Users, and then click Add. Click Close to close the Add Users dialog box, and then click Next.

  21. In the Completing the New SharePoint Publishing Rule Wizard dialog box, confirm your settings, and then click Finish.

There are several settings that you must now verify or change in the publishing rule you just created.

Finalize the publishing rule configuration
  1. In the Forefront TMG Management Console, in the left navigation pane, select Firewall Policy, and in the Firewall Policy Rules list, right-click the publishing rule you just created, and click Configure HTTP.

  2. In the Configure HTTP policy for rule dialog box, on the General tab, under URL Protection, confirm that both Verify normalization and Block high bit characters are unchecked, and then click OK.

  3. Right-click the publishing rule you just created again, and click Properties.

  4. In the <rule name> Properties dialog box, on the To tab, uncheck the Forward the original host header instead of the actual one box. Under Proxy requests to published site, ensure that Requests appear to come from the original client is selected.

  5. On the Link Translation tab, ensure that the Apply link translation to this rule check box is set correctly:

    • If the internal URL of your primary web application and the external URL are identical, uncheck the Apply link translation to this rule check box.

    • If the internal URL of your primary web application and the external URL are different, check the Apply link translation to this rule check box.

  6. On the Bridging tab, under Web server, ensure that the correct Redirect requests to <HTTP port or SSL port> check box is checked and that the port in the text box corresponds to the port your internal site is configured to use.

  7. Click OK to save your changes to the publishing rule.

  8. In the Forefront TMG Management Console, on the top bar, click Apply to apply your changes to TMG. It might take one or two minutes for TMG to process your changes.

  9. To validate your configuration, right-click the new publishing rule from the Firewall Policy Rules list, and click Properties.

  10. In the <rule name> Properties dialog box, click the Test Rule button. TMG runs a series of tests to check for connectivity to the SharePoint site and displays the results of the tests in a list. Click each configuration test for a description of the test and its results. Fix any errors that appear.
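The Test Rule button checks the path from TMG to the SharePoint farm; it does not show what an external client sees. The script below is an added example, not code from the original article or from TMG, that complements it from the outside in: it checks that the bridging host name from step 7 resolves on the TMG server and that the external listener from steps 11 to 13 presents the Secure Channel certificate. The public name, bridging host name and thumbprint are placeholders to be taken from your worksheet.

```powershell
# Added validation script; not part of the original article or of TMG itself.
# Assumptions (placeholders below come from your worksheet): $PublicName is the host name of the
# External URL, $InternalName the host name of the bridging URL, $ExpectedThumbprint the Secure
# Channel certificate thumbprint. Run it on the TMG server; the DNS check is meaningful only there.
function Test-HybridPublishing {
    param(
        [Parameter(Mandatory = $true)][string]$PublicName,
        [Parameter(Mandatory = $true)][string]$InternalName,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint,
        [int]$Port = 443
    )
    $tp = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $r = New-Object PSObject -Property @{ PublicName = $PublicName; InternalName = $InternalName }

    # Step 7 of the wizard relies on TMG resolving the bridging host name; check that first.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($InternalName) | ForEach-Object { $_.ToString() }
        $r | Add-Member NoteProperty InternalResolvesTo ($addrs -join ', ')
    } catch {
        $r | Add-Member NoteProperty InternalResolvesTo ''
    }

    # TLS handshake against the external listener; chain validation is off only so the certificate can be inspected.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($PublicName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($PublicName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r | Add-Member NoteProperty ListenerSubject $cert.Subject
        $r | Add-Member NoteProperty ListenerThumbprint $cert.Thumbprint
        $r | Add-Member NoteProperty ListenerNotAfter $cert.NotAfter
        # The listener must present the Secure Channel certificate selected in step 13, not another one.
        $r | Add-Member NoteProperty PresentsSecureChannelCert ($cert.Thumbprint -eq $tp)
    } catch {
        # A listener that rejects clients without a certificate may abort the handshake; record why.
        $r | Add-Member NoteProperty ListenerError $_.Exception.Message
        $r | Add-Member NoteProperty PresentsSecureChannelCert $false
    } finally {
        $client.Close()
    }
    return $r
}

$result = Test-HybridPublishing -PublicName 'sharepoint.adventureworks.com' `
    -InternalName 'REPLACE_WITH_BRIDGING_HOST_NAME' -ExpectedThumbprint 'REPLACE_WITH_THUMBPRINT'
$result | Format-List
if (-not $result.InternalResolvesTo) { Write-Warning 'Bridging host name does not resolve from TMG; supply the IP or FQDN in step 7.' }
if (-not $result.PresentsSecureChannelCert) { Write-Warning 'External listener is not presenting the Secure Channel certificate (step 13).' }
```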
