Add Certificate for External Web Listener

In Forefront TMG, you can add a certificate for the external Web listener for Remote Web Workplace. If you have not installed the certificate on the Security Server, you must first import the certificate. Then you modify the properties of the external Web listener for the Remote Web Workplace publishing rule to use the certificate. You need to do this if you want to configure Remote Web Workplace with a public certificate from a trusted certificate authority. You also need to do this if you use the private certificate authority in Windows EBS but you issue a certificate for a different remote access URL than the one that was originally configured in Windows EBS (for example, if you want to use the URL rww.adventure-works.com instead of remote.adventure-works.com).

Note

For more information about how to request and install a certificate from a commercial certificate authority, see “Configuring server certificates for secure Web publishing” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=137107). To create a domain certificate from the private authority in Windows EBS, use the Create Certificate Wizard in Internet Information Services (IIS) Manager on the Security Server. For more information, see “Create a Domain Server Certificate in IIS 7.0” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=137111).

Note

By default, the external Web listener for Remote Web Workplace is configured to use the certificate that is issued by the private certificate authority in Windows EBS. If you choose to use this private certificate, you must install a root certificate on client computers, which validates secure remote access to Remote Web Workplace. For more information about installing the root certificate on client computers, see Install Root Certificate on a Remote Computer.

Note

You must use an account that is in the Domain Admins group to perform this procedure.

To import a certificate to the Security Server

  1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.

  2. Click the Computers and Devices tab, click the name of your Security Server, and then, in the tasks pane, click Connect to computer.

  3. On the Security Server, start the Certificates snap-in, and then use the Certificate Import Wizard to import a certificate file. For step-by-step instructions, see “Importing a certificate to a Forefront TMG computer” at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=137112).
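After the import, you can check from a Windows PowerShell prompt on the Security Server that the certificate is usable for the listener. The following script is an added example, not part of the original Microsoft procedure. It assumes the certificate was imported to the computer's Personal store and uses the example host name rww.adventure-works.com from this topic; the function name Test-ListenerCertificate is hypothetical.

```powershell
# Added example: list certificates in the computer's Personal store and report
# anything that would make one unsuitable for the external Web listener.
# Assumption: $HostName is the remote access host name clients will type.
$HostName      = 'rww.adventure-works.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-ListenerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    $problems = @()
    $now = Get-Date

    # The listener terminates SSL, so the private key must be on this computer.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $Cert.NotBefore)  { $problems += 'not yet valid' }
    if ($now -gt $Cert.NotAfter)   { $problems += 'expired' }

    # If an EKU extension is present, it must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        if ($oids -notcontains $ServerAuthOid) { $problems += 'EKU lacks Server Authentication' }
    }

    # GetNameInfo returns the first DNS name (subject alternative name, else CN).
    # Limitation: additional SAN entries are not inspected by this check.
    $dns = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $match = ($dns -eq $Name)
    if (-not $match -and $dns.StartsWith('*.')) {
        # Wildcard certificate: compare everything after the first label.
        $match = ($Name.Substring($Name.IndexOf('.') + 1) -eq $dns.Substring(2))
    }
    if (-not $match) { $problems += "name '$dns' does not match '$Name'" }

    $problems
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $found = Test-ListenerCertificate -Cert $_ -Name $HostName
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Problems   = ($found -join '; ')
    }
} | Format-List Subject, Thumbprint, Problems
```

A certificate with an empty Problems field passes these checks for the given host name.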

Note

You must use an account that is in the Domain Admins group to perform this procedure.

To add a certificate for the external Web listener

  1. Click Start, click All Programs, click Windows Essential Business Server, and then click Windows Essential Business Server Administration Console.

  2. Click the Security tab, click Network firewall, and then in the tasks pane, click Start Forefront Threat Management Gateway console. The Forefront TMG console starts.

  3. In the console tree, expand the name of your Security Server, and then click Firewall Policy.

  4. In the results pane, double-click Remote Web Workplace Publishing Rule.

  5. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.

  6. Select External Web Listener from the list, and then click Properties.

  7. In External Web Listener Properties, click the Certificates tab.

  8. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.

  9. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.

  10. To save changes and update the configuration, in the results pane, click Apply.