Web listener overview

When you create a Web publishing rule, you specify a Web listener to be used when applying the rule. The Web listener properties determine:

  • Which Internet Protocol (IP) addresses and ports on the specified networks will listen for Web requests.
  • Which authentication method will be used, when authentication is required.
  • The maximum number of concurrent client connections that are allowed.

The Web listener is used to:

  • Indicate the IP address and port to which a client makes a connection.
  • Enable Microsoft Forefront Threat Management Gateway to preauthenticate the connection.

Web listeners can be used by more than one Web publishing rule.

The Web listener network, or networks, that you select depend on which network clients will use to connect to the published Web server. For example, if the Web site you are publishing allows client requests from the Internet (the External network), you should select the External network for the Web listener. By selecting the External network, you are selecting the IP addresses on the Forefront TMG computer that are associated with the external network adapter. If you do not limit the IP addresses, all IP addresses associated with the selected network adapter will be included in the listener configuration.

Web listeners are used by a Web publishing rule. The rule specifies source network objects in addition to specifying a Web listener. The network objects specified as sources in the Web publishing rule must include the networks selected for the Web listener.

You can specify that a Web listener will listen on one or more specific IP addresses. When you do so for an HTTPS Web listener, you can choose to assign a single certificate to all of the IP addresses, or to assign a different certificate to each IP address. Assigning a different certificate to each IP address enables you to publish several sites over HTTPS by using the same Web listener, without using a wildcard certificate. For example, you can publish mail.contoso.com by using a certificate with that name on one IP address, and team.contoso.com by using a certificate with that name on a different IP address.

Alternatively, you can publish multiple Secure Sockets Layer (SSL) Web sites by using a single Web listener and a wildcard certificate. Note that a wildcard certificate such as *.contoso.com covers only names one label below the wildcard (mail.contoso.com, team.contoso.com); it does not cover contoso.com itself or names with additional labels such as owa.mail.contoso.com. For instructions for implementing this scenario, see Using wildcard certificates.

By using the same listener for several sites, you can take advantage of the Forefront TMG single sign-on (SSO) feature, which requires a common Web listener for all of the SSO sites.

You can create Web publishing rules that allow or deny access to a set of computers or to a group of users. If the rule applies specifically to users, Forefront TMG checks the incoming Web request properties to determine how the user will be authenticated. For example, a Web publishing rule might allow access only to specific users. Forefront TMG will authenticate the user requesting the object, to determine whether the Web publishing rule allows the requesting user access. The user must authenticate, using one of the authentication methods specified for the incoming Web requests.

Forefront TMG provides a secure, encrypted logon environment for browsers that support Microsoft Windows NT Challenge/Response (NTLM) authentication, and for other browsers that use Basic authentication. Basic authentication only Base64-encodes the user name and password, so it protects credentials only when the Web listener uses HTTPS; do not enable Basic authentication on an HTTP listener that is reachable from an untrusted network. Authentication methods can be set for all IP addresses on the server, or separately for each IP address.

Single sign-on (SSO) enables your users to move safely from one application to another, without having to reauthenticate. SSO is configured on the Single Sign On Settings page of the New Web Listener Wizard, and is available for HTML forms-based authentication.

For more information about authentication in Forefront TMG, see Overview of client authentication.

By limiting the number of client connections allowed simultaneously to the Forefront TMG computer, you can reduce the impact of connection-flooding attacks that would otherwise exhaust the system's resources. This is particularly useful when publishing servers. Set the limit with your expected peak load in mind: a limit that is too low lets an attacker deny service to legitimate clients simply by holding the allowed connections open.

For instructions for configuring the maximum number of concurrent connections allowed, see the procedure for modifying a Web listener in Modifying network objects.
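The following Python script is an added example; it is not Microsoft's code and does not use the Forefront TMG COM object model. It models the listener and rule properties discussed on this page (listener networks and IP addresses, per-IP or wildcard certificates, authentication methods, SSO, the connection limit) and checks a constructed configuration for the consistency points above: the rule's source networks must include the listener's networks, each HTTPS published name must be covered by a certificate on one of the listener's IP addresses, Basic authentication belongs on HTTPS listeners, SSO needs forms-based authentication, and an Internet-facing listener should cap concurrent connections. The class names, network names, IP addresses and host names are illustrative assumptions, and the sample configuration at the bottom is constructed for this example.

```python
"""Offline lint for a Forefront TMG Web listener / Web publishing rule layout.

Added example: a simplified hand-written model of the concepts on this page,
not Microsoft's code and not the TMG COM object model. All names, addresses
and the sample configuration are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class WebListener:
    name: str
    networks: frozenset[str]            # networks the listener is bound to, e.g. {"External"}
    ips: tuple[str, ...]                # listening IP addresses on those networks
    certificates: dict[str, str] = field(default_factory=dict)  # IP -> cert subject; empty = HTTP only
    auth_methods: frozenset[str] = frozenset()                  # e.g. {"Forms"}, {"Basic"}
    max_connections: int | None = None  # None = unlimited concurrent connections
    sso: bool = False                   # single sign-on enabled on this listener


@dataclass
class WebPublishingRule:
    name: str
    public_name: str                    # host name clients use, e.g. "mail.contoso.com"
    listener: str                       # name of the Web listener the rule uses
    source_networks: frozenset[str]     # network objects allowed as sources


def cert_matches(cert_name: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most DNS label
    (so *.contoso.com covers team.contoso.com but not contoso.com or a.b.contoso.com)."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    c_labels, h_labels = cert_name.split("."), host.split(".")
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def lint(listeners: list[WebListener], rules: list[WebPublishingRule]) -> list[str]:
    """Return one finding per configuration problem; an empty list means clean."""
    by_name = {lst.name: lst for lst in listeners}
    findings: list[str] = []

    for lst in listeners:
        if "Basic" in lst.auth_methods and not lst.certificates:
            findings.append(f"{lst.name}: Basic authentication on an HTTP-only listener "
                            "sends credentials unencrypted; use HTTPS or another method")
        if lst.max_connections is None and "External" in lst.networks:
            findings.append(f"{lst.name}: unlimited concurrent connections on an Internet-facing listener")
        if lst.sso and "Forms" not in lst.auth_methods:
            findings.append(f"{lst.name}: SSO requires HTML forms-based authentication")

    for rule in rules:
        lst = by_name.get(rule.listener)
        if lst is None:
            findings.append(f"{rule.name}: uses unknown Web listener '{rule.listener}'")
            continue
        # The rule's sources must include every network the listener is bound to.
        missing = lst.networks - rule.source_networks
        if missing:
            findings.append(f"{rule.name}: rule sources must include listener network(s) {sorted(missing)}")
        # For an HTTPS listener, some IP address must present a certificate for the public name.
        if lst.certificates and not any(cert_matches(c, rule.public_name)
                                        for c in lst.certificates.values()):
            findings.append(f"{rule.name}: no certificate on listener '{lst.name}' covers {rule.public_name}")
    return findings


# Constructed sample configuration: two sites on one HTTPS listener with a
# certificate per IP address, plus an HTTP listener on the Internal network.
SAMPLE_LISTENERS = [
    WebListener("Internet HTTPS", frozenset({"External"}), ("131.107.1.10", "131.107.1.11"),
                {"131.107.1.10": "mail.contoso.com", "131.107.1.11": "team.contoso.com"},
                frozenset({"Forms"}), max_connections=2000, sso=True),
    WebListener("Intranet HTTP", frozenset({"Internal"}), ("10.0.0.1",),
                {}, frozenset({"Basic"})),
]
SAMPLE_RULES = [
    WebPublishingRule("Publish OWA", "mail.contoso.com", "Internet HTTPS", frozenset({"External"})),
    WebPublishingRule("Publish SharePoint", "team.contoso.com", "Internet HTTPS", frozenset({"External"})),
    WebPublishingRule("Publish wiki", "wiki.contoso.com", "Internet HTTPS", frozenset({"External"})),
    WebPublishingRule("Publish intranet", "intranet.contoso.com", "Intranet HTTP", frozenset({"VPN Clients"})),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_LISTENERS, SAMPLE_RULES):
        print(finding)
```

Run as written, the sample reports three findings: wiki.contoso.com has no covering certificate on either listener IP (a third IP with its own certificate, or a single *.contoso.com wildcard, would fix it), the intranet rule's sources omit the Internal network the listener is bound to, and the Internal listener offers Basic authentication over plain HTTP.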