Publishing behind an SSL accelerator
In the Forefront TMG Management console tree, click Firewall Policy.
In the task pane, click the Toolbox tab.
On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.
Complete the New Web Listener Wizard as outlined in the following table.
Page | Field or property | Setting or action
Welcome to the New Web Listener Wizard | Web listener name | Type a name for the Web listener. For example, type: SSL Accelerator Listener
Client Connection Security | | Select Do not require SSL secured connections with clients.
Web Listener IP Addresses | Listen for incoming Web requests on these networks | Select the External network. Click Select IP Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. In the Available IP Addresses list, select the IP address on which Forefront TMG will listen for HTTP requests from the SSL accelerator, click Add, and then click OK.
 | Select how clients will provide credentials to Forefront TMG | In the drop-down list, select No Authentication.
Single Sign On Settings | Enable SSO for Web sites published with this listener | Single sign-on is not available in this configuration.
Completing the New Web Listener Wizard | | Review the settings, and then click Finish.
In the details pane, click the Apply button to save and update the configuration, and then click OK.
To set the port to which Forefront TMG will return responses to the SSL accelerator, copy the following code to a Notepad file and save it as SetSslAcceleratorPort.vbs. Then, for a Web listener named SSL Accelerator Listener, at a command prompt, type: CScript SetSslAcceleratorPort.vbs "SSL Accelerator Listener"
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND.
' THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS
' CODE REMAINS WITH THE USER. USE AND REDISTRIBUTION OF THIS CODE,
' WITH OR WITHOUT MODIFICATION, IS HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit

' Define the constant needed
const Error_FileNotFound = &H80070002

Main(WScript.Arguments)

Sub Main(args)
    If(args.Count = 1) Then
        SetSslAcceleratorPort args(0)
    Else
        Usage()
    End If
End Sub

Sub SetSslAcceleratorPort(wlName)

    ' Create the root object.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    ' Declare the other objects needed.
    Dim tmgArray     ' An FPCArray object
    Dim webListener  ' An FPCWebListener object
    Dim text         ' A String
    Dim input        ' A String

    ' Get a reference to the local array object.
    Set tmgArray = root.GetContainingArray()

    ' Get a reference to the Web listener specified.
    On Error Resume Next
    Set webListener = _
        tmgArray.RuleElements.WebListeners.Item(wlName)
    If Err.Number = Error_FileNotFound Then
        WScript.Echo _
            "The Web listener specified could not be found."
    Else
        Err.Clear
        On Error GoTo 0
        With webListener.Properties
            If .SSLAcceleratorPort = 0 Then
                text = "No SSL accelerator port is configured." _
                    & VbCrLf _
                    & "You can enter a nonzero value to enable" _
                    & VbCrLf _
                    & "an SSL accelerator port."
            Else
                text = "Current SSL accelerator port: " _
                    & .SSLAcceleratorPort _
                    & VbCrLf _
                    & "You can change this value, or enter 0" _
                    & VbCrLf _
                    & "to disable the SSL accelerator port."
            End If
            input = InputBox(text,"SSL Accelerator Port", "443")
        End With
        ' Guard: InputBox returns "" when the dialog is canceled, and
        ' CInt("") or CInt of non-numeric text would raise a type mismatch.
        If input = "" Or Not IsNumeric(input) Then
            WScript.Echo "No valid port entered. The configuration was not changed."
            WScript.Quit
        End If
        If CInt(input) <> _
            webListener.Properties.SSLAcceleratorPort Then
            WScript.Echo "Changing the SSL accelerator port to " _
                & CInt(input) & "..."
            webListener.Properties.SSLAcceleratorPort = CInt(input)
        End If
        If webListener.Properties.SSLAcceleratorPort <> 0 Then
            WScript.Echo "Ensuring that the SSL port is set to 0..."
            webListener.Properties.SSLPort = 0
        End If
        webListener.Save
    End If
End Sub

Sub Usage()
    WScript.Echo "Usage:" & VbCrLf _
        & "    CScript " & WScript.ScriptName & " WebListener" _
        & VbCrLf & "" & VbCrLf _
        & "    WebListener - Name of the Web listener"
    WScript.Quit
End Sub
When you have an external SSL accelerator device in front of Forefront TMG, all Web traffic is intercepted by the device and then passed to Forefront TMG. When the device receives HTTPS traffic from a client, it terminates the SSL connection at the device, decrypting the traffic and then passing it as HTTP to Forefront TMG, which typically receives the traffic on port 80. This procedure configures Forefront TMG to recognize that there is an SSL accelerator between it and the Internet. This procedure also configures Forefront TMG to send responses to the correct port on the SSL accelerator and to provide HTTPS links in the response that will be returned by the SSL accelerator.
For the specific case in which the HTTPS request originating from the client is a Microsoft Outlook Web Access request, Forefront TMG automatically appends a header indicating to the Outlook Web Access server that it should return an HTTPS response. This takes place regardless of whether Forefront TMG has been configured to work behind the SSL accelerator.
This procedure is applicable only for an external SSL accelerator that is connected to the Internet and lies in front of the Forefront TMG computer, which communicates with it over a network connection. If you have an SSL accelerator card that is installed directly on the Forefront TMG computer or an external device that is connected to the Forefront TMG computer with a small computer system interface (SCSI), no configuration changes in Forefront TMG are required.
The Web listener must listen for HTTP requests on a separate IP address, on which no other Web listener listens for HTTP requests. This requires either an additional IP address on the network adapter that is connected to the External network, or a separate network adapter that is dedicated to the SSL accelerator. If you use a separate network adapter, you will need to define a new network containing the SSL accelerator and configure the Web listener to listen on that network.
If your SSL accelerator is connected to the Internet, the name on its SSL server certificate must match the public host name or IP address that external clients will type in their Web browser to access the published Web site.
The port to which Forefront TMG returns responses to an external SSL accelerator device in front of Forefront TMG cannot be set in Forefront TMG Management. The script provided also ensures that HTTPS listening is disabled on the Web listener.
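The following PowerShell audit script is an added example, not part of the original page or of Microsoft's own tooling. It reads the Web listeners through the same FPC COM object model that SetSslAcceleratorPort.vbs uses and reports any listener whose SSL accelerator port is set while SSL listening is still enabled or no HTTP port is open; it assumes the Properties.TCPPort property holds the listener's HTTP port.

```powershell
# Added audit script (not from the page or Microsoft): lists every Web listener's
# HTTP, SSL and SSL accelerator ports through the FPC COM object model that the
# page's SetSslAcceleratorPort.vbs uses, and flags the states the page requires
# behind an external SSL accelerator. Run it on the Forefront TMG computer.
# Assumption: the listener's Properties.TCPPort is its HTTP listening port.
param(
    [string]$ListenerName = ''   # optional: audit only this Web listener
)

$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()

# FPCWebListeners is an enumerable COM collection; force it into an array.
$listeners = @($array.RuleElements.WebListeners)
if ($ListenerName -ne '') {
    $listeners = @($listeners | Where-Object { $_.Name -eq $ListenerName })
    if ($listeners.Count -eq 0) { throw "Web listener '$ListenerName' was not found." }
}

foreach ($wl in $listeners) {
    $p = $wl.Properties
    $findings = @()

    if ($p.SSLAcceleratorPort -ne 0) {
        # Behind an accelerator TMG must not also terminate SSL itself; the
        # page's script sets SSLPort to 0 for exactly this reason.
        if ($p.SSLPort -ne 0) {
            $findings += "SSLPort is $($p.SSLPort) although SSL accelerator port " +
                         "$($p.SSLAcceleratorPort) is set; set SSLPort to 0."
        }
        # The accelerator hands TMG decrypted HTTP, so an HTTP port must be open.
        if ($p.TCPPort -eq 0) {
            $findings += "no HTTP port is enabled on this listener."
        }
    }

    $status = 'OK'
    if ($findings.Count -gt 0) { $status = $findings -join ' ' }

    New-Object PSObject -Property @{
        Listener           = $wl.Name
        HttpPort           = $p.TCPPort
        SslPort            = $p.SSLPort
        SslAcceleratorPort = $p.SSLAcceleratorPort
        Status             = $status
    }
}
```

Run it without arguments to audit every listener in the array, or pass the listener name (for example "SSL Accelerator Listener") to check only the one the procedure created.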