Securing Exchange ActiveSync with Client Certificates: WAN Access

Hopefully you managed to get yourself started with client certificates in the last post, or maybe this was something you had already sorted out in your own lab without any assistance of mine. The thing is, an ActiveSync configuration that only works over the LAN isn't all that worthwhile, is it? You'll want to make it work across them Intertubes as well, don't you? Now granted, this does not have to be complicated as such. If you have gotten it working directly on your Exchange server and you're piping the traffic through a regular firewall which just happens to do a port forward on the incoming traffic, it doesn't require much effort: just forward the port and let Exchange handle the rest. I don't know about you though, but I prefer some kind of reverse proxy in between that inspects the traffic and authenticates the connection before passing it through to the back-end server. Perhaps not entirely surprisingly, I have chosen Microsoft Forefront Threat Management Gateway 2010 (the successor to ISA Server) for this purpose in my infrastructure.
Let's try to build on what we have already done, and create some firewall rules that will make this work.

The three-headed dog

When you authenticate yourself to Forefront with username and password, the firewall is able to read your actual credentials, and after checking these to be good against Active Directory they are passed along to the Exchange Server. So as far as Exchange is concerned it's just like you authenticated directly to Exchange. But client certificates do not work this way. TMG is not able to pass along the certificate and present it directly to Exchange. This is by design, and it improves the security of the credentials. So how does TMG pass along your identity? This is where Kerberos enters the stage. You can read all the details in the TechNet Library if you want to understand the protocol (multiple readings might be necessary); take a look here: http technet. The short take of it is that we need to configure Kerberos Constrained Delegation (KCD) for this to work, and there are some additional things you need to do before creating the firewall rules. Keep in mind that this requires your TMG Server to be joined to the same domain as the Exchange Server. And from what I can tell based on my testing, they need to be in the same AD site/subnet as well.

Configuring Active Directory

First order of the day is to open up Active Directory Users and Computers on your Domain Controller (or your workstation if you have the remote tools installed). Locate the object for your Forefront TMG Server. Do not touch the Exchange Server account.
Go to the Delegation tab of the properties. Configure it as shown below (look up the Service Type and Computer account by clicking the Add button). In case you're wondering, I have intentionally blanked out the User or Computer column in my screenshot. The computer account you need to add is the Exchange Server hosting the CAS role. The service type is supposed to be http even though we are using https; it is not a bug or typo. SSL is something you layer on top of http, it's not an entirely different protocol.

Configuring Exchange

If you followed my previous article you might have Basic Authentication enabled under the Authentication options for the Microsoft-Server-ActiveSync virtual directory. (Client certificates are enabled in a different config view, shown in the next paragraph.) But this will not get you very far with Kerberos. The concept with Kerberos is that Active Directory grants the tickets to TMG, which are passed along to the Exchange Server, and thus you will need to enable Windows Authentication as well. Actually you can disable Basic if you like, but maybe you want to keep it for other purposes.

Screenshot: IIS Manager, Basic and Windows are enabled.

To accept or require, let me see... In my previous post I briefly mentioned that you could have the SSL settings set to either Accept or Require certificates. The client certificate from the ActiveSync device will be passed along as a Kerberos ticket, and will work even if you set it to Ignore on the Exchange Server. The effect of setting it to Require here is that the TMG Server will have to present a client certificate in addition to the Kerberos ticket. You can mull over what you prefer; I'll get back to the TMG settings affected later on down this page.

Screenshot: Locate SSL Settings in IIS Manager. Set to Ignore/Accept/Require.

Creating a Web Listener

You have now laid the foundations in your infrastructure for creating the necessary firewall rules, so you may now switch to your Forefront TMG console.
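The Active Directory delegation step and the Exchange virtual directory step above can both be done from a shell instead of the GUI. The following is an added example and is not code from the original post; it assumes a TMG computer account named TMG01, a CAS named EXCH01 with the FQDN exch01.corp.example, and the ActiveSync virtual directory on that server's Default Web Site. The first part needs the ActiveDirectory module, the second part the Exchange Management Shell.

```powershell
# Added example (not from the original post). Assumed names: TMG computer account
# "TMG01", Exchange CAS "EXCH01" / exch01.corp.example, ActiveSync vdir on the
# Default Web Site. AD part: run where the ActiveDirectory module is available.
# Exchange part: run from the Exchange Management Shell.

Import-Module ActiveDirectory

$tmgAccount = 'TMG01'
$casHost    = 'EXCH01'
$casFqdn    = 'exch01.corp.example'

# The service type is http, not https: TLS is layered on top of HTTP, and the SPN
# the CAS registers is http/<host>. Register both the short name and the FQDN so
# the rule works whichever form the TMG wizard ends up filling in.
$targets = @("http/$casHost", "http/$casFqdn")

# Equivalent of the Delegation tab: "Trust this computer for delegation to
# specified services only" with "Use any authentication protocol". The second
# part (protocol transition) is required because the device authenticated to
# TMG with a certificate, not with Kerberos, so TMG must be allowed to obtain a
# service ticket on the user's behalf.
Set-ADComputer -Identity $tmgAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
Set-ADAccountControl -Identity "$tmgAccount`$" -TrustedToAuthForDelegation $true

# Read back what was written; this is the list the screenshot in the post shows.
$acct = Get-ADComputer -Identity $tmgAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$acct.'msDS-AllowedToDelegateTo'
$acct.TrustedToAuthForDelegation   # expected: True

# Confirm the target SPNs actually exist on the CAS account. KCD fails without
# an error message you will recognise if the KDC cannot find the SPN.
foreach ($spn in $targets) { setspn -Q $spn }

# ---- Exchange side (Exchange Management Shell) ----
# Windows (Integrated) authentication must be on for the Kerberos ticket TMG
# presents. Basic can stay on for devices that use the fallback method.
# ClientCertAuth decides whether TMG must also present a certificate when
# bridging:  Ignore / Accepted -> the Kerberos ticket alone is enough
#            Required          -> TMG needs a certificate in its Firewall
#                                 Service certificate store (see below)
$vdir = "$casHost\Microsoft-Server-ActiveSync (Default Web Site)"
Set-ActiveSyncVirtualDirectory -Identity $vdir `
    -WindowsAuthEnabled $true -BasicAuthEnabled $true -ClientCertAuth Accepted

Get-ActiveSyncVirtualDirectory -Identity $vdir |
    Format-List BasicAuthEnabled, WindowsAuthEnabled, ClientCertAuth
```

Set-ADComputer -Add appends to msDS-AllowedToDelegateTo rather than replacing it, so existing delegation targets on the TMG account are kept. Pick Required instead of Accepted only if you intend to follow the bridging-certificate step later in the post.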
Now, you can run through the Web Publishing Wizard and create the Web Listener as part of this process, but I think it's cleaner to create the listener before creating the publishing rule. The important screenshots are shown below; I've created a listener called HTTP/HTTPS through the Wizard already.

Connections: HTTP should not be checked/enabled.

Authentication: Select SSL Client Certificate Authentication, and if you like you can check "Use a fallback authentication method" if you have some devices that do not support certificates.

Authentication, Advanced: You would think that you need to check "Require SSL client certificate", but this only applies when using Forms Based Authentication, which is not supported by ActiveSync. You would also need to configure the correct server certificate on the Certificates tab. In the Advanced dialog you would most likely, after testing that things work, change the Client Certificate Trust List to only trust certificates issued by your CA.

Creating a publishing rule

After you've got the listener configured we move on to creating the actual publishing rule. You can use the Web Publishing Wizard, but choosing Publish Exchange Web Client Access will make it slightly easier for you. Pick any name that suits your rule naming scheme. Choose your Exchange Server version (I've only tested with Exchange 2010) and Exchange ActiveSync. Remember that you must use SSL for this specific scenario. Type the internal host name, and while it's optional to specify an IP address I recommend it; it ensures you're not getting irritating SSL errors when bridging the traffic if there is some mismatch between DNS names and certificate names. Select the Web Listener we just created. It should not be necessary to edit the properties. Select Kerberos constrained delegation. The SPN should already be filled in based on the internal name you specified earlier in the wizard. It's important that this matches up with the SPN you specified in Active Directory.
Depending on how your AD and DNS are configured you might have to use the full FQDN instead of just the short name. The short name worked for me, but keep it in mind if you're having problems getting it working.

Using Client Certificates for the Bridging

If you specified Required on your ActiveSync virtual directory you have to edit the rule you just created to accommodate this. If you set it to Ignore or Accept you can skip this step. For this to work you need a certificate installed on your TMG Server. But it should not be in the Computer store that other rules require. You need to import it into the Firewall Service certificate store. You just need a plain Computer certificate with the FQDN as subject name.

Screenshot: Import into this store.

Next you should go to the Bridging tab of your publishing rule.
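When the short name works for one person and only the FQDN for another, the reason is almost always that the SPN string in the rule, the SPN registered in AD and the entry in the TMG account's delegation list do not all match character for character. This added diagnostic (not code from the original post) checks all three for a given internal name; it assumes the TMG computer account is TMG01, that the candidate names are exch01 and exch01.corp.example, and that the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post). Assumed names: TMG computer account
# "TMG01"; candidate internal names "exch01" and "exch01.corp.example".
Import-Module ActiveDirectory

function Test-KcdTarget {
    param(
        [Parameter(Mandatory = $true)][string]$TmgAccount,
        [Parameter(Mandatory = $true)][string]$InternalName
    )
    $spn = "http/$InternalName"

    # 1. Does the name resolve, and to which canonical host? A short name that
    #    resolves via the DNS suffix search list or a CNAME can land on a host
    #    whose registered SPN is the FQDN form only.
    try   { $canonical = ([System.Net.Dns]::GetHostEntry($InternalName)).HostName }
    catch { $canonical = $null }

    # 2. Is http/<name> registered on some account in AD? Without it the KDC
    #    cannot issue the service ticket, whatever TMG asks for.
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName

    # 3. Is exactly that SPN in the TMG account's delegation list? http/exch01
    #    and http/exch01.corp.example are two different entries.
    $allowed = (Get-ADComputer -Identity $TmgAccount -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'

    New-Object PSObject -Property @{
        Spn                    = $spn
        ResolvesTo             = $canonical
        SpnRegisteredOn        = ($holder | Select-Object -ExpandProperty sAMAccountName) -join ','
        SpnInTmgDelegationList = [bool]($allowed -contains $spn)
    }
}

# Run both forms. The row that has a registered SPN *and* is in the delegation
# list is the name to type into the rule; if only the FQDN row passes, that is
# the "use the full FQDN" situation described above.
'exch01', 'exch01.corp.example' |
    ForEach-Object { Test-KcdTarget -TmgAccount 'TMG01' -InternalName $_ } |
    Format-Table Spn, ResolvesTo, SpnRegisteredOn, SpnInTmgDelegationList -AutoSize
```

If neither row passes, the delegation list on the TMG account is the first place to look; the rule's SPN field cannot fix a missing or mistyped entry there.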