Sưu tầm: Securing Exchange 2010 with Forefront Threat Management Gateway (TMG) 2010, Publishing Outlook Web App


I went through all the steps required to successfully install Forefront Protection 2010 for Exchange Server and Forefront Threat Management Gateway (TMG) 2010 on the same server as your Exchange Server Edge Transport role. I also looked at some basic configuration so we should now be able to send and receive email.

What about external access? TMG 2010 can also securely publish all your Exchange Server related services such as Outlook Web App (OWA), Outlook Anywhere and ActiveSync (EAS).

In this final part of the series I’ll look at publishing OWA to the internet. While my focus is mainly on OWA, Outlook Anywhere and EAS should also work after very little or no additional configuration. I’ll start by creating a new certificate request and then submitting it to certificate authority and then install the issued certificate. I’ll then go over how to correctly export the issued certificate and import it on the TMG server. I’ll then conclude the series by creating a new “Exchange Web Client Access Publishing Rule”.

A few notes before I begin.. When working with certificates, there are two options, I have opted to use my own Enterprise Root CA which has been installed on my domain controller. You are of course welcome to purchase a certificate from a third-party CA, if you decide that this is a better option for you, the basic configuration steps below will not differ all that much, the only difference will be in how you submit the request to the CA. I highly recommend purchasing a UC Certificate for this, please see the following Microsoft TechNet article for more information.

This post also assumes that your domain controllers already accept LDAP connections over SSL. To enable this, you need to install a server certificate on each of your domain controllers. The following Microsoft TechNet article may provide some guidance if you need further assistance with this.

The first step is to confirm out OWA configuration, this is done by opening the Exchange Management Console, expand “Server Configuration”, click “Client Access” and then right-click “owa (Default Web Site)” and select “Properties”

image

It is also important to change the authentication settings by clicking on the “Authentication” tab. We need to disable forms based authentication as TMG will be providing this feature. If you keep Exchange forms based authentication enabled your users will be prompted to log into OWA twice.

image

We now need to create a certificate request for the certificate that will be used to OWA. This can of course be done from the Exchange Management Shell by making use of the New-ExchangeCertifate cmdlet or by making use of the new wizard included in the Exchange Management Console. To access the wizard, click “Server Configuration”, select your CAS server and click “New Exchange Certificate”

image

“Enter a friendly name for the certificate”, I usually use the external FQDN here. Click “Next”

image

If you are using a wildcard certificate, you can enter the root domain name here, I have elected not to use a wildcard certificate. Click “Next”

image

Next, select your required configuration. Enter your configuration and click “Next”

image

Review your certificate domains, I usually enter the server name without a suffix as well, but this is not necessarily required. Ensure that you have your internal, external and both autodiscover names listed and click “Next”

image

Enter your organization and location details and click “Next”

image

Review your certificate configuration summary and click “Next”

image

Once complete, click “Finish”

image

For those looking to use the Exchange Management Shell to complete this request, the command would look something like this:

New-ExchangeCertificate -FriendlyName ‘dogfood.cgoosen.com’ –GenerateRequest -PrivateKeyExportable $true -KeySize ’2048′ -SubjectName ‘C=AU,S=”NSW”,L=”Sydney”,O=”cgoosen.com”,OU=”test lab”,CN=dogfood.cgoosen.com’ –DomainName ‘tlex01.testlab.local’,’dogfood.cgoosen.com’,’autodiscover.testlab.local’,’autodiscover.dogfood.cgoosen.com’,’tlex01′ -Server ‘TLEX01′

Now that we have completed out certificate request, it is time to submit this request to a CA. I’ll be using my Enterprise Root CA which is installed on my domain controller, so I’ll just submit the request opening https://tldc01.testlab.local/CertSrv Click “Request a certificate”

image

Then click on “advanced certificate request”

image

Since we have already created the certificate request, select “Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file”

image

Paste the certificate request in the box provided, select the “Web Server” template and click “Submit”

image

Click “Yes” to acknowledge the “Web Access Confirmation”

image

Next download only the “DER encoded” certificate.

image

Now that we have our new certificate, it’s time to install it. Once again, click “Server Configuration” and select your new certificate. Click “Complete Pending Request”

image

image

Select your new certificate and click “Complete”

image

Once completed, click “Finish”. You have now installed your new certificate.

image

We now need to assign services to the certificate, click “Server Configuration” and select your new certificate. Click “Assign Services to Certificate”

image

Select your CAS server and click “Next”

image

Ensure that you have selected “Internet Information Services” and click “Next”

image

Review the configuration summary and click “Assign”

image

Once completed, click “Finish”

image

Now that we’ve installed the new certificate and assigned services to it, lets give it a quick test internally. My internal URL is https://tlex01.testlab.local/owa

image

Before we can import the certificate on the TMG server, you need to export the certificate along with its private key from the CAS server. Open the “Certificates” MMC and make sure you are viewing the “Local Computer”. We need to export 2 certificates. The first is the Enterprise Root CA certificate located in the “Trusted Root Certificate Authorities” store.

image

The second certificate is the new exchange certificate we just installed, it should be located in the “Personal” store.

image

Lets start with the Enterprise Root CA certificate, right-click the certificate and click “Export”. Click “Next”

image

Select “DER encoded binary X.509 (.CER)” and click “Next”

image

Give it a meaningful and name be sure to note down the location and click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

Next we export the exchange certificate along with its private key. right-click the certificate and click “Export”. Click “Next”

image

Ensure that you have selected “Yes, export the private key” and click “Next”

image

Ensure that you have selected “Export all extended properties” and click “Next”

image

You need to protect the private key by using a password, be sure to remember what password you enter here and click “Next”

image

Give it a meaningful and name be sure to note down the location and click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

Once you have those 2 certificates, (ca_cert.cer and cas_cert.pfx if you followed my naming convention) copy them to your TMG server. The log onto the TMG server and open the “Certificates” MMC and make sure you are viewing the “Local Computer”. We now repeat the previous process in reverse.

image

First we import the Enterprise Root CA certificate, expand the “Trusted Root Certificate Authorities” store, right-click “Certificates” and select “Import”. Click “Next”

image

Locate the certificate and click “Next”

image

You will notice that it will already have the correct location specified, do not change this, just click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

We then import the exchange certificate. Expand the “Personal” store right-click “Certificates” and select “Import”. Click “Next”

image

Locate the certificate and click “Next”

image

Enter the private key password (you do remember it, right?) Ensure that you have selected “Include all extended properties” and click “Next”

image

The correct location should already be specified, do not change this, just click “Next”

image

Review the settings and click “Finish”

image

Once completed successfully, click “Ok”

image

Once this is done, should should be able to double-click the exchange certificate and check the status. Both certificates should be “Ok”

image

The final step in the process is to create a “Exchange Web Client Access Publishing Rule”. Open the TMG Management Console, right-click “Firewall Policy”, select “New” and then select “Exchange Web Client Access Publishing Rule”

image

Give your rule a meaningful name and click “Next”

image

Select your Exchange version and select “Outlook Web Access”, then click “Next”

image

Select your publishing type and then click “Next”

image

Since we will be using SSL, select that option and click “Next”

image

Enter your internal site name, only enter the FQDN, there is no need to add HTTP/S or /OWA. Click “Next”

image

Enter your public name here, again only the FQDN. Click “Next”

image

Select your web listener, since I don’t already have one, I am going to create a new one by clicking “New”

image

Enter a meaningful name and click “Next”

image

We will be using SSL and want to require SSL connections from all clients. Click “Next”

image

Select your listener IP address, this should be your external network address. Click “Next”

image

Click “Select Certificate” and then select the exchange certificate we installed in the previously. Click “Select”

image

Click “Next”

image

Next we look at authentication settings, since our server is not a part of the domain, we are unable to use “Windows” authentication. Make sure “HTML Form Authentication” is selected, select “LDAP (Active Directory)” and click “Next”

image

I won’t be making use of SSO, make your selection and click “Next”

image

We need to add at least one LDAP server for user authentication, add your domain controllers here, type your domain name and I highly recommend that you make use of LDAP over SSL. Click “Next”

image

Review your web listener configuration and click “Finish”

image

Select the web listener you just created and click “Next”

image

Select “Basic Authentication” and then click “Next”

image

This rule will apply to “All Authenticated Users”, click “Next”

image

Review your configuration and then click “Finish” to create the rule.

image

Once the rule has been created, we need to apply it to TMG, click “Apply”

image

You should now see your rule listed..

image

Now for the fun part, lets test our configuration. If you visit your external URL, mine is https://dogfood.cgoosen.com/owa you should be presented with a OWA login form. Notice the “Secured by Microsoft Forefront Threat Management Gateway” banner at the bottom.

Enter your user name in the format “Domain\user name” and your password and click “Log On” If you have any certificate alerts, you may need to install your Root CA certificate to the “Trusted Root Certification Authorities” store on your workstation. If you are using an Enterprise Root CA, it uses Group Policy to propagate its certificate to the “Trusted Root Certification Authorities” store for all users and computers in the domain.

image

If everything has been correctly configured, you should be presented with your inbox.

image

To summaries, in this final part of the series I created a new certificate request and then submitted it to certificate authority. Once I had downloaded the issued certificate, I installed it on my exchange CAS server and assigned services to it. I then exported the issued certificate and imported it on the TMG server. To complete the process, I created a new “Exchange Web Client Access Publishing Rule”.

About thangletoan

Hallo Aloha

Posted on 10/11/2012, in Công nghệ và Giáo dục, Chính sách CNTT, Exchange 2010, Microsoft, Microsoft Exchange, Microsoft Exchange & TMG, TMG 2010 and tagged . Bookmark the permalink. Để lại bình luận.

Gửi phản hồi

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập:

WordPress.com Logo

Bạn đang bình luận bằng tài khoản WordPress.com Log Out / Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Log Out / Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Log Out / Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Log Out / Thay đổi )

Connecting to %s

%d bloggers like this: