
Thursday 26 January 2012

Microsoft TMG Server - Publishing a website that requires HTTP and HTTPS Traffic

This is the kind of post that might win me some award or it could be just useless twaddle that I find out during the day job that has foxed me for many a moon and someone might, just might, need to know.


TMG (Forefront Threat Management Gateway 2010) is the successor to Microsoft's ISA Server, and for those that don't know either of those things, look away now for the rest of the post because you will be asleep by the end of it.


If you have a website that you want to publish both HTTP and HTTPS traffic for you may think this is very, very easy and I can do this with no bother at all.  I had this notion when I started out trying to get it to work and we spent 4 years trying to get it to go - OK not 4 years but it's been that long since I looked at this issue and it only came about due to one of my customers requiring it and me not wanting to use just our main firewall.  Security is big these days...
Anyway after raising a call with Microsoft to find out why I had no hair left and also to get it fixed it took them approximately 15 minutes to resolve it - if I had done that four years ago I probably would have saved a lot of time but as they say, hindsight is a wonderful thing.  If you need to do it follow these steps below, paying particular attention to Link Translation:

1 - Click Publish Web Sites

2 - Give your Publishing Rule a friendly name


3 - We are setting up an allow rule so leave the default "Allow" and click Next


4 - For this demonstration we are going to publish just a single website so leave the default option selected and click Next


5 - Select the "Use SSL to connect.." option - we will setup HTTP access later on in the demonstration.



6 - Type in the Internal site name - in most of the installations the website is internal at our Data Centre so we have to make the internal site name the same as what an external user would type.  This is due to our firewall not allowing you to go out its external interface and come back in again.  Never known why but it is something to do with loop attacks (above my head that one). You may find you don't need to do that but for consistency's sake making an internal DNS record which is the same as your external record helps you as an IT engineer explain to users that it's one address anywhere! Input the IP address of the web server internally into the bottom field and click Next.


7 - If you have a path you want to specify such as /web or /site then enter it below.  For this demonstration we will leave it blank.  Tick the box at the bottom that states any requests will forward the original host header.  You want this on so that if you have multiple sites on one box you can use host headers.  This is so that single servers know which website to send the traffic to.  Without this, host headers won't function correctly. Click Next.


8 - Type in the public name, the URL people will use externally, in the Public name field.  Bear in mind the URL you specify here must be the same as the URL you put on your certificate request to your third-party SSL provider.  If it isn't then your users or potential customers will have issues getting to the secure parts of your website - lots of people get this wrong so do not be one of them (I did once...).  Click Next.


9 - Now the important bit - the web listener.  Click New to start the New Listener Wizard.


10 - Give your new listener a friendly name, preferably something that references the site you are publishing just so you can identify it later in life.  Click Next.


11 - Select Require SSL secured connections with clients and click Next


12 - Select External as we want the TMG server to listen to requests coming from outside our network.  You may want it to listen for internal requests so you can select Internal too but for this demo we want just External.  Click the Select IP Addresses button.



13 - Select "Specified IP addresses..." option and pick the IP you have bound to the NIC of your server that you want the external interface to listen for traffic on.  In this demo I have removed the server name from the images below for security reasons but on your environment you will see the server name next to each IP you have bound to the external NIC card.  If you have only one IP and don't plan on hosting more than one site then you can choose the "All IP addresses..." option.  Click OK and then Next.


14 - Next step is assigning your certificate to your SSL listener.  This is essential to secure the connectivity when your users are on the secure parts of your site.  Note, for the certificate to function correctly it must be installed with its Private Key into the Local Computer, Personal certificate store.

If you don't put it in this store with its Private Key you'll find TMG will spit at you and tell you that you are not allowed to use the certificate.  I will post a small guide on getting it right because it is annoying!  Click "Select Certificate..."


15 - Select the certificate from those that are present in the list.  Most likely you'll find just the one you have imported into the certificate store.  To check that it is installed correctly TMG will be very friendly and give you a nice green and white tick bubble.  For this demo I have removed the Issued To and Friendly Name fields but these would be present with your external URL (e.g www.mywebsite.com).  Click Select and then Next.


16 - Select "No Authentication" as you probably don't want users to have to authenticate against the rule before actually getting to the website.  In some instances this might be necessary for people to have switched on but an externally facing website generally doesn't use this option. Click Next.


17 - Review the summary of the listener and ensure it's what you need and then click Finish.


18 - Your listener is now selected so click Next.  The next option should be by default "No delegation, and client cannot authenticate directly".  Again we don't need this as we are not using authentication on our listener but in some cases you may need it.  Click Next.


19 - Select the users you want this rule to apply to.  In most cases for externally facing websites All Users is the correct option as this means anyone can access the site.  If you attempt to add Authenticated Users without Authentication be warned TMG will not like you and your rule just won't work.  Click Next.


20 - Review the summary of the rule, checking that the options are correct and click Finish


21 - OK, so now the listener is complete and the rule has been made but we still need to enable HTTP on the listener and the rule.  Double click the listener from the rules screen.


22 - Select the Connections tab and tick the "Enable HTTP connections on port:" box.  Leave the rest of the settings as is and click OK.


23 - Now double click the rule and select the Bridging tab.  Tick the "Redirect requests to HTTP port" box and then click OK.


Now this is the point where I thought - done!  It should be working now, let's go and try it....wait for 1 minute for timeout....and boom, it doesn't work.  HTTP might be fine but any links that want to switch to HTTPS will time out.  So how do you fix it?  Well it's fairly simple if you know how but of course I didn't so I spent 45 minutes pulling my greys out before I phoned Microsoft who told me how to resolve it.

24 - From the main navigation tree on the left click System


25 - Double click the Link Translation Filter


26 - Untick the "Enable this filter" option and click OK


27 - Finally click Apply to write all the changes we have made.


Final Notes....

So we have disabled the Link Translation Filter and I am pretty sure some may be asking why, others may say I am mad and others will just carry on blissfully unaware of what they have done.

Microsoft's explanation of the Link Translation Filter is that if the web publishing rule starts on HTTP and you click a link on that site that wants to convert to HTTPS, link translation will translate the traffic to HTTP because it started life like this.  It is a very simplistic explanation and I am sure there is a lot more to it but the Microsoft guy from India made it simple for me - also his name was Stanley so it made talking to him easier too!!!
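One way to check for that rewriting once the site is published, as an added example that is not from the original post or from TMG: fetch the same page directly from the internal web server and again through the TMG public name, then compare the URLs the two copies carry. The HTML bodies and the hostname below are constructed placeholders standing in for those two fetches.

```python
# Added example (not TMG's code): compare the same page fetched directly from
# the internal server and via the TMG public name, and report links that the
# published copy carries as http:// where the origin copy had https://.
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes that carry URLs


class LinkCollector(HTMLParser):
    """Collects every URL found in href/src/action attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value.strip())


def extract_urls(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.urls


def find_downgraded_links(origin_html, published_html):
    """Return 'origin-url -> published-url' for each https link that came back as http.
    Links are matched on host and path, so only the scheme change is reported."""
    secure = {}
    for u in map(urlsplit, extract_urls(origin_html)):
        if u.scheme == "https":
            secure[(u.netloc.lower(), u.path)] = u.geturl()
    downgraded = []
    for raw in extract_urls(published_html):
        u = urlsplit(raw)
        key = (u.netloc.lower(), u.path)
        if u.scheme == "http" and key in secure:
            downgraded.append(secure[key] + " -> " + raw)
    return downgraded


# Constructed sample bodies standing in for the two fetches; the host is a placeholder.
ORIGIN_HTML = ('<a href="https://www.example.com/login">Log in</a>'
               '<a href="http://www.example.com/news">News</a>'
               '<form action="https://www.example.com/checkout"></form>')
PUBLISHED_HTML = ORIGIN_HTML.replace("https://", "http://")  # what a rewriting filter emits
```

An empty result after disabling the filter (and a non-empty one before) confirms the published copy keeps its HTTPS links intact.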

Hope this helps someone else who wants to achieve web publishing with ISA using both HTTP and HTTPS traffic - either that or it helps you sleep at night...
