Sunday, January 06, 2013 2:02 PM
I would like to publish various HTTPS websites via TMG to the internet. I have a single public IP address that is assigned to my physical firewall. I have installed TMG in a back firewall configuration with a private IP address on a perimeter network and another private IP address on an internal network. I believe I can create a NAT for the firewall interface that can forward all HTTPS requests to the perimeter private IP address on the TMG. My idea is to create multiple rules to use the TMG to redirect traffic to the various internal HTTPS websites.
Firewall Public IP
Firewall Internal IP - 192.168.0.1
TMG Perimeter IP - 192.168.0.2
TMG Internal IP - 192.168.1.88
HTTPS Websites - 192.168.1.200, 192.168.50.200
Does this configuration sound feasible? Also, I assume I will have to configure network rules on the TMG so it acts like a router?
Any help would be appreciated.
Sunday, January 06, 2013 5:27 PM
It is possible to publish multiple websites with only one public IP address - correct:
The network rules configured by TMG should be enough for the publishing. You simply need to extend the IP address range of the INTERNAL network definition on your TMG Server with the IP address ranges 192.168.1.200, 192.168.50.200 and make sure that TMG is able to access the internal IP subnets.
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
Monday, January 07, 2013 9:37 AM
Thank you for your speedy reply.
I have had a quick look at the link you sent and it states:
"You cannot use host headers when you are using Secure Sockets Layer (SSL), because HTTP requests that use SSL are encrypted. Host headers are part of the encrypted request and cannot be interpreted or routed to the correct site." As I am looking to publish HTTPS websites I assume the host header method does not work?
I probably should have been more specific in my post but we are attempting to publish multiple Exchange OA/OWA instances (from separate test domains).
My plan is to NAT the public interface to the TMG server. Then on TMG create multiple web publishing rules to direct the traffic from the TMG to the relevant URLs...
As I do not have a router I was hoping to use the TMG box as the IPv4 default gateway. I have already included the IP address ranges into the Internal network as you suggest. Does this all sound feasible?
Tuesday, January 08, 2013 7:01 AM Moderator
Thank you for the post.
“As I am looking to publish HTTPS websites I assume the host header method does not work?” – yes, SSL doesn't use host headers, so you need separate IP addresses or separate ports.
Nick Gu - MSFT
Wednesday, January 09, 2013 9:24 PM
Thanks for your response. I am struggling then to work out what is feasible with just one public IP address. Currently my Cisco firewall uses the public IP and my TMG box has 2 private addresses. Do you have a suggestion as to the best configuration with 1 public IP address and still being able to publish Exchange? I assume I could remove the Cisco firewall and reconfigure the TMG as an edge firewall and then create a web publishing rule to Exchange?
I also assume the complication would be trying to publish multiple Exchange environments. I was thinking I should either not run the two test Exchange environments concurrently or change the ports on one server.
Any help gratefully received.