TMG publish rd web access

    Question

  • Hi, I would like to ask you some things about certificates on TMG and RD Web Access.

    I have 1 dc,dns,ca , 1 rdsh , 1 rdvh , 1 rdcb , 1 rdwa and 1 tmg. All of them have w08r2 sp1 and all updates. The local fqdn is rdweb.hw.local for rdwa and tmg.hw.local for tmg.

    I have an external DNS A record for the external interface of TMG such as core.hq.com.

    I have a local CA for certificate distribution. I intend to install the certificate manually into Trusted Root Certification Authorities on all external clients. I don’t want to use RD Gateway.

    Now I am trying to publish the RDWA through TMG. Which is the right common name to use for the certificate on TMG and RDWeb? If I name it rdweb.hw.local then all internal users will be fine but external users cannot access it through TMG. If I name it core.hw.com then the opposite will happen.

    Thanks.

    Friday, April 01, 2011 5:09 PM

Answers

  • a) I would suggest buying a single public SSL certificate for the TMG. This would cost you about 40 USD at www.godaddy.com and will avoid the need for installing the root on the client computers.

    b) What is more important with your internal issuing CA than the fact you need to install its certificate is that you need to make its CRL accessible from outside, so that the clients do not only trust the CA, but also can validate its CRLs anytime, even from the internet. This would be another problem when you want to use the internal CA to issue the SSL server certificates. Go for the public one.

    c) The common name for the certificate on TMG will be "core.hq.com".

    d) For the RDWEB/RDGW you can issue internal SSL certificates with their appropriate computer names such as "rdweb.hw.local". These will not be accessed from the internet directly. Only TMG will see their certificates, so only the TMG will need to trust your internal CA, which is not a problem to establish (especially when you plan the TMG to be a domain member).

    e) If you want to publish the RDGW, you use Publish Mail Server, select RPC over HTTP (Outlook Anywhere) and, after the rule is finished, leave only the /RPC/* path there.

    f) If you want to publish the RDWEB, you use the normal Publish Web Server and publish the /rdweb virtual directory.

    g) For both the RDGW and RDWEB publishing, you can use the same Web Listener. You can enable Forms Based Authentication on the web listener, although the RDGW does not support FB authentication. FB has a feature called fall-back authentication, so that you can configure what authentication will be offered for the RDGW client that is a "non-browser client".

    ondrej.


    Saturday, April 02, 2011 9:01 AM
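A practical check for points b), c) and d) above, added here as an example and not part of the thread: it confirms that the certificate a host presents actually carries the name clients will connect to (the public name on TMG, the internal name on RDWeb), and tries to download every CRL distribution point the certificate advertises, which is exactly what an internet client must be able to do. The names core.hq.com and rdweb.hw.local are taken from the question; the `-CertFile` parameter is an assumption that lets you run the same check from an outside machine against an exported .cer.

```powershell
# Added example (not from the thread). Reports, per matching certificate,
# each CRL URL and whether it could be fetched from the machine running this.
function Test-PublishedCert {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedName,
        [string]$CertFile,                              # optional exported .cer
        [string]$Store = 'Cert:\LocalMachine\My'        # default: local machine store
    )
    if ($CertFile) {
        $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile)
    } else {
        $certs = @(Get-ChildItem $Store)
    }
    $wc = New-Object System.Net.WebClient
    foreach ($cert in $certs) {
        # Names the certificate is valid for: subject CN plus SAN DNS entries (OID 2.5.29.17).
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            foreach ($line in ($san.Format($true) -split "`r?`n")) {
                if ($line -match 'DNS Name=(\S+)') { $names += $matches[1] }
            }
        }
        if ($names -notcontains $ExpectedName) { continue }   # not the cert for this name

        # CRL Distribution Points (OID 2.5.29.31). HTTP URLs are fetched; an LDAP
        # URL is reported as unreachable, since internet clients cannot use it.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdp) {
            foreach ($line in ($cdp.Format($true) -split "`r?`n")) {
                if ($line -match 'URL=(\S+)') { $urls += $matches[1] }
            }
        }
        if (-not $urls) { $urls = @('(no CDP extension)') }
        foreach ($url in $urls) {
            $reachable = $false
            if ($url -match '^https?://') {
                try { [void]$wc.DownloadData($url); $reachable = $true } catch { }
            }
            New-Object PSObject -Property @{
                Name = $ExpectedName; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
                CrlUrl = $url; CrlReachable = $reachable
            }
        }
    }
}

# On TMG the listener cert must carry the public name; on the RDWeb host, the internal one.
Test-PublishedCert -ExpectedName 'core.hq.com' | Format-Table -AutoSize
Test-PublishedCert -ExpectedName 'rdweb.hw.local' | Format-Table -AutoSize
```

If no row comes back for a name, no certificate in the store carries it, which is the mismatch the question describes; a `CrlReachable` of False on the TMG certificate when run from an outside client is the revocation-check failure point b) warns about.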

All replies

  • Thanks.
    Saturday, April 02, 2011 2:06 PM