TMG vs the AD FS 2.0 proxy

TMG 2010 can be used as a basic proxy for AD FS 2.0.  Requests made to AD FS 2.0 are sent to your internal AD FS server and the responses are sent back to the client.  The AD FS 2.0 proxy offers certain benefits over TMG.  If you are looking to add Office 365 in the future, the AD FS 2.0 proxy offers additional flexibility with endpoints and you can setup a Client Access Policy.



If you already have TMG setup as your EDGE Firewall, you can have TMG point to your AD FS 2.0 proxy to have this functionality.

Basic setup of TMG 2010

-Windows Server 2008 SP2 or higher -2GB RAM

-2 NICs (one external, one internal)

Installing TMG 2010

 

 

*Before installing TMG you should configure the internal & external IP addresses



Run Windows Update

Run Preparation Tool

Run Installation Wizard

Set: internal NIC & Network
 
Getting Started Wizard will load after the initial installation is complete

Configure Network Settings

 

 

Network Template

-Choose: Edge Firewall
LAN Settings

-Choose: Internal NIC

Internet Settings

-Choose: External NIC
Configure System Settings

 

 

Host Identification If you have not named your server or joined it to the domain, you have the option to configure it here.

-Configure: Computer Name, Domain, DNS Suffix

Define Deployment Options

 



Windows Updates Choose: Disabled

NIS Choose: Disable NIS

Web Protection Choose: Disable Web Protection

Customer Feedback Choose: None

Web Access Wizard Optional

 

-Set this if you want to configure TMG as a proxy for the Internet
Configure Firewall Policy

 

Publish the AD FS 2.0 server as a web site

Go to: Firewall Policy -> Publish Web Sites



Web Publishing Rule Name

-Use a name that makes sense (Ex: Federation)
Rule Action

-Choose: Allow
Publishing Type

-Choose: Publish a single Web site or load balancer
Server Connection Security

-Choose: Use SSL
Internal Site Name

-Use your internal server name or DNS name (Ex: adfs.adatum.com)
-It is important to not prefix this with https://
-Enter the same for the computer name or IP Address
Path

-Enter: /*
-The wildcard indicates that all folders and files after the URL are valid and will be processed by TMG 2010
Accept requests for

-Choose: This domain name (type below)
Public name:

-Same as the internal site name (Ex: adfs.adatum.com)
-It is important to not prefix this with https://
Web Listener

-Create new listener
Create new listener

-Name: Any name you want, ex: Federation Listener
-Security: Require SSL
-IP Addresses: External
-Certificate: You need a certificate that will validate.
-Authentication: No Authentication*
-Delegation: No delegation, but client may authenticate directly*
-User Sets: All Users

* This will setup the listener and site for pass through authentication. TMG will let all users through, and they can authenticate directly on the server. If you choose “No delegation, and client cannot authenticate directly”, authentication requests from the server will be dropped.



Configure Policy

Disable “Verify normalization”

-Right click policy, Configure HTTP, Uncheck “Verify normalization”
Disable “Link Translation”

-Right click policy, Properties, Link Translation Tab, Uncheck “Apply link translation to this rule”
Verify settings



Apply settings

-Service must restart for settings to apply
Configure name resolution in DNS or a host file

 

-Your test machine should have an IP address that would map as external
-The URL for your AD FS 2.0 server (Ex: https://adfs.adatum.com/ ) should point to the TMG server’s external IP address

Validating Your Configuration

 



Test Rule Button

-From the rule properties, you can click “Test Rule” which performs basic tests
Test from an external client

 

-Try accessing the IIS splash page (Ex: https://adfs.adatum.com )

-If that loads, try hitting the IDP-initiated sign-on page and logging in

Troubleshooting

 

-Try rebooting TMG server after initial configuration
-Ensure name resolution points to the TMG server’s external IP address
-Ensure you have a valid certificate associated with your listener
-Ensure Link Translation is disabled
-Ensure Authentication Delegation is set correctly. For pass through authentication, it should be set to: No Delegation, but clients may authenticate directly.
-Ensure Path is set correctly Ex: /*



Alternate Configurations

Listener Authentication
 


-Instead of pass through authentication, you can perform authentication at the listener.
-From the Listener Properties, pick the type of authentication you want to use. Ex: HTML Form Authentication
-On the Users tab of the rule properties, change the user set from “All Users” to “All Authenticated Users”
-You can choose to pass that authentication to your site by configuring Authentication Delegation on the rule. Ex: Negotiate (Kerberos/NTLM)
SSO
 


-If you have multiple sites on the same listener (ex: AD FS 2.0 & the ClaimApp), and you configured HTML forms authentication on the listener, you may want to consider enabling SSO. Without this, the user would be prompted for authentication by a TMG form for each site they visit.
 
-SSO is configured on the Listener Properties
 
-Check “Enable Single Sign On”
 
-Add the domains that SSO is enabled for Ex: .adatum.com




Forefront TMG Wiki Portal Page