48 Integrating Microsoft Forefront Threat Management Gateway 2010 with Access Manager

This chapter describes how to configure communication between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010. The following sections are provided:

48.1 What is New in This Release?

Support for integration between Access Manager and Microsoft Forefront Threat Management Gateway (TMG) 2010.

Details in this chapter presume that you are familiar with Access Manager policies and operation.

48.2 Introduction to Integration with TMG Server 2010

This section provides an overview of the tasks that, once performed, enable this integration. Topics included are:

48.2.1 About This Integration

Microsoft Forefront Threat Management Gateway (TMG) 2010 is the next generation of the Internet Security and Acceleration (ISA) Server 2006. This chapter provides steps to configure an open (non-secured) connection between the Forefront TMG Web server and Access Manager. This communication is based on using a 10g Webgate for ISAPI. For details about using a secured connection, see your Forefront TMG Server documentation.

You can have the IIS Web server and Forefront TMG installed on the same computer or on different computers. In the examples in this chapter, both reside on the same host.

The following overview outlines the tasks that you must perform to set up the ISAPI Webgate with the TMG Server, and the topics within this chapter where you will find the steps.

Task overview: Installing and configuring the ISAPI Webgate on TMG Server

  1. Getting the latest certification matrix as described in "About Confirming Certification Requirements".

  2. "Creating a Forefront TMG Policy and Rules"

  3. "Installing and Configuring 10g Webgate for Forefront TMG Server"

  4. "Configuring the TMG 2010 Server for the ISAPI 10g Webgate"

48.2.2 About Confirming Certification Requirements

Any references to specific versions and platforms in this chapter are for demonstration purposes.

For the latest Access Manager certification information, see Oracle Technology Network at:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

48.3 Creating a Forefront TMG Policy and Rules

After you install Forefront TMG 2010, other computers cannot ping the computer hosting Forefront because the default firewall policy denies all the traffic from and to the host. This section provides the information you need for:

48.3.1 Creating a Custom Policy for Forefront TMG

Use the following procedure to create a custom Forefront firewall policy.

Prerequisites

Install Forefront TMG 2010 using documentation from your vendor.

To create a custom policy to override the default firewall policy

  1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.

  2. From the left pane, click Firewall Policy.

  3. From the right pane, click Create Access Rule to create a custom policy.

  4. Create a rule with the following attributes and values assigned:

    • Name: a name for the custom policy

    • Action: Allow

    • Protocol: All Outbound

    • Malware Inspection: Do not enable Malware Inspection for this rule

    • From: External, Internal, Local Host

    • To: External, Internal, Local Host

    • Condition: All Users

  5. Click Next to create the Access Rule, then click Apply.

  6. Restart Forefront TMG to have the changes take effect:

    • Stop the Firewall Service using the command net stop fwsrv

    • Start the Firewall Service using the command net start fwsrv

  7. Proceed to "Creating a Forefront TMG Firewall Policy Rule"

48.3.2 Creating a Forefront TMG Firewall Policy Rule

To protect the resource, you must create a firewall policy rule using the Forefront TMG console as described in the following procedure.

When you create a listener for Authentication Preferences, be sure to check Allow client authentication over HTTP and Require All users to authenticate. Otherwise, you will not be able to access the published Web site using the TMG proxy.

Authentication Delegation is used by the TMG server to authenticate to the published Web server.

Note:

You can have IIS and Forefront TMG installed on the same (or a different) computer. Here, both reside on same host.

To create a Forefront TMG firewall policy rule that publishes the Web site

  1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.

  2. From the left pane, click Firewall Policy.

  3. From the Tasks tab, click Publish Web Sites.

  4. In the Web publishing rule name field, type a descriptive name for the rule, and then click Next.

  5. On the Select Rule Action page, confirm that the Allow option is selected, and then click Next.

  6. In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next.

    Step 7 describes configuration with an open (non-secured) connection with the Web server. If you are using a secured connection, see your Forefront TMG Server documentation.

  7. On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next.

  8. Perform the following steps to set internal publishing details:

    • In the Internal site name field, type the internally-accessible name of the IIS or Apache Web server host (iis_host.us.mycompany.com, for example).

    • Check the box beside Use a computer name or IP address to connect to the published server (or enter the IP address of the IIS Web server host).

    • Click Next.

  9. Protecting Resources: Perform the following steps to protect resources within a particular folder in the Web site (or a single resource):

    Note:

    The folder must reside within htdocs/wwwroot of the corresponding Web server.

    • Folder Containing Resources: In the Path field, type the folder name to display the full path of the published Web site in the Web site field (Res/* for example).

    • Single Resource: Type the resource name (test.html for example).

    • Click Next.

  10. In the Accept requests for list:

    • Click your domain name (for example: myhost.example.com).

    • In the Public name field, type the publicly-accessible fully-qualified Web site domain name of the host where Forefront TMG will be installed (for example: myhost.example.com).

    • Click Next.

  11. In the Web listener list, either click the Web listener to use for this Web publishing rule, or create a new Web listener as follows:

    Note:

    The listener can also be configured in SSL mode if required; see your Forefront TMG documentation.

    • Click New, type a descriptive name for the new Web listener, and then click Next.

    • Click Do not require SSL secured connections with clients, and then click Next.

    • In the Listen for requests from these networks list, click the required networks (External, Internal, and Localhost) then click Next.

    • Click No on the message that appears.

    • In the Select how clients will provide credentials to Forefront TMG Server list, click No Authentication, and then click Next.

    • On the Single Sign On Settings page, click Next, and then click Finish.

  12. On the Select Web Listener page:

    • Click Edit.

    • Click the Connections tab.

    • In the Enable HTTP connections on port field, enter any unused port. (This acts as the Forefront TMG port.)

    • Click Apply, and then click OK.

    • Click Next.

    • On the Single Sign On Settings page, click Next, and then click Finish.

  13. Authentication Delegation: Perform the following steps to choose the method used by Forefront TMG to authenticate to the published Web server.

    • Click No Delegation, and Client Cannot Authenticate Directly.

    • Click Next.

  14. On the User Sets page:

    • Choose All (the default user setting - All Users) to set the rule that applies to requests from the user sets field.

    • Click Next, and then click Finish.

  15. Click Apply to update the firewall policy, and then click OK.

  16. Double-click the recently created Firewall Policy.

  17. Bridging:

    • Open the Bridging tab.

    • In the Redirect requests to HTTP port field, enter a suitable unused port (this acts as the IIS or Apache Web server port).

  18. Click Apply to update the firewall policy, and then click OK.

  19. IIS or Apache Web server.

  20. Restart Forefront TMG to have the changes take effect:

    • Stop the Firewall Service using the command net stop fwsrv

    • Start the Firewall Service using the command net start fwsrv

  21. Double-click the rule just created:

    • Open the Link Translation tab.

    • Confirm that Apply Link Translation to this rule is checked.

    • Click the Mapping button to see the mapping created between Forefront TMG and IIS or Apache.

  22. Proceed to "Verifying Forefront TMG Proxy Configuration"

48.3.3 Verifying Forefront TMG Proxy Configuration

To validate the Forefront TMG proxy configuration, you can simply access the protected resource using the TMG port, as described in the following procedure.

To verify Forefront TMG proxy configuration

  1. Protected Single Resource: Enter the URL to the TMG host and port where the protected resource resides. For example:

            http://TMG_hostname:TMG_port/resource_name
    
  2. Protected Folder: Enter the URL to the TMG host and port where the folder containing the resource resides. For example:

            http://TMG_hostname:TMG_port/folder-name/resource_name
    
  3. Confirm there are no issues accessing the protected resource.

48.4 Installing and Configuring 10g Webgate for Forefront TMG Server

This section describes how to set up the 10g Webgate and register plug-ins as Web filters.

Task overview: Configuring Webgate and Filters for TMG Server includes

  1. Installing 10g Webgate with TMG Server

  2. Changing /access Directory Permissions

  3. Registering Access Manager Plug-ins as TMG Server Web Filters

  4. Ordering the ISAPI Filters

  5. Verifying Form-based Authentication

48.4.1 Installing 10g Webgate with TMG Server

When you install Webgate with the Forefront TMG Server, the destination for the ISAPI Webgate installation (also known as the Webgate_install_dir) should be same as that of the Microsoft Forefront TMG. For example, if Forefront TMG is installed in C:\Program Files\Microsoft Forefront Threat Management Gateway, the ISAPI Webgate should also be installed there.

Task overview: Installing the ISAPI Webgate for Forefront TMG Server

  1. Register a 10g ISAPI Webgate with Access Manager, as described in Chapter 23, "Registering and Managing 10g Webgates with Access Manager 11g."

    Note:

    During Webgate installation, select the TMG option.

  2. Install the ISAPI Webgate for TMG, as described in Section 23.7, "Locating and Installing the Latest 10g Webgate for Access Manager 11g."

  3. Proceed to the "Changing /access Directory Permissions" section.

48.4.2 Changing /access Directory Permissions

After finishing ISAPI Webgate installation and configuration for the Forefront TMG Server, you must change permissions to the \access subdirectory. This subdirectory was created in the Forefront TMG Server (also Webgate) installation directory. You must add the user NETWORK SERVICE and grant full control to SYSTEM ADMINISTRATOR.

This enables the Forefront TMG Server to establish a connection between the Webgate and Access Server. Certain configuration files should be readable by system administrators, which is why you grant SYSTEM ADMINISTRATOR full control.

Note:

Webgate in Simple Mode: add user NETWORK SERVICE and give Full Control for the password.xml file in TMG_install_dir\access\oblix\config\password.xml.

To change permissions for the \access subdirectory

  1. In the file system, right-click Webgate_install_dir\access, and select Properties.

  2. In the Properties window, click the Security tab.

  3. Add user "NETWORK SERVICE" and then select "Allow" to give "Full Control".

  4. For the "SYSTEM ADMINISTRATOR", select "Full Control".

  5. Proceed to the "Configuring the TMG 2010 Server for the ISAPI 10g Webgate" section.
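The permission change above is a manual operation in the Properties dialog. The following Windows PowerShell script is an added example, not part of the Oracle documentation, that applies the same entries (NETWORK SERVICE and the administrator account given Full Control on Webgate_install_dir\access, and NETWORK SERVICE on password.xml for Simple Mode) and then lists the resulting entries so they can be reviewed. It assumes the installation directory in $WebgateInstallDir and that the account the chapter calls "SYSTEM ADMINISTRATOR" is supplied in $AdminPrincipal; both are placeholders to be replaced with the values for your host.

```powershell
# Added example (not from the Oracle documentation): apply the \access directory
# permissions described in "Changing /access Directory Permissions".
# Assumptions: $WebgateInstallDir is the TMG/Webgate installation directory; the account
# the chapter calls "SYSTEM ADMINISTRATOR" is passed in $AdminPrincipal (the default is an
# assumed placeholder; substitute the real account). Run from an elevated PowerShell prompt.
param(
    [string]$WebgateInstallDir = 'C:\Program Files\Microsoft Forefront Threat Management Gateway',
    [string]$AdminPrincipal    = 'BUILTIN\Administrators',   # assumption: replace as needed
    [switch]$SimpleMode                                       # Webgate in Simple Mode: also password.xml
)

function Grant-FullControl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Inherit   # for folders: propagate the entry to subfolders and files
    )
    $inheritance = if ($Inherit) { 'ContainerInherit,ObjectInherit' } else { 'None' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'FullControl', $inheritance, 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)          # replaces any existing Allow entry for this identity
    Set-Acl -Path $Path -AclObject $acl
}

$accessDir = Join-Path $WebgateInstallDir 'access'
if (-not (Test-Path $accessDir)) { throw "Webgate \access directory not found: $accessDir" }

# Step 3 and step 4 of the procedure: NETWORK SERVICE and the administrator account, Full Control.
Grant-FullControl -Path $accessDir -Identity 'NT AUTHORITY\NETWORK SERVICE' -Inherit
Grant-FullControl -Path $accessDir -Identity $AdminPrincipal -Inherit

# The Note for Simple Mode: NETWORK SERVICE needs Full Control on password.xml as well.
if ($SimpleMode) {
    $passwordXml = Join-Path $accessDir 'oblix\config\password.xml'
    if (-not (Test-Path $passwordXml)) { throw "password.xml not found: $passwordXml" }
    Grant-FullControl -Path $passwordXml -Identity 'NT AUTHORITY\NETWORK SERVICE'
}

# Show the entries that were set so the change can be reviewed before restarting fwsrv.
(Get-Acl -Path $accessDir).Access |
    Where-Object { $_.IdentityReference -like '*NETWORK SERVICE' -or $_.IdentityReference -eq $AdminPrincipal } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

SetAccessRule is used rather than AddAccessRule so that re-running the script does not accumulate duplicate entries; the final listing is the same information the Security tab shows and is worth keeping with the change record for the host.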

48.5 Configuring the TMG 2010 Server for the ISAPI 10g Webgate

The following topics describe how to configure the TMG Server to operate with the 10g ISAPI Webgate for Access Manager.

Task overview: Configuring the TMG 2010 Server for the ISAPI 10g Webgate

  1. Registering Access Manager Plug-ins as TMG Server Web Filters

  2. Ordering the ISAPI Filters

  3. Verifying Form-based Authentication.

48.5.1 Registering Access Manager Plug-ins as TMG Server Web Filters

After resetting ISAPI Webgate permissions, you need to register Access Manager webgate.dll and postgate.dll plug-ins as Web Filters within Forefront TMG Server. Web filters screen all HTTP traffic that passes through the TMG Server host. Only compliant requests are allowed to pass through.

The following procedure describes how to register Access Manager plug-ins in the TMG Server.

Note:

To undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: regsvr32 /u TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll

To register Access Manager plug-ins as TMG Server Web filters

  1. Locate the TMG Server installation directory, from which you will perform the following tasks.

  2. Run net stop fwsrv to stop the TMG Server.

  3. Register the webgate.dll as an ISAPI Web filter by running:

    regsvr32 TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll
    
  4. Register the postgate.dll as an ISAPI Web filter by running:

    regsvr32 TMG_install_dir\access\oblix\apps\webgate\bin\postgate.dll
    
  5. Restart the TMG Server by running net start fwsrv.

  6. Proceed to "Ordering the ISAPI Filters".

48.5.2 Ordering the ISAPI Filters

It is important to ensure that the Webgate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll.

To order the Webgate ISAPI filters for TMG Server

  1. From the Start menu, click All Programs, click Microsoft Forefront TMG, then click Forefront TMG Management.

  2. In the left pane, select System, then select Web Filters, to display your Web-filters.

  3. Confirm that the following .dll files appear, in this order:

    postgate.dll
    webgate.dll

  4. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in Step 3.

  5. Proceed with "Verifying Form-based Authentication".

48.5.3 Verifying Form-based Authentication

Here you ensure that the published Web site is accessible using the TMG proxy and verify that form-based authentication is working.

TMG supports Basic over LDAP as well as Form-based or Basic authentication; you can choose the desired authentication scheme. TMG needs access to login.html, which you configure as described here.

To verify that form-based authentication is working

  1. Store the login page at the docroot of the Web server protecting the resource so that the TMG server can access the login page.

  2. Ensure that the published Web site is accessible to the TMG proxy.

  3. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.

  4. From the left pane, select the Firewall Policy.

  5. On the right, under the Firewall Policy Rule, select the rule that was created to protect the resource.

  6. Go to the policy rule properties, select the Path tab, add /login.html, and then click OK.

  7. Click Apply to save changes and update the configuration.

  8. Restart Forefront TMG to have the changes take effect:

    • Stop the Firewall Service using the command net stop fwsrv

    • Start the Firewall Service using the command net start fwsrv
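Both "Verifying Forefront TMG Proxy Configuration" and the procedure above end with the same check: request the published resource, and now also the login page, through the TMG listener port. The following Windows PowerShell script is an added example, not part of the Oracle documentation, that performs that check for a list of paths and reports the HTTP status and any redirect target for each. The host, port and paths are constructed sample values matching the examples in this chapter (the listener port chosen on the Connections tab is assumed to be 8080 here); replace them with your own.

```powershell
# Added example (not from the Oracle documentation): request paths through the Forefront TMG
# listener and report the status of each, for the verification steps in this chapter.
# Assumptions: $TmgHost/$TmgPort are the TMG host and the listener port set on the Connections
# tab (8080 is an assumed placeholder); $Paths are paths under the published Web site.
# Written for Windows PowerShell (the TMG 2010 era); redirects are not followed on purpose.
param(
    [string]$TmgHost  = 'myhost.example.com',
    [int]$TmgPort     = 8080,
    [string[]]$Paths  = @('/test.html', '/Res/test.html', '/login.html')   # constructed samples
)

function Test-TmgPath {
    param([string]$BaseUrl, [string]$Path)
    $url = "$BaseUrl$Path"
    try {
        # Once Webgate is active, an unauthenticated request to a protected resource is answered
        # with a redirect to the login page (or 401 for Basic), so the redirect itself is the
        # evidence we want; -MaximumRedirection 0 keeps it from being followed.
        $resp = Invoke-WebRequest -Uri $url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        [pscustomobject]@{ Url = $url; Status = [int]$resp.StatusCode; Location = $null }
    }
    catch {
        $r = $_.Exception.Response
        if ($r) {
            # Non-2xx responses arrive as an exception in Windows PowerShell; read the status
            # and Location header from the attached HttpWebResponse.
            [pscustomobject]@{ Url = $url; Status = [int]$r.StatusCode; Location = $r.Headers['Location'] }
        } else {
            # No HTTP response at all: listener not running, wrong port, or firewall policy.
            [pscustomobject]@{ Url = $url; Status = 'no response'; Location = $_.Exception.Message }
        }
    }
}

$base    = "http://${TmgHost}:${TmgPort}"
$results = $Paths | ForEach-Object { Test-TmgPath -BaseUrl $base -Path $_ }
$results | Format-Table Url, Status, Location -AutoSize

# Interpretation for the form-based check: /login.html should return 200 (TMG can reach the
# login page), while the protected paths should no longer return 200 to an anonymous request.
$loginOk = ($results | Where-Object { $_.Url -like '*/login.html' -and $_.Status -eq 200 }).Count -gt 0
if (-not $loginOk) { Write-Warning 'login.html is not reachable through the TMG listener; check the Path tab of the rule.' }
```

Before the Webgate filters are registered (the proxy verification in 48.3.3), every path is expected to return 200 through the listener; after the filters are registered and ordered, the protected paths should redirect to the login page while /login.html itself still returns 200. A "no response" row points at the listener port or the firewall policy rather than at Webgate.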

48.6 Starting, Stopping, and Restarting the TMG Server

When instructed to restart your TMG Server during Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, the net commands help to ensure that the Metabase does not become corrupted following an installation. Consider the following commands, which provide good ways to stop and start the TMG Server:

  • net stop fwsrv

  • net start fwsrv

For more information, see your TMG Server documentation.

48.7 Removing Access Manager Filters Before Webgate Uninstall on TMG Server

If you plan to uninstall the Webgate that is configured to operate with the TMG Server, you must first unregister the Access Manager filters manually, and then uninstall Webgate.

To unregister filters before Webgate uninstall

  1. Stop the TMG Server.

  2. Run the following command to unregister webgate.dll. For example:

    regsvr32 /u TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll
    
  3. Run the following command to unregister postgate.dll. For example:

    regsvr32 /u TMG_install_dir\access\oblix\apps\webgate\bin\postgate.dll
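Registering the filters (48.5.1) and unregistering them before uninstall (above) are the same sequence with and without the /u option, wrapped in a stop and start of the Firewall service. The following Windows PowerShell script is an added example, not part of the Oracle documentation, that performs either direction, checks that each DLL exists and that each regsvr32 call succeeds, and restarts fwsrv even if a step fails. It assumes the installation directory in $TmgInstallDir (which the chapter says is also the Webgate installation directory) and uses Stop-Service/Start-Service in place of the net stop/net start commands.

```powershell
# Added example (not from the Oracle documentation): register the Access Manager ISAPI filters
# (webgate.dll, postgate.dll) with regsvr32, or unregister them with -Unregister, around a
# stop/start of the Forefront TMG Firewall service (fwsrv).
# Assumption: $TmgInstallDir is the TMG installation directory, which the chapter says is also
# the Webgate installation directory. Run from an elevated PowerShell prompt.
param(
    [string]$TmgInstallDir = 'C:\Program Files\Microsoft Forefront Threat Management Gateway',
    [switch]$Unregister
)

$binDir  = Join-Path $TmgInstallDir 'access\oblix\apps\webgate\bin'
$filters = @('webgate.dll', 'postgate.dll') | ForEach-Object { Join-Path $binDir $_ }

# Fail before touching the service if a DLL is missing (typical when the TMG option was not
# selected during Webgate installation or the install directory differs).
foreach ($dll in $filters) {
    if (-not (Test-Path $dll)) { throw "Filter DLL not found: $dll" }
}

function Invoke-RegSvr32 {
    param([Parameter(Mandatory)][string]$Dll, [switch]$Unregister)
    # /s suppresses the message box, so success or failure is visible only in the exit code.
    $regArgs = @('/s')
    if ($Unregister) { $regArgs += '/u' }
    $regArgs += "`"$Dll`""
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 $($regArgs -join ' ') failed with exit code $($proc.ExitCode)"
    }
}

Write-Host 'Stopping the Forefront TMG Firewall service (fwsrv)...'
Stop-Service -Name fwsrv -Force
(Get-Service -Name fwsrv).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    foreach ($dll in $filters) {
        Invoke-RegSvr32 -Dll $dll -Unregister:$Unregister
        $verb = if ($Unregister) { 'Unregistered' } else { 'Registered' }
        Write-Host "$verb $dll"
    }
}
finally {
    # Bring the firewall back up even when a registration step threw.
    Write-Host 'Starting the Forefront TMG Firewall service (fwsrv)...'
    Start-Service -Name fwsrv
    (Get-Service -Name fwsrv).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}

# Registration does not set the load order; postgate.dll must still be placed before
# webgate.dll in the console as described in "Ordering the ISAPI Filters".
```

Without /s, regsvr32 reports the result in a dialog and a script has nothing to check; with it, a non-zero exit code is the only signal, which is why the function throws on anything but zero. The WaitForStatus calls keep the script from returning while fwsrv is still in transition, which matters when the next step is verifying the proxy.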
    

48.8 Troubleshooting

The error "Failed Connection Attempt" in TMG logs on accessing any Access Manager-protected resource does not affect functionality and can be ignored.