61.5 Configuring the TMG 2010 Server for the ISAPI 10g Webgate

You can configure the TMG Server to operate with the 10g ISAPI Webgate for Access Manager.

Task overview: Configuring the TMG 2010 Server for the ISAPI 10g Webgate

  1. Registering Access Manager Plug-ins as TMG Server Web Filters

  2. Ordering the ISAPI Filters

  3. Verifying Form-based Authentication

61.5.1 Registering Access Manager Plug-ins as TMG Server Web Filters

After resetting ISAPI Webgate permissions, you need to register the Access Manager webgate.dll and postgate.dll plug-ins as Web filters within Forefront TMG Server.

Web filters screen all HTTP traffic that passes through the TMG Server host. Only compliant requests are allowed to pass through. The following procedure describes how to register Access Manager plug-ins in the TMG Server.

Note:

To undo the filter registration, you can use the following procedure with the /u option in the regsvr32 command. For example: regsvr32 /u TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll

To register Access Manager plug-ins as TMG Server Web filters

  1. Locate the TMG Server installation directory, from which you will perform the following tasks.
  2. Run net stop fwsrv to stop the TMG Server.
  3. Register the webgate.dll as an ISAPI Web filter by running:
    regsvr32 TMG_install_dir\access\oblix\apps\webgate\bin\webgate.dll
    
  4. Register the postgate.dll as an ISAPI Web filter by running:
    regsvr32 TMG_install_dir\access\oblix\apps\webgate\bin\postgate.dll
    
  5. Restart the TMG Server by running net start fwsrv.
  6. Proceed to "Ordering the ISAPI Filters".
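
Steps 2 through 5 as a script, given here as an added example that is not part of the original documentation. It assumes an elevated PowerShell session on the TMG host; the parameter name TmgInstallDir is hypothetical and stands for TMG_install_dir, and /s is the regsvr32 silent switch, used so the exit code can be checked.

```powershell
# Added example: scripted form of steps 2-5 of the registration procedure.
param(
    [Parameter(Mandatory = $true)]
    [string]$TmgInstallDir   # assumption: the value of TMG_install_dir on this host
)

$binDir = Join-Path $TmgInstallDir 'access\oblix\apps\webgate\bin'

# Registration order follows the procedure: webgate.dll, then postgate.dll.
$filters = @('webgate.dll', 'postgate.dll') | ForEach-Object { Join-Path $binDir $_ }

# Fail before touching the service if either plug-in is missing.
foreach ($dll in $filters) {
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        throw "Plug-in not found: $dll"
    }
}

net stop fwsrv
if ($LASTEXITCODE -ne 0) {
    throw "net stop fwsrv failed with exit code $LASTEXITCODE"
}

try {
    foreach ($dll in $filters) {
        # /s suppresses the regsvr32 dialog; a non-zero exit code means failure.
        $proc = Start-Process -FilePath 'regsvr32.exe' `
                              -ArgumentList '/s', "`"$dll`"" -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            throw "regsvr32 failed for $dll (exit code $($proc.ExitCode))"
        }
        Write-Output "Registered $dll"
    }
}
finally {
    # Always bring the service back, even if a registration failed.
    net start fwsrv
    if ($LASTEXITCODE -ne 0) {
        Write-Error "net start fwsrv failed with exit code $LASTEXITCODE"
    }
}
```

A failed registration still restarts the service, so check the script output before moving on to filter ordering.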

61.5.2 Ordering the ISAPI Filters

It is important to ensure that the Webgate ISAPI filters are included in the right order. postgate.dll should be loaded before webgate.dll.

To order the Webgate ISAPI filters for TMG Server

  1. From the Start menu, click All Programs, click Microsoft Forefront TMG, then click Forefront TMG Management.
  2. In the left pane, select System, then select Web Filters, to display your Web filters.
  3. Confirm that the following .dll files appear.

    For example:

    • postgate.dll
    • webgate.dll
  4. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in Step 3.
  5. Proceed with "Verifying Form-based Authentication".

61.5.3 Verifying Form-based Authentication

You need to ensure that the published Web site is accessible using the TMG proxy and verify that form-based authentication is working.

TMG supports both Basic over LDAP and Form-based or Basic authentication. You can choose the desired authentication scheme. TMG needs access to login.html, which you configure as described here.

To verify that form-based authentication is working

  1. Store the login page at the docroot of the Web server protecting the resource so that the TMG server can access the login page.
  2. Ensure that the published Web site is accessible to the TMG proxy.
  3. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.
  4. From the left pane, select the Firewall Policy.
  5. On the right, under the Firewall Policy Rule, select the rule that was created to protect the resource.
  6. Go to the policy rule properties, select the Path tab, then add the /login.html and click OK.
  7. Click Apply to save changes and update the configuration.
  8. Restart Forefront TMG to have the changes take effect:
    • To stop the Firewall Service, use the command net stop fwsrv
    • To start the Firewall Service, use the command net start fwsrv