Introduction
mobilEcho's iPad clients connect securely over HTTPS to the mobilEcho server running inside your firewall, and must traverse that firewall via a VPN, an HTTP reverse proxy or an open HTTPS port. This article provides step-by-step instructions for enabling connections from users running the mobilEcho client outside your network, using the "reverse proxy" functions of the Microsoft Forefront Threat Management Gateway (TMG) software, the successor to ISA Server 2006.
Forefront Threat Management Gateway (TMG) is a secure web gateway that enables safe employee web use through comprehensive protection against malware, malicious web sites and vulnerabilities. Building on its predecessor, ISA Server 2006, TMG provides new URL filtering, anti-malware, and intrusion-prevention technologies to protect businesses against the latest web-based threats. These technologies are integrated with core network protection features such as firewall and VPN to create a unified, easy-to-manage gateway.
The Forefront TMG solution includes two separately licensed components:
• Forefront TMG server that provides URL filtering, antimalware inspection, intrusion prevention, application- and network-layer firewall and HTTP/HTTPS inspection in a single solution.
• Forefront TMG Web Protection Service that provides the continuous updates for malware filtering and access to cloud-based URL filtering technologies aggregated from multiple Web security vendors to protect against the latest Web-based threats.
Understanding Forefront Threat Management Gateway (TMG) Network Topology
Forefront TMG includes four network templates that can fit your existing network topology; it is important to choose the one most appropriate for your organization. After installing TMG, the Getting Started Wizard appears, where you make the initial configuration of your TMG server. The first item of the Getting Started Wizard is Configure Network Settings, where you choose which network template to use. The available options are listed below.
- Edge Firewall - In this topology, Forefront TMG is located at the network edge, where it serves as the organization’s edge firewall, and is connected to two networks: the internal network and the external network (usually the Internet).

- 3-Leg Perimeter - This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network.

- Back/Front Firewall - In this topology, Forefront TMG is located at the network’s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.

- Single Network Adapter - This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet.

Overview
INFO: This document covers the case when TMG is used as an Edge Firewall. If your organization uses TMG in a different network topology please contact
If you are using Microsoft Forefront Threat Management Gateway (TMG) to protect your internal network from Internet threats and viruses, you need to make certain configuration changes on your TMG server to get it working with mobilEcho. To use TMG as a reverse proxy and firewall for your mobilEcho server, you need two separate networks on your TMG computer: internal and external. The two TMG network adapters should be properly configured, one with a private (internal) IP address and one with a public (external) IP address. The mobilEcho server should be part of the internal network.
To use mobilEcho with TMG you need to complete the steps described in this document:
- Obtain an SSL server certificate and install it on your mobilEcho server and on the TMG server computer.
- Create a web listener in TMG.
- Create a new web site publishing rule for the mobilEcho file server, so that clients from outside your network can connect to mobilEcho.
- Create an external DNS record in your DNS server.
The mobilEcho client app supports these forms of authentication with a reverse proxy server:
- Pass-through authentication
- HTTP authentication (username & password)
- Certificate authentication
Install the SSL Server Certificate
Request and install an SSL certificate issued for the FQDN of each mobilEcho file server you want to publish via TMG; a certificate that matches the server's FQDN is what lets clients detect DNS spoofing. You also need to install the root CA certificates on the TMG computer. The server certificates must match the FQDN of each published server.
Follow the steps below to import a certificate on the TMG computer:
1. On the TMG computer, click Start, type mmc, and then press Enter or click OK.
2. Click the File menu and then click Add/Remove Snap-in or press Ctrl+M. Under Available Snap-ins, click Certificates and then click Add.
3. Select Computer Account and then click Next, click Local Computer and then click Finish.
4. Click OK in the Add Or Remove Snap-ins dialog box.
5. Expand Certificates (Local Computer), then expand Personal, and then expand Certificates.
6. Right-click the Certificates node, select All Tasks, and then select Request New Certificate.
7. The Welcome To The Certificate Import Wizard page appears. Click Next.
8. On the File To Import page, type the certificate location.
9. On the Password page, type the password provided by the entity that issued this certificate.
10. On the Certificate Store page confirm that the location is Personal.
11. The Completing The Certificate Import Wizard page should appear with a summary of your selections. Review the page and click Finish.
Verify that your CA is in the list of trusted root CAs:
1. On each edge server, open an MMC console. Click Start, and then click Run. In the Open box, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. In the Add Standalone Snap-ins box, click Certificates, and then click Add.
4. In the Certificate snap-in dialog box, click Computer account, and then click Next.
5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish.
6. Click Close, and then click OK. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.
7. In the details pane, verify that your CA is on the list of trusted CAs. Repeat this procedure on each server.
Create a New Web Listener for the mobilEcho File Server
1. Open the Forefront TMG Management Console.
2. Expand Forefront TMG (Array Name or Computer Name) in the left pane and click Firewall Policy.
3. In the right pane click the Toolbox tab, click Network Objects, right-click Web Listener and select New Web Listener from the menu.

4. The Welcome to the New Web Listener Wizard page appears. Give a name to the Web Listener (e.g. mobilEcho WL) and click Next.
5. On the Client Connection Security page select Require SSL secured connections with clients and click Next.

6. On the Web Listener IP Addresses page select External and click Next.

7. On the Listener SSL Certificates page select Use a single certificate for this Web Listener and click the Select Certificate button. Select the appropriate certificate and click the Select button to confirm your choice.

8. Confirm that the correct certificate appears on the Listener SSL Certificates page and click Next.
9. On the Authentication Settings page choose No Authentication from the drop-down menu and click Next.

10. On the Single Sign On Settings page verify that the SSO setting is disabled and click Next.

11. Review your selections on the Completing The New Web Listener Wizard page and click Finish.

12. Click the Apply button to commit the changes.

13. In the left pane of the Forefront TMG Management Console click Monitoring, then click the Configuration tab in the middle pane. Keep clicking the Refresh Now link in the right pane (Tasks tab) until a green check-mark icon appears in front of the TMG computer name (array name).
Create a New Web Site Publishing Rule for the mobilEcho File Server
INFO: The steps below were tested with the mobilEcho file server's computer configured to use TMG as its gateway.
1. In the Forefront TMG Management Console expand Forefront TMG (Array Name or Computer Name) in the left pane.
2. Right-click Firewall Policy, select New, and click Web Site Publishing Rule.

3. The Welcome to the New Web Publishing Rule Wizard page appears. Enter a name for the Web publishing rule (e.g. mobilEcho WP) and click Next.
4. On the Select Rule Action page verify that the Allow option is selected and click Next.

5. On the Publishing Type page choose the applicable option for your case and click Next.

6. On the Server Connection Security page choose the Use SSL to connect to the published Web server or server farm option and click Next.

7. On the Internal Publishing Details page type "intname.domain.com" in the Internal site name field, where domain is a placeholder for the domain name the server you want to publish belongs to, and intname is a name you give to this server. This name must be different from the external name in order to prevent a routing loop. Click Next to commit the changes.
NOTE: Create a DNS entry for "intname.domain.com" in your organization's internal DNS server.

8. On the Internal Publishing Details page enter "/*" in the Path(optional) field to allow access to the entire content of the mobilEcho file server. Click Next.

9. On the Public Name Details page you need to specify the name that the remote clients will use to connect to the published server. Enter "mobilecho.domain.com" in the Public name field, where domain is a placeholder for the domain name of the server you want to publish. Leave the other options the way they are by default and click Next.

10. On the Select Web Listener page select the web listener that you have created for mobilEcho from the drop-down menu and click Next.

11. On the Authentication Delegation page select the No delegation, but client may authenticate directly option from the drop-down menu and click Next.

12. On the User Sets page verify that the default All Users option is present and click Next to continue.

13. On the Completing The New Web Publishing Rule Wizard page review the summary of your selections. Click Test Rule to confirm that the publishing rule is working properly. Click Finish to complete the process.

14. Click the Apply button to commit the changes.

15. In the left pane of the Forefront TMG Management Console click Monitoring, then click the Configuration tab in the middle pane. Keep clicking the Refresh Now link in the right pane (Tasks tab) until a green check-mark icon appears in front of the TMG computer name (array name).
Configure an External DNS Entry for the mobilEcho File Server
After the TMG configuration is complete, you need to create a DNS record on the external DNS servers so that all mobilEcho connections are directed to the external network adapter of TMG. The DNS entry should resolve the public name of your mobilEcho file server (mobilecho.domain.com) to the external IP address of the TMG server. All mobilEcho client requests are then sent to and handled by TMG. In this configuration scenario TMG does not require clients to authenticate; users reach the mobilEcho file server without being aware that the responses come from Microsoft Forefront TMG rather than directly from the server.
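The prerequisites this article depends on (a listener certificate that covers the public FQDN and is issued by a CA trusted on the TMG computer, a public name that resolves to TMG's external address, and an internal name that is distinct from the public name and resolves to a private address) can be verified from PowerShell on the TMG computer. The script below is an added example, not part of the original article nor of mobilEcho or TMG; the two host names, the external IP address and the helper functions Test-PrivateIPv4 and Get-CertificateNames are assumptions, to be replaced with your own values.

```powershell
# Added verification script (not in the original article); run on the TMG computer. Placeholders:
$PublicName   = 'mobilecho.domain.com'   # Public name in the publishing rule
$InternalName = 'intname.domain.com'     # Internal site name in the rule
$ExternalIP   = '203.0.113.10'           # Address of TMG's external adapter (assumed)

function Test-PrivateIPv4 ([string]$Address) {
    # RFC 1918 ranges; the published mobilEcho server must be on the internal network
    return [bool]($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)')
}
function Get-CertificateNames ([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every DNS entry of the Subject Alternative Name extension
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',') |
            ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() } |
            Where-Object { $_ }
    }
    return $names
}

# 1. Listener certificate: covers the public FQDN, has its private key, not expired
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ((Get-CertificateNames $_) -contains $PublicName) } |
    Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate with private key for $PublicName in LocalMachine\My" }
elseif ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate for $PublicName expired on $($cert.NotAfter)" }
else { Write-Host "OK: certificate $($cert.Thumbprint) covers $PublicName" }

# 2. The issuing root CA must be in Trusted Root Certification Authorities
if ($cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) {
        Write-Host "OK: root CA '$($root.Subject)' is trusted on this computer"
    } else { Write-Warning "Root CA '$($root.Subject)' is not in LocalMachine\Root" }
}

# 3. DNS: public name -> TMG external address; internal name -> a private address
$pub = @([System.Net.Dns]::GetHostAddresses($PublicName)   | ForEach-Object { $_.IPAddressToString })
$int = @([System.Net.Dns]::GetHostAddresses($InternalName) | ForEach-Object { $_.IPAddressToString })
if ($pub -notcontains $ExternalIP) { Write-Warning "$PublicName resolves to $pub, not to $ExternalIP" }
if ($PublicName -eq $InternalName -or ($int | Where-Object { $pub -contains $_ })) {
    Write-Warning "Internal and public names overlap; this can cause a routing loop"
}
$int | Where-Object { -not (Test-PrivateIPv4 $_) } |
    ForEach-Object { Write-Warning "$InternalName resolves to non-private address $_" }
```

Each warning maps to one of the article's steps: the certificate import, the trusted root CA check, the internal DNS entry for the internal site name, or the external DNS record.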