Configure Web Publishing Rules for a Single Internal Pool
Topic Last Modified: 2011-11-03
Microsoft Forefront Threat Management Gateway 2010 uses web publishing rules to publish internal resources, such as a meeting URL, to users on the Internet.
In addition to the Web Services URLs for the virtual directories, you must also create publishing rules for simple URLs. For each simple URL, you must create an individual rule on the reverse proxy that points to that simple URL.
If you are deploying mobility and using automatic discovery, you need to create a publishing rule for the external Autodiscover Service URL. Automatic discovery also requires publishing rules for the external Lync Server Web Services URL for your Director pool and Front End pool. For details about creating the web publishing rules for automatic discovery, see Configuring the Reverse Proxy for Mobility.
Use the following procedures to create web publishing rules.
Note
These procedures assume that you have installed the Standard Edition of Forefront Threat Management Gateway (TMG) 2010.
To create a web server publishing rule on the computer running TMG 2010
1. Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.
2. In the left pane, expand ServerName, right-click Firewall Policy, point to New, and then click Web Site Publishing Rule.
3. On the Welcome to the New Web Publishing Rule page, type a display name for the publishing rule (for example, LyncServerWebDownloadsRule).
4. On the Select Rule Action page, select Allow.
5. On the Publishing Type page, select Publish a single Web site or load balancer.
6. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm.
7. On the Internal Publishing Details page, in the Internal Site name box, type the fully qualified domain name (FQDN) of the internal web farm that hosts your meeting content and Address Book content.
Note
If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is a Front End pool, this FQDN is a hardware load balancer virtual IP (VIP) that load balances the internal web farm servers. The TMG server must be able to resolve the FQDN to the IP address of the internal web server. If the TMG server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal web server. If you do this, you must ensure that port 53 is open on the TMG server and that it can reach a DNS server that resides in the perimeter network. You can also use entries in the local hosts file to provide name resolution.
8. On the Internal Publishing Details page, in the Path (optional) box, type /* as the path of the folder to be published.
Note
In the website publishing wizard you can specify only one path. Additional paths can be added by modifying the properties of the rule.
9. On the Public Name Details page, confirm that This domain name is selected under Accept Requests for, and then type the external Web Services FQDN in the Public Name box.
10. On the Select Web Listener page, click New to open the New Web Listener Definition Wizard.
11. On the Welcome to the New Web Listener Wizard page, type a name for the web listener in the Web listener name box (for example, LyncServerWebServers).
12. On the Client Connection Security page, select Require SSL secured connections with clients.
13. On the Web Listener IP Address page, select External, and then click Select IP Addresses.
14. On the External Listener IP selection page, select Specified IP address on the Forefront TMG computer in the selected network, select the appropriate IP address, and then click Add.
15. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select the IP address that is associated with the external web FQDN, and then click Select Certificate.
16. On the Select Certificate page, select the certificate that matches the public names specified in step 9, and then click Select.
17. On the Authentication Setting page, select No Authentication.
18. On the Single Sign On Setting page, click Next.
19. On the Completing the Web Listener Wizard page, verify that the web listener settings are correct, and then click Finish.
20. On the Authentication Delegation page, select No delegation, but client may authenticate directly.
21. On the User Set page, click Next.
22. On the Completing the New Web Publishing Rule Wizard page, verify that the web publishing rule settings are correct, and then click Finish.
23. Click Apply in the details pane to save the changes and update the configuration.
To modify the properties of the web publishing rule
1. Click Start, point to Programs, point to Microsoft Forefront TMG, and then click Forefront TMG Management.
2. In the left pane, expand ServerName, and then click Firewall Policy.
3. In the details pane, right-click the web server publishing rule that you created in the previous procedure (for example, LyncServerExternalRule), and then click Properties.
4. On the Properties page, on the From tab, do the following:
   a. In the This rule applies to traffic from these sources list, click Anywhere, and then click Remove.
   b. Click Add.
   c. In Add Network Entities, expand Networks, click External, click Add, and then click Close.
5. On the To tab, ensure that the Forward the original host header instead of the actual one check box is selected.
6. On the Bridging tab, select the Redirect request to SSL port check box, and then specify port 4443.
7. On the Public Name tab, add the simple URLs (for example, meet.contoso.com and dialin.contoso.com).
8. Click Apply to save changes, and then click OK.
9. Click Apply in the details pane to save the changes and update the configuration.
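The listener binds one certificate, so that certificate must cover every public name the rule accepts: the external Web Services FQDN from step 9 of the first procedure plus each simple URL added on the Public Name tab. The following script is an added example, not part of the original article or of TMG; it checks the subject alternative names of a served certificate against that list, and the contoso.com host names and the sample certificate are constructed.

```python
"""Check that the web listener's certificate covers every public name the rule
accepts: the external Web Services FQDN and each simple URL on the Public Name
tab. Added example, not from the article; all host names are constructed."""
import socket
import ssl
import sys

# Constructed: external Web Services FQDN plus the two simple URLs from the procedure.
PUBLIC_NAMES = ["lyncweb.contoso.com", "meet.contoso.com", "dialin.contoso.com"]
# Constructed certificate in the shape ssl.SSLSocket.getpeercert() returns; the
# dialin simple URL was added to the rule after the certificate was issued.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "lyncweb.contoso.com"), ("DNS", "meet.contoso.com")),
}

def cert_dns_names(cert):
    """DNS names listed in the certificate's subject alternative name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """RFC 6125 matching: exact, or a leading '*' covering exactly one label, so
    *.contoso.com covers meet.contoso.com but not contoso.com or a.b.contoso.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def uncovered_public_names(cert, public_names):
    """Public names the certificate does not cover; empty means the listener is OK."""
    names = cert_dns_names(cert)
    return [n for n in public_names if not any(name_matches(p, n) for p in names)]

def served_cert(host, port=443):
    """Fetch the certificate the listener serves for host. check_hostname is off so a
    mismatching certificate is returned for inspection rather than raising; the
    chain is still validated against the local trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # No arguments: check the constructed certificate. With arguments (the public
    # names), connect to the first one and check the certificate it actually serves.
    names = sys.argv[1:] or PUBLIC_NAMES
    cert = served_cert(names[0]) if sys.argv[1:] else SAMPLE_CERT
    for name in uncovered_public_names(cert, names):
        print("NOT COVERED by listener certificate:", name)
```

A name reported as not covered will produce certificate warnings for external clients reaching that simple URL, even though the publishing rule itself accepts the request.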