Planning for server certificates
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you plan the certificate infrastructure for your Forefront TMG deployment. Forefront TMG uses Windows Server 2008 Active Directory Certificate Services (AD CS) to issue and manage the certificates used in the following scenarios:

- Publishing a Web server over an HTTPS connection. For details, see About publishing Web servers.
- Configuring a site-to-site VPN connection with L2TP/IPsec or IPsec tunneling. For details, see Planning for virtual private networks.
- Inspecting HTTPS traffic. For details, see Planning for HTTPS inspection.
- Server authentication and data encryption between array members when Forefront TMG Enterprise is deployed in a workgroup environment, where domain credentials are not available for this purpose. For details, see Workgroup and domain considerations.
For more information about AD CS, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkId=158022).
The following table summarizes the use of certificates in Forefront TMG.

Scenario | Certificate type | Issued by |
---|---|---|
Web publishing: authenticating the Forefront TMG computer to the external user | Server certificate | Public certification authority (CA) |
Web publishing: authenticating the back-end Web server to the Forefront TMG computer | Server certificate | Public CA or local CA |
VPN: L2TP/IPsec or IPsec tunnel | IPsec certificate | Local CA (recommended) |
HTTPS inspection | CA certificate | Local CA or a self-signed certificate |
Workgroup environment: server authentication and data encryption | Server certificate | Local CA |

The "Issued by" column follows from who must trust the certificate. External users' browsers already trust public CAs, so the certificate presented by the Forefront TMG computer to the Internet should come from one; the other scenarios involve only computers you administer, so a local CA (or, for HTTPS inspection, a self-signed CA certificate) is sufficient as long as its certificate is installed in the trusted root store of every computer that must validate it. In the HTTPS inspection case that means every internal client, because Forefront TMG uses the CA certificate to sign the per-site certificates it generates; clients that do not trust it receive certificate warnings.
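As an added example, not code from the Forefront TMG documentation, the following PowerShell script audits the certificates in the Local Machine personal store of the Forefront TMG computer against the requirements implied by the table: a private key, a chain that builds on this computer, the Server Authentication extended key usage and a matching name for the Web publishing listener, and a CA certificate (basic constraints CA=TRUE) for HTTPS inspection. The EKU OIDs are standard X.509 values; the function name `Test-TmgCertificate`, the heuristic used to classify IPsec computer certificates and the published name `mail.example.com` are assumptions made for illustration and should be replaced with your own values.

```powershell
# Added example, not code from the Forefront TMG documentation.
# Audits Cert:\LocalMachine\My on the Forefront TMG computer and reports which
# scenarios from the certificate table each certificate could serve.
# The OIDs below are standard X.509 extended key usage values.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$IkeIntermOid  = '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

function Test-TmgCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # Name external users type for the Web publishing listener (assumed value; replace it).
        [string]$PublishedName = 'mail.example.com'
    )

    $eku  = @()
    $isCa = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $eku = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }

    # Chain building (validity period plus online revocation checking) as seen from
    # this computer. It does not prove that an external browser or an internal
    # client trusts the issuer; that must be verified on those computers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)

    # DNS name from the subject alternative name extension if present, otherwise the subject CN.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk  = ($dnsName -eq $PublishedName)   # exact match only; wildcard names are not evaluated here

    $hasKey = $Cert.HasPrivateKey

    New-Object PSObject -Property @{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        HasPrivateKey   = $hasKey
        ChainBuilds     = $chainOk
        # Web publishing listener: server certificate with Server Authentication EKU and the published name.
        WebPublishing   = ($hasKey -and $chainOk -and ($eku -contains $ServerAuthOid) -and $nameOk)
        # IPsec/L2TP computer certificate heuristic (assumption): no EKU extension (all purposes),
        # IKE intermediate, or Client Authentication as issued by the default Computer template.
        IpsecTunnel     = ($hasKey -and $chainOk -and (($eku.Count -eq 0) -or ($eku -contains $IkeIntermOid) -or ($eku -contains $ClientAuthOid)))
        # HTTPS inspection: a CA certificate with a private key, so Forefront TMG can sign
        # the per-site certificates it generates for inspected sessions.
        HttpsInspection = ($hasKey -and $isCa)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-TmgCertificate -Cert $_ } |
    Format-Table Subject, NotAfter, HasPrivateKey, ChainBuilds, WebPublishing, IpsecTunnel, HttpsInspection -AutoSize
```

Run it in an elevated PowerShell session on the Forefront TMG computer. A certificate that shows `ChainBuilds` as false usually means the issuing CA certificate is missing from the computer's trusted root or intermediate store, which is the same problem external users or internal clients will hit if the CA is private; a `WebPublishing` result of false on a certificate that otherwise looks correct is most often a name mismatch between the certificate and the published name.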