
Doing More with Just One Public IP (Part 2)


On to the important stuff, creating the Web Listener and Publishing Rules.

Right-click “Firewall Policy” in Forefront TMG and select New – Exchange Web Client Access Publishing Rule.

Give the rule a descriptive name; you will be creating 3 just for Exchange!

Select Outlook Web Access and Exchange Server 2010 and click Next.

Select Publish a single Web site or load balancer and click Next.

We will be using SSL for everything so select the top radio button and click next. If you are not using SSL your results will vary slightly.

Enter the internal name of your client access server. This should be the name of the client access array or the subject name of the certificate. Also enter the internal IP address of the CAS server or CAS NLB address.

Enter the public name of the website. Later we will modify this rule to allow autodiscover to work properly.

Now we need to create an SSL web listener, so select New.

Give the web listener a descriptive name.

The SSL settings of the web listener must match the SSL settings of the web site publishing rule. In our case we are using SSL.

Since we will be assigning multiple internal IP addresses to our TMG server, and since this TMG server was configured with a single network adapter above, we will select the “Internal” network. Click “Select IP Addresses”.

Select the IP address we will assign the NAT to; in our case it is currently the only IP on this box. Click OK, then Next to continue.

Now we must assign an SSL certificate to that interface. I have already imported my mail.unplugthepbx.com certificate with the private key from my Exchange server here. Note: if you want autodiscover to work, your cert must have a Subject Alternative Name of autodiscover.domain.com.

The certificates that are installed correctly and have a corresponding private key will display with a green checkmark. Highlight the certificate, click “Select”, then Next to continue.

Our Web Listener will use HTML Form Authentication. Ensure this is selected in the drop-down and that Windows (Active Directory), or any other form of authentication you wish to use, is selected.

The next screen is for Single Sign On. This will allow any website that is published with Forefront TMG and uses the same Web Listener to pass your credentials directly through. Since our certificate has a couple of other alternate names in it (might as well get your money's worth!), this will allow pass-through credentials into our portal and CS Web environment!

The web listener is now complete; select Finish to return to the Publishing Rule wizard.

The Web Listener you just created should now be selected, click Next to continue.

We will be using NTLM authentication between TMG and the Exchange 2010 CAS server for OWA, select Next to continue.

As TMG will be acting as a reverse proxy and performing pre-authentication against Exchange and AD, we will only allow authenticated users to access the system. Select Next to continue.

We have now completed the OWA Publishing Rule, which also created our web listener.
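The wizard's green checkmark only tells you a private key is present; it does not check that the certificate actually carries the public name and the autodiscover Subject Alternative Name the listener needs. The PowerShell below, an added example and not part of the original post or of TMG, runs on the TMG server and reports, for each certificate in the computer's Personal store, whether the private key is present, the certificate is unexpired, and the names are covered. The host names are assumed values taken from the post; replace them with your own.

```powershell
# Added example (not from the original post): pre-check the certificate a TMG
# SSL web listener will use, before running the publishing rule wizard.
# Assumed host names; change these to match your certificate.
$PublicName       = 'mail.unplugthepbx.com'
$AutodiscoverName = 'autodiscover.unplugthepbx.com'

function Test-ListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$PublicName,
        [Parameter(Mandatory)][string]$AutodiscoverName
    )
    # TMG offers listener certificates from the computer's Personal store.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $names = @()
        # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
        # Format() output is locale dependent; 'DNS Name=' is the English label.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
        # Also count the subject CN so single-name certificates are evaluated.
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            HasPrivateKey      = $cert.HasPrivateKey        # needed for the green checkmark
            NotExpired         = $cert.NotAfter -gt (Get-Date)
            CoversPublicName   = $names -contains $PublicName
            CoversAutodiscover = $names -contains $AutodiscoverName
            Names              = ($names | Sort-Object -Unique) -join ', '
        }
    }
}

# Show only certificates that are usable for the listener's public name.
Test-ListenerCertificate -PublicName $PublicName -AutodiscoverName $AutodiscoverName |
    Where-Object { $_.HasPrivateKey -and $_.NotExpired -and $_.CoversPublicName } |
    Format-Table -AutoSize
```

A wildcard certificate (*.domain.com) will report CoversAutodiscover as False because the check is an exact name match; confirm the parent domain manually in that case.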

Categories: Exchange, Lync