TMG with single IP address and multiple service

  • TMG with single IP address and multiple service

    Just a quick question.

    For my home lab I only have one external IP address and I want to run multiple services over the same port i.e. Outlook Anywhere, Remote Desktop Gateway, OWA all use port 443. Currently my Remote Desktop Gateway and Exchange server are on different hosts so I have to re-point my firewall to the new IP address every time I want to test something.

    If I use TMG can I host multiple services on the same port so I don't have to make the change?

    I've never used TMG before so I'm just curious.

    Thanks

    Michael
    Last edited by m80arm; 26th May 2010, 11:06.
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

  • #2
    Re: TMG with single IP address and multiple service

    OWA, Outlook Anywhere and ActiveSync will all work off the same Web Listener so will happily co-exist. TMG does recommend separate rules for each service though, unlike ISA where you could just add the paths for ActiveSync and Outlook Anywhere to the OWA Publishing Rule.

    Dunno much about Remote Desktop Gateway but assuming it is happy with the type of authentication configured on the Web Listener it should work OK. You might not be able to use FBA for Exchange though.

    Edit: Found this link which suggests no authentication on the Web Listener for Remote Desktop Gateway.
    Last edited by cruachan; 26th May 2010, 12:03.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: TMG with single IP address and multiple service

      Cruachan,

      Thanks for the reply but is ISA clever enough to inspect the traffic and know that the Remote Desktop Gateway connection should go to 10.1.1.111 and OWA, Active Sync, Outlook Anywhere should go to 10.1.1.112? or is this information set on the listener?

      Basically I have quite a few services listening on port 443 that I want to expose externally for testing but these services all reside on different hosts. I just want to forward all 443 traffic to a TMG server that will then redirect the traffic to the host responsible for the service.

      Thanks

      Michael
      Michael Armstrong


      • #4
        Re: TMG with single IP address and multiple service

        Are you using the same certificate eg a wildcard certificate?
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: TMG with single IP address and multiple service

          OWA, ActiveSync and Outlook Anywhere all use mail.xxx.net. Remote Desktop Connections uses RDC.xxx.net and all certs are from an Enterprise CA.

          They can all be changed to use the same cert or different as externally they all point to the same IP address (The only external IP address I have)

          Michael
          Michael Armstrong


          • #6
            Re: TMG with single IP address and multiple service

            The destination for traffic matching the rule is set in the rule, not in the listener, so multiple rules can use the same listener with no issues. I think though you might need 2 separate public DNS names for Exchange and the Gateway (E.g. webmail.domain.co.uk and remote.domain.co.uk), as from what I can gather they both use the /rpc/* (Actually Outlook Anywhere on this path) path in IIS.

            I'm still in the learning process with TMG myself, but as far as I know the publishing from ISA 2006 has been ported straight to TMG with almost no changes.

            Edit: You posted as I was typing, I see you already have separate DNS names.
            Cruachan's Blog



            • #7
              Re: TMG with single IP address and multiple service

              So...

              Based on what you're saying I would have one listener listening on 443 but two rules. One to direct OWA, ActiveSync, Anywhere traffic to host 10.1.1.111 and then another rule to direct Remote Desktop Gateway traffic to 10.1.1.112 even?

              I just wanted to make sure it was actually possible before I took the time to install TMG and get it working

              Michael
              Michael Armstrong


              • #8
                Re: TMG with single IP address and multiple service

                Will this help you out
                http://technet.microsoft.com/en-us/l.../cc995178.aspx
                Marcel


                • #9
                  Re: TMG with single IP address and multiple service

                  Thanks Marcel.

                  I'll take a look and try and digest it properly tonight. I think TMG will do what I want I just need to learn it.

                  Michael
                  Michael Armstrong


                  • #10
                    Re: TMG with single IP address and multiple service

                    That's a pretty similar setup to what we have. We publish loads of websites on the same listeners and IP addresses, and the TMG rules direct the traffic based on the URL it's destined for.

                    From the looks of things you'll only need to get a second IP if you need to have different types of authentication on the listeners. We use 2 IPs for SSL publishing, one for OWA/ActiveSync/Outlook Anywhere with FBA enabled, and a second with Basic Authentication for external access to our call control system.
                    Cruachan's Blog
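
The rule-based publishing described in posts #6 and #10 (one listener on 443, several rules that each pick an internal host by public name and path) can be modelled as below. This is an added example, not part of the thread and not TMG's own code or API. The rule names, the `Rule`, `route` and `conflicts` helpers and the OWA/ActiveSync paths are assumptions; the host names come from post #5 and the internal IPs follow post #3.

```python
from fnmatch import fnmatchcase
from itertools import combinations
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    public_names: frozenset  # host names the rule answers to (lower case)
    paths: tuple             # lower-case path patterns, e.g. "/owa/*"
    destination: str         # internal host the request is forwarded to

MAIL, RDG = "10.1.1.112", "10.1.1.111"  # assumed mapping, as in post #3
# Constructed rule set: all four rules share one listener on port 443.
RULES = [
    Rule("OWA", frozenset({"mail.xxx.net"}), ("/owa/*",), MAIL),
    Rule("ActiveSync", frozenset({"mail.xxx.net"}),
         ("/microsoft-server-activesync/*",), MAIL),
    Rule("Outlook Anywhere", frozenset({"mail.xxx.net"}), ("/rpc/*",), MAIL),
    Rule("RD Gateway", frozenset({"rdc.xxx.net"}), ("/rpc/*",), RDG),
]

def route(host: str, url: str, rules=RULES) -> Optional[Rule]:
    """First rule whose public name and path match; None means denied."""
    host = host.lower().split(":")[0].rstrip(".")   # drop port, trailing dot
    path = url.split("?", 1)[0].lower()             # drop query string
    for rule in rules:
        if host in rule.public_names and any(
                fnmatchcase(path, p) for p in rule.paths):
            return rule
    return None  # nothing published under that name/path: default deny

def conflicts(rules):
    """Rule pairs sharing a public name and a path but not a destination.

    The later rule of such a pair is shadowed wherever the two overlap,
    which is why the two /rpc/* services need separate public names.
    """
    found = []
    for a, b in combinations(rules, 2):
        same_path = any(fnmatchcase(p, q) or fnmatchcase(q, p)
                        for p in a.paths for q in b.paths)
        if (a.public_names & b.public_names and same_path
                and a.destination != b.destination):
            found.append((a.name, b.name))
    return found

if __name__ == "__main__":
    print(route("RDC.xxx.net:443", "/rpc/rpcproxy.dll"))
    print(conflicts(RULES))
```

Because the choice depends on the Host header and path, the proxy has to terminate TLS on the listener before any rule can be evaluated; a plain port forward of 443 cannot make this decision.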
