Forefront TMG SSL pass through

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Forefront TMG SSL pass through

    I use a backup application which sends encrypted backups remotely using SSL. If I try to publish the server via TMG it fails as the SSL certs do not match. Is it possible to configure TMG to allow traffic to a certain domain to pass through directly to the server instead of using the TMG SSL cert?

    At present the TMG server has one external IP address and a web listener on it.

    I may be able to get more external ip addresses once I start moving services over from the old firewall.

    Thanks

  • #2
    Re: Forefront TMG SSL pass through

    Thoroughly confused by that.

    Do you have a Backup app internally sending data to an external server? If so you should only have to publish the Backup server if the remote server also has to connect to it. For anything going outbound SSL shouldn't be an issue.

    If you need to publish multiple SSL sites then you have no option but to use multiple IPs. I would assume that you are already publishing OWA?
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Forefront TMG SSL pass through

      Sorry, hopefully this will make more sense:

      The backup server is hosted in our internal network. We use laptops which are often out travelling but have internet access.

      The backup software talks to the backup server via SSL and expects a certain SSL certificate. So when using it within the network the software works fine, but when I try to publish the backup server so it can be used externally, the backup software complains that the SSL cert is incorrect. I believe this is due to the current web listener using a different wildcard cert which I use to protect some other web sites.

      Is it possible to set up TMG to allow the backup software to talk directly to the backup server? I am hoping to use a host based rule that will allow this (via 1-to-1 NAT?), i.e. any request to https://backup.mydomain.com is forwarded by TMG to an internal IP address without touching it.



      • #4
        Re: Forefront TMG SSL pass through

        Right, I understand now. Publishing the same site and the same URL both internally and externally is straightforward, just have 2 web listeners listening for requests on each of the networks. However as far as I am aware you can't have multiple certificates attached to the same Web Listener (You couldn't in ISA 2006, can't find any documentation for TMG but I would imagine it would be a documented feature for upgrading as it would negate the need for multiple IPs in a lot of cases) so that leaves 3 choices as far as I can see.

        Choice 1 is to change the wildcard certificate presented by TMG to also cover the backup software. I don't know if this is possible with your setup or if your software will accept this.

        Option 2 (My preference) is get another IP, and publish the backup server with the appropriate certificate on the listener. That's the most secure and most elegant option IMO.

        Option 3, which I don't really like, also involves a second IP address. You could use whatever ADSL router or other internet device you have to route traffic for another IP to a different server not behind TMG. That's really the only way to take TMG out of the equation.

        You can't do 1-1 NAT and just have TMG pass the traffic on. The external to internal network relationship is NAT, and so you must publish servers on any internal networks to external. Publishing requires a web listener, and an SSL web listener requires a certificate. You can do what you want using access rules so long as one of the networks is not External, so from Internal to a Perimeter network you don't need to publish, but that's because the network relationship is Route and not NAT in that case.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: Forefront TMG SSL pass through

          Thanks for your reply.

          (1) Can't do, as these are current live services that are working fine.

          (2) I can get another IP but I'm not sure of the SSL cert, as I won't have the private key to set up a listener.

          (3) Don't like it either.

          If I get a second IP address, can I set up a port forwarding rule to forward all 443 requests to the second IP to the backup server directly?
          We have something like this already on our old firewall.



          • #6
            Re: Forefront TMG SSL pass through

            I _think_ it's possible to use certutil to export a certificate with its private key so you can install it on the TMG server. There's no reason why a certificate and its private key can't be installed on multiple servers, so if it's an internal PKI and you can't export with the private key, you should be able to create a new cert request using certutil, mark the private key as exportable, and then install the cert on both servers.

            I've had to do something similar in the past for OWA publishing on an ISA array. Both servers need to have the same certificate and a matching private key for it to work correctly.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog

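The two routes described in #6 (export the existing certificate with its private key, or request a new one with an exportable key and install it on both servers), written out as an added example. This is not code from the thread or from Microsoft; it assumes an internal enterprise CA, a Windows backup server, and a TMG web listener on a second external IP. The hostname backup.mydomain.com, the working directory, the CA config string and the PFX password are placeholders.

```powershell
# Added example, not from the thread. Goal: the same certificate and private
# key installed on both the backup server and the TMG web listener.
# Hostname, paths, CA name and PFX password are placeholders.

$Hostname = "backup.mydomain.com"
$Work     = "C:\temp"
$PfxPass  = "ChangeMe-PlaceholderPassword"

# --- Route A (run on the backup server): the existing private key is exportable ---
# Shows the certificate and its key container; the output states when the
# private key is NOT exportable, in which case use Route B instead.
certutil -store My $Hostname

# Certificate plus private key into a password-protected PFX.
certutil -p $PfxPass -exportPFX My $Hostname "$Work\backup.pfx"

# --- Route B (run on the backup server): new certificate from the internal CA ---
# "Exportable = TRUE" is the line that makes the later PFX export possible.
# The SAN entry covers clients that check subjectAltName rather than the CN.
$inf = @"
[NewRequest]
Subject = "CN=$Hostname"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@
Set-Content -Path "$Work\backup.inf" -Value $inf

certreq -new "$Work\backup.inf" "$Work\backup.req"
# Submit to the enterprise CA; the config string is "CAHost\CAName" (placeholder).
certreq -submit -config "ca01.mydomain.local\MyDomain-CA" "$Work\backup.req" "$Work\backup.cer"
# Bind the issued certificate to the pending request so the key pair is complete.
certreq -accept "$Work\backup.cer"
certutil -p $PfxPass -exportPFX My $Hostname "$Work\backup.pfx"

# --- On the TMG server: import into the machine store (default store is My),
# then select this certificate on the SSL web listener for the second IP ---
certutil -p $PfxPass -importPFX "$Work\backup.pfx"
```

Route B only helps if the backup client accepts any certificate the internal CA issues for that name. If the client pins the specific certificate the backup server already presents, a freshly issued one will be rejected just like the wildcard was, and only Route A (the original key) can satisfy it. Treat the PFX as a secret: it carries the private key, so delete it from the working directory on both machines once the import has succeeded.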