Microsoft Forefront TMG Server system does not include an easy GUI method to create a CSR.
The following guide gives the typical steps needed to successfully enroll and implement the SSL certificate .pfx file required by your TMG web listener (the same keypair can also serve your AD LDAP).
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012. Forefront uses .pfx files for its keypair management, so IIS is typically used for key generation.
The typical procedure is as follows.
- Generate the CSR for your SSL certificate using one of the following methods:
  - On a server that has Windows Internet Information Services (IIS) Manager.
  - Using the Portecle keypair creation and manipulation tool.
- After the SSL certificate has been issued, install it and its intermediate certificate back on the system or application you used to generate the CSR:
  - Install your SSL certificate back into IIS Manager.
  - Install your SSL certificate using the Portecle keypair creation and manipulation tool.
- Note: If your SSL certificate was created and installed on a system other than the one that houses your TMG server, you will need to export the SSL certificate with its private key as a .pfx file from the system or application where it was installed and import it into the system that houses your TMG server:
  - Exporting your SSL certificate.
  - Importing your SSL certificate into your TMG system.
- After the install, or the export/import if required, perform one of the tasks below:
  - Replace the SSL certificate on an existing web listener on your Forefront TMG server.
  - Set up a new web listener on your Forefront TMG server and assign your SSL certificate to it.
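The CSR, export/import and pre-check steps above, as an added PowerShell example that is not part of the original article: it uses the built-in certreq and certutil tools instead of IIS or Portecle. The host name, file paths and PFX password are placeholders.

```powershell
# Added example (not from the original article): create the CSR with certreq,
# move the keypair as a .pfx, and confirm it is usable by a TMG web listener.
# Placeholders: tmg.example.com, C:\certs\ and the PFX password.

# 1. CSR request file. Exportable = TRUE is required, otherwise the private key
#    cannot later be exported as a .pfx and moved to the TMG host.
$inf = @"
[NewRequest]
Subject = "CN=tmg.example.com, O=Example Org, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=tmg.example.com&"
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
$inf | Set-Content -Path C:\certs\tmg.inf -Encoding ASCII
certreq.exe -new C:\certs\tmg.inf C:\certs\tmg.csr   # submit tmg.csr to your CA

# 2. After issuance (tmg.cer saved from the CA): bind the certificate to the
#    pending key, then export it with the private key as a password-protected PFX.
certreq.exe -accept C:\certs\tmg.cer
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=tmg.example.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
certutil.exe -p 'PfxPassw0rd!' -exportPFX My $cert.Thumbprint C:\certs\tmg.pfx

# 3. On the TMG host: import into the machine store. TMG's Select Certificate
#    dialog only lists LocalMachine\My certificates that carry a private key.
certutil.exe -f -p 'PfxPassw0rd!' -importPFX C:\certs\tmg.pfx

# 4. Pre-check before assigning the certificate to the web listener.
$tmgCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=tmg.example.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $tmgCert -or -not $tmgCert.HasPrivateKey) {
    throw "Certificate missing or has no private key; it will not appear in Select Certificate."
}
"OK: $($tmgCert.Thumbprint) valid until $($tmgCert.NotAfter)"
```

Run steps 1 and 2 on the machine where the key is generated and step 3 on the TMG host; if the two are the same machine, step 3 is not needed.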
How to Replace your Existing Web Listener with your new SSL certificate:
- Open Forefront TMG Management.
- Click Start.
- Click All Programs.
- Click Microsoft Forefront TMG and then click Forefront TMG Management.
Note: If you are unable to find this program, you are probably on the wrong system. You must find the correct system that has this application.
- In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server).
- Click Firewall Policy.
- Under Firewall Policy, on the Toolbox tab, expand Network Objects > Web Listeners, select the Web Listener whose certificate you want to replace with your new SSL certificate, and then click Edit.
- In your Properties window, on the Certificates tab, select Use a single certificate for this Web Listener, and then, click Select Certificate.
- In the Select Certificate window, under Select a certificate from the available list of certificates, select your New SSL Certificate, and then, click Select.
- Back in the Properties window, on the Certificates tab, click Apply and then, click OK.
- To save your changes and update your configuration, in the Forefront TMG window, click Apply.
- In the Save Configuration Changes window, click OK.
- You have successfully installed/replaced your SSL Certificate in your existing Web Listener on your Forefront TMG Server.
How to Set Up a New Web Listener on Your Forefront TMG Server:
- Open Forefront TMG Management.
- Click Start
- Click All Programs
- Click Microsoft Forefront TMG and then click Forefront TMG Management.
Note: If you are unable to find this program, you are probably on the wrong system. You must find the correct system that has this application running.
- In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server).
- Click Firewall Policy.
- On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects and then, click New > Web Listener.
- On the New Web Listener Definition Wizard window, in the Web listener name box, specify a name for your web listener (example: RDGatewayWebListener) and then, click Next.
- On the Client Connection Security page, select Require SSL secured connections with clients
- Click Next.
- On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, check Internal
- Click Select IP Address.
- In the Internal Network Listener IP Selection window, select Specified IP addresses on the Forefront TMG computer in the selected Network.
- Under Available IP Addresses, select the address you wish to use, and click Add.
- After adding the IP address click OK.
- Back in the New Web Listener IP Addresses page, click Next.
- On the Listener SSL Certificates page, select Use a single certificate for this Web Listener and then, click Select Certificate.
- In the Select Certificate window, under Select a certificate from the available list of certificates, select your new SSL certificate that you imported/installed on this system.
- Click Select.
- Back in the New Web Listener Definition Wizard, click Next.
- On the Authentication Settings page, in the Select how clients will provide credentials to Forefront TMG drop-down list select No Authentication.
- Click Next.
- On the Single Sign On Settings page, click Next.
- After reviewing the configuration on the Completing the New Web Listener Wizard page, click Finish.
- Lastly back in the Forefront TMG window click Apply.
- You have just installed and configured your SSL certificate on your Forefront TMG system.
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or an organization that supports it.
For more information, refer to Microsoft Support.