Comprehensive Overview of Web and Server Publishing Rules in TMG 2010 (Part 5)

In this series on web and server publishing, we first talked about the concepts of web publishing and then we went through the configuration interface to explain how to create and modify web publishing rules. In this, part 5, we’ll continue our discussion by going over more of the modification options that are available in a Web Publishing Rule after you’ve created it.

Traffic tab

When you click on the Traffic tab, you’ll see which protocols are allowed to connect to this web listener. If you’re watching closely, you might have noticed that I changed the Web Publishing Rule a bit from the one we created in part 2. I did this so that you can see some of the SSL related options. Here you’ll see that this rule applies to traffic using two protocols, HTTP and HTTPS. Notice that when both HTTP and HTTPS are allowed, you have the option to inform users that they should use HTTPS instead of HTTP. You do this by enabling the Notify HTTP users to use HTTPS instead option.

There is another option on this page, Require SSL Client Certificate. It is greyed out here because certain settings have to be enabled on the Web Listener (configuring it for forms-based authentication) before this option becomes available.
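As an added example (not from this article and not TMG code), the following Python classifies a raw HTTP response returned to a plain-HTTP request against the listener, so you can confirm that the HTTPS notification is actually in effect and that no content is served over unencrypted HTTP. The sample responses and the host name are constructed; the exact response TMG sends (error page or redirect) is not stated in the article, so either is accepted as enforcing HTTPS.

```python
"""Offline check of a Web Listener's plain-HTTP behaviour for a published site."""
from urllib.parse import urlsplit


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_http_response(raw: bytes, published_host: str) -> str:
    """Classify what a plain-HTTP request to the listener got back.

    "https-redirect"    3xx to an https:// URL on the published host (HTTPS enforced)
    "denied"            4xx/5xx error page, e.g. a notice to use HTTPS (HTTPS enforced)
    "served-over-http"  2xx content over plain HTTP (HTTPS is NOT enforced)
    "redirect-insecure" 3xx to an http:// URL (HTTPS still not enforced)
    "redirect-offsite"  3xx to another host; review the rule's redirect target
    """
    status, headers = parse_response(raw)
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            return "redirect-insecure"
        if target.hostname and target.hostname.lower() != published_host.lower():
            return "redirect-offsite"
        return "https-redirect"
    if 200 <= status < 300:
        return "served-over-http"
    return "denied"


# Constructed sample responses (not captured from a real TMG listener).
SAMPLES = {
    "redirect": b"HTTP/1.1 302 Found\r\nLocation: https://www.example.test/\r\nContent-Length: 0\r\n\r\n",
    "denied": b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Use HTTPS to access this site</html>",
    "leak": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>published content</html>",
    "insecure": b"HTTP/1.1 302 Found\r\nLocation: http://www.example.test/\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {classify_http_response(raw, 'www.example.test')}")
```

Only "served-over-http" and "redirect-insecure" indicate that the listener is still handing out or steering users to unencrypted content.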

When you click the Filtering button, it brings up the Configure HTTP policy for rule dialog box, where you can configure which connection characteristics you will and will not allow to the Web Listener, based on parameters such as HTTP methods, HTTP extensions, HTTP headers and custom signatures. We won’t be going through those options in this article series, but will address them in a future article.

Figure 1

Bridging tab

On the Bridging tab, you will find a number of interesting and useful options. Notice that there are two main option buttons here, labeled Web server and FTP server. Why do we have these two categories? Bridging controls how the TMG firewall forwards the connection after it receives it from the external client. It doesn’t matter which protocol the external client used to connect (which protocol the external user can use is controlled by the Web Listener). Thus your choices are to forward the connection to a web server (using HTTP or HTTPS) or to an FTP server (using the FTP protocol).

When you select the Web server option here, you will then be able to choose to forward the connections to an HTTP and/or SSL port. When you select one or both of these options, you can use the default values, or if you wish you can change the values from the defaults to custom values.

Now take note of the Use a certificate to authenticate to the SSL Web server option. When you enable this, you can then use the Select button to choose a certificate that can be used to authenticate to the published web server. The published web server would also need to be configured to require a client certificate. If the web server is configured to require a client certificate, this option will enable you to configure the firewall to provide that certificate when the web server asks for it. Note that you will need to obtain a client certificate separately and it will need to be installed in the TMG firewall’s web proxy service account.

If you want to publish an FTP server, you can select the FTP server option. In this case, the external user will be using either HTTP or HTTPS to connect to the Web Listener and then the TMG firewall will forward the connection as an FTP connection to the FTP server. This is a nice option for you if you want to publish files to external users and provide a secure connection over the Internet. In that case, you would configure the Web Listener to require an SSL connection. Then the process goes like this:

  1. The external users will establish an SSL connection to the TMG firewall.
  2. Next, the TMG firewall will forward the connection as an FTP request.
  3. The FTP server will respond to the TMG firewall and return the content to the firewall using the FTP protocol.
  4. Finally, the firewall will forward the information to the external client over the SSL connection.

Figure 2

Users tab

Now let’s move on to the Users tab, where you can select which users will be allowed to connect to the published web site when accessing it through this rule. The default setting is All Users, but you can easily remove that by clicking on All Users and clicking Remove.

Figure 3

If you want to allow a custom group of users, you need to click the Add button. This brings up the Add Users dialog box. Note that you can’t directly select users from Active Directory or from the local users and groups configured on the TMG firewall, as you might have expected to be able to do. Instead, you are going to need to create a User Set on the TMG firewall and then populate that User Set with the users or groups that you want to include in the User Set. After you create the User Set, you can configure the Web Publishing Rule to only allow those users in the Set to use this Web Publishing Rule to access the published web site.

Note that on the bottom of this dialog box, there is an Exceptions section. You can use this if you have a User Set that contains some users whom you don’t want to allow to access the published web site. For example, you might use the All Users User Set in the This rule applies to requests from the following user sets section, but then create an exception for a User Set that contains contractors or temporary employees. This would be easier than creating a User Set with all of the regular employees to whom you want to allow access.

Figure 4

Listener tab

This brings us to the Listener tab. On this tab, you can see the details of the Web Listener that’s used by the Web Publishing Rule. There are no default Web Listeners, so you will always have to create one. You have the option of creating a Web Listener at the time you create the Web Publishing Rule, or you can create the Web Listener before you run the Web Publishing Rule Wizard. You can see some of the settings on this tab in the screenshot below.

Figure 5

Click on the Properties button here and you will see the Properties dialog box for the Web Listener. The General tab isn’t very interesting so I’m not showing that here. The only thing you can do on that tab is change the name of the rule.

On the Networks tab, however, we run into some more interesting options. On this tab, you designate the TMG Firewall Networks from which the Web Listener will accept connections. That is to say, the Web Listener will accept connections only from the Networks you choose here. You can see in this example that the Web Listener is configured to accept connections from the default External Network, on a specific IP address on the NIC that is connected to the default External Network.

Note that you can configure the Web Listener to listen for connections coming from other networks too. For example, if the web server is on a DMZ network, you might want to allow users on the default Internal Network access to the web server. In this case, you would configure the Web Listener to listen for connections coming from the Internal Network.

Figure 6

You can select a Network and then click the Address button to define which IP addresses will be used to accept connections for this Web Listener. You have three options here:

  • All IP addresses on the Forefront TMG computer that are in the selected network
  • Default IP addresses for network adapters on this network. If Network Load Balancing is enabled for this network, the default virtual IP address will be used.
  • Specified IP addresses on the Forefront TMG computer in the selected network.

The first option enables the Web Listener to use all the IP addresses that are assigned to the NIC connected to the selected Network. The second option accepts connections on a single IP address, the default IP address. The default IP address used by TMG is assigned a bit differently from the way it was assigned by the former ISA firewalls. For an explanation of how the default IP address is assigned on the TMG firewall, please see this link.

The third option enables you to select the specific address or addresses on which you want the Web Listener to accept connections. Just select the address in the Available IP Addresses section and then click Add to move it to the Selected IP Addresses section, as seen in the figure below.

Figure 7


In this series on the web and server publishing feature of the TMG 2010 firewall, we’ve covered the basic concepts behind the web publishing capability, created a Web Publishing Rule, and gone over the details of the Web Publishing Rule after it was created. In this article, Part 5 in the series, we looked at the modifications you can make using several of the tabs in the Web Publishing Rule Properties dialog box, and then we started to dig into the properties of the Web Listener, which is the software component that defines the types of connections the TMG firewall will accept before forwarding them to the published web site. In the next article, Part 6, we will finish up with the Web Listener and then go into some issues related to SSL publishing and certificates. See you then! –Deb.
