Controlling Internet Access: A Short Primer on TMG Access Rules - Part 3: TMG Firewall Web Publishing Rule Basics
If you would like to read the other parts in this article series, please go to:
- Controlling Internet Access: A Short Primer on TMG Access Rules (Part 1)
- Controlling Internet Access: A Short Primer on TMG Access Rules (Part 2)
- Controlling Internet Access: A Short Primer on TMG Access Rules - Part 4: TMG Networks and Network Rules
This week, we continue our series of articles on TMG firewall basics for all those new TMG administrators I’ve been hearing from, by covering the basic elements of web publishing. Web publishing is the term we use for reverse proxying to web sites, so that external users can access web sites located behind the TMG firewall. Note that there are actually two ways you can make web sites available to external users: web publishing and server publishing. Web publishing enables the TMG firewall to act as a reverse proxy, while server publishing makes the web server available through reverse NAT. Web publishing is the preferred method because, with it, you can take advantage of pre-authentication and many other features that aren’t available with reverse NAT.
To introduce you to the web publishing process, let’s start with publishing a simple HTTP site located behind the TMG firewall. This basic site doesn’t require SSL and doesn’t require authentication. In the future, we’ll go through some more complex examples, in which you can use SSL and authentication.
To start, click on the Firewall Policy node in the left pane of the TMG firewall console, as seen in Figure 1 below.
In the right pane of the console, click the Tasks Tab. Then on the Tasks Tab, click the Publish Web Sites link that’s shown in Figure 2 below.
This will invoke the Welcome to the New Web Publishing Rule Wizard page. On this page, shown in Figure 3, you need to give the rule a name. In the Web publishing rule name text box, for this example we’ll enter the name HTTP Web Server and then click Next.
On the Select Rule Action page, as shown in Figure 4, you can configure the rule to Allow or Deny the connection. In this example, we’ll select Allow. The Deny option is used for special use cases; you more typically are going to create web publishing rules that allow connections to a web site behind the TMG firewall.
On the Publishing Type page, shown in Figure 5, you select one of three scenarios that match your web server environment. In this example, we want to publish a single web server that is located behind the TMG firewall, so we’ll select the Publishing a single Web site or load balancer option and click Next.
On the Server Connection Security page, shown in Figure 6, you must select whether the TMG firewall will use SSL to connect to the web server. In this scenario, we will not require SSL between the TMG firewall and the web server, so we’ll select the Use non-secured connections to connect the published Web server or server farm option.
Remember that for the most secure configuration you would use SSL on this leg as well, so that the traffic between the TMG firewall and the web server is also encrypted rather than sent in the clear on the internal network.
On the Internal Publishing Details page, shown in Figure 7, you are asked to define the name of the server on the intranet. In this example, we’ll enter the Fully Qualified Domain Name (FQDN) of the server on the intranet that is hosting the web site, which is dc1.msfirewall.org. You also have the option here to enable the Use a computer name or IP address to connect to the published server checkbox and then enter another name or IP address of the server. This allows the TMG firewall to locate the server if it’s using a different name than the one you enter in the Internal site name text box. After entering this information, click Next.
On the second Internal Publishing Details page, shown in Figure 8, you can enter a path to limit users to accessing a specific file or folder on the web server. In this example, however, we want to allow access to the entire site, so we won’t enter a path. After you make your selection here, click Next.
On the Public Name Details page, shown in Figure 9, enter the name of the web site that the users will access. This is the name that the users will actually use to access the site. To do this, select the This domain name (type below) option from the Accept requests for drop down list. After selecting that option, enter the name that users will use to access the site in the Public name text box. In this example, users will use the name www.msfirewall.org to access the site, so we’ll enter that into the text box. Again, we have the option to enter a path, but we won’t do so. Click Next.
On the Select Web Listener page, shown in Figure 10, select the web listener that will be used to accept connections from external users to access the web site. In our example, there are no web listeners set up yet, so there are none to choose from in the drop-down box. To create a new HTTP web listener, click on the New button.
This brings up the Welcome to the New Web Listener Wizard page, shown in Figure 11. Here we’ll enter a name for the web listener in the Web listener name text box (we are using the name HTTP Listener) and then click Next.
On the Client Connection Security page, shown in Figure 12, you must specify whether or not you want external users to use SSL to connect to the TMG firewall. In this example, we want to publish a simple HTTP site, so we’ll select the Do not require SSL secured connection with clients and click Next.
On the Web Listener IP Addresses page, shown in Figure 13, select the network on which you want the TMG firewall to accept connections to the web site. In most cases, when you publish a web site to external users, you will select the default External Network to accept the incoming connections. If you have multiple IP addresses bound to the external interface, you can click the Select IP Addresses button and then select the specific IP address on which you want to accept the connections; in most cases you’ll want to do this instead of accepting connections on all the IP addresses that might be configured on the external interface of the TMG firewall. In this example, we only have one IP address on the external interface, but we’ll select that specific IP address just in case we add more IP addresses to the external interface in the future.
On the Authentication Settings page, shown in Figure 14, select the type of authentication that will be used to connect to the TMG firewall to access the site. This type of authentication is often referred to as “pre-authentication” since the user actually authenticates with the TMG firewall before authenticating with the web server. In this example, we will not require authentication so we’ll select the No Authentication option and click Next.
On the Single Sign On Settings page, shown in Figure 15, you can configure the web listener to support single sign-on for all sites publishing through this web listener. However, in order for single sign-on to work, the user has to sign on. Since we’re not requiring authentication in this example, single sign-on is not applicable, so we’ll move on and click Next.
This brings us to the last page of the web listener wizard, shown in Figure 16. Here we’ll review the settings on the Completing the New Web Listener Wizard page and click Finish.
Now we go back to the original wizard. The new web listener now appears on the Select Web Listener page that’s shown in Figure 17, and you can see some of the details of the Web Listener. There are some additional options available that you can configure on the web listener. You can access these by clicking the Edit button. We’ll take a look at those in a future article. For now, we’ll move along and click Next.
On the Authentication Delegation page, shown in Figure 18, you configure how the TMG firewall delegates credentials to the published web site. This means the user will only need to authenticate once with the TMG firewall, instead of having to enter credentials to authenticate with the TMG firewall and then enter them again to authenticate to the published web server. In this example, we’re not requiring authentication, so there’s no reason to delegate any credentials; we’ll select the No delegation, and client cannot authenticate directly option and click Next.
On the User Sets page, shown in Figure 19, select which users or groups are allowed to access the published web site. In order to use this option, you have to require that the users authenticate so that they can be identified. Since we’re not requiring authentication in this example, we’ll use the default group, which is All Users. In the context of the TMG firewall, “all users” doesn’t mean all authenticated users; it actually means “anonymous users” – so when you allow “all users” access, you are actually allowing users who do not authenticate to access the site. If you want to limit access to users who have authenticated, the built-in user set for that is All Authenticated Users, and the listener must then require authentication.
We’ll review the settings on the Completing the New Web Publishing Rule Wizard page that’s shown in Figure 20, and then click the Test Rule button.
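For administrators who would rather script this than click through the wizard, here is the same walkthrough expressed against the Forefront TMG Administration SDK COM object (FPC.Root). This is an added example, not code from the article or from Microsoft: the object, method and property names are as I know them from the ISA/TMG SDK, the enum values are written as integers with the SDK constant names alongside, and both should be checked against the SDK reference and tried in a lab before use. The listener, rule and host names are the article’s; the listener IP address 203.0.113.10 is a constructed placeholder.

```powershell
# Added example: the wizard steps above, scripted against the TMG Administration SDK
# COM object. SDK names are as remembered and enum values are assumptions; verify both
# against the SDK reference. 203.0.113.10 is a constructed placeholder address.

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$listenerName = 'HTTP Listener'          # name used in the article (Figure 11)
$ruleName     = 'HTTP Web Server'        # name used in the article (Figure 3)

# --- New Web Listener Wizard (Figures 11 to 16) --------------------------------
$listener = $array.RuleElements.WebListeners.Add($listenerName)
$listener.Properties.TCPPort = 80        # Client Connection Security: plain HTTP only
$listener.Properties.SSLPort = 0         # no SSL port on this listener
# Web Listener IP Addresses: one specific address on the default External network,
# not every address bound to the external interface.
# FpcIPSelectionMethods (assumed values): 0 = all IPs, 1 = default IP, 2 = specified IPs
$listener.IPsOnNetworks.Add('External', 2, '203.0.113.10')
# Authentication Settings "No Authentication": no authentication scheme is added.
# Single Sign On stays off because nobody signs on to this listener.
$listener.Properties.SSOEnabled = $false
$listener.Save()

# --- New Web Publishing Rule Wizard (Figures 3 to 10, 17 to 20) ----------------
$rule = $array.ArrayPolicy.PolicyRules.AddWebPublishingRule($ruleName)
$rule.Action = 0                                  # FpcPolicyRuleActions: 0 = Allow
$wpp = $rule.WebPublishingProperties
$wpp.WebSite = 'dc1.msfirewall.org'               # Internal site name (Figure 7)
$wpp.PublicNames.Add('www.msfirewall.org')        # Public name (Figure 9)
$wpp.SetWebListener($listenerName)                # Select Web Listener (Figure 17)
# Authentication Delegation (Figure 18): "No delegation, and client cannot
# authenticate directly". FpcCredentialsDelegation value assumed: 1 = fpcDelegationNoneBlock
$wpp.CredentialsDelegationType = 1
# User Sets (Figure 19): the default "All Users", which on TMG means anonymous access.
# FPCRefs.Add(Name, 0), where 0 = fpcInclude
$rule.AccessProperties.UserSets.Add('All Users', 0)
# Server Connection Security (Figure 6) and the path pages (Figures 8 and 9) keep the
# SDK defaults here: non-SSL to the published server and no path restriction.
$rule.Save()                                      # commits to storage, the scripted counterpart of Apply

# --- Check: which web publishing rules are open to anonymous users? ------------
# Because "All Users" means unauthenticated users, this lists every published site
# that does not require pre-authentication, which is worth reviewing regularly.
# FpcPolicyRuleTypes value assumed: 2 = fpcPolicyRuleWebPublishing
foreach ($r in $array.ArrayPolicy.PolicyRules) {
    if ($r.Type -ne 2) { continue }
    $sets = @(foreach ($ref in $r.AccessProperties.UserSets) { $ref.Name })
    if ($sets -contains 'All Users') {
        '{0,-30} allows anonymous access (user sets: {1})' -f $r.Name, ($sets -join ', ')
    }
}
```

The closing loop is the check to keep: a rule created with the All Users default is reachable by anyone on the External network, so any rule that shows up in that list should be one you intended to publish anonymously.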
The Test Rule button allows you to see whether the web site is reachable from the TMG firewall. As you can see in Figure 21 below, when you click the Test Rule button, TMG will try to connect to the web server using an HTTP connection, and it also does a PathPing to the web server. As you can see in the figure, the TMG firewall was able to connect to the web server and the PathPing was successful.
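The two checks that Test Rule performs can be reproduced by hand from the TMG host, which is useful when a rule tests fine at creation time but stops working later. The script below is an added example and not TMG’s own Test Rule code: it opens a TCP connection to the published server on the HTTP port, sends a minimal HTTP/1.1 request, reads the status line, and then runs pathping.exe against the server. The server and site names are the article’s; the Host header it sends is an assumption, since which name TMG actually forwards to the published server depends on rule settings not covered in this walkthrough.

```powershell
# Added example: a manual version of what Test Rule does (Figure 21): an HTTP request
# to the published server plus a PathPing. Not TMG's Test Rule implementation.
# Host names come from the article; the Host header used is an assumption.

function Test-PublishedSite {
    param(
        [string]$InternalServer = 'dc1.msfirewall.org',  # Internal site name (Figure 7)
        [string]$HostHeader     = 'dc1.msfirewall.org',  # assumed; TMG's choice depends on rule settings
        [int]   $Port           = 80,                    # plain HTTP to the server (Figure 6)
        [string]$Path           = '/',                   # no path restriction (Figure 8)
        [int]   $TimeoutMs      = 5000
    )

    $result = New-Object PSObject -Property @{
        Server = $InternalServer; TcpConnect = $false; HttpStatus = $null; PathPingOk = $false
    }

    # 1. TCP connect and a minimal HTTP/1.1 request. A raw socket is used rather than
    #    a web client so that proxy settings on the TMG host cannot skew the test.
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    try {
        $client.Connect($InternalServer, $Port)
        $result.TcpConnect = $true
        $stream  = $client.GetStream()
        $request = "GET $Path HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader     = New-Object System.IO.StreamReader($stream)
        $statusLine = $reader.ReadLine()                 # e.g. "HTTP/1.1 200 OK"
        if ($statusLine -match '^HTTP/\d\.\d\s+(\d{3})') {
            $result.HttpStatus = [int]$matches[1]
        }
    } catch {
        Write-Warning "HTTP check against ${InternalServer}:$Port failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }

    # 2. PathPing, as the wizard does. -n skips reverse DNS lookups and -q 1 sends a
    #    single query per hop so the check finishes quickly.
    $pathping = & pathping.exe -n -q 1 $InternalServer 2>&1
    $result.PathPingOk = ($LASTEXITCODE -eq 0) -and (@($pathping -match 'Trace complete').Count -gt 0)
    $result
}

$r = Test-PublishedSite
$r | Format-List Server, TcpConnect, HttpStatus, PathPingOk
if (-not $r.TcpConnect) { Write-Error "Published server $($r.Server) is not reachable on the HTTP port." }
```

A TcpConnect of True with an HttpStatus in the 4xx or 5xx range tells you the network path is fine and the problem is on the web server or in the name it is being asked for, which narrows the troubleshooting considerably compared with a blank "Test Rule failed".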
Now you can see the new rule in the list of firewall rules. To activate the rule, you must click the Apply button, as seen in Figure 22 below.
The Configuration Change Description dialog box, shown in Figure 23, appears and you can enter a comment about the change you made in firewall policy. The TMG firewall stores this information so that you can use this as a part of your change management system, to help with troubleshooting in the future. Using this dialog box, you can also export the configuration of the firewall so that you can restore the configuration to where it was before you made this change. Click Apply to save the changes.
The configuration is now saved and you can see the results in the Saving Configuration Changes dialog box shown in Figure 24. Note that it says that existing client connections will be reevaluated according to the new policy. This is new with the TMG firewall – with the ISA firewall the firewall policy only applied to new connections.
In this article, we went through the basics of web publishing with TMG. We created a web publishing rule and we created a simple HTTP web listener. At the end of rule creation, we used the test button to determine whether the web site was reachable. In the next article in this series, we’ll create an SSL web site that requires authentication. This will expose you to some of the more advanced options that are available to you when creating web publishing rules. See you then! -Deb.