How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG) Introduction Understanding Forefront Threat Management Gateway (TMG) Network Topology Understanding Forefront Threat Management Gateway authentication Overview Install the SSL Server Certificate Create a New Web Listener for the mobilecho File Server Create a New Web Site Publishing Rule for the mobilecho File Server Configure an External DNS Entry for the mobilecho File Server Using mobilecho with a TMG reverse proxy server Introduction mobilecho's ipad clients connect to the mobilecho server running inside your firewall securely via HTTPS and need to traverse your firewall via either VPN, HTTP reverse proxy or an open HTTPS port. This article provides step by step instructions that enable connections by your user running mobilecho client from outside your network using the "reverse proxy" functions of the Microsoft Forefront Threat Management Gateway (TMG) software, which is the successor to ISA Server 2006. Forefront Threat Management Gateway (TMG) is a secure web gateway that enables safe employee web use through comprehensive protection against malware, malicious web sites and vulnerabilities. Building on its predecessor, ISA Server 2006, TMG provides new URL filtering, anti-malware, and intrusion-prevention technologies to protect businesses against the latest web-based threats. These technologies are integrated with core network protection features such as firewall and VPN to create a unified, easy-to-manage gateway. The Forefront TMG solution includes two separately licensed components: Forefront TMG server that provides URL filtering, antimalware inspection, intrusion prevention, application- and network-layer firewall and HTTP/HTTPS inspection in a single solution. Forefront TMG Web Protection Service that provides the continuous updates for malware filtering and access to cloud-based URL filtering technologies aggregated from multiple Web security vendors to protect against the latest Web-based threats. Understanding Forefront Threat Management Gateway (TMG) Network Topology Forefront TMG includes four different network templates that can fit into your existing network topology. It is important to choose the most appropriate for your organization option. After installing TMG, the Getting Started Wizard will appear, where you need to make initial configuration to your TMG. The first screen of the Getting Started Wizard is Configure Network Settings, where you need to make your choice about which network template to use. The following are your options: Edge Firewall - In this topology, Forefront TMG is located at the network edge, where it serves as the organization s edge firewall, and is connected to two networks: the internal network and the external network (usually the Internet).
3-Leg Perimeter - This topology implements a perimeter (DMZ) network. Forefront TMG is connected to at least three physical networks: the internal network, one or more perimeter networks and the external network. Back/Front Firewall - In this topology, Forefront TMG is located at the network s back-end. Use this topology when another network element, such as a perimeter network or an edge security device, is located between Forefront TMG and the external network. Forefront TMG is connected to the internal network and to the network element in front of it.
Single Network Adapter - This topology enables limited Forefront TMG functionality. In this topology, Forefront TMG is connected to one network only, either the internal network or a perimeter network. Typically, you would use this configuration when Forefront TMG is located in the internal corporate network or in a perimeter network, and another firewall is located at the edge, protecting corporate resources from the Internet. INFO For more information about how to install and configure TMG, visit: http://technet.micros oft.com/en-us/library/cc441445.aspx. For TMG minimum systems requirements, visit: http://www.microsoft.com/forefront/thr eat-management-gateway/en/us/system-requirements.aspx. For pricing details, visit: http://www.microsoft.com/forefront/threat-management-gate way/en/us/pricing-licensing.aspx. Go to top Understanding Forefront Threat Management Gateway authentication TMG provides 3 general methods of authenticating users and they are: HTTP authentication: Basic authentication - The user enters a username and password, which the TMG server validates against
the specified authentication server. Digest and WDigest authentication - Has the same features as the Basic authentication, but provides a more secure way of transmitting the authentication credentials. Integrated windows authentication - Uses the NTLM, Kerberos, and Negotiate authentication mechanisms. These are more secure forms of authentication because the user name and password are hashed before being sent across the network. Forms-based authentication: Password form - Prompts the user to enter a username and a password. Passcode form - Prompts the user to enter a username and a passcode. Passcode and Password form - Prompts the user to enter a username/password combination and a username/passcode combination. Client certificate authentication When users make a request for published resources, the client certificate sent to Forefront TMG is passed to a domain controller, which determines the mapping between certificates and accounts. The certificate must be matched to a user account. Note: Client certificate authentication is not supported for authenticating outbound Web requests. INFO For more information on TMG authentication, please visit these sites: http://technet.microsoft.com/en-us/library/cc441695.aspx http://technet.microsoft.com/en-us/library/cc441713.aspx Go to top Overview INFO This document covers the case when TMG is used as an Edge Firewall. If your organization uses TMG in a different network topology please contact GroupLogic for specific instructions. If you are using Microsoft Forefront Threat Management Gateway (TMG) to dedicate and protect your internal network from Internet threats and viruses, you need to make certain configurations to your TMG server to get it working with mobilecho. To use TMG as reverse proxy and firewall for your mobilecho server you need to create two separate networks on your TMG computer: internal and external. The two TMG network adapters should be properly configured, one with a private (internal IP address) and one with a public (external IP address). The mobilecho server should be part of the internal network.
To use mobilecho with TMG you need to complete the steps described in this document: Obtain an SSL server certificate and install it to your mobilecho server and to the TMG server computer. Create a web listener in TMG. Create new web site publishing rule for the mobilecho file server, so that the clients from outside your network can connect to mobilecho. Create an external DNS record in your DNS server. The mobilecho client app supports these forms of authentication with a reverse proxy server: Go to top Pass-through authentication HTTP authentication (username & password) Certificate authentication Install the SSL Server Certificate Request and install an SSL certificate using the FQDN for each mobilecho file server you want to publish via TMG in order to prevent DNS spoofing. You need to install the root SSL certificates on the TMG computer. These certificates should match the FQDN of each published server. Follow the steps bellow to import a certificate to the TMG computer: 1. On the TMG computer, click Start, type mmc, and then press Enter or click OK. 2. Click the File menu and then click Add/Remove Snap-in or press Ctrl+M. Under Available Snap-ins, click Ce rtificates and then click Add. 3. Select Computer Account and then click Next, click Local Computer and then click Finish. 4. Click OK in the Add Or Remove Snap-ins dialog box. 5. Expand Certificates (Local Computer), then expand Personal, and then expand Certificates. 6. Right-click the Certificates node, select All Tasks, and then select Import.... 7. The Welcome To The Certificate Import Wizard page appears. Click Next. 8. On the File To Import page, type the certificate location. 9. On the Password page, type the password provided by the entity that issued this certificate. 10. On the Certificate Store page confirm that the location is Personal. 11. The Completing The Certificate Import Wizard page should appear with a summary of your selections. Review the page and click Finish. Verify that your CA is in the list of trusted root CAs: 1. On each edge server, click Start, and then click Run. In the Open box, type mmc, and then click OK. This ope ns an MMC console. 2. On the File menu, click Add/Remove Snap-in. 3. In the Add Standalone Snap-ins box, click Certificates, and then click Add. 4. In the Certificate snap-in dialog box, click Computer account, and then click Next. 5. In the Select Computer dialog box, ensure that the Local computer: (the computer this console is running on) check box is selected, and then click Finish. 6. Click OK. In the console tree, expand Certificates (Local Computer), expand Personal, and then click Certific ates. 7. In the details pane, verify that your CA is on the list of trusted CAs. Repeat this procedure on each server. Go to top
Create a New Web Listener for the mobilecho File Server 1. Open the Forefront TMG Management Console. 2. Expand Forefront TMG (Array Name or Computer Name) in the left pane and click Firewall Policy. 3. In the right pane click the Toolbox tab, click Network Objects, right-click Web Listener and select New Web Listener from the menu. 4. The Welcome to the New Web Listener Wizard page appears. Give a name to the Web Listener (e.g. mobilecho WL) and click Next. 5. On the page select and click Client Connection Security Require SSL secured connections with clients Next.
6. On the Web Listener IP Addresses page select External and click Next.
7. On the Listener SSL Certificates page select Use a single certificate for this Web Listener and click the Sele ct Certificate button. Select the appropriate certificate and click the Select button to confirm your choice.
8. Confirm that the correct certificate appears on the Listener SSL Certificates page and click Next. 9. On the Authentication Settings page choose the type of authentication you'd like the mobilecho app to use when it contacts the TMG reverse proxy server, and click Next. mobilecho supports: No Authentication - Use this option if you'd like the mobilecho client requests to pass through the TMG reverse proxy server without needing to authenticate. HTTP Authentication - Use this option if you'd like the mobilecho client app to authenticate with the TMG reverse proxy using the user's username and password. This is typically the user's Active Directory
credentials. If the mobilecho app is configured to require authentication "Once per session" or "Once per server", the user will be prompted for their credentials when they initially contact the TMG reverse proxy server. SSL Client Certificate Authentication - Use this option if you'd like the mobilecho client app to authenticate with the TMG reverse proxy with an SSL user identity certificate. This certificate must be added to the mobilecho client app before the user can authenticate with the TMG reverse proxy server. Additional instructions can be found here. 10. On the Single Sign On Settings page verify that the SSO setting is disabled and click Next.
11. Review your selections on the Completing The New Web Listener Wizard page and click Finish.
12. Click the Apply button to commit the changes. 13. In the left pane of the Forefront TMG Management Console click Monitoring, then click on the Configuration ta b in the middle pane. Keep clicking on the Refresh Now link in the right pane ( Tasks tab) until there is a green icon with the checkbox in front of the TMG computer name (array name). Go to top Create a New Web Site Publishing Rule for the mobilecho File Server INFO The steps bellow are tested when the mobilecho file server's computer is configured to use TMG as a gateway.
1. In the Forefront TMG Management Console expand Forefront TMG (Array Name or Computer Name) in the left pane. 2. Right-click Firewall Policy, select New, and click Web Site Publishing Rule. 3. The Welcome to the New Web Publishing Rule Wizard page appears. Enter a name for the Web publishing rule (e.g. mobilecho WP) and click Next. 4. On the Select Rule Action page verify that the Allow option is selected and click Next.
5. On the Publishing Type page choose the applicable option for your case and click Next.
6. On the Server Connection Security page choose the Use SSL to connect to the published Web server or server farm option and click Next.
7. On the Internal Publishing Details page type "intname.domain.com" in the Internal site name field, where dom ain is a placeholder for the domain name the server you want to publish belongs to, and intname is a name you give to this server, which should be different than the external name in order to prevent routing loop. Click Next to commit the changes. NOTE Create a DNS entry in the internal DNS server of your organization for "intname.domain.com".
8. On the Internal Publishing Details page enter "/*" in the Path (optional) field to allow access to the entire content of the mobilecho file server. Click Next.
9. On the Public Name Details page you need to specify the name that the remote clients will use to connect to the published server. Enter "mobilecho.domain.com" in the Public name field, where domain is a placeholder for the domain name of the server you want to publish. Leave the other options the way they are by default and click Next.
10. On the Select Web Listener page select the web listener that you have created for mobilecho from the drop-down menu and click Next.
11. On the Authentication Delegation page select the No delegation, but client may authenticate directly optio n from the drop-down menu and click Next.
12. On the User Sets page verify that the default All Users option is present and click Next to continue.
13. On the Completing The New Web Publishing Rule Wizard page review the summary of your selections. Click Test Rule to confirm that the publishing rule is working properly. Click Finish to complete the process.
14. Click the Apply button to commit the changes. 15. In the left pane of the Forefront TMG Management Console click Monitoring, then click on the Configuration ta b in the middle pane. Keep clicking on the Refresh Now link in the right pane ( Tasks tab) until there is a green icon with the checkbox in front of the TMG computer name (array name). Go to top Configure an External DNS Entry for the mobilecho File Server After the TMG configuration process has been completed, you need to create a DNS record in the external DNS servers in order to redirect all mobilecho connections to the external network adapter of the TMG. The DNS entry should resolve the name of your mobilecho file server (mobilecho.domain.com) to the external IP address of the TMG server. All mobilecho client requests will be sent to and managed by TMG. In this configuration scenario, TMG does not require clients to authenticate, and all users will access the mobilecho file server without any knowledge
that the response is coming from the Microsoft Forefront TMG instead. Go to top Using mobilecho with a TMG reverse proxy server You can use the mobilecho Client or the mobilecho Management Server. This feature is built-in and requires little to no configuration. In the mobilecho client app you manually add the server by doing the following: 1. 2. 3. 4. 1. 2. 3. 4. 1. 2. 3. 4. 5. 6. Press the + button located in the left corner. This button allows you to add a new server. In the Server Name or IP Address field, write the path to your server (e.g. yourserver.companyname.com/m obilecho). Fill in your credentials ( username / password ). Tap Save. For multiple clients you should use the mobilecho Management Server: Go to top Using the reverse proxy server as the management server. Open the mobilecho_manager.cfg (located C:\Program Files (x86)\group Logic\mobilEcho Server\ManagementUI\). Find this line: MANAGEMENT_SERVER_ADDRESS Use the path to the server instead of the IP address (e.g. yourserver.companyname.com/mobilecho). Save and close the file. Using the reverse proxy server as a provisioned server. Open the web interface of the management server. Go to the Servers & Folders tab. Press Add New Server. In the Server Name or IP Address field write the path to your server (e.g. yourserver.companyname.com/mo bilecho). Enter a Display name. Either restrict this server to a couple of users or leave the default setting (available to all users).