This step-by-step guide explains how to install the SSL certificate, create a web listener, a web farm and an Exchange publishing rule to secure Exchange 2010 with Forefront TMG.

In my last post I introduced Forefront TMG's functionality to secure Exchange 2010. Today, I will show you how to configure Exchange and Forefront to work together.

Install the SSL Certificate

  1. Open the “Exchange Management Console”, go to “Server Configuration -> Exchange Certificate”, right-click the Exchange certificate and select “Export Exchange Certificate”.
  2. Name the certificate, enter a password and save it as a *.pfx file.
  3. Copy the file to your Forefront TMG server.
  4. Open a “Microsoft Management Console” on the Forefront TMG server by typing “mmc” at the command prompt.
  5. Add the Certificates snap-in via “File -> Add/Remove Snap-in”, choose “Computer account” and then “Local computer”.
  6. Expand the certificate tree (Local Computer) and select “Personal”.
  7. Right-click the “Personal” folder and select “All Tasks -> Import…”.
  8. Import the *.pfx file. You have to choose *.pfx as the file type instead of the default *.cer. Keep the default settings in the remaining dialogs.
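The same export and import done from the shell, as an added example that is not part of the original post: part 1 runs in the Exchange Management Shell on the CAS, part 2 in an elevated PowerShell on the TMG server. The certificate name mail.example.com, the path C:\Temp\exchange.pfx and the interactive password prompt are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the certificate's CN is
# mail.example.com and the PFX is staged at C:\Temp\exchange.pfx on both servers.

# --- Part 1: on the Exchange 2010 server, in the Exchange Management Shell ---
$subjectName = 'mail.example.com'       # assumed public name on the CAS certificate
$pfxPath     = 'C:\Temp\exchange.pfx'   # assumed export path

# Pick the certificate that is assigned to IIS (OWA, EAS, Outlook Anywhere) and carries the name.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.Subject -like "*CN=$subjectName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No IIS-enabled certificate for $subjectName found." }

# Export with the private key; the password protects the PFX on its way to the TMG server.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# --- Part 2: on the Forefront TMG server, in an elevated PowerShell, after copying the PFX ---
$subjectName = 'mail.example.com'
$pfxPath     = 'C:\Temp\exchange.pfx'
$pfxPassword = Read-Host -AsSecureString 'PFX password'

# MachineKeySet + PersistKeySet store the private key in the Local Computer context, which is
# what the Web Listener needs; Cert:\LocalMachine\My is the "Personal" store the MMC import targets.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($imported)
$store.Close()

# Verify: the listener can only use a certificate that still has its private key and is valid.
function Test-ListenerCertificate {
    param([string]$SubjectName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # must be True, or the listener cannot use it
                DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            }
        }
}
Test-ListenerCertificate -SubjectName $subjectName | Format-Table -AutoSize
```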

Create a Web Listener

  1. Open the “Forefront TMG Management Console”. In the right-hand column open the tab “Toolbox -> Network Objects” and create a “Web Listener” via “New”.
  2. Name the listener. In the next dialog keep the default setting (HTTPS).
  3. Assign the external network to the Web Listener. If you want to use preauthentication for your internal network, too, add the internal network as well.
  4. In the “Listener SSL Certificates” dialog choose the certificate you copied to the Forefront server in the previous step.
  5. Under “Authentication Settings” choose “HTML Form Authentication”. This ensures that forms-based authentication is used for OWA and that “Basic Authentication” is used for Outlook Anywhere and Exchange ActiveSync. To force users to authenticate, click the “Advanced” button and select the option “Require all users to authenticate”.
  6. If you want to use “Single Sign On”, provide the address
  7. Close the dialog by clicking “Next” and “Finish”.

Create a Web Farm

  1. Create a new “Server Farm” in the Forefront TMG Management Console. You can do this by choosing “Network Objects” in the right-hand column and opening the “New” menu.
  2. Name the Server Farm “Exchange Client Access Server” and add your Client Access Server on the next page.
  3. To configure “Server Farm Connectivity Monitoring” properly, you must change the entry under “Send an HTTP/HTTPS GET request” to “HTTPS://*/OWA/”.

The Exchange “Publishing Rule”

  1. In the Forefront TMG Management Console open the context menu of “Firewall Policy”; you can find the “Firewall Policy” node in the left-hand column. Create a new rule by choosing “New -> Exchange Web Client Access Publishing Rule”.
  2. Name the rule “Exchange Outlook Web App”.
  3. On the first page of the wizard select the Exchange version “Exchange 2010” and choose “Outlook Web Access” as the corresponding protocol.
  4. In the next dialog choose “Publish a server farm of load balanced Web servers”. Select this option even if you currently have only one Client Access Server, because it lets you add another server to the rule easily later on.
  5. On the next page choose SSL.
  6. Under “Internal Publishing Details” enter the URL
  7. In the next step choose the Server Farm you created before.
  8. In the “Accept requests for” selection list keep the option “This domain name (type below)”. The “Public name” is
  9. In the next dialog choose the Web Listener you created before.
  10. As the authentication method select “Basic authentication”. Make sure that the Client Access Server supports this authentication method; otherwise you have to change the configuration of your Client Access Server.
  11. On the last page you can grant access to specific users. If everybody should be able to use OWA, keep the option “All Authenticated Users”. Never use the option “All Users”: users would then not see an authentication dialog and therefore could not connect.
  12. Close the wizard.

So far only OWA has been configured for secure access. If you want to secure Exchange ActiveSync and Outlook Anywhere, you have to create “Publishing Rules” for them, too. Follow the steps listed above; the only difference is in step three, where you choose the corresponding service.

To use Autodiscover you have to add the Autodiscover URL to the Outlook Anywhere Publishing Rule.

  1. Open the “Properties” dialog of the rule.
  2. Under the “Public Name” tab add the Autodiscover URL via “New” (e.g.

Last but not least, you have to change your DNS entries so that they point to the external IP address of Forefront TMG. Be careful when changing them, though: if the FQDN of your MX record is the same as the FQDN of the Client Access Server, you have to create a new MX record and A record. Otherwise SMTP requests are directed to the external IP of the Forefront TMG and not to your Exchange server.
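A pre-cutover check for the two DNS conditions just described, as an added example that is not part of the original post: it verifies that the public name resolves to the TMG external address and flags any MX host that shares the published FQDN or that address. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later) and takes all names and addresses as parameters.

```powershell
# Added example, not from the original post. Requires Resolve-DnsName (Windows 8 / Server 2012+);
# run it from an admin workstation, optionally against a public resolver to see the external view.
function Test-TmgDnsCutover {
    param(
        [string]$MailDomain,        # e.g. example.com, the domain in users' e-mail addresses
        [string]$PublicName,        # the "Public name" of the OWA publishing rule
        [string]$TmgExternalIp,     # external IP address of the Forefront TMG server
        [string]$DnsServer = $null  # optional resolver, e.g. your ISP's or a public one
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # 1. The public name must resolve to TMG, otherwise clients never reach the Web Listener.
    $a = Resolve-DnsName -Name $PublicName -Type A @common | Where-Object { $_.Type -eq 'A' }
    $publicOk = @($a.IPAddress) -contains $TmgExternalIp

    # 2. No MX host may share the FQDN (or the address) of the published name; otherwise
    #    inbound SMTP is sent to the TMG web listener instead of the Exchange server.
    $mx = Resolve-DnsName -Name $MailDomain -Type MX @common | Where-Object { $_.Type -eq 'MX' }
    $conflicts = foreach ($record in $mx) {
        $mxHost = $record.NameExchange.TrimEnd('.')
        $mxIps  = @(Resolve-DnsName -Name $mxHost -Type A @common |
                    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($mxHost -ieq $PublicName -or $mxIps -contains $TmgExternalIp) { $mxHost }
    }

    New-Object PSObject -Property @{
        PublicNamePointsToTmg = $publicOk
        ConflictingMxHosts    = @($conflicts)
        Passed                = $publicOk -and (@($conflicts).Count -eq 0)
    }
}

# Constructed sample call; replace with your own domain, public name and TMG address.
Test-TmgDnsCutover -MailDomain 'example.com' -PublicName 'mail.example.com' `
                   -TmgExternalIp '203.0.113.10' -DnsServer '8.8.8.8' | Format-List
```

A result with ConflictingMxHosts listed means a separate MX record and A record are needed for SMTP before the A record of the public name is switched to TMG.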

When you access OWA now you should see the following screen:


At first glance it looks the same as before, but perhaps you have already noticed the line “Secured by Forefront Threat Management Gateway”. After you have tested everything thoroughly, you should delete the old firewall rules. Now it’s time to lean back and relax, because you have significantly increased the security of your Exchange installation.


© 4sysops 2006 - 2022