Dec 23 2012

Publishing Multiple HTTP Web Sites with TMG 2010

It’s a piece of cake to publish a single HTTP website with TMG 2010, but what do you do when you have multiple web sites in your organization and you want all of them to be visible to the world? It’s not a difficult process, but there are a lot of steps involved.

For this lab I have two web servers running IIS 7.5 (that’s Windows 2008 R2), a Domain Controller, and a TMG 2010 server. All servers are joined to the Windows domain vkernel.local. I wanted to put the web server configurations in a sentence, but then I realized that it was going to be a long one, so I created the table below:

| | Name | Sites / Port Number |
|---|---|---|
| Web Server 1 | Server-Web1 | www.vkernel.net – 80 |
| | | www.vkernel.org – 80 |
| | | www.vkernel.eu – 8080 |
| Web Server 2 | Server-Web2 | www.vkernel.info – 81 |

If you want, you can have multiple IP addresses on those IIS servers and bind every site to a separate IP address. For this demonstration, however, I have only a single IP on every IIS server. One important thing before we move forward: make sure your site headers are properly configured.

Now that your web servers/sites are functional, let’s publish them so they are accessible to the outside world. Open the TMG console, right-click Firewall Policy and select New > Web Site Publishing Rule.

Give the rule a name and continue the wizard. I will just type Site here because the wizard will complete the site name after we finish publishing and it will be in the form Site www.vkernel.org.

The rule action is to allow the traffic, so go with the default selection here.

Since we want to publish more than one site, select the last option, Publish multiple web sites. You can go with the first option too, but you will have to launch the wizard again for every site you want to make available to the outside world.

Click the Add button and type the name (specified in the site headers in IIS) of every site you want to publish. Do NOT check the box Forefront TMG will use SSL to connect to this web site (recommended), because we don’t use SSL between the TMG server and the IIS servers.


Leave this box empty, because we are publishing sites with different domain names.

Select the default HTTP Web Listener from the list and click Next.

Choose No delegation, but clients can authenticate directly; this is if you want clients to get authenticated by the IIS servers, not the TMG server.

We want all users to be able to access the websites, so leave All Users here and click Next.

On the last page of the wizard, if you click the Test Rule button, some of the websites will fail the test. This is because TMG by default tries to connect to those websites on port 80, but they are listening on ports 81 and 8080 respectively. We will change that in a moment. Click Finish to close the wizard.


As I told you, the wizard completes the rule names, so it’s not just Site as we named it at the beginning. Don’t apply the changes yet, because we need to modify two of the rules so the traffic is redirected to ports other than 80.

We need to modify the rules www.vkernel.eu and www.vkernel.info. Right-click one of them and choose Properties. Go to the Bridging tab and modify the port in the Redirect requests to HTTP port box. Make the change on the other rule too. When you’re done, submit the changes by clicking the Apply button.


Let’s open a browser from an external client and see how it works.


On the TMG server logs, we can see the traffic is allowed and redirected to the internal web servers.

If, for some reason, you get the error message “ERROR Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)”, it is because the publishing wizard put a dot (.) at the end of the public web site name in the rule.

To get rid of the error, and make the site functional, right-click the TMG rule and choose Properties. Go to the Public Name tab, select the web site from the list, and click the Edit button. Remove the dot (.) at the end of the website and click OK. Apply the changes, and do another test from the external client; it should work now.
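To repeat the external-client test for all four sites in one pass, the script below sends one request per public name to the TMG listener and flags the 403 (12202) denial described above. It is an added example, not part of the original article; the listener address 203.0.113.10 and the function names are assumptions, and the final check assumes that only the four names are published, so a request addressed by IP should not be served.

```python
import http.client

# Public names from the article's lab; the listener IP is a placeholder (assumption).
PUBLISHED = ["www.vkernel.net", "www.vkernel.org", "www.vkernel.eu", "www.vkernel.info"]
TMG_EXTERNAL_IP = "203.0.113.10"


def classify(status, body):
    """Turn one listener response into a verdict."""
    if status == 403 and "12202" in body:
        # The denial the article describes (trailing dot in the rule's Public Name).
        return "denied-12202"
    if 200 <= status < 400:
        return "published"
    return "error-%d" % status


def probe(listener_ip, host, port=80, timeout=5):
    """GET / on the listener, naming the published site in the Host header."""
    conn = http.client.HTTPConnection(listener_ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.read(4096).decode("latin-1", "replace"))
    except (OSError, http.client.HTTPException) as exc:
        return "unreachable-" + type(exc).__name__
    finally:
        conn.close()


def audit(listener_ip, names, probe_fn=probe):
    """Probe every public name, plus the bare IP, and list what needs attention."""
    results = {name: probe_fn(listener_ip, name) for name in names}
    problems = [name for name in names if results[name] != "published"]
    # Assumption: only the names above are published, so a request that uses
    # the IP as Host should not reach any web server.
    results[listener_ip] = probe_fn(listener_ip, listener_ip)
    if results[listener_ip] == "published":
        problems.append(listener_ip)
    return results, problems


if __name__ == "__main__":
    results, problems = audit(TMG_EXTERNAL_IP, PUBLISHED)
    for name, verdict in results.items():
        print("%-18s %s" % (name, verdict))
    raise SystemExit(1 if problems else 0)
```

Run it from a machine outside the TMG external interface; a non-zero exit code means at least one name is not being served or the bare IP is.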



  1. mohamed

    thx for this very useful tutorial but I have a problem
    I have a web site on IIS and another on Apache
    I open the site on apache from a link in IIS site
    IIS site works fine
    the site on apache is published with url as follow:
    . (I mean it uses direct real IP)
    I tried to publish it on TMG 2010 beside the site on IIS but it gives me “Bad Request” page
    i.e. apache uses also port 80

    1. Adrian Costea

      You need to use/publish the FQDN of the site that is running on Apache, not the IP address. This way all traffic using that FQDN will be sent to the Apache web server. If you are not using SSL it is easy. Let me know how it works.

  2. saad


    TMG server is on IP

    Web Server 1 ab.com
    Web Server 1 abc.com

    I have published websites using publish multiple websites, but how can I tell TMG that website ab.com is on IP and abc.com

    When I published a single website TMG asked “Use a computer name or IP address to connect to the published server”, but in multiple websites publishing it is not asking for the IP address of the server which is hosting the website.

    1. Adrian Costea

      Right-click the rule and choose Properties. Go to the To tab and here you can find a Browse button. If you click it you can specify the computer name, or just type its IP address in the box. Let me know how it works because I kinda rushed the article :-).
