It’s a piece of cake to publish a single HTTP website with TMG 2010, but what do you do when you have multiple web sites in your organization and you want all of them to be visible to the world? It is not a difficult process, but there are a lot of steps involved.
For this lab I have two web servers running IIS 7.5 (that’s Windows 2008 R2), a Domain Controller, and a TMG 2010 server. All servers are joined to the Windows domain vkernel.local. I wanted to put the web server configurations in a sentence, but then I realized it was going to be a long one, so I created the table below:
| Server | Computer name | Web site – port |
|---|---|---|
| Web Server 1 | Server-Web1 | www.vkernel.net – 80; www.vkernel.org – 80; www.vkernel.eu – 8080 |
| Web Server 2 | Server-Web2 | www.vkernel.info – 81 |
If you want, you can have multiple IP addresses on those IIS servers and bind every site to a separate IP address. For this demonstration, however, I have only a single IP on every IIS server. One important thing before we move forward: make sure your site headers are properly configured.
Now that your web servers/sites are functional, let’s publish them so they are accessible to the outside world. Open the TMG console, right-click Firewall Policy and select New > Web Site Publishing Rule.
Give the rule a name and continue the wizard. I will just type Site here because the wizard will complete the site name after we finish publishing and it will be in the form Site www.vkernel.org.
The rule action is to allow the traffic, so go with the default selection here.
Since we want to publish more than one site, select the last option, Publish multiple web sites. You can go with the first option too, but you will have to launch the wizard again for every site you want to make available to the outside world.
Click the Add button and type the name (specified in the site headers in IIS) of every site you want to publish. Do NOT check the box Forefront TMG will use SSL to connect to this web site (recommended), because we don’t use SSL between the TMG server and the IIS servers.
Leave this box empty, because we are publishing sites with different domain names.
Select the default HTTP Web Listener from the list and click Next.
Choose No delegation, but clients can authenticate directly; use this if you want clients to be authenticated by the IIS servers, not the TMG server.
We want all users to be able to access the websites, so leave All Users here and click Next.
On the last page of the wizard, if you click the Test Rule button, some of the websites will fail the test. This is because TMG tries to connect to those websites on port 80 by default, but they are listening on ports 81 and 8080 respectively. We will change that in a moment. Click Finish to close the wizard.
As I told you, the wizard completes the rule names, so a rule is not just called Site as we named it at the beginning. Don’t apply the changes yet, because we need to modify two of the rules so that the traffic is redirected to ports other than 80.
We need to modify the rules for www.vkernel.eu and www.vkernel.info. Right-click one of them and choose Properties. Go to the Bridging tab and modify the port in the Redirect requests to HTTP port box. Make the change on the other rule too. When you’re done, submit the changes by clicking the Apply button.
Let’s open a browser from an external client and see how it works.
In the TMG server logs, we can see the traffic is allowed and redirected to the internal web servers.
If, for some reason, you get the error message “ERROR Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)”, it is because the publishing wizard put a dot (.) at the end of the public web site name in the rule.
To get rid of the error and make the site functional, right-click the TMG rule and choose Properties. Go to the Public Name tab, select the web site from the list, and click the Edit button. Remove the dot (.) at the end of the website name and click OK. Apply the changes and do another test from the external client; it should work now.
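The two pitfalls in this walkthrough (rules left redirecting to port 80, and a trailing dot in the public name) can be caught by comparing the rules against the IIS bindings before testing from outside. The sketch below is an added example, not part of the original post and not a TMG tool; the rule records are a constructed, hand-written representation (TMG does not export this format), and which rule carries the trailing dot is an assumption for illustration.

```python
# Added example: audit TMG publishing rules against the IIS bindings in the lab table.
# The rule records are written by hand for illustration; this is not a TMG export format.

# IIS bindings as read from the lab table: host header -> (server, port)
IIS_BINDINGS = {
    "www.vkernel.net": ("Server-Web1", 80),
    "www.vkernel.org": ("Server-Web1", 80),
    "www.vkernel.eu": ("Server-Web1", 8080),
    "www.vkernel.info": ("Server-Web2", 81),
}

# Constructed sample: the rules as the wizard leaves them, before the manual fixes.
RULES_AFTER_WIZARD = [
    {"name": "Site www.vkernel.net", "public_name": "www.vkernel.net", "redirect_port": 80},
    {"name": "Site www.vkernel.org", "public_name": "www.vkernel.org.", "redirect_port": 80},
    {"name": "Site www.vkernel.eu", "public_name": "www.vkernel.eu", "redirect_port": 80},
    {"name": "Site www.vkernel.info", "public_name": "www.vkernel.info", "redirect_port": 80},
]


def audit(rules, bindings):
    """Return a sorted list of (rule or site name, problem) tuples."""
    findings = []
    published = set()
    for rule in rules:
        public = rule["public_name"]
        if public.endswith("."):
            # The trailing dot is what produces the 403 (12202) described above.
            findings.append((rule["name"], "public name ends with a dot (403 / 12202)"))
        host = public.rstrip(".").lower()
        published.add(host)
        if host not in bindings:
            findings.append((rule["name"], "no IIS site uses this host header"))
            continue
        port = bindings[host][1]
        if rule["redirect_port"] != port:
            # Bridging tab still points at the wrong port, so Test Rule fails.
            findings.append(
                (rule["name"], f"redirects to port {rule['redirect_port']}, IIS listens on {port}")
            )
    for host in bindings:
        if host not in published:
            findings.append((host, "IIS site has no publishing rule"))
    return sorted(findings)


if __name__ == "__main__":
    for name, problem in audit(RULES_AFTER_WIZARD, IIS_BINDINGS):
        print(f"{name}: {problem}")
```

An empty result means every public name is clean and every rule redirects to the port its IIS site is bound to.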