Forefront TMG and Secure Sockets Layers
With Forefront TMG you can use Secure Sockets Layer (SSL) security features for authentication in Web publishing rules and for outgoing Web requests. When a client request is sent to a server over a secure (SSL) channel, all messages sent between the client and the server are encrypted by the sender using the client's public key and decrypted by the recipient using the server's private key, and digital certificates are used for authentication.
When a client sends a request using the HTTPS protocol (HTTP over SSL) for an object from a Web server published by Forefront TMG, SSL certificates are used in serveral ways:
- The Forefront TMG computer publishing the Web server authenticates itself to the client by sending a server certificate to the client.
- The Forefront TMG sends a request to the client for the client to authenticate itself using an SSL certificate. In this case, the client must present an appropriate client certificate to the Forefront TMG computer.
- When HTTPS-to-HTTPS bridging is enabled in the Web publishing rule, SSL connections are required both between the client on the Internet and the Forefront TMG computer and between the Forefront TMG computer and the Web server. In this case, the Web server must authenticate itself to the Forefront TMG computer by presenting a server certificate, and the Forefront TMG computer must authenticate itself to the Web server by presenting a client certificate.
When a Web chaining rule that forwards outgoing Web requests to an upstream server over an SSL connection is configured for a Forefront TMG computer, the upstream server presents a server certificate to the Forefront TMG computer, and the Forefront TMG computer may be required by the upstream server to present a client certificate for authentication.
SSL certificates are issued by a certification authority (CA). Each SSL certificate contains encrypted identifying information about the certificate's owner and about the CA that issued the certificate. A computer (client or server) trusts an SSL certificate only when it has the root certificate of the CA that issued the certificate in the appropriate Trusted Root Certification Authorities store.
A server certificate is always required to prove that the name of the server is identical to the name of the host requested by the client before an SSL session is established. When a client sends an SSL request to a Web server through a Forefront TMG computer, the server responding to the request must authenticate itself to the client by providing its server certificate. If the Forefront TMG computer is configured to terminate SSL connections to external Web servers, the Forefront TMG will have to authenticate itself to the client. You must configure and specify a server-side certificate on the Forefront TMG computer to use for authenticating the Forefront TMG computer to the client.
The server certificate must be installed on the Forefront TMG computer in the Personal store for the local computer. The certificate name must be identical to the name of the published Web server (for incoming Web requests) or to the name of the Forefront TMG computer (for outgoing Web requests).
If SSL certificate authentication is required by a Web publishing rule, Forefront TMG requests a client certificate from the client before allowing the request.
The Forefront TMG computer receives the request and sends a server certificate to the client. The Forefront TMG computer thereby identifies itself as the SSL Web server. The client receives the certificate, and verifies that the certificate indeed belongs to the Forefront TMG computer.
The client then resends its request to the Forefront TMG computer. However, the Forefront TMG computer requires a certificate from the client that must have been previously issued. The Forefront TMG computer verifies that the certificate indeed belongs to a client that is allowed access.
When HTTP-to-HTTPS or HTTPS-to-HTTPS bridging is enabled in a Web publishing rule, the Forefront TMG computer must present a client certificate to the Web server. The SSL client certificate attached to a Web publishing rule is specified in the WebPublishingProperties.SSLClientCertificate property of the FPCPolicyRule object representing the rule.
When requests are forwarded as SSL requests by a Web chaining rule, the upstream server may require authentication of the Forefront TMG computer using a client certificate. The SSL client certificate attached to a Web chaining rule is specified in the SSLClientCertificate property of the FPCRoutingRule object representing the rule.
The client certificate presented by a Forefront TMG computer must be present in the Personal store for the Microsoft Firewall service (the fwsrv\Personal store).
Build date: 7/12/2010