Configure Forefront TMG for a hybrid environment

Summary: Learn how to configure Forefront TMG 2010 as a reverse proxy device in a SharePoint hybrid environment.

This article tells you how to set up Forefront Threat Management Gateway (TMG) 2010 for use as a reverse proxy for a hybrid SharePoint Server environment.

For complete information about Forefront Threat Management Gateway (TMG) 2010, see Forefront Threat Management Gateway (TMG) 2010.

Before you begin

Before you begin, there are a few things you need to know:

  • TMG has to be deployed in an edge configuration, with at least one network adapter connected to the Internet and configured for the external network in TMG, and at least one network adapter connected to the intranet and configured for the internal network in TMG.

  • The TMG server has to be a domain member in the Active Directory forest that contains your Active Directory Federation Services (AD FS) 2.0 server. The TMG server has to be joined to this domain in order to use SSL client certificate authentication, which is used to authenticate inbound connections from SharePoint Online.

    Security Note

    As a general best practice for edge deployments, you normally install Forefront TMG in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. However, you can configure client certificate authentication only for users in the domain to which the TMG server is joined, so this practice cannot be followed for hybrid environments.

    For more information on TMG network topology considerations, see Workgroup and domain considerations.

  • Deploying TMG 2010 for use in a SharePoint Server hybrid environment in a back-to-back configuration is theoretically possible but has not been tested and may not work.

  • TMG 2010 includes both diagnostic logging and a real-time logging interface. Logging plays an important role in troubleshooting connectivity and authentication issues between SharePoint Server and SharePoint Online. Identifying the component that is causing a connection failure can be challenging, and the TMG logs are the first place you should look for clues. Troubleshooting can involve comparing log events from the TMG logs, SharePoint Server ULS logs, Windows Server event logs, and Internet Information Services (IIS) logs on multiple servers.

For more information on how to configure and use logging in TMG 2010, see Using diagnostic logging.

For more information on general TMG 2010 troubleshooting, see Forefront TMG Troubleshooting.

For more information on troubleshooting techniques and tools for SharePoint Server hybrid environments, see Troubleshooting hybrid environments.

Install TMG 2010

If you have not already installed TMG 2010 and configured it for your network, use this section to install TMG 2010 and prepare the TMG system.

Install TMG 2010

  1. Install Forefront TMG 2010 if it is not already installed. For more information on installing TMG 2010, see Forefront TMG Deployment.

  2. Install all the available service packs and updates for TMG 2010. For more information, see Installing Forefront TMG Service Packs.

  3. Join the TMG server computer to the on-premises Active Directory domain if it is not already a domain member.

    For more information on deploying TMG 2010 in a domain environment, see Workgroup and domain considerations.

Import the Secure Channel SSL certificate

You must import the Secure Channel SSL certificate into both the Personal store of the local computer account and the Personal store of the Microsoft Forefront TMG Firewall service account (fwsrv).

The location of the Secure Channel SSL certificate is recorded in Row 1 (Secure Channel SSL Certificate location and Filename) of Table 4b: Secure Channel SSL Certificate.
If the certificate contains a private key, you will need to provide the certificate password, which is recorded in Row 4 (Secure Channel SSL Certificate password) of Table 4b: Secure Channel SSL Certificate.

Import the certificate

  1. Copy the certificate file from the location specified in the worksheet to a folder on the local hard disk.

  2. On the reverse proxy server, open MMC and add the Certificate Management snap-in for both the local computer account and the local fwsrv service account.

    Note

    After TMG 2010 has been installed, the friendly name of the fwsrv service is the Microsoft Forefront TMG Firewall service.

  3. Import the Secure Channel SSL certificate into the Personal certificate store of the computer account.

  4. Import the Secure Channel SSL certificate into the Personal certificate store of the fwsrv service account.

For more information about how to import an SSL certificate, see Import a Certificate.
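The computer-account half of this procedure (steps 1 and 3) can be scripted and checked rather than clicked through. The following PowerShell is an added example, not code from the Microsoft page: it imports the PFX into the local computer's Personal store with a machine-scoped, persisted private key, then confirms the certificate is present in LocalMachine\My with its private key. The path in $PfxPath and the prompt text are placeholders; substitute the file location and password recorded in Rows 1 and 4 of Table 4b. Only .NET classes available on Windows Server 2008 R2 / PowerShell 2.0 are used, since that is the platform TMG 2010 runs on. The fwsrv service account's store is not exposed through X509Store or the Cert: drive, so step 4 is still done in the MMC.

```powershell
# Added example (not from the Microsoft page): import the Secure Channel SSL certificate
# into the local computer's Personal store and confirm the private key came with it.
# $PfxPath is a placeholder; use the file copied in step 1 (Row 1 of Table 4b).
param([string]$PfxPath = "C:\certs\securechannel.pfx")

function Import-SecureChannelCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)

    # MachineKeySet puts the private key in the machine-wide key container, which is what a
    # listener running under the computer account needs; PersistKeySet keeps the key on disk
    # instead of discarding it when this process exits.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path, $Password, $flags)

    if (-not $cert.HasPrivateKey) {
        throw "The file at $Path carries no private key; the web listener cannot use it."
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $store.Add($cert)
    } finally {
        $store.Close()
    }
    return $cert
}

function Confirm-CertificateInStore {
    param([string]$Thumbprint)
    # Re-read the store rather than trusting the object we just added.
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $match) { throw "Certificate $Thumbprint was not found in LocalMachine\My." }
    if (-not $match.HasPrivateKey) { throw "Certificate $Thumbprint is in the store but has no private key." }
    return $match
}

# The password is the one recorded in Row 4 of Table 4b; it is read as a SecureString so it
# never sits in the script or in the console history.
$password = Read-Host -Prompt "Secure Channel SSL certificate password (Row 4, Table 4b)" -AsSecureString
$imported = Import-SecureChannelCertificate -Path $PfxPath -Password $password
$check = Confirm-CertificateInStore -Thumbprint $imported.Thumbprint
"Imported {0} (thumbprint {1}, private key: {2}, expires {3})" -f $check.Subject, $check.Thumbprint, $check.HasPrivateKey, $check.NotAfter
```

Note the thumbprint the script prints: it is the value you will look for in the Select Certificate dialog when you bind the listener, and it is the value an external check can compare against to confirm the listener is presenting this certificate and not another one.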

Configure TMG 2010

In this section, you configure a web listener and a publishing rule that will receive inbound requests from SharePoint Online and relay them to the primary web application of your SharePoint Server farm. The web listener and the publishing rule work together to define the connection rules and to pre-authenticate and relay the requests. You configure the web listener to authenticate inbound connections using the Secure Channel certificate you installed in the previous procedure.

For more information on configuring publishing rules in TMG, see Configuring Web publishing.

For more information on SSL bridging in TMG 2010, see About SSL bridging and publishing.

Use the following procedure to create the publishing rule and web listener.

Create the publishing rule and web listener

  1. In the Forefront TMG Management Console, in the left navigation pane, right-click Firewall Policy, and then click New.

  2. Select SharePoint Site Publishing Rule.

  3. In the New SharePoint Publishing Rule Wizard, in the Name text box, type the name of the publishing rule (for example, "Hybrid Publishing Rule"). Click Next.

  4. Select Publish a single Web site or load balancer, and then click Next.

  5. To use HTTP for the connection between TMG and your SharePoint Server farm, select Use non-secured connection to connect the published Web server or server farm, and then click Next.

    To use HTTPS for the connection between TMG and your SharePoint Server farm, select Use SSL to connect the published Web server or server farm, and then click Next.

    Note

    If you use SSL, ensure that you have a valid certificate installed on the primary web application.

  6. In the Internal Publishing Details dialog box, in the Internal site name text box, type the internal DNS name of the bridging URL, and then click Next. This is the URL that the TMG server will use to relay requests to the primary web application.

    Note

    Do not type the protocol (http:// or https://).

    The Bridging URL is recorded in one of the following locations in the SharePoint Hybrid worksheet:

    • If your primary web application is configured with a host-named site collection, use the value in Row 1 (Primary web application URL) of Table 5a: Primary web application (host-named site collection).

    • If your primary web application is configured with a path-based site collection, use the value in Row 1 (Primary web application URL) of Table 5b: Primary web application (path-based site collection without AAM).

    • If your primary web application is configured with a path-based site collection with AAM, use the value in Row 5 (Primary web application URL) of Table 5c: Primary web application (path-based site collection with AAM).

  7. In the Use a computer name or IP address to connect to the published server box, optionally type the IP address or the fully qualified domain name (FQDN) of the primary web application or network load balancer, and then click Next.

    Note

    If TMG can resolve the primary web application using the host name you provided in the previous step, you do not have to perform this step.

  8. In the Public Name Details dialog box, accept the default setting on the Accept requests for menu. In the Public name text box, type the host name of your External URL (for example, "sharepoint.adventureworks.com"), and then click Next. This is the host name in the external URL that SharePoint Online will use to connect to your SharePoint Server farm.

    Note

    Do not type the protocol (http:// or https://).

    The External URL is recorded in Row 3 (External URL) of Table 3: Public Domain Info in the SharePoint Hybrid worksheet.

  9. In the Select a Web Listener dialog box, select New.

  10. In the New Web Listener Wizard dialog box, in the Web listener name text box, type a name for the web listener, and then click Next.

  11. In the Client Connection Security dialog box, select Require SSL secured connections with clients, and then click Next.

  12. In the Web Listener IP Addresses dialog box, select External <All IP addresses>, and then click Next.

    If you want to restrict the listener to a specific external IP address, click the Select IP Addresses button, and then in the External Network Listener IP Selection dialog box, select Specified IP addresses on the Forefront TMG computer in the selected network. Click Add to specify an IP address, and then click OK.

  13. In the Listener SSL Certificates dialog box, select Use a single certificate for this Web Listener, and click the Select Certificate button. In the Select Certificate dialog box, select the Secure Channel SSL certificate you imported to the TMG computer, click Select, and then click Next.

  14. In the Authentication Settings dialog box, select SSL Client Certificate Authentication, and then click Next. This setting requires client certificate credentials for inbound connections, using the Secure Channel certificate.

  15. Click Next to bypass the Forefront TMG single sign-on settings.

  16. Review the New Listener summary page, and click Finish. This returns you to the Publishing Rule Wizard, in which your newly created web listener is automatically selected.

  17. In the Select Web Listener dialog box, in the Web Listener drop-down menu, make sure the correct web listener is selected, and click Next.

  18. In the Authentication Delegation dialog box, select No delegation, but client may authenticate directly from the drop-down menu, and then click Next.

  19. In the Alternate Access Mapping Configuration dialog box, select SharePoint AAM is already configured on the SharePoint server, and then click Next.

  20. In the User Sets dialog box, select the All Authenticated Users entry, and click Remove. Then click Add, and in the Add Users dialog box, select All Users, and then click Add. Click Close to close the Add Users dialog box, and then click Next.

  21. In the Completing the New SharePoint Publishing Rule Wizard dialog box, confirm your settings, and then click Finish.

There are several settings that you must now verify or change in the publishing rule you just created.

Finalize the publishing rule configuration

  1. In the Forefront TMG Management Console, in the left navigation pane, select Firewall Policy, and in the Firewall Policy Rules list, right-click the publishing rule you just created, and click Configure HTTP.

  2. In the Configure HTTP policy for rule dialog box, on the General tab, under URL Protection, confirm that both Verify normalization and Block high bit characters are unchecked, and then click OK.

  3. Right-click the publishing rule you just created again, and click Properties.

  4. In the <rule name> Properties dialog box, on the To tab, uncheck the Forward the original host header instead of the actual one box. Under Proxy requests to published site, ensure that Requests appear to come from the original client is selected.

  5. On the Link Translation tab, ensure that the Apply link translation to this rule check box is set correctly:

    • If the internal URL of your primary web application and the external URL are identical, uncheck the Apply link translation to this rule check box.

    • If the internal URL of your primary web application and the external URL are different, check the Apply link translation to this rule check box.

  6. On the Bridging tab, under Web server, ensure that the correct Redirect requests to <HTTP port or SSL port> check box is checked and that the port in the text box corresponds to the port your internal site is configured to use.

  7. Click OK to save your changes to the publishing rule.

  8. In the Forefront TMG Management Console, on the top bar, click Apply to apply your changes to TMG. It might take one or two minutes for TMG to process your changes.

  9. To validate your configuration, right-click the new publishing rule in the Firewall Policy Rules list, and click Properties.

  10. In the <rule name> Properties dialog box, click the Test Rule button. TMG runs a series of tests to check connectivity to the SharePoint site and displays the results of the tests in a list. Click each configuration test for a description of the test and its results. Fix any errors that appear.
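Test Rule checks the path from TMG inward to the SharePoint farm. It does not tell you what an external party such as SharePoint Online sees at the listener, so it is worth adding a check from outside the internal network. The following PowerShell is an added example, not code from the Microsoft page: it opens a TLS connection to the external host name, reads the certificate the listener presents, compares its thumbprint with the Secure Channel SSL certificate's thumbprint (as shown in the MMC), and then makes a plain HTTPS request without a client certificate to confirm that the listener does not hand out SharePoint content to an anonymous client. The host name and thumbprint are placeholders; use the values from Row 3 of Table 3 and from your certificate. Only .NET classes available on Windows Server 2008 R2 / PowerShell 2.0 are used.

```powershell
# Added example (not from the Microsoft page): external check of the TMG web listener.
# Both parameters are placeholders: $ExternalHost is the host name from Row 3 (External URL)
# of Table 3, and $ExpectedThumbprint is the Secure Channel SSL certificate's thumbprint.
# Run this from a machine that reaches the listener over the Internet, not from the TMG server.
param(
    [string]$ExternalHost = "sharepoint.adventureworks.com",
    [string]$ExpectedThumbprint = "0000000000000000000000000000000000000000"
)

function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback returns $true so the handshake completes even if this client
        # does not trust the issuing chain; identity is checked below by thumbprint instead.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $remote
    } finally {
        $client.Close()
    }
}

function Test-ListenerThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate, [string]$Expected)
    # Thumbprints copied from the MMC often carry spaces or colons; normalize before comparing.
    $wanted = ($Expected -replace "[^0-9A-Fa-f]", "").ToUpperInvariant()
    return ($Certificate.Thumbprint.ToUpperInvariant() -eq $wanted)
}

function Test-AnonymousRequest {
    param([string]$Url)
    # No client certificate is attached, so a correctly configured listener should not return
    # SharePoint content here. The status (or the failure reason) is returned for the operator.
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = "GET"
    $request.AllowAutoRedirect = $false
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return $status
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return "no HTTP response ($($_.Exception.Status))"
    }
}

$cert = Get-ListenerCertificate -HostName $ExternalHost
"Listener presents: {0} (thumbprint {1}, expires {2})" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
if (Test-ListenerThumbprint -Certificate $cert -Expected $ExpectedThumbprint) {
    "Thumbprint matches the Secure Channel SSL certificate."
} else {
    "WARNING: the listener is not presenting the expected Secure Channel SSL certificate."
}
"Anonymous GET without a client certificate returned: {0}" -f (Test-AnonymousRequest -Url "https://$ExternalHost/")
```

A thumbprint mismatch usually means the wrong certificate was chosen in step 13 of the listener wizard or that another listener is bound to the same external IP address. A 200 on the anonymous request means the listener is not enforcing SSL Client Certificate Authentication (step 14) or the rule's user set still allows unauthenticated access; a TrustFailure reported by the second check only tells you that the testing client does not trust the issuing chain, which is why identity is compared by thumbprint rather than by chain validation.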

See also

Concepts

Hybrid for SharePoint Server

Configure a reverse proxy device for SharePoint Server hybrid

Other Resources

Configuring Web publishing

Forefront Threat Management Gateway (TMG) 2010