Configuring TMG as an AD FS 2.0 Proxy

TMG vs the AD FS 2.0 proxy

TMG 2010 can be used as a basic proxy for AD FS 2.0. Requests made to AD FS 2.0 are forwarded to your internal AD FS server and the responses are sent back to the client. The AD FS 2.0 proxy offers certain benefits over TMG: if you are looking to add Office 365 in the future, the AD FS 2.0 proxy offers additional flexibility with endpoints and you can set up a Client Access Policy.

If you already have TMG set up as your edge firewall, you can have TMG point to your AD FS 2.0 proxy to get this functionality.

Basic setup of TMG 2010

-Windows Server 2008 SP2 or higher
-2GB RAM
-2 NICs (one external, one internal)

Installing TMG 2010

*Before installing TMG you should configure the internal & external IP addresses

-Run Windows Update
-Run the Preparation Tool
-Run the Installation Wizard
-Set: internal NIC & Network
-The Getting Started Wizard will load after the initial installation is complete

Configure Network Settings

Network Template
-Choose: Edge Firewall
LAN Settings
-Choose: Internal NIC
Internet Settings
-Choose: External NIC
Configure System Settings

Host Identification
-If you have not named your server or joined it to the domain, you have the option to configure it here.
-Configure: Computer Name, Domain, DNS Suffix
Define Deployment Options

Windows Updates
-Choose: Disabled
NIS
-Choose: Disable NIS
Web Protection
-Choose: Disable Web Protection
Customer Feedback
-Choose: None
Web Access Wizard
-Optional; set this if you want to configure TMG as a proxy for the Internet
Configure Firewall Policy

Publish the AD FS 2.0 server as a web site
Go to: Firewall Policy -> Publish Web Sites
Web Publishing Rule Name
-Use a name that makes sense (Ex: Federation)
Rule Action
-Choose: Allow
Publishing Type
-Choose: Publish a single Web site or load balancer
Server Connection Security
-Choose: Use SSL
Internal Site Name
-Use your internal server name or DNS name (Ex:
-It is important to not prefix this with https://
-Enter the same value for the computer name or IP address
-Path: enter /*
-The wildcard indicates that all folders and files beneath the site root are valid and will be processed by TMG 2010
Accept requests for
-Choose: This domain name (type below)
Public name:
-Same as the internal site name (Ex:
-It is important to not prefix this with https://
Web Listener
-Create new listener
Create new listener
-Name: Any name you want, ex: Federation Listener
-Security: Require SSL
-IP Addresses: External
-Certificate: Select a certificate that external clients can validate (trusted issuer, matching the public name)
-Authentication: No Authentication*
-Delegation: No delegation, but client may authenticate directly*
-User Sets: All Users

* This sets up the listener and site for pass-through authentication. TMG lets all users through, and they authenticate directly on the AD FS server. If you choose “No delegation, and client cannot authenticate directly”, authentication requests from the server will be dropped.

Configure Policy

Disable “Verify normalization”
-Right click policy, Configure HTTP, Uncheck “Verify normalization”
Disable “Link Translation”
-Right click policy, Properties, Link Translation Tab, Uncheck “Apply link translation to this rule”
Verify settings

Apply settings
-The service must restart for the settings to apply

Configure name resolution in DNS or a hosts file
-Your test machine should have an IP address that would map as external
-The URL for your AD FS 2.0 server (Ex: ) should point to the TMG server’s external IP address

Validating Your Configuration

Test Rule Button
-From the rule properties, you can click “Test Rule”, which performs basic tests
Test from an external client
-Try accessing the IIS splash page (Ex: )
-If that loads, try hitting the IdP-initiated sign-on page and logging in



-Try rebooting the TMG server after the initial configuration
-Ensure name resolution points to the TMG server’s external IP address
-Ensure you have a valid certificate associated with your listener
-Ensure Link Translation is disabled
-Ensure Authentication Delegation is set correctly. For pass-through authentication, it should be set to: No Delegation, but clients may authenticate directly.
-Ensure the Path is set correctly (Ex: /*)
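An added validation script, not part of the original article, that runs the checklist above from an external client: it compares name resolution with the TMG external IP, checks the listener certificate's names and expiry, and confirms the IIS splash page and the IdP-initiated sign-on page respond. The host name and IP passed to run() are assumed placeholders, and the path /adfs/ls/IdpInitiatedSignOn.aspx is the standard AD FS 2.0 IdP-initiated sign-on page; evaluate() takes captured values so the checks can also be exercised offline.

```python
import http.client, socket, ssl, time

def resolve_ipv4(name):
    """Sorted IPv4 addresses this client resolves NAME to (via DNS or its hosts file)."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(host, path):
    """GET https://HOST/PATH using the client's trust store; return (status, peer cert dict)."""
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=15)
    conn.request("GET", path, headers={"Host": host})
    return conn.getresponse().status, conn.sock.getpeercert()

def cert_names(cert):
    """SAN dNSName entries plus subject CN from a getpeercert() dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans + [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(public_name, cert_name):
    """Exact match, or a single-label wildcard in the leftmost label only."""
    public_name, cert_name = public_name.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return public_name.count(".") >= 2 and public_name.split(".", 1)[1] == cert_name[2:]
    return public_name == cert_name

def evaluate(public_name, tmg_external_ip, resolved_ips, cert, splash_status, signon_status):
    """Checklist items that fail; an empty list means the published site looks right."""
    problems = []
    if resolved_ips != [tmg_external_ip]:
        problems.append(f"{public_name} resolves to {resolved_ips}, expected TMG external IP {tmg_external_ip}")
    if not any(name_matches(public_name, n) for n in cert_names(cert)):
        problems.append(f"listener certificate names {cert_names(cert)} do not cover {public_name}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < time.time():
        problems.append(f"listener certificate expired on {cert['notAfter']}")
    if splash_status != 200:
        problems.append(f"IIS splash page returned HTTP {splash_status}")
    if signon_status not in (200, 401):  # 401 = AD FS challenged the client itself (pass through)
        problems.append(f"sign-on page returned HTTP {signon_status}: check the /* path and delegation setting")
    return problems

def run(public_name, tmg_external_ip):
    """Live check from this external client; both arguments are assumed placeholders for your own values."""
    try:
        splash, cert = probe(public_name, "/")  # IIS splash page
        signon, _ = probe(public_name, "/adfs/ls/IdpInitiatedSignOn.aspx")  # AD FS 2.0 IdP-initiated sign-on
    except ssl.SSLCertVerificationError as exc:  # chain or host name rejected by the client's trust store
        return [f"listener certificate failed validation: {exc.verify_message}"]
    return evaluate(public_name, tmg_external_ip, resolve_ipv4(public_name), cert, splash, signon)
```

Call run("sts.example.com", "203.0.113.10") with your own federation service name and TMG external IP; an empty list means every checklist item passed.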

Alternate Configurations

Listener Authentication

-Instead of pass through authentication, you can perform authentication at the listener.
-From the Listener Properties, pick the type of authentication you want to use. Ex: HTML Form Authentication
-On the Users tab of the rule properties, change the user set from “All Users” to “All Authenticated Users”
-You can choose to pass that authentication to your site by configuring Authentication Delegation on the rule. Ex: Negotiate (Kerberos/NTLM)

-If you have multiple sites on the same listener (ex: AD FS 2.0 & the ClaimApp), and you configured HTML forms authentication on the listener, you may want to consider enabling SSO. Without this, the user would be prompted for authentication by a TMG form for each site they visit.
-SSO is configured on the Listener Properties
-Check “Enable Single Sign On”
-Add the domains that SSO is enabled for Ex:
Wiki - Revision Comment List
  • Richard Mueller edited Revision 12. Comment: Removed duplicate <a name> tag in HTML

Wikis - Comment List
  • Please check the images. On this page, I just get the red X?

  • Only a red X for me as well.  Please update so the flow of this article is clearer.

  • The HTML says the images are http://bemis/Library/images/2684097.jpg thru 2684106.jpg, which is no longer valid (we lack permissions to read).
