TMG 2010 can be used as a basic reverse proxy for AD FS 2.0: requests from the Internet for the AD FS 2.0 URL are forwarded to your internal AD FS server and the responses are sent back to the client. The AD FS 2.0 proxy (the Federation Service Proxy role) offers certain benefits over TMG. If you are looking to add Office 365 in the future, the AD FS 2.0 proxy offers additional flexibility with endpoints and you can set up a Client Access Policy. If you already have TMG set up as your edge firewall, you can have TMG publish your AD FS 2.0 proxy instead of the AD FS server itself and keep that functionality.
Requirements
-Windows Server 2008 SP2 or higher (64-bit)
-2 GB RAM
-2 NICs (one external, one internal)
Installation
*Before installing TMG you should configure the internal & external IP addresses
-Run Windows Update
-Run the Preparation Tool
-Run the Installation Wizard
-Set: internal NIC & Network
The Getting Started Wizard will load after the initial installation is complete.
Network Template
-Choose: Edge Firewall
LAN Settings
-Choose: Internal NIC
Internet Settings
-Choose: External NIC
Host Identification
If you have not named your server or joined it to the domain, you have the option to configure it here.
-Configure: Computer Name, Domain, DNS Suffix
Windows Updates
-Choose: Disabled
NIS
-Choose: Disable NIS
Web Protection
-Choose: Disable Web Protection
Customer Feedback
-Choose: None
Web Access Wizard
-Optional
-Set this if you want to configure TMG as a proxy for the Internet
*None of the features disabled here is needed to publish AD FS 2.0; enable them if your firewall policy calls for them. The Windows Updates choice only concerns the wizard's Microsoft Update opt-in for TMG itself, so keep patching the server through your normal process.
Publish the AD FS 2.0 server as a web site
Go to: Firewall Policy -> Publish Web Sites
Web Publishing Rule Name
-Use a name that makes sense (Ex: Federation)
Rule Action
-Choose: Allow
Publishing Type
-Choose: Publish a single Web site or load balancer
Server Connection Security
-Choose: Use SSL
Internal Site Name
-Use your internal server name or DNS name (Ex: adfs.adatum.com)
-It is important to not prefix this with https://
-Enter the same for the computer name or IP address
-TMG validates the certificate on the internal AD FS server, so this name must match that certificate and TMG must trust its issuing CA
Path
-Enter: /*
-The wildcard indicates that all folders and files after the URL are valid and will be processed by TMG 2010
-This also publishes the IIS default page and anything else on the server; the AD FS 2.0 endpoints all live under /adfs/, so consider narrowing the path once testing is done
Accept requests for
-Choose: This domain name (type below)
Public name
-Same as the internal site name (Ex: adfs.adatum.com)
-It is important to not prefix this with https://
Web Listener
-Create new listener
Create new listener
-Name: Any name you want (Ex: Federation Listener)
-Security: Require SSL
-IP Addresses: External
-Certificate: You need a certificate that will validate: its subject or subject alternative name must match the public name, external clients must trust its issuer, and it must be in the TMG computer store with its private key
-Authentication: No Authentication*
-Delegation: No delegation, but client may authenticate directly*
-User Sets: All Users
* This sets up the listener and site for pass-through authentication. TMG lets all users through, and they authenticate directly against the AD FS server. If you choose "No delegation, and client cannot authenticate directly", the authentication challenges from the server will be dropped and sign-in will fail.
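The listener certificate item above only says the certificate must "validate". The following script is an added example (not part of the original article) to run on the TMG server before creating the listener: it finds every certificate in the computer store whose name covers the public name and reports what would stop TMG from using it. The public name adfs.adatum.com is the article's example; everything else is standard .NET certificate handling.

```powershell
# Added example: check candidate listener certificates on the TMG server.
# Assumption: public name is the article's example, adfs.adatum.com.
$PublicName    = "adfs.adatum.com"
$serverAuthEku = "1.3.6.1.5.5.7.3.1"   # Enhanced Key Usage: Server Authentication

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # CN from the subject
    $cn = ($Cert.Subject -split ",\s*") | Where-Object { $_ -like "CN=*" } | Select-Object -First 1
    if ($cn) { $names += $cn.Substring(3).Trim() }
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        $text = $san.Format($false)   # "DNS Name=adfs.adatum.com, DNS Name=sts.adatum.com"
        foreach ($part in ($text -split ",\s*")) {
            if ($part -match "^DNS Name=(.+)$") { $names += $matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameMatch {
    param([string[]]$CertNames, [string]$Name)
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }
        # Wildcard covers exactly one label: *.adatum.com matches adfs.adatum.com, not a.b.adatum.com
        if ($n.StartsWith("*.") -and ($Name -like $n) -and
            ($Name.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

$found = $false
foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
    $names = Get-CertDnsNames -Cert $cert
    if (-not (Test-NameMatch -CertNames $names -Name $PublicName)) { continue }
    $found = $true

    $problems = @()
    if (-not $cert.HasPrivateKey)        { $problems += "no private key (TMG cannot terminate SSL with it)" }
    if ($cert.NotAfter  -lt (Get-Date))  { $problems += "expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date))  { $problems += "not yet valid" }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthEku })) {
        $problems += "EKU does not include Server Authentication"
    }
    if (-not $cert.Verify()) { $problems += "chain does not build to a root trusted on this server" }

    "{0}  ({1}, expires {2:yyyy-MM-dd})" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    "  names: " + ($names -join ", ")
    if ($problems.Count -eq 0) { "  OK: usable for the listener" }
    else { $problems | ForEach-Object { "  PROBLEM: $_" } }
}
if (-not $found) { "No certificate in LocalMachine\My covers $PublicName" }
```

The chain check uses the TMG server's own trust store; external clients trust their own set of roots, so a certificate from an internal CA can pass here and still fail for Internet clients. That is the case the listener's "certificate that will validate" wording is warning about.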
Disable "Verify normalization"
-Right click the rule, Configure HTTP, uncheck "Verify normalization"
-This check rejects requests whose URL still contains escaped characters after one decode (double encoding). The WS-Federation parameters AD FS 2.0 receives carry URL-encoded values inside an already URL-encoded query string, so they trip it.
-Because it is part of the rule's HTTP policy, unchecking it only affects this rule; leave it enabled on your other publishing rules
Disable "Link Translation"
-Right click the rule, Properties, Link Translation tab, uncheck "Apply link translation to this rule"
-Link translation rewrites internal names in responses; the redirects and form posts AD FS 2.0 issues must reach the client unchanged
Verify settings
Apply settings
-The Firewall service must restart for the settings to apply
Configure name resolution in DNS or a hosts file
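To see why "Verify normalization" has to be unchecked on this rule, the following added example (not from the original article) reproduces the check TMG performs and runs it over constructed request URLs. The host and application names come from the article's examples; the wctx value is the kind of relying-party state a WIF application sends to AD FS 2.0 and is constructed here for illustration.

```powershell
# Added example: the double-encoding test behind "Verify normalization".
# Assumptions: adfs.adatum.com and claimapp.adatum.com are the article's example names;
# the sample URLs below are constructed, not captured from a real deployment.

function Test-UrlNormalized {
    param([string]$Url)
    $once  = [System.Uri]::UnescapeDataString($Url)
    $twice = [System.Uri]::UnescapeDataString($once)
    # If a second decode still changes the string, the first decode left %XX sequences behind:
    # that is the double-encoded request the check exists to block.
    return ($once -eq $twice)
}

# wctx carries the relying party's own state, which is itself URL-encoded (ru=%2f means
# "return to /"), so it ends up encoded twice in the query string AD FS receives.
$wctx   = "rm=0&id=passive&ru=%2f"
$signIn = "https://adfs.adatum.com/adfs/ls/?wa=wsignin1.0" +
          "&wtrealm=" + [System.Uri]::EscapeDataString("https://claimapp.adatum.com/") +
          "&wctx="    + [System.Uri]::EscapeDataString($wctx)

$samples = @(
    @{ Name = "IIS splash page";                   Url = "https://adfs.adatum.com/" },
    @{ Name = "IdP-initiated sign-on page";        Url = "https://adfs.adatum.com/adfs/ls/IdpInitiatedSignOn.aspx" },
    @{ Name = "WS-Fed sign-in from a WIF RP";      Url = $signIn },
    @{ Name = "double-encoded traversal probe";    Url = "https://adfs.adatum.com/%255c..%255c" }
)

foreach ($s in $samples) {
    $verdict = if (Test-UrlNormalized -Url $s.Url) { "passes" } else { "BLOCKED by Verify normalization" }
    "{0,-36} {1}" -f $s.Name, $verdict
    "    " + $s.Url
}
```

The splash page and the IdP-initiated page pass, while the sign-in request from the relying party is blocked for the same reason the traversal probe is: both decode to something different on the second pass. Unchecking the option therefore also removes the double-encoding defence for everything behind this rule, which is a further reason to keep the published path narrow and to leave the check on for other rules.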
-Your test machine should have an IP address that would map as external
-The URL for your AD FS 2.0 server (Ex: https://adfs.adatum.com/) should point to the TMG server's external IP address
Test Rule Button
-From the rule properties, you can click "Test Rule", which performs basic tests
Test from an external client
-Try accessing the IIS splash page (Ex: https://adfs.adatum.com)
-If that loads, try hitting the IdP-initiated sign-on page (on a default AD FS 2.0 install: https://adfs.adatum.com/adfs/ls/IdpInitiatedSignOn.aspx) and logging in
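The manual tests above, and most of the troubleshooting points that follow, can be run in one pass from the external test client. This script is an added example, not part of the original article. It assumes the article's public name adfs.adatum.com, a placeholder TMG external address from the RFC 5737 documentation range, and the default AD FS 2.0 paths for the IdP-initiated sign-on page and the federation metadata.

```powershell
# Added example: end-to-end check of the published AD FS 2.0 site from an external client.
# Assumptions: public name from the article; TmgExternalIp is a placeholder to replace.
$PublicName    = "adfs.adatum.com"
$TmgExternalIp = "203.0.113.10"

$results = New-Object System.Collections.ArrayList
function Add-Result {
    param($Check, $Ok, $Detail)
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }))
}

# 1. Name resolution (DNS or hosts file) must land on TMG's external address,
#    not on the internal AD FS server.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    Add-Result "DNS -> TMG external IP" ($addrs -contains $TmgExternalIp) ($addrs -join ", ")
} catch { Add-Result "DNS -> TMG external IP" $false $_.Exception.Message }

# 2. TLS handshake with the listener; validation fails here if the certificate's name does
#    not match the public name or this client does not trust its issuer.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($PublicName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($PublicName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Add-Result "Listener certificate validates" $true ("{0}, expires {1:yyyy-MM-dd}" -f $cert.Subject, $cert.NotAfter)
} catch {
    Add-Result "Listener certificate validates" $false $_.Exception.Message
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}

# 3. The pages the article tests by hand. With pass-through authentication a 401 on the
#    sign-on page is expected: the AD FS server challenges the client directly through TMG.
$paths = @{
    "IIS splash page"            = "/"
    "IdP-initiated sign-on page" = "/adfs/ls/IdpInitiatedSignOn.aspx"
    "Federation metadata"        = "/FederationMetadata/2007-06/FederationMetadata.xml"
}
foreach ($name in $paths.Keys) {
    $url = "https://$PublicName$($paths[$name])"
    $status = 0; $detail = ""
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.Method = "GET"; $req.AllowAutoRedirect = $false; $req.Timeout = 15000
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) { $status = [int]$resp.StatusCode; $resp.Close() }
        else { $detail = $_.Exception.Message }
    } catch {
        $detail = $_.Exception.Message
    }
    # Any 2xx/3xx/4xx answer means the request got through TMG to the published site;
    # 0 (no answer) or 5xx points at the rule, the listener certificate or the back end.
    Add-Result $name (($status -ge 200) -and ($status -lt 500)) ("HTTP $status $detail".Trim())
}

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize
```

Redirects are not followed so that each row reports what the published site itself returned. A failure in step 2 with a name-mismatch or untrusted-issuer message corresponds to the "valid certificate associated with your listener" item in the troubleshooting list; a 500 on every path with a passing handshake usually means TMG could not validate the internal AD FS server's certificate under the Internal Site Name you entered.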
Troubleshooting
-Try rebooting the TMG server after the initial configuration
-Ensure name resolution points to the TMG server's external IP address
-Ensure you have a valid certificate associated with your listener
-Ensure Link Translation is disabled
-Ensure "Verify normalization" is unchecked in the rule's HTTP policy
-Ensure Authentication Delegation is set correctly. For pass-through authentication it should be: No delegation, but clients may authenticate directly
-Ensure Path is set correctly (Ex: /*)
Authenticating at the listener
-Instead of pass-through authentication, you can perform authentication at the listener
-From the Listener Properties, pick the type of authentication you want to use (Ex: HTML Form Authentication)
-On the Users tab of the rule properties, change the user set from "All Users" to "All Authenticated Users"
-You can choose to pass that authentication on to your site by configuring Authentication Delegation on the rule (Ex: Negotiate (Kerberos/NTLM))
-In this mode TMG validates the credentials itself, so the TMG server must be able to reach the domain (for Active Directory validation it must be a domain member)
Single Sign On
-If you have multiple sites on the same listener (Ex: AD FS 2.0 & the ClaimApp) and you configured HTML Forms Authentication on the listener, consider enabling SSO. Without it the user is prompted by a TMG form for each site they visit.
-SSO is configured on the Listener Properties
-Check "Enable Single Sign On"
-Add the domains that SSO is enabled for (Ex: .adatum.com)
-The SSO domain is the scope of the TMG authentication cookie, so every host under it shares the signed-in session; only add domains whose hosts you publish through this listener
Richard Mueller edited Revision 12. Comment: Removed duplicate <a name> tag in HTML
Please check the images. On this page, I just get the red X?
Only a red X for me as well. Please update so the flow of this article is clearer.
The HTML says the images are http://bemis/Library/images/2684097.jpg thru 2684106.jpg, which is no longer valid (we lack permissions to read).