Although the use of domain joined Forefront TMG servers is my preferred deployment model, I was recently involved in a Workgroup Deployment. As this is a supported deployment method, I thought it might be useful to document some of the specifics of installing and configuring in a workgroup environment, specifically when using Enterprise Edition with a standalone array.
When using a workgroup deployment, infrastructure services are likely to be limited and an Enterprise Management Server (EMS) will not be present, so a standalone array, as opposed to an EMS-managed array, is required to provide an array of Forefront TMG servers. For the purposes of this article (and just because I think it is interesting) the example therefore includes the setup of a standalone array to provide a high availability Forefront TMG solution.
To improve the quality of information provided and also to reduce the amount of time it takes to produce these blog articles, I am trying out a new technology in this blog post. This technology is called the Windows Problem Steps Recorder and was originally written as a support tool. However, it also provides a really nice way of capturing a complete walkthrough process in a relatively accurate and fast way. PLEASE provide feedback on this new method of providing walkthrough information – does it work for you? I appreciate the MHT file download size is quite large, but it does allow for offline use which is quite a nice bonus!
Anyhow, back to the article. In order to prepare the environment for workgroup deployment we need to consider the following preparatory steps:
- Configure each Forefront TMG server with a fully qualified domain name (FQDN)
- Create user accounts
- Import server certificates
- Import root CA certificates
Lab Environment Overview
The example lab environment I am using consists of the following Forefront TMG Servers:
- TMG03
- TMG04
Both servers have been configured with three network interfaces (more on that later) and are running Forefront TMG Enterprise Edition on Windows Server 2008 R2 operating systems. The servers are actually hosted on a Windows Server 2008 R2 Hyper-V parent, not that this makes any difference to the examples.
An overview of the Forefront TMG related lab environment is shown below:
Configure FQDNs
As the Forefront TMG servers are not domain joined, they are unlikely to be configured with a DNS suffix. Hence they will have a simple hostname as opposed to a fully qualified domain name (FQDN). So, the first step is to configure each server with an appropriate DNS suffix to define the FQDN.
First for TMG03:
Next for TMG04:
Create User Accounts
The next step involves creating mirror user accounts on each Forefront TMG server.
First for TMG03:
Next for TMG04:
Import Server Certificates
Firstly we import a unique Workgroup Server Certificate into TMG03. In my lab, this certificate was created using an internal Windows CA with the Web Server certificate template. An overview of this process is provided here. However, any CA that can create a valid certificate with the Server Authentication enhanced key usage (identified by the OID 1.3.6.1.5.5.7.3.1) should be fine.
For TMG03 only:
Import CA Server Certificates
To ensure that the imported server certificate is trusted by both TMG03 and TMG04, we need to import the CA's certificate into the Trusted Root Certification Authorities certificate store on both servers. For our example lab environment, this CA is called MSEDGE Root CA.
First for TMG03:
Next for TMG04:
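As an added example (not part of the original walkthrough, which uses the GUI and the PSR recordings), the same four preparatory steps for one array member as a PowerShell script. The DNS suffix, account name and certificate paths are placeholder assumptions, and the EKU check reflects the Server/Client Authentication problem raised in the comments.

```powershell
# Added example, not from the original post: the four preparatory steps as a
# script for one array member. Suffix, account name and paths are placeholders;
# run elevated on each server. Targets the PowerShell 2.0 on Windows Server
# 2008 R2, so it uses .NET X509Store rather than the later Import-PfxCertificate.
param(
    [string]$DnsSuffix       = 'lab.example',                 # assumed lab suffix
    [string]$ArrayUser       = 'tmgarray',                    # mirrored local account
    [string]$PfxPath         = 'C:\certs\tmg03.pfx',          # placeholder, TMG03 only
    [string]$RootCaCerPath   = 'C:\certs\MSEDGE-Root-CA.cer', # placeholder
    [string]$IntermediateCer = ''                             # optional, per the comments
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'
# 1. Primary DNS suffix, so the server has an FQDN (applied after a reboot).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $DnsSuffix

# 2. Mirror account: identical name and password on every array member.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR(
            (Read-Host -AsSecureString "Password for local account $ArrayUser"))
$user = ([ADSI]"WinNT://$env:COMPUTERNAME").Create('User', $ArrayUser)
$user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
$user.SetInfo()
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Import-ToStore([string]$Path, [string]$StoreName, $Password) {
    # MachineKeySet + PersistKeySet: the private key must outlive this session and
    # be reachable by the TMG services, not only by the importing user.
    $cert  = New-Object "$X509.X509Certificate2" ($Path, $Password, 'MachineKeySet,PersistKeySet')
    $store = New-Object "$X509.X509Store" ($StoreName, 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    return $cert
}

# 3. Root CA on every member; intermediate CA too if the issuing chain has one.
Import-ToStore $RootCaCerPath 'Root' '' | Out-Null
if ($IntermediateCer) { Import-ToStore $IntermediateCer 'CA' '' | Out-Null }

# 4. Server certificate on the array manager only, followed by sanity checks.
if (Test-Path $PfxPath) {
    $srv = Import-ToStore $PfxPath 'My' (Read-Host -AsSecureString 'PFX password')
    $eku = @($srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
             ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($eku -notcontains '1.3.6.1.5.5.7.3.1') { throw 'Server Authentication EKU is missing' }
    if ($eku -contains '1.3.6.1.5.5.7.3.2') {
        Write-Warning 'Client Authentication EKU also present; see the TMG Control service note in the comments'
    }
    if (-not $srv.HasPrivateKey) { throw 'PFX imported without its private key' }
    if (-not $srv.Verify()) { throw 'Server certificate does not chain to a trusted root' }
}
```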
For next time…
With the environment prepared, we can now think about creating the standalone array and joining workgroup array members.
Please Note: If you want to download all walkthroughs provided above in a single file you can use the Download as .zip link from here. However, be aware that this is a 14MB download!
See you next time…
"import a unique Workgroup Server Certificate into TMG03. In my lab, this certificate was created using an internal Windows CA using the Web Server certificate template. An overview of this process is provided here. However, any CA that can create a valid certificate with a Server Authentication (1.3.6.1.5.5.7.3.1) key usage type (sometimes called an OID) should be fine."
Please could you just explain to me how I can do that with Windows Problem Steps Recorder?
Thanks in advance
Hi,
Follow this article to generate the certificates for each array member from within IIS:
http://technet.microsoft.com/nl-nl/library/cc731014(WS.10).aspx
Once created, export the certificates as PFX files and import them into each TMG array member.
Sorry, I can't use PSR for every request :(
Cheers
JJ
Hi,
Thanks James for your quick reply.
I found this article:
http://technet.microsoft.com/en-us/library/ee658141.aspx
Do I have to do this for TMG03 and TMG04,
or TMG03 only?
thanks in advance
Ahmed
As per the article, just TMG03 as this is the array manager.
Hi Jason,
I just wanted to point out one thing regarding certificates. I have recently stumbled on a problem if the certificate has an Enhanced Key Usage of Server Authentication and Client Authentication and both are enabled in the "Intended Purposes" property for the certificate. The TMG Control service will not start at server reboot if that is the case. This could happen if the certificate is created from the Computer template in the Microsoft CA service, as I have done. I have detailed the error here:
http://solutiondumps.blogspot.com/2011/01/forefront-tmg-enterprise-standalone.html
I just hope it will save someone some time, as we troubleshot the issue for a couple of days :)
Nice article though!
Dinko
Hi Dinko,
Excellent, thanks for the link!
I don't do too many standalone installs, and didn't experience this particular problem in my test lab, but I think this was probably pre-SP1.
I have used the same fix quite a few times for slow FBA authentication, as you mention...
Cheers
JJ
This lab example uses two servers, so can we not use one server?
Yes you can use a single server, but you lose all server fault tolerance and load balancing (obviously).
Well done, however if your network requires an intermediate certificate you will need to import the intermediate certificate into the proper location.
For me I imported the certificate into the Intermediate Certificate Authorities directory. Jason, you did an excellent job with this post, however please provide some guidance for when an intermediate cert is required.
Thanks, good point!