Monday, 17 May 2010

Workgroup Deployment with Forefront TMG Enterprise Edition – Part 1: Preparing the Environment

Although the use of domain joined Forefront TMG servers is my preferred deployment model, I was recently involved in a Workgroup Deployment. As this is a supported deployment method, I thought it might be useful to document some of the specifics of installing and configuring in a workgroup environment, specifically when using Enterprise Edition with a standalone array.

When using a workgroup deployment, it is likely that infrastructure services are limited and an Enterprise Management Server (EMS) will not be present. Therefore a standalone array, as opposed to an EMS-managed array, will be required to provide an array of Forefront TMG servers. For the purposes of this article (and just because I think it is interesting) the example provided includes the setup of a standalone array to provide a highly available Forefront TMG solution.

To improve the quality of information provided and also to reduce the amount of time it takes to produce these blog articles, I am trying out a new technology in this blog post. This technology is called the Windows Problem Steps Recorder and was originally written as a support tool. However, it also provides a really nice way of capturing a complete walkthrough process in a relatively accurate and fast way. PLEASE provide feedback on this new method of providing walkthrough information – does it work for you? I appreciate the MHT file download size is quite large, but it does allow for offline use which is quite a nice bonus!

Anyhow, back to the article. In order to prepare the environment for workgroup deployment we need to consider the following preparatory steps:

  • Configure each Forefront TMG server with a fully qualified domain name (FQDN)
  • Create user accounts
  • Import server certificates
  • Import root CA certificates

Lab Environment Overview

The example lab environment I am using consists of the following Forefront TMG Servers:

  • TMG03
  • TMG04

Both servers have been configured with three network interfaces (more on that later) and are running Forefront TMG Enterprise Edition on Windows Server 2008 R2 operating systems. The servers are actually hosted on a Windows Server 2008 R2 Hyper-V parent, not that this makes any difference to the examples.

An overview of the Forefront TMG related lab environment is shown below:

[Image: overview of the Forefront TMG lab environment (TMG03 and TMG04)]


Configure FQDNs

As the Forefront TMG servers are not domain joined, they are unlikely to be configured with a DNS suffix. Hence they will have a simple hostname as opposed to a fully qualified domain name (FQDN). So, the first step is to configure each server with an appropriate DNS suffix to define the FQDN.

First for TMG03:

Next for TMG04:
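The walkthroughs above set the primary DNS suffix through the GUI. The following script is an added example (not from the original post or the Problem Steps Recorder walkthroughs) that does the same thing from an elevated PowerShell 2.0 session on Windows Server 2008 R2, reads the value back, and checks that the other array member resolves by FQDN, since with limited infrastructure services this may need a hosts file entry. The suffix `tmglab.local` and the peer name are constructed lab values; substitute your own.

```powershell
# Added example, not from the original post: set the primary DNS suffix on a
# workgroup Forefront TMG server so that it has an FQDN (hostname.suffix).
# Assumptions: run in an elevated PowerShell 2.0 session on each array member
# (TMG03, then TMG04); the suffix and peer name are constructed lab values.
param(
    [string]$DnsSuffix = "tmglab.local",   # constructed placeholder suffix
    [string]$PeerHost  = "TMG04"           # the other array member (use TMG03 when run on TMG04)
)

$tcpipParams = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Record the current state; on a freshly built workgroup server DomainName is empty.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
Write-Host ("Before: host={0} primary DNS suffix='{1}'" -f $ipProps.HostName, $ipProps.DomainName)

# The primary DNS suffix is stored in "NV Domain" (the value the GUI writes);
# "Domain" is the copy the TCP/IP stack reads after a restart.
Set-ItemProperty -Path $tcpipParams -Name "NV Domain" -Value $DnsSuffix
Set-ItemProperty -Path $tcpipParams -Name "Domain"    -Value $DnsSuffix

# Read back what was written before relying on it.
$written = (Get-ItemProperty -Path $tcpipParams)."NV Domain"
if ($written -ne $DnsSuffix) { throw "Primary DNS suffix was not written to $tcpipParams" }

$fqdn = "{0}.{1}" -f ($env:COMPUTERNAME).ToLower(), $DnsSuffix
Write-Host "This server will be $fqdn once it has been restarted."

# Array members must be able to resolve each other by FQDN. With limited
# infrastructure services this may mean a hosts file entry; check it now
# rather than discovering it during the array join.
$peerFqdn = "{0}.{1}" -f $PeerHost.ToLower(), $DnsSuffix
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($peerFqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} resolves to {1}" -f $peerFqdn, ($addrs -join ", "))
} catch {
    Write-Warning "$peerFqdn does not resolve from this server; add a DNS record or hosts entry before creating the array."
}

# A restart is required for the new suffix to take effect:
# Restart-Computer
```

Run it once on TMG03 with `-PeerHost TMG04` and once on TMG04 with `-PeerHost TMG03`, then restart each server before moving on to the user accounts.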


Create User Accounts

The next step involves creating mirror user accounts, i.e. a local user account with the same user name and password, on each Forefront TMG server.

First for TMG03:

Next for TMG04:
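As an added example (not from the original post), this script creates the mirror account on one array member from an elevated PowerShell 2.0 session; run it with the same account name and type the same password on TMG03 and on TMG04. Windows Server 2008 R2 has no `New-LocalUser` cmdlet, so the WinNT ADSI provider is used instead. The account name `tmgarray` is a constructed placeholder, and the password is read interactively so it is never stored in the script.

```powershell
# Added example, not from the original post: create the same local "mirror"
# account, with the same password, on each array member (TMG03 and TMG04).
# Assumptions: elevated PowerShell 2.0 on Windows Server 2008 R2; the account
# name is a constructed placeholder.
param(
    [string]$AccountName = "tmgarray"   # constructed placeholder name
)

# Read the password once per server; the identical value must be used on every member.
$secure = Read-Host -AsSecureString "Password for local account $AccountName"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# PowerShell 2.0 has no New-LocalUser, so bind to the local SAM via WinNT://.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$existing = $computer.Children | Where-Object { $_.SchemaClassName -eq "user" -and $_.Name -eq $AccountName }

if ($existing) {
    # Account already present (for example a re-run): just make the password match.
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
    $user.SetPassword($plain)
    $user.SetInfo()
} else {
    $user = $computer.Create("User", $AccountName)
    $user.SetPassword($plain)
    $user.SetInfo()
}
$plain = $null   # drop the clear-text copy as soon as it has been used

# ADS_UF_DONT_EXPIRE_PASSWD (0x10000): a password expiring on one member would
# silently break communication between the array members later on.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$user.Put("UserFlags", ($user.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD))
$user.SetInfo()

# Verify the account exists and the flag stuck.
try {
    $check = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
    $flags = $check.UserFlags.Value
    if (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0) { throw "password-never-expires flag not set" }
    Write-Host ("{0}\{1} ready; UserFlags=0x{2:X}" -f $env:COMPUTERNAME, $AccountName, $flags)
} catch {
    throw "Account $AccountName was not created correctly: $_"
}
```

Group membership and the Forefront TMG role the account gets are not covered here; those are assigned later when the array is created.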


Import Server Certificates

Firstly we import a unique Workgroup Server Certificate into TMG03. In my lab, this certificate was created using an internal Windows CA using the Web Server certificate template. An overview of this process is provided here. However, any CA that can create a valid certificate with the Server Authentication Enhanced Key Usage (OID 1.3.6.1.5.5.7.3.1) should be fine.

For TMG03 only:


Import CA Server Certificates

To ensure that the imported server certificate is trusted by both TMG03 and TMG04, we need to import the CA certificate into the Trusted Root Certification Authorities certificate store on both servers. In our example lab environment, this CA is called MSEDGE Root CA.

First for TMG03:

Next for TMG04:
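The two certificate steps above (the root CA on both servers, the server certificate on TMG03 only) can be scripted and, more usefully, checked. The following is an added example, not code from the original post: it runs from an elevated PowerShell 2.0 session on Windows Server 2008 R2 using the .NET X509 classes (the `Import-Certificate` and `Import-PfxCertificate` cmdlets do not exist on that OS), refuses to put anything other than a self-signed certificate into Trusted Root (an intermediate CA certificate belongs in the Intermediate Certification Authorities store, as a commenter below points out), confirms the PFX carries a private key and the Server Authentication EKU, and builds the chain before the certificate is installed. The file paths are constructed placeholders; the CA name MSEDGE Root CA is the one used in this post.

```powershell
# Added example, not from the original post: import the root CA certificate on
# every array member and, on the array manager only, import the workgroup
# server certificate, then check EKU and chain before TMG is asked to use it.
# Assumptions: elevated PowerShell 2.0 on Windows Server 2008 R2 (.NET X509
# classes are used; Import-Certificate does not exist there); file paths are
# constructed placeholders; the CA name comes from the post.
param(
    [string]$RootCerPath   = "C:\certs\MSEDGE-Root-CA.cer",  # placeholder path
    [string]$ServerPfxPath = "C:\certs\tmg03.pfx",           # placeholder path, TMG03 only
    [switch]$ArrayManager                                    # specify on TMG03, omit on TMG04
)

function Import-IntoMachineStore($Cert, [string]$StoreName) {
    # Adds a certificate to a LocalMachine store unless it is already there.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, "LocalMachine"
    $store.Open("ReadWrite")
    if ($store.Certificates.Contains($Cert)) {
        Write-Host ("{0} already in LocalMachine\{1}" -f $Cert.Thumbprint, $StoreName)
    } else {
        $store.Add($Cert)
        Write-Host ("Imported '{0}' ({1}) into LocalMachine\{2}" -f $Cert.Subject, $Cert.Thumbprint, $StoreName)
    }
    $store.Close()
}

# 1. Root CA: needed on both TMG03 and TMG04 so the server certificate chains.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath
if ($root.Subject -ne $root.Issuer) {
    # Only a self-signed root belongs in Trusted Root Certification Authorities;
    # an intermediate CA certificate goes into the "CA" (Intermediate) store.
    throw "$RootCerPath is not self-signed; import intermediate CA certificates into the 'CA' store instead"
}
Import-IntoMachineStore $root "Root"

if (-not $ArrayManager) { return }

# 2. Server certificate with private key: array manager (TMG03) only.
$pfxPassword = Read-Host -AsSecureString "Password for $ServerPfxPath"
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
$server.Import($ServerPfxPath, $pfxPassword, $flags)

if (-not $server.HasPrivateKey) { throw "PFX did not contain a private key" }

# Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
$ekuExt = $server.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekus -notcontains "1.3.6.1.5.5.7.3.1") { throw "Certificate lacks the Server Authentication EKU" }
if ($ekus -contains "1.3.6.1.5.5.7.3.2") {
    # A reader of this post reported the TMG Control service not starting after a
    # reboot with a certificate that also carried Client Authentication (typical
    # of the Computer template). Flag it here so it is not a surprise later.
    Write-Warning "Certificate also has the Client Authentication EKU (1.3.6.1.5.5.7.3.2); see the comments on this post"
}

# The chain must build to the root imported above. Revocation checking is
# disabled on the assumption that the lab CA's CRL is not reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
if (-not $chain.Build($server)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Server certificate does not chain to a trusted root on this server"
}
Import-IntoMachineStore $server "My"
```

Run it on TMG04 with just `-RootCerPath`, and on TMG03 with `-ArrayManager -ServerPfxPath <path>` so that the root is imported first and the chain check has something to chain to.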


For next time…

With the environment prepared, we can now think about creating the standalone array and joining workgroup array members.

Please Note: If you want to download all walkthroughs provided above in a single file you can use the Download as .zip link from here. However, be aware that this is a 14MB download!

See you next time…

11 comments:

  1. import a unique Workgroup Server Certificate into TMG03. In my lab, this certificate was created using an internal Windows CA using the Web Server certificate template. An overview of this process is provided here. However, any CA that can create a valid certificate with a Server Authentication (1.3.6.1.5.5.7.3.1) key usage type (sometimes called an OID) should be fine.


    Please could you just explain to me how I can do that

    with Windows Problem Steps Recorder

    thanks in advance

  2. Hi,

    Follow this article to generate the certificates for each array member from within IIS:

    http://technet.microsoft.com/nl-nl/library/cc731014(WS.10).aspx

    Once created, export the certificates as PFX files and import them into each TMG array member.

    Sorry, I can't use PSR for every request :(

    Cheers

    JJ

  3. Hi,

    Thanks James for your quick reply.

    I found this article:

    http://technet.microsoft.com/en-us/library/ee658141.aspx

    Do I have to do this for TMG03 and TMG04,

    or TMG03 only?

    thanks in advance

    Ahmed

  4. As per the article, just TMG03 as this is the array manager.

  5. Hi Jason,

    I just wanted to point out one thing regarding certificates. I have recently stumbled on a problem if certificate has Enhanced Key Usage of Server Authentication and Client Authentication and both are enabled in "Intended Purposes" property for the certificate. The TMG Control service will not start at server reboot if that is the case. This could happen if the certificate is created from Computer template in Microsoft CA service as I have done. I have detailed the error here:

    http://solutiondumps.blogspot.com/2011/01/forefront-tmg-enterprise-standalone.html

    I just hope it will save someone some time, as we troubleshot the issue for a couple of days :)

    Nice article though!

    Dinko

  6. Hi Dinko,

    Excellent, thanks for the link!

    I don't do too many standalone installs, and didn't experience this particular problem in my test lab, but I think this was probably pre-SP1.

    I have used the same fix quite a few times for slow FBA authentication, as you mention...

    Cheers

    JJ

  7. This lab example uses two servers, so can we not use one server?

    1. Yes you can use a single server, but you lose all server fault tolerance and load balancing (obviously).

  8. Well done, however if your network requires an intermediate certificate you will need to import the intermediate certificate into the proper location.
    For me, I imported the certificate into the Intermediate Certificate Authorities directory. Jason, you did an excellent job with this post, however please provide some guidance for when an intermediate cert is required.

  9. Hello Jason,

    I found this article really interesting and informative, but I could not open or download any of the walkthrough files given in this article. Have they been removed? It would be really nice if you could provide them to me again.

    Regards
    Lalit
