Publishing ADFS 2.0 using Threat Management Gateway 2010

Another option for publishing ADFS 2.0 to the internet is to use TMG 2010 as a reverse proxy. This method takes the place of a dedicated ADFS 2.0 Proxy server.

ADFS Proxy services let external users authenticate with their domain credentials and are essential for Office 365 access by users who cannot reach the internal domain controllers.

The process below walks through setting up TMG 2010 to publish (proxy) ADFS traffic from the internet to the internal ADFS 2.0 server. It assumes that your internal ADFS infrastructure is already set up and connected to Office 365.

  1. Open the TMG Management Console
  2. Expand Forefront TMG
  3. Right-click Firewall Policy
  4. Click New
  5. Click Web Site Publishing Rule…
  6. Add a descriptive name for your rule
  7. Click Next
  8. Select Allow under Action to take when rule conditions are met
  9. Click Next
  10. Select Publish a single Web site or load balancer
    This option works for both a single ADFS server and a load-balanced ADFS farm.
  11. Click Next
  12. Select Use SSL to connect to the published Web server or server farm
  13. Click Next
  14. Enter your internal ADFS server farm name.
  15. Click Next
  16. Enter the path for ADFS
    /adfs/*
  17. Check Forward the original host header instead…
  18. Click Next
  19. Enter the publicly resolvable name for the ADFS site.
  20. Click Next
  21. Under Web Listener, click New…
  22. Add a descriptive name for your web listener
  23. Click Next
  24. Select Require SSL secured connections with clients
  25. Click Next
  26. Select your External network, or select the IP address on which you want to listen for ADFS traffic.
  27. Click Next
  28. Click Select Certificate
  29. Select the public certificate
    This is the same certificate that we used on the internal ADFS servers. I exported the certificate and imported it onto the TMG server.
  30. Click Select
  31. Click Next
  32. Select HTML Form Authentication
  33. Select Windows (Active Directory) to validate client credentials
  34. Click Next
  35. Uncheck Enable SSO for Web sites published with this Web listener
  36. Click Next
  37. Click Finish
  38. Now that the Web listener is set up, click Next
  39. Select NTLM authentication
  40. Click Next
  41. Remove All Authenticated Users
  42. Add All Users
  43. Click Next
  44. Click Finish

Now that the rule and Web listener are set up, we need to make some modifications.

  1. Right-click the ADFS rule and select Configure HTTP
  2. Uncheck Verify normalization
    The ADFS sign-in URLs that Office 365 redirects users to contain double-encoded values (notably in the wctx parameter), which this filter would otherwise reject. The HTTP filter settings here apply to this rule only, so TMG's other publishing rules keep the check.
  3. Uncheck Block high bit characters
    This filter rejects any request containing non-ASCII bytes; like the previous setting, it is scoped to this rule.
  4. Click OK
  5. One handy option that TMG gives us is password changes and password-expiry notifications. To enable this we need to edit the web listener.
  6. Right-click the ADFS rule and select Properties
  7. Click the Listener tab
  8. Click Properties
  9. Click the Forms tab
  10. Check Allow users to change their passwords
  11. Check Remind users that their passwords will expire…
  12. Click OK
  13. Click OK
  14. Apply the changes to TMG and allow some time for the configuration to update.
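The two HTTP-filter settings in steps 2 and 3 above are what keep TMG from rejecting federation traffic. As an added example (not from the original post), the Python below mimics both checks over a constructed, Office 365-shaped WS-Federation sign-in URL (the hostnames are placeholders) and shows the same request being blocked under TMG's default filter settings and allowed under the settings the post configures.

```python
"""Why 'Verify normalization' and 'Block high bit characters' must be off
for an ADFS publishing rule.

Added example, not part of the original post. It models TMG's two HTTP
filter checks in plain Python: the normalization check decodes the URL
once and rejects it if percent-escapes remain (double encoding), and the
high-bit check rejects any non-ASCII character. Hostnames are constructed.
"""
import re
from urllib.parse import unquote, urlencode

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def build_signin_url(sts_host, wreply):
    """Build a WS-Federation sign-in URL shaped like the one Office 365
    redirects a federated user to.  The wreply return URL is encoded once
    inside wctx, then the whole wctx value is encoded again as a query
    parameter, so the request is legitimately double-encoded."""
    wctx = urlencode({"LoginOptions": "2", "wreply": wreply})
    query = urlencode({
        "wa": "wsignin1.0",
        "wtrealm": "urn:federation:MicrosoftOnline",
        "wctx": wctx,
    })
    return f"https://{sts_host}/adfs/ls/?{query}"


def is_double_encoded(url):
    """Equivalent of TMG's 'Verify normalization': decode once and report
    whether a second round of decoding would still change the string."""
    decoded_once = unquote(url)
    return PCT_ESCAPE.search(decoded_once) is not None


def has_high_bit_chars(url):
    """Equivalent of 'Block high bit characters': any character above 0x7F."""
    return any(ord(ch) > 0x7F for ch in url)


def http_filter_verdict(url, verify_normalization=True, block_high_bit=True):
    """Return ('allowed' or 'blocked', reasons) for the given rule settings.
    TMG's defaults are both checks on; the post turns both off for the
    ADFS rule only."""
    reasons = []
    if verify_normalization and is_double_encoded(url):
        reasons.append("double-encoded URL (Verify normalization)")
    if block_high_bit and has_high_bit_chars(url):
        reasons.append("non-ASCII characters (Block high bit characters)")
    return ("blocked" if reasons else "allowed", reasons)


if __name__ == "__main__":
    # Constructed hostnames; replace with your own STS and return URL.
    url = build_signin_url("sts.example.com", "https://portal.office.com/")
    print(url)
    print("TMG defaults   :", http_filter_verdict(url))
    print("post's settings:", http_filter_verdict(
        url, verify_normalization=False, block_high_bit=False))
```

Running it prints the sign-in URL with `wreply%3Dhttps%253A%252F%252F...` inside wctx, a "blocked" verdict with the default filters and "allowed" once the two checks are disabled, which is exactly the behaviour seen when the rule is left at its defaults and federated sign-in fails at TMG.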


 

Test the logon process

  1.
  2. Enter your credentials
  3. Click Sign in at…
  4. Enter the UPN account name and password
  5. Click Log On

This is how users will see a password change notification.

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP
