Publishing ADFS 2.0 using Threat Management Gateway 2010

Another option for publishing ADFS 2.0 to the internet is to use TMG 2010 as a proxy. This method will replace an ADFS 2.0 Proxy server.

The ADFS Proxy lets external users authenticate with their domain credentials; it is essential for access to Office 365 from locations that cannot reach the internal domain controllers.

The process below guides you through setting up TMG 2010 to publish/proxy ADFS traffic from the internet to the local ADFS 2.0 server. This assumes that you already have your internal ADFS infrastructure set up and connected to Office 365.

  1. Open TMG Management Console


  2. Expand Forefront TMG


  3. Right Click Firewall Policy


  4. Click New


  5. Click Web Site Publishing Rule…


  6. Add a descriptive name for your rule


  7. Click Next


  8. Select Allow, on Actions to take when rule conditions are met


  9. Click Next


  10. Select Publish a single Web site or load balancer

    This option works for both a single ADFS server and a load-balanced ADFS farm


  11. Click Next


  12. Select Use SSL to connect to the published Web server or server farm


  13. Click Next


  14. Enter your internal ADFS Server Farm name.


  15. Click Next


  16. Enter the path for ADFS



  17. Check Forward the original host header instead…


  18. Click Next


  19. Enter your publicly resolvable name for the ADFS site.


  20. Click Next


  21. Select Web Listener, click New…


  22. Add a descriptive name for your web listener


  23. Click Next


  24. Select Require SSL secured connections with clients


  25. Click Next


  26. Select your External Network, or Select the IP address on which you want to listen for the ADFS traffic.


  27. Click Next


  28. Click Select Certificate


  29. Select the public certificate

    This is the same certificate that we used on the internal ADFS servers. I exported the certificate and imported it onto the TMG server.


  30. Click Select


  31. Click Next


  32. Select HTML Form Authentication


  33. Select Windows (Active Directory) to validate client credentials


  34. Click Next


  35. Uncheck Enable SSO for Web sites published with this Web listener


  36. Click Next


  37. Click Finish


  38. Now that the Web listener is set up, click Next


  39. Select NTLM authentication


  40. Click Next


  41. Remove All Authenticated Users


  42. Add All Users


  43. Click Next


  44. Click Finish


Now that the Rule and Web Listener are set up, we need to make some modifications.

  1. Right click the ADFS rule and select Configure HTTP


  2. Uncheck Verify normalization


  3. Uncheck Block high bit characters


  4. Click OK


  5. One handy option TMG gives us is password changes and password-expiry notifications for users. To enable these, we need to edit the web listener


  6. Right click the ADFS rule and select properties


  7. Click the Listener tab


  8. Click Properties


  9. Click Forms Tab


  10. Check Allow users to change their passwords


  11. Check Remind users that their passwords will expire…


  12. Click OK


  13. Click OK


  14. Apply the changes to TMG and allow some time for the configuration to update
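Once the changes have applied, a quick check from an external host is worth running before testing with users. The script below is an added example, not code from the original post: it connects to the public ADFS name, confirms the certificate on the TMG listener covers that name (step 29) and is within its validity period, and fetches the federation metadata through the rule to confirm the federation service name ADFS reports matches the name you published (step 19). The host name is a placeholder, and the metadata check assumes the path published in step 16 includes /FederationMetadata/.

```powershell
# Added example, not from the original post. Run from an external host after applying
# the TMG changes. $PublicName is a placeholder for the name entered in step 19; the
# metadata check assumes step 16 published a path that covers /FederationMetadata/.
param([string]$PublicName = 'sts.example.com')

function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port = 443)
    # TLS handshake with the TMG web listener; the callback accepts any chain
    # because we only want to inspect the certificate TMG presents.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Close() }
}

function Test-PublishedAdfs {
    param([string]$HostName)
    $cert = Get-ListenerCertificate -HostName $HostName
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $pattern = [regex]::Escape($HostName)
    [pscustomobject]@{
        Check  = 'Listener certificate covers the public name (step 29)'
        Pass   = ($cert.Subject -match "CN=$pattern") -or ($san -match $pattern)
        Detail = "$($cert.Subject); SAN: $san"
    }
    [pscustomobject]@{
        Check  = 'Listener certificate is within its validity period'
        Pass   = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date))
        Detail = "expires $($cert.NotAfter)"
    }
    # ADFS 2.0 serves its federation metadata anonymously; the entityID is built from the
    # federation service name, so its host should equal the name you published in step 19.
    $url = "https://$HostName/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        [xml]$meta = (Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop).Content
        $entityHost = ([uri]$meta.EntityDescriptor.entityID).Host
        [pscustomobject]@{ Check = 'Federation service name matches published name (step 19)'
                           Pass = ($entityHost -eq $HostName); Detail = $meta.EntityDescriptor.entityID }
    } catch {
        [pscustomobject]@{ Check = 'Federation metadata reachable through the rule (step 16)'
                           Pass = $false; Detail = $_.Exception.Message }
    }
}
Test-PublishedAdfs -HostName $PublicName | Format-Table -AutoSize
```

A failed metadata check with a TMG error page in the detail usually points at the published path (step 16) or the host header setting (step 17) rather than at ADFS itself.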


Test the logon process


  2. Enter your credentials


  3. Click sign in at….


  4. Enter the UPN account name and password


  5. Click Log On


This is how the users will see a password change notification.

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP

