Publishing a single Web site or load balancer over HTTP
This topic provides instructions for publishing over HTTP. For information about how to publish over an SSL secured connection, see Publishing a single Web site or load balancer over HTTPS.
To publish a single Web site or load balancer over HTTP
In the Forefront TMG Management console tree, click Firewall Policy.
In the task pane, click the Toolbox tab.
On the Toolbox tab, click Network Objects, click New, and then select Web Listener to open the New Web Listener Wizard.
Complete the New Web Listener Wizard as outlined in the following table.
Page Field or property Setting or action Welcome to the New Web Listener Wizard
Web listener name
Type a name for the Web listener. For example, type:
HTTP Web Site Listener
Client Connection Security
Select Do not require SSL secured connections with clients.
Web Listener IP Addresses
Listen for incoming Web requests on these networks
Select the External network. Click Select IP Addresses, and then select Specified IP Addresses on the Forefront TMG computer in the selected network. In the Available IP Addresses list, select the IP address for the Web site, click Add, and then click OK.
Authentication Settings
Select how clients will provide credentials to Forefront TMG
In the drop-down list, select No Authentication.
Single Sign On Settings
Enable SSO for Web sites published with this listener
Single sign-on (SSO) is available only when forms-based authentication is used. To enable SSO, click Add, and then specify a domain within which SSO will be applied.
Completing the New Web Listener Wizard
Review the settings, and then click Finish.
In the task pane, click the Tasks tab.
On the Tasks tab, click Publish Web Sites to open the New Web Publishing Rule Wizard.
Complete the New Web Publishing Rule Wizard as outlined in the following table.
Page Field or property Setting or action Welcome to the New Web Publishing Rule Wizard
Web publishing rule name
Type a name for the Web publishing rule. For example, type:
Single Web Site
Select Rule Action
Action
Select Allow.
Publishing Type
Select Publish a single Web site or load balancer.
Server Connection Security
Select Use non-secured connections to connect the published Web server or Web farm.
Internal Publishing Details (1)
Internal site name
Type the host name that Forefront TMG will use in HTTP request messages sent to the published server.
If you are publishing a single Web server and the internal site name specified in this field is not resolvable and is not the computer name or IP address of the published server, select Use a computer name or IP address to connect to the published server, and then type the resolvable computer name or IP address of the published server.
Internal Publishing Details (2)
Path (optional)
Type the path for your Web site.
Forward the original host header instead of the actual one specified in the Internal site name field on the previous page
Select this check box only if your Web site has specific features that require the original host header that Forefront TMG receives from the client.
Public Name Details
Accept requests for
Select This domain name (type below).
Public name
Type the public fully qualified domain name (FQDN) or IP address that external users will use to access the published Web site.
Select Web Listener
Web Listener
In the drop-down list, select the Web listener that you created in step 4. You can then click Edit to modify the properties of the Web listener selected.
Authentication Delegation
Select the method used by Forefront TMG to authenticate to the published Web server
Select No delegation, and client cannot authenticate directly.
User Sets
This rule applies to requests from the following user sets
Do not change the default option, All Users.
Malware Protection
Select Enable malware inspection for this rule.
Completing the New Web Publishing Rule Wizard
Review the settings, and then click Finish.
In the details pane, click Apply, and then click OK.
Notes
- The Web listener can also be configured for HTTP authentication or for forms-based authentication. However, client authentication will then be performed over HTTP without encryption. Because user credentials will be transmitted in plain text, such configurations are considered insecure and are disabled by default. To enable such a configuration, open the properties of the Web listener. On the Authentication tab, click Advanced, and then select the Allow client authentication over HTTP check box. For best security practices, use such a configuration only if you have an SSL accelerator in front of the Forefront TMG computer. For more information about Web listeners, see Web listener overview.
- Forefront TMG treats a farm of servers behind a load-balancing device as a single server. Although this option is supported for publishing a load-balanced farm, we recommend that you use the integrated load-balancing support that is provided by a server farm created in Forefront TMG rather than a load-balancing device. Forefront TMG publishing for server farms provides improved client affinity, which can be configured to operate by using a cookie, rather than depending on the client IP address. This is a distinct advantage in a situation where a device between the load-balancing device and Forefront TMG, such as a NAT device, hides the client IP address.
- You can configure the way in which credentials are passed to the published server in a Web publishing rule. For more information, see About delegation of credentials.
- Web publishing rules match incoming client requests to the appropriate Web site on the Web server.
- You can create Web publishing rules that deny traffic, to block incoming traffic that matches the rule conditions.
- Forefront TMG does not treat paths as case-sensitive. For example, if your Web server includes both foldera and folderA, and you publish a path to one of the folders, both folders will be published.
- For more information about other settings in Web publishing rules, see Overview of Web publishing concepts.