Regardless of the configuration (TMG to EAS or TMG to SEG to EAS), the first step is to create a web listener on the Threat Management Gateway (TMG).

For devices to access mail securely through the TMG, the TMG must have a web listener that accepts incoming connections from those devices. The listener also lets TMG pre-authenticate each connection and its requests before anything is forwarded to the published server.

First, you must create a name for the Web Listener.

  1. In the Forefront TMG Management console tree, select Firewall Policy.
  2. On the task pane, select the Toolbox tab and then select Network Objects >New.
  3. Select the Web Listener option.
  4. In the New Web Listener Definition Wizard window, enter the Web listener name with an appropriate description.
  5. Click Next.

    Next, you must set up Secure Sockets Layer (SSL).

  6. On the Client Connection Security page, select Require SSL secured connections with clients.
  7. Click Next.

    Next, you must set up an external IP address for the Web listener.

  8. On the Web Listener IP Addresses page, select the External network checkbox. Or if you have multiple IP addresses associated with this network, select one of those IP addresses.
  9. Click Next.

    This selection can vary with a client's specific configuration, but in general you select the External network.

  10. Click the Select IP Addresses button and then select Specified IP Addresses on the Forefront TMG computer in the selected network.
  11. Below Available IP Addresses, select the IP address for the website.
  12. Click Add.
  13. Click OK.
  14. Click Next.

    Next, you must associate a certificate to the Web listener.

  15. On the Listener SSL Certificate page, click Select Certificate.
  16. Select the respective certificate and click Select. The selected certificate is bound to this listener and must correspond to the public URL that TMG publishes. Click Next.

    Next, you must select SSL client certificate authentication.

  17. On the Authentication Settings page, select SSL Client Certificate Authentication from the drop-down menu.
  18. Click Next.

    Next, you must complete the wizard.

  19. On the Single Sign On Settings page, an error message appears stating that SSO is not available for the currently selected client authentication method. SSO is only available for HTML Form Authentication.
  20. Ignore the message and select Next.
  21. Click Finish.
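Once the wizard is finished, it is worth confirming from outside the network that the listener really requires SSL and really asks clients for a certificate, since a listener created with the wrong authentication setting will still answer on port 443. The script below is an added example and not part of the original guide: it runs `openssl s_client` against the listener (the hostname eas.example.test is a placeholder) and inspects the handshake output for a negotiated TLS session and a client-certificate request; the two embedded sample outputs are constructed.

```shell
#!/bin/sh
# Returns 0 when the s_client output shows a negotiated TLS session AND a
# client-certificate request (what "SSL Client Certificate Authentication"
# on the listener should produce); returns 1 and explains otherwise.
assess_listener_handshake() {
    out="$1"
    ok=0
    if printf '%s\n' "$out" | grep -q 'Acceptable client certificate CA names'; then
        echo "PASS: listener requested a client certificate"
    elif printf '%s\n' "$out" | grep -q 'No client certificate CA names sent'; then
        echo "FAIL: listener did not request a client certificate"
        ok=1
    else
        echo "FAIL: no TLS handshake completed"
        ok=1
    fi
    # The SSL-Session block of s_client output carries "Protocol  : TLSv1.x"
    if printf '%s\n' "$out" | grep -q '^ *Protocol *: *TLS'; then
        echo "PASS: TLS negotiated"
    else
        echo "FAIL: TLS not negotiated (listener must require SSL)"
        ok=1
    fi
    return $ok
}

# Live check against a listener; hostname is an assumed placeholder.
check_listener() {
    assess_listener_handshake "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1)"
}

# Constructed sample: listener requests a client certificate over TLS 1.2.
SAMPLE_OK='CONNECTED(00000003)
Acceptable client certificate CA names
CN=Example Corp Issuing CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
Verify return code: 0 (ok)'

# Constructed sample: TLS works but no client certificate was requested.
SAMPLE_NO_CERT='CONNECTED(00000003)
No client certificate CA names sent
---
SSL-Session:
    Protocol  : TLSv1.2
Verify return code: 0 (ok)'
```

Run `check_listener eas.example.test` from an external host to test the real listener; the samples exist only so the assessment logic can be exercised offline.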

Next, you must create a web publishing rule on TMG to publish traffic to EAS or SEG.