Regardless of the configuration, the web publishing rule is always created on the Threat Management Gateway (TMG). Depending on your configuration, the TMG points to either the EAS or SEG server.
- If your configuration is a TMG to EAS, you need to create a web publishing rule on the TMG server to publish Exchange Client Access traffic directly to an EAS server.
- If your configuration is TMG to SEG to EAS, you must use the SEG server as the published website instead of the EAS server.
A web publishing rule is associated with the web listener.
If you are adding a SEG to an existing TMG to EAS configuration, make sure the web publishing rule is no longer configured to publish Exchange Client Access traffic to the EAS server before configuring it to publish to the SEG server.
First, you must create a name for the Web publishing rule.
- In the Forefront TMG Management console tree, expand the Server node and then select Firewall Policy.
- On the task pane, select Tasks tab, and then select Publish Exchange Web Client Access.
- In the New Exchange Publishing Rule Wizard window, enter the Exchange Publishing rule name with an appropriate description to identify the website being published.
Next, you must select the version of the Exchange server.
- On the Select Services page, select the Exchange version drop-down menu and select the version of the Exchange server being used.
- Check the Exchange ActiveSync client checkbox.
Next, you must publish the rule to a single Web site or load balancer.
- On the Publishing Type page, select Publish a single Web site or load balancer.
If there are multiple EAS servers, you have the option of selecting the second option which allows the TMG to act as a load balancer.
Next, you must select SSL to connect to a published Web server.
- On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm.
Next, you must configure the internal domain name for the EAS or SEG server.
- On the Internal Publishing Details page, enter the internal domain name in the Internal site name field.
If this configuration is being used to set up an EAS server, put the EAS server name in the field. If it is being used to set up an AirWatch SEG, put the SEG server name in the field.
Next, you must configure the public name domain for the published site.
- On the Public Name Details page, select the Accept requests for drop-down arrow and select This domain name (type below) option.
Enter the public domain name of the EAS or SEG server in the Public name field.
This is the name in the public DNS record under which the website is published; external clients resolve this name to reach the TMG.
Next, you must associate the publishing rule to the Web listener.
- On the Select the Web listener page, select the Web Listener drop-down arrow and select the name of the web listener you created in the previous step.
Next, you must select Kerberos Constrained Delegation and enter the Service Principal Name.
- On the Authentication Delegation page, select the drop-down arrow and select Kerberos constrained delegation.
- Enter the Service Principal Name in the field. Enter the same name as the name that will be used in the next step.
The Kerberos constrained delegation option is selected for authentication. The Service Principal Name value can vary depending on customer configuration, but by default with a single server you can simply specify the server name with the http service (for example, http/<servername>). If the TMG is to be used as a load balancer across multiple servers, then the SPN value here should be set to http/*.
Next, you must apply the publishing rule to all authenticated users.
- On the User Sets page, select All Authenticated Users.
Note: This is selected to make sure that only users who present valid credentials are allowed access.
Next, you must save the configuration for the Exchange publishing rule.
- Click Finish to complete the Exchange Publishing Rule wizard.
A prompt appears to inform you that you may have to configure the SPNs for the services. If you are using the server name as the SPN in the previous step, there is no further configuration necessary. If you are referencing an internal URL then you need to add the SPN and associate it with the server account in Active Directory.
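The SPN registration and delegation check described above can be carried out and verified from a command line rather than only through the wizard prompt. The following PowerShell script is an added example and is not part of the original page, nor AirWatch or Microsoft documentation. It assumes a published SEG host named SEG01, a TMG computer account named TMG01, the SPN http/SEG01 (the "server name with the http service" form the text describes), and that the ActiveDirectory PowerShell module is installed; all of these names are placeholders.

```powershell
# Added example, not from the original page.
# Placeholders (adjust to your environment):
$PublishedHost = 'SEG01'   # the SEG (or EAS) server named in the publishing rule
$TmgAccount    = 'TMG01'   # computer account of the TMG server
$Spn           = "http/$PublishedHost"   # must match the SPN typed into the wizard

# 1. Check whether the SPN is already registered anywhere in the forest.
#    Duplicate SPNs cause Kerberos ticket requests to fail.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Host "SPN $Spn is already registered:"
    $query
} else {
    # -S adds the SPN only after confirming it is not a duplicate.
    setspn -S $Spn $PublishedHost
}

# 2. List the SPNs now held by the published server's computer account.
setspn -L $PublishedHost

# 3. Verify the constrained-delegation list on the TMG computer account.
#    It should contain exactly the published SPN, nothing broader, so that
#    the TMG can only obtain service tickets for the server it publishes.
Import-Module ActiveDirectory
$tmg = Get-ADComputer -Identity $TmgAccount `
        -Properties 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'

Write-Host "Delegation targets for ${TmgAccount}:"
$tmg.'msDS-AllowedToDelegateTo'

if ($tmg.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
    Write-Warning "$TmgAccount is not allowed to delegate to $Spn; add it on the Delegation tab of the computer account."
}

# Clients authenticate to the TMG with forms or basic credentials, not Kerberos,
# so the account must allow protocol transition ("Use any authentication protocol").
if (-not $tmg.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is not enabled on $TmgAccount; Kerberos constrained delegation from the TMG will fail."
}
```

Run the script as a user with rights to write SPNs on the published server's computer account. If the wizard was given an SPN other than the server name (for example http/* for a load-balanced farm, or an internal URL), change $Spn accordingly so that the registered value and the delegation entry match what the rule references.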