Before your enterprise email server can securely pass email to the user’s device, you need to configure your email server to perform the following tasks.

  • Recognize the user’s device.
  • Trust that the end user is the authorized user of the device.

This is accomplished by authenticating that user and their device with a certificate. Regardless of the enterprise email server being used, the methodology of certificate authentication is basically the same.

If you understand the methodology, have the technical expertise, and have a strong understanding of the hardware and software required, then configuring a certificate is much easier and the user gets a seamless experience receiving their email.

The following sections discuss two different implementation approaches.

  • TMG to EAS
  • TMG to SEG to EAS

The first section describes the steps common to both configurations, and the next two sections describe the steps specific to each configuration, including the one involving the Secure Email Gateway (SEG). Each section references numbered steps that correspond to the detailed procedures.


Configure Either TMG to EAS or TMG to SEG to EAS Server

This implementation includes steps 1 and 2, which are required for configuring either TMG to EAS or TMG to SEG to EAS servers. After you complete these steps, you need to advance to either Configuring TMG to EAS Server or Configuring TMG to SEG to EAS Server.

Step 1: Create a Web Listener on the TMG

Regardless of the configuration, the web listener is always created on the TMG. The listener pre-authenticates incoming connections and requests from clients and then allows those devices to securely access the user’s email. Create the web listener by:

  • Creating a Name for the Web Listener
  • Setting Up Secure Socket Layer (SSL)
  • Setting Up an External IP Address for the Web Listener
  • Associating a Certificate to the Web Listener
  • Selecting SSL for Client Certificate Authentication
  • Completing the Wizard

Step 2: Create a Web Publishing Rule on TMG to Publish Traffic to EAS or SEG

Next, regardless of the configuration, the web publishing rule is always created on the TMG. Depending on the configuration, the TMG points to either the EAS or SEG server. If your configuration is a TMG to EAS, you need to create a web publishing rule on the TMG server to publish Exchange Client Access traffic directly to an EAS server, whereas if your configuration is TMG to SEG to EAS, you must use the SEG server as the published website instead of the EAS server. You can create a web publishing rule for either configuration by:

  • Creating a Name for the Web Publishing Rule. You can use more than one web publishing rule for each web listener.
  • Selecting the Version of Exchange Server
  • Publishing the Rule to a Single Web Site or Load Balancer
  • Selecting SSL to Connect to a Published Web Server
  • Configuring the Internal Domain Name for the EAS or SEG Server
  • Configuring the Public Name Domain for the Published Site
  • Associating the Publishing Rule to the Web Listener. A web publishing rule is associated with the web listener you created in Create a Web Listener on the TMG. When applying a web publishing rule, you need to specify the web listener to be used along with it in the TMG.

  • Selecting Kerberos Constrained Delegation and Service Principal Name
  • Applying the Publishing Rule to All Authenticated Users
  • Saving the Configurations for the Exchange Publishing Rule
  • Advance to either Configuring TMG to EAS Server or Configuring TMG to SEG to EAS Server

Configure TMG to EAS Server

This implementation is only for TMG to EAS configurations. It includes steps 3a through 6a for configuring a TMG to EAS server.

Step 3a: Enable Delegation from Active Directory when using a TMG

After creating the listener and rule, you need to enable delegation from AD. In order for the TMG to impersonate a device user when authenticating on an EAS server, the TMG server must be given the appropriate permissions in the Active Directory (AD) server by doing the following:

  • Configuring AD to enable the TMG for delegation
  • Enabling the TMG to delegate HTTP EAS traffic to the EAS server

Step 4a: Create a Service Principal Name (SPN) for the EAS Server

Now that delegation is enabled, create a Service Principal Name (SPN) for the EAS server if one is needed. Whether it is needed depends on the customer configuration and server (for example, if an internal web address is referenced in the Authentication Delegation page), but by default with a single server you only need to specify the server name with the http service. Use one of the following two methods to add an SPN. Both methods require a domain account that has write access to Active Directory:

  • From the command line
  • From ADSIedit
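The command-line method for Steps 3a and 4a, as an added PowerShell example that is not part of the original page and not AirWatch or Microsoft code. It assumes a domain CORP, an EAS server EAS01 reachable as eas.corp.example.com, and a TMG server TMG01; for Steps 3b and 4b the same commands apply with the SEG's account as the delegating principal and the SEG's hostname in the SPN.

```powershell
# Added example: register the EAS SPN, enable Kerberos constrained delegation
# from the TMG computer account, and verify both. Assumed names: domain CORP,
# EAS server EAS01 (eas.corp.example.com), TMG server TMG01. Run as a domain
# account that can write to Active Directory (ActiveDirectory module required).
Import-Module ActiveDirectory

$easFqdn    = 'eas.corp.example.com'
$easAccount = 'EAS01'      # account hosting the EAS IIS app pool (computer account by default)
$tmgAccount = 'TMG01$'     # sAMAccountName of the TMG computer account that will delegate
$spn        = "http/$easFqdn"

# Step 4a: register the SPN. -S refuses to add a duplicate; a duplicate SPN
# makes the KDC unable to pick the right key and breaks Kerberos for every client.
setspn -S $spn $easAccount
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed; look for an existing registration with: setspn -Q $spn"
}

# Step 3a: constrained delegation to exactly this one service (least privilege,
# never unconstrained delegation), plus protocol transition, which is required
# because the listener authenticates the device with a certificate rather than
# Kerberos ("Use any authentication protocol" in the AD Delegation tab).
Set-ADComputer -Identity $tmgAccount -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
Set-ADAccountControl -Identity $tmgAccount -TrustedToAuthForDelegation $true

# Verification: the SPN resolves to a single account and the TMG's delegation
# list contains only the EAS http service.
setspn -Q $spn
$tmg = Get-ADComputer -Identity $tmgAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
"Allowed to delegate to: $($tmg.'msDS-AllowedToDelegateTo' -join ', ')"
"Protocol transition enabled: $($tmg.TrustedToAuthForDelegation)"
```

If the page's ADSIedit method is used instead, the same two attributes (msDS-AllowedToDelegateTo on the TMG object and servicePrincipalName on the EAS object) are what gets edited.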

Step 5a: Configure Service Account Delegation Rights on TMG

After creating an SPN, you first need to configure delegation rights on the TMG server and then give permissions to the service account that is attached to the TMG Application Pool by doing the following:

  • Configuring local security policy for TMG to act as part of the Operating System
  • Configuring local security policy for TMG to impersonate a client after authentication

Step 6a: Configure IIS for Certificate Authentication with TMG

The last step is to authenticate the user’s device that is assigned to a particular certificate by configuring Internet Information Services (IIS) on the EAS server to accept that certificate by doing the following:

  • Enabling Active Directory client certificate authentication in IIS
  • Enabling client certificate mapping authentication
  • Requiring SSL for authentication
  • Adjusting uploadReadAheadSize memory size
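The four IIS settings of Step 6a applied from PowerShell, as an added example that is not part of the original page and not AirWatch or Microsoft code. It assumes the ActiveSync virtual directory is at 'Default Web Site/Microsoft-Server-ActiveSync' and uses 10 MB as an assumed uploadReadAheadSize; Step 6b uses the same settings on the SEG server.

```powershell
# Added example: configure IIS on the EAS server for certificate authentication
# and read the result back. Assumed path 'Default Web Site/Microsoft-Server-ActiveSync';
# the 10 MB buffer size is an assumed value, not one taken from the page.
# Run in an elevated session on the EAS (or, for Step 6b, the SEG) server.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$vdir    = 'Default Web Site/Microsoft-Server-ActiveSync'
$adCert  = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'

# 1. Active Directory client certificate authentication is a server-level feature;
#    enable it at the server root first.
Set-WebConfigurationProperty -PSPath $appHost -Filter $adCert -Name enabled -Value $true

# 2. Client certificate mapping authentication for the ActiveSync virtual directory.
Set-WebConfigurationProperty -PSPath $appHost -Location $vdir -Filter $adCert -Name enabled -Value $true

# 3. Require SSL and negotiate the client certificate. Add SslRequireCert only if
#    every caller presents a certificate; it rejects connections that do not.
Set-WebConfigurationProperty -PSPath $appHost -Location $vdir -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert'

# 4. uploadReadAheadSize: IIS buffers the request body before the TLS renegotiation
#    that fetches the client certificate; a value too small for sync requests yields
#    HTTP 413 errors on the device.
Set-WebConfigurationProperty -PSPath $appHost -Location $vdir -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize -Value 10485760

# Read back so the change can be checked against the effective configuration.
$enabled = (Get-WebConfigurationProperty -PSPath $appHost -Location $vdir -Filter $adCert -Name enabled).Value
$flags   = (Get-WebConfigurationProperty -PSPath $appHost -Location $vdir -Filter 'system.webServer/security/access' -Name sslFlags)
$buffer  = (Get-WebConfigurationProperty -PSPath $appHost -Location $vdir -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize).Value
"AD client cert auth: $enabled  sslFlags: $flags  uploadReadAheadSize: $buffer"
```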

Configure TMG to SEG to EAS Server

This implementation includes steps 3a through 6a in Configuring TMG to EAS Server with the addition of the following steps (3b through 6b) that are related to adding a SEG between the TMG and EAS servers.

Step 3b: Enable Delegation from Active Directory when using a SEG

After creating the listener and rule, you need to enable delegation from AD. In order for the TMG and SEG to impersonate a device user when authenticating on an EAS server, first you must give the appropriate permissions in the Active Directory (AD) server from the TMG to SEG servers, and then give the same permissions from the SEG to EAS servers by doing the following:

  • Configuring AD to enable the TMG for delegation
  • Enabling the TMG to delegate HTTP EAS traffic to the SEG server
  • Configuring AD to enable the SEG for delegation
  • Enabling the SEG to delegate HTTP EAS traffic to the EAS server

Step 4b: Create a Service Principal Name (SPN) for the SEG

Now that delegation is enabled, you need to first create a Service Principal Name (SPN) for the EAS server, and then create an SPN on the SEG. Use one of the following two methods to add an SPN for the EAS server and then do it again for the SEG. Both of the following methods require a domain account that has access to write to the Active Directory:

  • From the command line
  • From ADSIedit

Step 5b: Configure Service Account Delegation Rights on SEG

After creating an SPN, you first need to configure delegation rights on the TMG server and then give permissions to the service account that is attached to the TMG Application Pool. Once that is done, you need to follow the same procedure and configure delegation rights on the SEG and then give permissions to the service account that is attached to the SEG Application Pool. You can perform all these steps by doing the following:

  • Configuring local security policy for TMG to act as part of the Operating System
  • Configuring local security policy for TMG to impersonate a client after authentication
  • Verifying the identity of the SEG
  • Configuring local security policy for SEG to act as part of the Operating System
  • Configuring local security policy for SEG to impersonate a client after authentication

Step 6b: Configure IIS for Certificate Authentication with SEG

The last step is to authenticate the user’s device that is assigned to a particular certificate by configuring Internet Information Services (IIS) on the SEG server to accept that certificate by doing the following:

  • Enabling Active Directory client certificate authentication in IIS
  • Enabling client certificate mapping authentication
  • Requiring SSL for authentication
  • Adjusting uploadReadAheadSize memory size