One of the many useful features of Microsoft TMG is the ability to publish internal web-based and non-web-based applications on the internet so that corporate users can access them remotely. Users can reach applications such as Outlook Web Access, SharePoint, CRM, RDP, and Citrix once they are published through the Microsoft TMG server. There are two types of publishing in TMG:

  • Web server publishing
  • Server publishing or non-web server publishing

To have a stable and successful setup, it is essential to plan every deployment. Before publishing any applications, you need to take various aspects of the deployment into account. The table below compares the requirements of the two kinds of publishing rules in TMG:

| Description | Server Publishing (non-HTTP) | Web Publishing |
|---|---|---|
| Web Listener | Does not require a separate web listener | Requires a web listener |
| IP address | Requires a dedicated IP address if the ports conflict with another rule | Multiple web publishing rules can use the same web listener |
| SSL Certificate | Does not require an SSL certificate on the TMG server | Needs an SSL certificate with the CN set to the public host name |
| External Access | The public host name or the IP address can be used to access the published server | Only the public FQDN can be used to access the published web application |
| Port redirection | Uses the same port as the back-end application | The web listener can listen on a different port than the actual service on the back-end server |
| Protocol Definition | A protocol definition is required when using a non-standard port for an application | The port can be specified in the web listener; no protocol definition is required |
| Authentication | Authentication is handled on the back-end server | Users can be pre-authenticated on the TMG server before being given access to the back-end server |
| Authentication Delegation | Not required | Possible to configure |
| Client certificate authentication | Only if the back-end application is configured to accept certificates | Can be configured on TMG as a pre-authentication mechanism |
| Connection | Tunneled: the connection is tunneled to the back-end server | The user creates a session to the published application and TMG then creates another session to the back-end application; the sessions are not tunneled |
| OTP Authentication | Possible on the back-end application | Possible on the TMG server |
| Authentication Delegation | No authentication delegation | Web publishing rules support authentication delegation |
| Protocols Supported | A server publishing rule can only publish a single server and protocol | Only the HTTP and HTTPS protocols are supported |
| Path mapping | Not possible in a server publishing rule | Supported in a web publishing rule |
| Link Translation | Non-HTTP server publishing rules are IP based, so no link translation is possible | Link translation rules are created automatically with web publishing rules |
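As an added example (not part of the original article and not Microsoft tooling), the following Python script checks a planned set of rules against two of the requirements above: server publishing rules that collide on external IP, protocol and port, which forces one of them onto a dedicated IP, and web publishing listeners whose certificate does not cover the public FQDN. Rule names, addresses and host names are constructed sample data.

```python
# Added planning check for TMG publishing rules (example code, not from the
# article or from Microsoft). Rule names, IPs and host names are constructed.
from collections import defaultdict


def server_rule_conflicts(rules):
    """Server publishing rules sharing external IP, protocol and port collide;
    one rule of each colliding group needs a dedicated IP address.
    rules: iterable of dicts with keys name, external_ip, protocol, port."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["external_ip"], r["protocol"].upper(), r["port"])].append(r["name"])
    return sorted(tuple(names) for names in groups.values() if len(names) > 1)


def cert_covers(host, cert_names):
    """True if the listener certificate's CN/SAN names cover the public FQDN.
    A wildcard entry matches exactly one label, as browsers treat it."""
    host = host.lower()
    labels = host.split(".")
    wildcard = "*." + ".".join(labels[1:]) if len(labels) > 2 else None
    names = {n.lower() for n in cert_names}
    return host in names or (wildcard is not None and wildcard in names)


def web_rule_problems(rules):
    """Web publishing rules need an HTTPS listener whose certificate matches the
    public FQDN; several rules may share one listener, so each host is checked.
    rules: iterable of dicts with keys name, public_fqdn, cert_names."""
    return [(r["name"], "listener certificate does not cover " + r["public_fqdn"])
            for r in rules if not cert_covers(r["public_fqdn"], r["cert_names"])]


if __name__ == "__main__":
    # Constructed plan: two RDP rules on the same external IP and port collide.
    server_rules = [
        {"name": "RDP-Server1", "external_ip": "203.0.113.10", "protocol": "TCP", "port": 3389},
        {"name": "RDP-Server2", "external_ip": "203.0.113.10", "protocol": "TCP", "port": 3389},
        {"name": "SMTP", "external_ip": "203.0.113.10", "protocol": "TCP", "port": 25},
    ]
    # Constructed plan: one shared listener certificate that only names the OWA host.
    web_rules = [
        {"name": "OWA", "public_fqdn": "mail.example.com", "cert_names": ["mail.example.com"]},
        {"name": "SharePoint", "public_fqdn": "portal.example.com", "cert_names": ["mail.example.com"]},
    ]
    print(server_rule_conflicts(server_rules))  # [('RDP-Server1', 'RDP-Server2')]
    print(web_rule_problems(web_rules))  # [('SharePoint', 'listener certificate does not cover portal.example.com')]
```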

How does non-HTTP publishing work?

As described at http://technet.microsoft.com/en-us/library/cc995257.aspx, the following communication happens between the client and the TMG server:

  • Forefront TMG listens for requests on the IP address of the published server
  • Client connects to the external IP address of the TMG server
  • TMG server tunnels the request to the IP address of the internal server

This article has highlighted the key differences between HTTP and non-HTTP publishing in Microsoft TMG, but there could be a few more depending on the type of deployment. A typical deployment includes both server publishing rules and web publishing rules.
