One of the many useful features of Microsoft TMG is the ability to publish internal web-based and non-web-based applications on the internet so that corporate users can access them remotely. Applications such as Outlook Web Access, SharePoint, CRM, RDP, and Citrix are reachable because they are published through the Microsoft TMG server. There are two types of publishing in TMG:
- Web server publishing
- Server publishing or non-web server publishing
To have a stable and successful setup, it is essential to plan every deployment. Before publishing any applications, you need to take into account various aspects of the deployment. The table below shows the requirements for both kinds of publishing rules in TMG:
| Description | Server Publishing (non-HTTP) | Web Publishing |
|---|---|---|
| Web Listener | Does not require a separate web listener | Requires a web listener |
| IP address | Requires a dedicated IP address if the ports conflict with another rule | Multiple web publishing rules can share the same web listener |
| SSL Certificate | Does not require an SSL certificate on the TMG server | Needs an SSL certificate whose CN is the public host name |
| External Access | The public host name or the IP address can be used to access the published server | Only the public FQDN can be used to access the published web application |
| Port redirection | Uses the same port as the back-end application | The web listener can listen on a different port than the actual service on the back-end server |
| Protocol Definition | A protocol definition is required when using a nonstandard port for an application | The port is set in the web listener; no protocol definition is required |
| Authentication | Authentication is handled on the back-end server | Users can be pre-authenticated on the TMG server before being given access to the back-end server |
| Authentication Delegation | Not supported | Supported by the web publishing rule |
| Client certificate authentication | Only if the back-end application is configured to accept certificates | Can be configured on TMG as a pre-authentication mechanism |
| Connection | Tunneled | The client establishes a session with TMG, and TMG establishes a separate session to the back-end application; the connection is not tunneled |
| OTP Authentication | Possible on the back-end application | Possible on the TMG server |
| Protocols Supported | A server publishing rule can only publish a single server and protocol | Only HTTP and HTTPS are supported |
| Path mapping | Not possible in a server publishing rule | Supported in a web publishing rule |
| Link Translation | Non-HTTP server publishing rules are IP based, so no link translation is possible | Link translation rules are created automatically with web publishing rules |
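The planning requirements in the table can be turned into a pre-deployment check. The following Python script is an added example, not part of the original article and not TMG code: it takes a constructed set of intended publishing rules and reports the conflicts the table describes (a server publishing rule sharing an external IP and port with another rule, a server rule that tries to redirect ports or uses a nonstandard port without a protocol definition, a web rule addressed by IP instead of FQDN, or a listener certificate whose CN does not match the public host name). The `Rule` fields, `STANDARD_PORTS` table and sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass
class Rule:
    name: str
    kind: str            # "web" or "server" (non-HTTP) publishing
    public_name: str     # public FQDN (web) or the address clients connect to
    listener_ip: str     # external IP the web listener or server rule binds to
    listener_port: int   # port TMG listens on
    backend_port: int    # port of the service on the internal server
    protocol: str        # "http"/"https" for web rules, service name otherwise
    cert_cn: str = ""    # CN of the certificate bound to the web listener
    has_protocol_definition: bool = False  # only relevant to server publishing

STANDARD_PORTS = {"http": 80, "https": 443, "rdp": 3389}  # constructed subset

def check_rules(rules):
    """Return (rule name, problem) pairs for requirements taken from the table."""
    problems = []
    # Non-HTTP rules conflict when two of them bind the same external IP and port.
    sockets = Counter((r.listener_ip, r.listener_port) for r in rules if r.kind == "server")
    for r in rules:
        if r.kind == "web":
            if r.public_name.replace(".", "").isdigit():  # dotted-quad IP, not an FQDN
                problems.append((r.name, "web publishing is reached by public FQDN, not IP"))
            if r.protocol == "https" and r.cert_cn != r.public_name:
                problems.append((r.name, "listener certificate CN must match the public host name"))
        else:
            if sockets[(r.listener_ip, r.listener_port)] > 1:
                problems.append((r.name, "port conflicts with another rule; needs a dedicated IP"))
            if r.listener_port != r.backend_port:
                problems.append((r.name, "no port redirection: listener and back-end port must match"))
            if r.listener_port != STANDARD_PORTS.get(r.protocol) and not r.has_protocol_definition:
                problems.append((r.name, "nonstandard port requires a protocol definition"))
    return problems

# Constructed sample plan: one correct OWA rule plus deliberate planning mistakes.
PLANNED = [
    Rule("OWA", "web", "owa.example.com", "203.0.113.10", 443, 443, "https", cert_cn="owa.example.com"),
    Rule("CRM", "web", "203.0.113.10", "203.0.113.10", 443, 80, "https", cert_cn="crm.example.com"),
    Rule("RDP-A", "server", "203.0.113.11", "203.0.113.11", 3389, 3389, "rdp"),
    Rule("RDP-B", "server", "203.0.113.11", "203.0.113.11", 3389, 3389, "rdp"),
    Rule("Citrix", "server", "203.0.113.12", "203.0.113.12", 2598, 1494, "ica"),
]

if __name__ == "__main__":
    for name, problem in check_rules(PLANNED):
        print(f"{name}: {problem}")
```

Running the script lists six problems for the sample plan; only the OWA rule passes every check.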
How does non-HTTP publishing work?
As described at http://technet.microsoft.com/en-us/library/cc995257.aspx, the following communication happens between the client and the TMG server:
- Forefront TMG listens for requests on the external IP address that corresponds to the published server
- The client connects to that external IP address of the TMG server
- The TMG server tunnels the request to the IP address of the internal server
This article highlights the key differences between HTTP and non-HTTP publishing in Microsoft TMG; there may be a few more depending on the type of deployment. A typical deployment includes both server publishing rules and web publishing rules.