Monday, December 30, 2013

Joining TMG Server to Standalone Array in Workgroup Environment

Howdy,
We already did a small setup where we showed how to join a Threat Management Gateway Server to a Standalone Array in a Domain Environment. Here is the link to it:

http://tech.shashankaharitsa.in/2013/12/joining-tmg-server-to-standalone-array_30.html

Now we will join the Threat Management Gateway Server to a Standalone Array in a Workgroup Environment. Before proceeding further, I will assume the following are already taken care of:

1. Two Threat Management Gateway Servers are installed.
2. There is a Certificate Authority from which you can obtain a web server certificate with its private key.
3. You have a DNS infrastructure where both Threat Management Gateway Servers can resolve each other.
4. You have downloaded the cert tool used to bind the certificate from http://www.microsoft.com/download/en/details.aspx?id=11183 and you have installed it under “C:\Program Files\Microsoft Forefront Threat Management Gateway”

Here are my Servers and their names:

1. Threat Management Gateway Server 1 has the name MVMWGTMG01.wineng.in [ Note, wineng.in is a Suffix that we have added] and this will be Array Manager

2. Threat Management Gateway Server 2 has the name MVMWGTMG02.wineng.in [ Note, wineng.in is a Suffix that we have added]

3. Certificate Authority server is MVMCERT01.wineng.in

Requesting certificate from Certificate Authority

Log in to Threat Management Gateway Server 1, that is MVMWGTMG01.wineng.in, and open Internet Explorer. Enter the address of the Certificate Authority's Web Enrollment site and request a certificate for the FQDN MVMWGTMG01.wineng.in using a Web server template for which private key export is enabled. A custom template is needed because, with a Windows 2008 Server Certificate Authority, you cannot export the private key with the Web server template by default. That is off topic for now, and I will try to cover it in my next articles.


Click on Request a Certificate in the above page and you will see the next page where you will click on Advanced Certificate request.

In the Next page, Click on Create and Submit a request to this CA

Select a valid Web server template (in my case, a custom Web server template with the private key export option) and type in a valid name and friendly name. In my case that is mvmwgtmg01.wineng.in, the name I need the certificate for.

Make sure the Mark keys as exportable option is enabled on the same page, as below. Note that, as said earlier, the default Web server template from a Windows 2008 CA will have this option greyed out.


Click on the Submit button at the bottom of the page and you will see the response from the CA with the certificate, as shown below.

Click on Install this certificate and it will be now saved. To retrieve the certificate, go to the Internet Explorer options and go to the Content and click on Certificates to view the saved certificate.

 




Export the certificate along with its private key and place it under “C:\Program Files\Microsoft Forefront Threat Management Gateway” with the name certificate.pfx
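Before binding, it is worth confirming that the exported file really contains what the array needs. The PowerShell below is an added example, not part of the original walkthrough or of the TMG tooling; it assumes the path and FQDN used in this article and uses only standard .NET certificate classes.

```powershell
# Added example: sanity-check the exported PFX before binding it with ISACertTool.
# $PfxPath and $ExpectedFqdn are the values used in this walkthrough; adjust as needed.
$PfxPath      = 'C:\Program Files\Microsoft Forefront Threat Management Gateway\certificate.pfx'
$ExpectedFqdn = 'MVMWGTMG01.wineng.in'
$ServerAuth   = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

# Prompt for the PFX password so it is not stored in the script.
$Password = Read-Host -Prompt 'PFX password' -AsSecureString
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
$Problems = @()

# 1. The private key must have been exported together with the certificate.
if (-not $Cert.HasPrivateKey) { $Problems += 'PFX contains no private key' }

# 2. The certificate name must match the array manager FQDN (comparison is case-insensitive).
$Name = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($Name -ne $ExpectedFqdn) { $Problems += "Name '$Name' does not match $ExpectedFqdn" }

# 3. The certificate must be inside its validity period.
$Now = Get-Date
if ($Now -lt $Cert.NotBefore -or $Now -gt $Cert.NotAfter) { $Problems += 'Certificate is outside its validity period' }

# 4. If an Enhanced Key Usage extension is present, it must allow Server Authentication.
$Eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($Eku) {
    $Oids = @($Eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($Oids -notcontains $ServerAuth) { $Problems += 'EKU lacks Server Authentication' }
}

# 5. The chain must build on this machine (X509Chain defaults, including revocation lookup).
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $Chain.Build($Cert)) {
    $Chain.ChainStatus | ForEach-Object { $Problems += "Chain: $($_.StatusInformation.Trim())" }
}

if ($Problems.Count -eq 0) { "OK: $($Cert.Subject), thumbprint $($Cert.Thumbprint)" }
else { $Problems | ForEach-Object { "FAIL: $_" } }
```

The thumbprint printed on success can be compared with the certificate shown in the ISASTGCTRL service's personal store after binding.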

Binding certificate to ISASTGCTRL Service

Now, let's bind the certificate we requested to the ISASTGCTRL Service on the soon-to-be array manager server, in our case MVMWGTMG01.WINENG.IN.
Log in to the soon-to-be array manager server with the correct rights.
Go to the Command Prompt and execute the command below:

C:\Program Files\Microsoft Forefront Threat Management Gateway>ISACertTool.exe /st certificate.pfx /pswd 123 /keepcerts

You should see the output as below if things are correct.


To confirm the binding is correct, open the MMC Certificates snap-in for the ISASTGCTRL service and look in the Personal store. It should contain the certificate that we bound above, as below.


Joining Workgroup TMG Server to Array

Now that things are in place on the Array Manager, let's see what we need to do on the member server.
In my case the soon-to-be array member is mvmwgtmg02.wineng.in. The first thing we need to do is make it trust the Certificate Authority from which we requested the Web Auth certificate for the soon-to-be Array Manager server. So, you will need to add the CA “Wineng Certificate Authority” to the trusted certification authorities.
Once you have added the certificate authority to the trusted certification authorities, open the Threat Management Gateway console on the soon-to-be array member server [ mvmwgtmg02.wineng.in ].
Click on Join Array as below.

In the Array Join Wizard, select “Join a standalone array managed by a designated array member (array manager)” and click next

In the next window, type in the name of the array manager [ with FQDN ], give the administrative account info if need be, and click Next.

Next, you will be asked to add the Root certification authority. In our case we have already added it, so we will select option 2 and click Next.

Click on Finish to complete array joining wizard.



As soon as you click on Finish, you will see the array join progress notification as below, and eventually it completes.


 




That completes joining the server to the array. Now, let's confirm it by opening the Forefront Threat Management Gateway console on our newly added Array Member.
The first thing you will notice is that it connects to MVMWGTMG01.WINENG.IN, which is our Array Manager. If you click on System in the left pane of the console, you will see the information as below, which clearly tells you which server is the Array Manager and which is the Array Member.



So, that is how to add an Array Member to a Standalone Array in the Workgroup scenario.
