07 September 2012

Installing certificates on MS Forefront 2010 with Threat Management Gateway

This post is pretty much a no-brainer, but in the context of the hassles I had with this site I've decided to include it here to close the chapter (and seeing that it had two other senior engineers stumped, one a network guru and the other an Exchange guru, it seems worthwhile to note).

After installing all the certificates for MS Exchange 2010 and getting the Certificate Revocation status verified, all internal access to Exchange 2010 was secured via SSL. The challenge was now getting the remote users secured.

Note this is a solution pertaining specifically to a Threat Management Gateway and you don't need to do this if you aren't using Forefront.

I had dotted all the i's and crossed all the t's, but the darned thing still gave a certificate error when accessing remotely. Checking the TMG's firewall properties, I verified that the HTTPS listeners for Outlook Anywhere, ActiveSync and Exchange Web App were using the correct certificates, but it still wasn't working.

Then I noticed that the certificates inside the MMC snap-in were showing as plain old certificates without the embedded private key, so I tried this:
  • On the MS Exchange 2010 server, export the Exchange certificate WITH the private key
  • In the TMG MMC snap-in, import the Exchange certificate WITH the private key
  • Go to the Forefront TMG dashboard, Firewall Policy...
    • Select each service (Allow Outlook Anywhere; Allow Exchange Active Sync; Allow Exchange Web App) and ...
      • Properties -> Listener -> Properties -> Certificates -> Select Certificate -> Choose the new one -> OK
      • Apply changes to TMG
      • SOLVED!
  • Note: this forum post suggests you don't need the full certificate from Exchange but I haven't tried this so I can't verify it or dispute it...
    On Exchange
    open mmc -> certificates -> computer account -> local computer
       personal -> certificates -> right click on exchange -> all tasks -> export
       do not export private key
       base64 encoded x.509 (.CER)
       filename: exchange-crt.txt

    On TMG
    open mmc -> certificates -> computer account -> local computer
       trusted root certification authorities -> certificates -> right click -> all tasks -> import
       file: exchange-crt.txt
       place in the following store: Trusted Root Certification Authorities
The original certificate has the key, not the newly imported ones. Without the key embedded, it didn't work.
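The same export-with-key, import, and "does the listener's certificate actually carry a private key?" check, scripted in PowerShell as an added example (not from the original post, and not TMG's or Exchange's own tooling). It assumes a constructed host name mail.example.com in the certificate subject, a placeholder PFX path and password, and that the Exchange certificate's key was marked exportable when it was issued.

```powershell
# --- 1. On the Exchange server: confirm the cert holds its private key, then export as PFX ---
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
# "mail.example.com" is a constructed subject name; replace with your own
$cert = $store.Certificates | Where-Object { $_.Subject -like "*mail.example.com*" } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "Exchange certificate not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "This certificate has no private key; export from the server that holds it" }

$pfxPath     = "C:\temp\exchange.pfx"         # placeholder path
$pfxPassword = "PLACEHOLDER-PFX-PASSWORD"      # placeholder; use a strong one-time password
# Pfx export includes the private key (fails if the key was issued as non-exportable)
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# --- 2. On the TMG server: import the PFX so the key is persisted in the machine store ---
# MachineKeySet keeps the key under the computer account (the TMG service is not a user session);
# PersistKeySet stops the key being discarded when this PowerShell session ends.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($imported)
$store.Close()
Remove-Item $pfxPath   # the PFX is a copy of the private key; don't leave it on disk

# --- 3. Verify: a listener can only use a certificate that shows HasPrivateKey = True ---
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

A certificate that shows HasPrivateKey = False in step 3 is the "plain old certificate" symptom from the post and will not work on the listener, whatever the MMC import says.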

