Configuring DataNow with Forefront TMG

Version 1

    Verified Product Versions

    AppSense DataNow 3.6AppSense DataNow 3.5AppSense DataNow 3.0AppSense DataNow 2.0AppSense DataNow 4.0

    Introduction

    It's possible to leverage a reverse proxy to provide access to DataNow. This technote provide an example of how Microsoft Forefront TMG (Threat Management Gateway) can be configured to provide access to DataNow in either an SSL-Bridged or SSL-Offload configuration.

    CAUTION: whilst every effort has been taken to ensure the steps are accurate, this configuration has not been officially tested by AppSense QA and is provided on a best-effort basis only.

     

    Detail

    The first step is to configure a listener to listen on a chosen SSL port with a valid certificate that will be trusted by the connecting DataNow clients.

    - In Forefront TMG, select 'Firewall Policy' in the console tree and in the 'Task' pane, click the toolbox tab

    - Select 'Network Objects' then click New \ Web listener to launch the New Web Listener wizard.

    - In the Wizard, choose 'select Require SSL secured connections with clients.'

    - On the Web Listener IP address page, choose an appropriate IP to bind the SSL certificate to and designate the interfaces that will service inbound DataNow client traffic

    - On the Listener SSL certificate page, choose the certificate that will be installed on or trusted by the DataNow clients (the CN or SAN attribute must match the URL used by the DataNow clients to reach the proxy server)

    - Under 'Authentication Settings' choose 'No Authentication' (This is handled by DataNow)

    - Complete the wizard to finish adding the listener.

     

    The next step is to add the publishing (reverse proxy) rule.

    - In the 'tasks' pane/tab, click 'publish web sites'

    - Choose a friendly name to identify the rule, and on the 'rule action' page, choose 'allow'.

    - On the 'publishing type' page, choose 'Publish a single Web site or load balancer'

    - On the 'Server Connection Security' page, either choose 'Use SSL to connect..' for SSL-bridging, or choose 'non-secured connections' if using SSL-offload.

    Note: An SSL offload configuration offers the best performance for DataNow if unencrypted traffic between the TMG and DataNow appliance is not a concern.

    - On the internal publishing details page, type the FQDN of the DataNow appliance  and the IP address (for correct routing in a split-brain DNS or separate namespace environment)

    - On the Public Name details page, type the FQDN that the connecting clients will use to reach DataNow

    - On the authentication delegation page, select 'No delegation, but client may authenticate directly.'

    - On the 'user sets' page, apply the policy to 'all users' (since DataNow is handling the authentication layer)

    - Complete the wizard to finish.

    In order to ensure compatibility with high-bit characters from non-windows clients, right-click the newly created rule and select 'configure HTTP'

    Under 'URL Protection' deselect 'block high bit characters' and click Apply

    Apply changes to complete.

     

    Also be aware that Web Proxy caching can have a negative impact on the iOS and Mac DataNow clients, which can cause the HTTP-Accept response to be dropped which can lead to symptoms such as blank previews opening documents, and sync problems - we recommend the appliance URL is excluded from this rule.

     

    NOTE: If you are using SSL-Bridging, ensure that the certificate used by DataNow is the same as the certificate installed on the web listener