- Purchase SSL certificate from your preferred supplier.
- Install certificate into Foldr following the installation guide.
- Install certificate on TMG server.
Note you must convert the private key and signed certificate using to a PKCS#12 (single file) using the following OpenSSL command:openssl pkcs12 -export -out Foldr.p12 -inkey foldrdecrypt.key -in foldr.crt -certfile CAroot.crt
This will generate a PKCS#12 file called Foldr.p12 in your working directory, and assumes the private key is called foldrdecrypt.key, the signed certificate is called foldr.crt and the CA Root for your provider is called CAroot.crt.
Ensure you install the PKCS#12 certificate using the MMC snap in > Certificates > Local Computer > Personal (rather than double clicking to import)
Install the CA root certificate in addition to the above in Trusted Root Authority Certificates, using the MMC as above.
- Create a new listener on TMG:
a) General tab – name “Foldr SSL”
b) Networks tab – External network on the external IP address you will be using.
c) Connections tab – Enable HTTP connections on port 80, Enable SSL (HTTPS) connections on port 443, ‘Do not redirect traffic from HTTP to HTTPS
d) Certificates tab – use single certificate for this Web Listener (select the SSL certificate you imported in step 3).
e) Authentication tab – No authentication
f) Forms tab – n/a
g) SSO tab – n/a - Create new Web Publishing policy:
a) General tab – name “Foldr”
b) Action tab – ‘Allow’
c) From tab – ‘Anywhere’
d) To tab – This rule applies to this published site ‘foldr.externaldomain.com’, ‘Computer name or IP address’ or applicable internal name or IP, Proxy requested to published site set to ‘Requests appear to come from the original client’.
e) Traffic tab – HTTP and HTTPS should be listed automatically (from settings in step 4c). Do not select ‘Notify HTTP users to use HTTPS instead’.
f) Listener tab – select ‘Foldr SSL’ listener created in step 3.
g) Public Name – select ‘Requests for the following web sites’ and add ‘foldr.externaldomain.com’.
h) Paths tab – leave as default (<same as internal> to /*)
i) Authentication Delegation tab – ‘No delegation, but client may authenticate directly’.
j) Application Settings tab – n/a
k) Bridging tab – select Web server, enable ‘Redirect request to HTTP port’ and set to 80, enable ‘Redirect requests to SSL port’ and set to 443. Do not select ‘Use a certificate to authenticate to the SSL Web server’.
l) Users tab – ‘All users’ (must NOT be ‘All authenticated users’).
m) Schedule tab – whatever settings you require, but usually ‘Always’
n) Link Translation – do not select ‘Apply link translation to this rule’.