Enabling RDP management access to Forefront TMG 2010

Over the last few weeks I have been building up a new home lab system for production and semi-production testing.

The system runs on my new Dell Vostro 430 machine with i780 CPU and 16GB of RAM and hosts Exchange 2010 SP1 and Lync 2010 RC amongst other things.

One of the other things is the Forefront TMG box that publishes various content to the Internet. Until recently I was managing TMG via the console viewer in Hyper-V, however on Friday last week a colleague helped me set up RDP access to it from the internal network. Here’s how:

First open up Forefront TMG Management console and in the left hand pane click on Firewall Policy.

In the far right pane, click on Toolbox and drill down into Computer Sets to find Enterprise Remote Management.


Double click Enterprise Remote Management to open the set and then use the Add button to ensure that the machines you will manage TMG from are listed. Adding your whole internal subnet works, but it means every host on the LAN can reach the firewall’s RDP listener; adding just the administrator workstations is the tighter choice.


Next back in the left hand pane right click Firewall Policy and create a new access rule:


You should give the rule a meaningful name like TMG RDP Management and then set up the rule to allow the RDP (Terminal Services) protocol from the Internal network to the Local Host network (that is, to the TMG server itself). Because the destination is the firewall, keep the source as narrow as you can: the computer set from the previous step can be used as the source instead of the whole Internal network.


At this point click Apply to save the new configuration, then enjoy being able to manage your TMG box via RDP from your LAN. The rule only allows RDP from the Internal network to the firewall itself; nothing here exposes it to the External network, and it should stay that way.
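As an added example that is not part of the original post, here is the same change scripted against the Forefront TMG administration COM object (FPC.Root, installed with the TMG Management console) instead of clicked through the console. It tightens the post’s rule in one respect: only named administrator workstations (constructed addresses) go into the computer set, and that set, rather than the whole Internal network, is the rule’s source. The set and rule names are the ones the post uses; where the set lives in the object model (array or enterprise level) depends on the edition, so the script looks in both. The numeric constants are the SDK enumeration values fpcPolicyRuleActionAllow (0), fpcSpecifiedProtocols (1) and fpcInclude (0).

```powershell
# Added example, not from the original post: the GUI steps above scripted against
# the TMG administration COM object. Run in an elevated PowerShell on the TMG
# server itself (GetContainingArray must be called on an array member).
#
# Assumptions: workstation names and addresses below are constructed; the set and
# rule names are the ones used in the post.
$RuleName   = 'TMG RDP Management'
$SetName    = 'Enterprise Remote Management'
$AdminHosts = @{                        # constructed sample addresses, edit for your LAN
    'admin-ws01' = '192.168.10.21'
    'admin-ws02' = '192.168.10.22'
}

$fpc   = New-Object -ComObject 'FPC.Root'
$array = $fpc.GetContainingArray()

# 1. Find the computer set. On Enterprise Edition the set the post names lives under
#    the enterprise, so check array level first and then enterprise level.
$containers = @($array.RuleElements.ComputerSets)
try { $containers += $fpc.Enterprise.RuleElements.ComputerSets } catch { }
$set = $null
foreach ($sets in $containers) {
    try { $set = $sets.Item($SetName); break } catch { }
}
if (-not $set) { throw "Computer set '$SetName' not found" }

# 2. Add only the management workstations. Adding the whole internal subnet, as the
#    post does, lets every LAN host reach the firewall's RDP listener.
foreach ($h in $AdminHosts.GetEnumerator()) {
    $set.Computers.Add($h.Key, $h.Value) | Out-Null
}
$set.Save()

# 3. The access rule: RDP (Terminal Services) from the management set to Local Host,
#    i.e. to the TMG server itself. Numeric values are the SDK enumerations:
#    fpcPolicyRuleActionAllow = 0, fpcSpecifiedProtocols = 1, fpcInclude = 0.
$rules = $array.ArrayPolicy.PolicyRules
$rule  = $rules.AddAccessRule($RuleName)
$rule.Action = 0
$rule.AccessProperties.ProtocolSelectionMethod = 1
$rule.AccessProperties.SpecifiedProtocols.Add('RDP (Terminal Services)', 0) | Out-Null
$rule.SourceSelectionIPs.ComputerSets.Add($SetName, 0) | Out-Null
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add('Local Host', 0) | Out-Null
$rule.Save()

# 4. Check from a workstation (PowerShell 2.0 has no Test-NetConnection): a plain TCP
#    connect to 3389 with a timeout, so a silently dropped packet does not hang the shell.
function Test-TcpPort([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}
# Test-TcpPort -ComputerName 'tmg01'
```

Run Test-TcpPort twice: once from a workstation that is in the set (it should connect) and once from a LAN host that is not (it should time out). The second check is the one that proves the rule is as narrow as intended.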



Outlook Web Access URL simplify – Redirect OWA

This is a very frequently discussed topic, so much so that I, along with others, recently asked whether something could be built into a future version of Exchange to do this out of the box.

Well, after I asked, another Exchange MVP, Pat Richard, pointed me to a script he had written which does everything that is needed.

Interestingly, there is a little more to it than you might think!

IIS 7 and 7.5, which ship with Server 2008 and Server 2008 R2 respectively, both have an HTTP Redirection feature, which Exchange client access already uses to provide for legacy clients.

We can use it to redirect from the root of the Default Web Site to OWA, but that requires some SSL changes. The root site has Require SSL set, so a plain http://mail.domain.com request is refused (HTTP 403.4) before the redirect ever runs; we must turn off the SSL requirement on the root site to allow the redirect of http://mail.domain.com to https://mail.domain.com/owa.

However, doing that in the GUI for the root of the site will also uncheck Require SSL for a bunch of sub-sites (like OWA)! Not what we want at all: OWA must stay HTTPS-only. You can of course go through and manually set things back how they should be, but using the script Pat provides it is all done for you!

One final thing the script does is set permissions on the web.config file that is created in the OAB virtual directory as part of the redirect process (IIS writes one there when the inherited redirect is switched off for OAB); without the right permissions on that file, clients cannot download the Offline Address Book.

Oh, and finally it takes a backup before it starts! 🙂

To get the script, look at Pat’s blog post here.

For a lot more info on the redirect subject in general, including more on the Offline Address Book (OAB) problem, check out Henrik’s post here.

Having done this, anyone hitting the root of the default website on the CAS server over plain HTTP will be redirected to the correct OWA URL.
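As an added example that is not Pat Richard’s script (which is what the post recommends and links to), here is the sequence the post describes carried out with the WebAdministration module on an Exchange 2010 CAS. It records the SSL and redirect state of every child application and virtual directory before touching the root, so the root change can be undone only where it spilled over, and it leaves alone any child that already had its own redirect (the legacy Exchange, Exchweb and Public directories). Assumptions: mail.domain.com is the post’s placeholder host name; $env:ExchangeInstallPath is the environment variable Exchange setup defines; the principal granted read on the OAB web.config is an assumption about what OAB clients need, not something the post states.

```powershell
# Added example, not Pat Richard's script: the redirect the post describes, done with
# the WebAdministration module on an Exchange 2010 CAS (IIS 7.5 on Server 2008 R2).
# Run in an elevated PowerShell on the CAS.
#
# Assumptions: the host name is the post's placeholder; $env:ExchangeInstallPath is set
# by Exchange setup; the principal granted read on the OAB web.config is an assumption.
Import-Module WebAdministration
Import-Module ServerManager

$Site   = 'Default Web Site'
$OwaUrl = 'https://mail.domain.com/owa'            # placeholder host name from the post
$Root   = "IIS:\Sites\$Site"

# Reads one IIS configuration attribute, unwrapping the ConfigurationAttribute object
# the cmdlet returns for some properties so the value can be written back later.
function Get-IisProp([string]$PSPath, [string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($v -ne $null -and ($v | Get-Member -Name Value)) { return $v.Value }
    return $v
}

# 0. HTTP Redirection is a separate role service; without it httpRedirect is ignored.
if (-not (Get-WindowsFeature Web-Http-Redirect).Installed) {
    throw 'Install the IIS "HTTP Redirection" role service first.'
}

# 1. Back up applicationHost.config before touching anything.
& "$env:windir\system32\inetsrv\appcmd.exe" add backup "OwaRedirect-$(Get-Date -Format yyyyMMdd-HHmmss)"

# 2. Record the SSL and redirect settings of every child application and virtual
#    directory, so the root change can be undone only where it spilled over
#    (the "bunch of sub-sites" problem from the post).
$children = @(Get-WebApplication -Site $Site) + @(Get-WebVirtualDirectory -Site $Site) |
    ForEach-Object { $_.path } | Where-Object { $_ -and $_ -ne '/' } | Sort-Object -Unique
$before = @{}
foreach ($p in $children) {
    $path = "$Root\$($p.TrimStart('/').Replace('/', '\'))"
    $before[$p] = @{
        ssl      = Get-IisProp $path 'system.webServer/security/access' 'sslFlags'
        redirect = [bool](Get-IisProp $path 'system.webServer/httpRedirect' 'enabled')
    }
}

# 3. Root only: allow plain HTTP (a Require SSL root answers 403.4 before redirecting)
#    and redirect every request exactly to the OWA URL.
Set-WebConfigurationProperty -PSPath $Root -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'
Set-WebConfigurationProperty -PSPath $Root -Filter 'system.webServer/httpRedirect' -Name 'destination'      -Value $OwaUrl
Set-WebConfigurationProperty -PSPath $Root -Filter 'system.webServer/httpRedirect' -Name 'exactDestination' -Value $true
Set-WebConfigurationProperty -PSPath $Root -Filter 'system.webServer/httpRedirect' -Name 'childOnly'        -Value $false
Set-WebConfigurationProperty -PSPath $Root -Filter 'system.webServer/httpRedirect' -Name 'enabled'          -Value $true

# 4. Put the children back: the root's new values are inherited, so re-apply each
#    child's SSL setting and switch the redirect off wherever it was not already on
#    (Exchange, Exchweb and Public keep their own legacy redirects).
foreach ($p in $children) {
    $path = "$Root\$($p.TrimStart('/').Replace('/', '\'))"
    if ($before[$p].ssl -ne $null) {
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $before[$p].ssl
    }
    if (-not $before[$p].redirect) {
        Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/httpRedirect' -Name 'enabled' -Value $false
    }
}

# 5. Disabling the inherited redirect on OAB writes a web.config into the OAB folder;
#    clients must be able to read it or OAB downloads fail. Principal is an assumption.
$oabConfig = Join-Path $env:ExchangeInstallPath 'ClientAccess\OAB\web.config'
if (Test-Path $oabConfig) {
    & icacls.exe $oabConfig /grant 'Authenticated Users:(RX)'
}

# 6. Check from any machine: plain HTTP to the root should come back as a redirect
#    whose Location header is the OWA URL. Auto-redirect is off so we see the 30x itself;
#    4xx/5xx also carry a response object, so they are reported rather than thrown.
function Test-OwaRedirect([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if (-not $resp) { throw "No HTTP response from $Url" }
    try   { return @{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] } }
    finally { $resp.Close() }
}
# Test-OwaRedirect 'http://mail.domain.com/'
```

After running it, also browse to https://mail.domain.com/owa directly and to http://mail.domain.com/owa: the first must still work over HTTPS only, and the second must still be refused, which confirms that Require SSL survived on the OWA directory.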

Finally, in a future post I will investigate how this might change when publishing with ISA/TMG.