Enabling RDP management access to Forefront TMG 2010

Over the last few weeks I have been building up a new home lab system for production and semi production testing.

The system runs on my new Dell Vostro 430 machine with i780 CPU and 16GB of RAM and hosts Exchange 2010 SP1 and Lync 2010 RC amongst other things.

One of the other things is the Forefront TMG box that publishes various content to the Internet. Until recently I was managing TMG via the console viewer on Hyper-V, however on Friday last week a colleague helped me set up internal RDP access for remote desktop. Here’s how:

First open up Forefront TMG Management console and in the left hand pane click on Firewall Policy.

In the far right pane, click on Toolbox and drill down into Computer Sets to find Enterprise Remote Management.

Double click Enterprise Remote Management to open the set and then use the Add button to ensure that your internal subnet is listed.

Next back in the left hand pane right click Firewall Policy and create a new access rule:

You should give the rule a meaningful name like TMG RDP Management and then set up the rule to allow RDP (Terminal Services) traffic from the Internal network only to the Local Host.

At this point save all the new configuration and enjoy being able to manage your TMG box via RDP from your LAN.

Digicert being most impressive!

I’ve blogged about Digicert before, but over the last few days I’ve had yet another chance to use them and been seriously impressed!

I was setting up an OCS 2007 R2 lab and got to the section where I needed to set up Forefront TMG to proxy connections to the OCS Web Components on my Standard Edition front end.

I created the cert request using the certificate wizard in the OCS administrative tools as it is the easiest way I know to mark the private key as exportable.

Having done that I submitted the request to Digicert and, because it was a domain I have already validated, the certificate was issued within five minutes.

I installed the certificate on the Front End, exported it, and installed it on the Forefront TMG box.

Then for testing I accessed the relevant website externally. Things looked like they worked, but on one device I got a trust error. It was late, and I didn’t have time to investigate, so I left it.

The next day I received an email from Digicert as below:

We just ran an installation check on the DigiCert SSL certificate that you installed on proxy.domain.co.uk and it appears that the server needs to be configured for maximum compatibility. You will need to install the Intermediate certificates to the server in order to ensure compatibility with legacy browsers and mobile devices.

On Windows platforms, the easiest way to do this is to use our certificate utility. Just visit http://www.digicert.com/util and download the Certificate Management Tool. After running it on the server, click the Repair button. Some servers require restarting the services or restarting the whole server after making this change.

You can verify that the problem is fixed at http://www.digicert.com/help/index.htm?host=proxy.domain.co.uk

If you have any problems correcting this issue, please contact our helpful support team and we will be happy to help.

Now I knew about the utility and have blogged about it before, but to be told proactively that this was the problem was brilliant!

I ran the utility, it installed the intermediate CAs properly and all is well!
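The missing-intermediate problem DigiCert flagged can be checked yourself by reading the `Certificate chain` block that `openssl s_client -connect host:443 -showcerts` prints and confirming that every issuer the server relies on is either sent in the chain or is a root the client already trusts. The Python below is an added example, not from this post or from DigiCert's tool; the two chain texts, the CA names and the root list are constructed, with only the hostname taken from the post.

```python
import re

# Constructed sample of the "Certificate chain" header that
# `openssl s_client -showcerts` prints (PEM blocks omitted).
# Case 1: the server sends only the leaf, as on the mis-configured proxy.
INCOMPLETE_CHAIN = """\
Certificate chain
 0 s:CN = proxy.domain.co.uk
   i:C = US, O = Example CA, CN = Example Intermediate CA
"""

# Case 2: the server sends leaf plus intermediate, as after the repair.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:CN = proxy.domain.co.uk
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
"""

# Constructed stand-in for the client's root store: subjects of trusted roots.
# A legacy browser or phone with a small store is exactly the client that
# cannot fill in a missing intermediate on its own.
TRUSTED_ROOTS = {"C = US, O = Example CA, CN = Example Root CA"}


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    return list(zip(subjects, issuers))


def missing_intermediates(chain, roots):
    """Issuers the client would have to locate itself (i.e. not sent, not a root)."""
    sent = {subject for subject, _ in chain}
    missing = []
    for subject, issuer in chain:
        if issuer == subject or issuer in roots:
            continue  # self-signed, or chains straight to a trusted root
        if issuer not in sent:
            missing.append(issuer)
    return missing


if __name__ == "__main__":
    for label, text in (("before repair", INCOMPLETE_CHAIN), ("after repair", COMPLETE_CHAIN)):
        print(label, "-> missing:", missing_intermediates(parse_chain(text), TRUSTED_ROOTS))
```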

Thanks, Digicert!

Note: As an Exchange MVP, DigiCert has provided me certificates to use in test labs, without which I may not have had the opportunity to try their service.