TMG 2010 as an AD FS 2.0 Proxy?

Back in November when testing TMG and AD FS 2.0, I messed around with TMG delegation and AD FS 2.0 with little success. A couple of months on and a bit of time away from the problem seem to have helped!

TMG has no AD FS proxy functionality at present, so, unlike UAG with SP1, it cannot act as an in-line authentication proxy for claims-aware applications such as SharePoint 2010. TMG can, however, stand in for the AD FS proxy for logon purposes, in a roundabout way. In this post I illustrate how.

It’s done by setting up two web listeners within TMG, so I’m kind of cheating.  Yes, there’s always a downside 😉


As per standard TMG fare, each listener needs its own public IP address and a certificate valid for the host name it publishes. In my test setup I used the same wildcard certificate for both. The two listeners are configured as follows:

  • A listener using forms-based authentication (FBA) against Active Directory. This performs the AD FS proxy function for the STS.
  • A listener with no authentication configured. This reverse-proxies traffic to the claims-aware web applications, which rely on the federated logon rather than on TMG for authentication.

In addition, at least two web publishing rules are required, one per listener:


The first publishes the AD FS server(s), sts.mydomain.com, through the FBA listener; the second publishes the claims-aware web application(s) through the anonymous listener. In this example that is SharePoint 2010 team sites at teams.mydomain.com.

When configured correctly (an oxymoron in a sandpit; see the footnote at the end), TMG works in a proxy capacity for the AD FS service. One use case that springs to mind is mixing authentication schemes: enforce a stronger scheme on the TMG web listener, e.g. SecurID, and then have the publishing rule's authentication delegation pass the user's back-end AD account on to AD FS for the federated username/password logon.

In short, the key to making this work is a separate listener for the TMG "AD FS proxy", independent of the reverse proxy listener used for the claims-aware web applications.
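Before trusting the split, it is worth checking from the outside that each listener does what it should. The PowerShell smoke test below is an added example of mine, not code from the original post. It takes the host names sts.mydomain.com and teams.mydomain.com from the post and assumes the redirect shapes that SharePoint 2010 claims authentication (a 302 to /adfs/ls/?wa=wsignin1.0) and TMG forms-based authentication (a 302 to /CookieAuth.dll?GetLogon) normally produce; confirm those against your own build.

```powershell
# Smoke test for the two-listener layout: added example, not from the original
# post. Host names come from the post; the expected redirect shapes (SharePoint
# 2010 sending anonymous users to /adfs/ls/?wa=wsignin1.0, TMG FBA answering
# with /CookieAuth.dll?GetLogon) are assumptions to confirm against your build.
# Written for Windows PowerShell 5.1; run from a client outside the TMG.

function Get-RedirectTarget {
    # One GET with redirects disabled. Windows PowerShell surfaces the 3xx as a
    # WebException whose Response still carries the status and Location header.
    param([Parameter(Mandatory)][string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode; $location = $r.Headers['Location']
    } catch {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }   # DNS, TCP or TLS failure: nothing to inspect
        $status = [int]$resp.StatusCode; $location = $resp.Headers['Location']
    }
    [pscustomobject]@{ Uri = $Uri; Status = $status; Location = $location }
}

function Test-TmgAdfsPublishing {
    param(
        [string]$AppUrl  = 'https://teams.mydomain.com/',
        [string]$StsHost = 'sts.mydomain.com'
    )
    $ok = $true
    $appHost  = ([uri]$AppUrl).Host
    $stsRegex = [regex]::Escape($StsHost)

    # 1. Each listener needs its own public IP, so the two names must not
    #    resolve to a shared address.
    $appIps = [System.Net.Dns]::GetHostAddresses($appHost) | ForEach-Object { $_.ToString() }
    $stsIps = [System.Net.Dns]::GetHostAddresses($StsHost) | ForEach-Object { $_.ToString() }
    if ($appIps | Where-Object { $stsIps -contains $_ }) {
        Write-Warning "$appHost and $StsHost share an IP address; each listener needs its own."
        $ok = $false
    }

    # 2. Anonymous listener: TMG must not challenge. SharePoint itself should
    #    bounce the unauthenticated request to the STS with wa=wsignin1.0.
    $app = Get-RedirectTarget -Uri $AppUrl
    if ($app.Location -match '/CookieAuth\.dll') {
        Write-Warning "App listener is serving a TMG logon form; it should be anonymous."
        $ok = $false
    } elseif ($app.Status -ne 302 -or $app.Location -notmatch "^https://$stsRegex/adfs/ls/\?.*wa=wsignin1\.0") {
        Write-Warning "App listener: expected 302 to https://$StsHost/adfs/ls/?wa=wsignin1.0..., got $($app.Status) -> $($app.Location)"
        $ok = $false
    }

    # 3. FBA listener: the STS URL must be answered by TMG's own logon form on
    #    the STS name, i.e. TMG is in the path and AD FS is not reached directly.
    $stsUrl = if ($app.Location -match "^https://$stsRegex/") { $app.Location }
              else { "https://$StsHost/adfs/ls/?wa=wsignin1.0" }
    $sts = Get-RedirectTarget -Uri $stsUrl
    if ($sts.Status -ne 302 -or $sts.Location -notmatch "^https://$stsRegex/CookieAuth\.dll\?GetLogon") {
        Write-Warning "STS listener: expected 302 to https://$StsHost/CookieAuth.dll?GetLogon..., got $($sts.Status) -> $($sts.Location)"
        $ok = $false
    }

    return $ok
}

if (Test-TmgAdfsPublishing) { 'Both listeners behave as expected.' } else { 'Check the warnings above.' }
```

Run it from a client that has no cookies for either name, so TMG sees a fresh session. If the sandpit uses a certificate the client does not trust, import it into the client's trusted root store for the test rather than disabling certificate validation, otherwise the TLS failure in step 2 or 3 masks a listener misconfiguration.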

Footnote

As usual, this is a test sandpit. Don't use it in a production environment until you've battered it senseless with the testing stick. I've tried this with various authentication schemes so far and it works. Will continue testing... if I break it meanwhile, I'll post an update. Enjoy!
