If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see
Microsoft Forefront TMG: CSR Creation Instructions.

Microsoft TMG Forefront: Installing an SSL Certificate Using the ¶ºÒõ¹Ý® Certificate Utility for Windows

After we validate and issue your SSL Certificate, you can use the ¶ºÒõ¹Ý® Certificate Utility for Windows to install your SSL Certificate to the Forefront TMG Server. Then, you can use Forefront TMG Management to create a new Web Listener (or update an existing one) and configure it to use the new certificate.

Because every environment is different (for example, your settings may be configured differently), you may need to consult your Microsoft Forefront TMG documentation, particularly for more advanced configuration.

Forefront TMG: Using the ¶ºÒõ¹Ý® Certificate Utility for Windows to Install Your SSL Certificate

  1. On the server where you created the CSR, save the SSL Certificate .cer file (for example, your_domain_com.cer) that ¶ºÒõ¹Ý sent to you.

  2. Run the ¶ºÒõ¹Ý® Certificate Utility for Windows.

    Double-click ¶ºÒõ¹ÝUtil.

  3. In ¶ºÒõ¹Ý Certificate Utility for Windows©, click SSL (gold lock) and then click Import.


  4. In the Certificate Import window, under File Name, click Browse to browse to the .cer certificate file (for example, your_domain_com.cer) that ¶ºÒõ¹Ý sent you, select the file, click Open, and then click Next.


  5. In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add ¶ºÒõ¹Ý and the expiration date to the end of your friendly name, for example: yoursite-¶ºÒõ¹Ý-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.


  6. Click Finish.

    The SSL Certificate should now be imported to the Windows keystore.

  7. You can now set up your Web Listener rules in the firewall policy.
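A check you can run before moving on to the Web Listener, as an added example that is not part of the original instructions or of the Certificate Utility: it confirms that the imported certificate has its private key (which is why step 1 uses the server where the CSR was created), shows the friendly name and expiry, and builds the chain. It assumes the import placed the certificate in the Local Computer Personal store (`Cert:\LocalMachine\My`); `your_domain.com` is a placeholder.

```powershell
# Added example: inspect the imported certificate in the Local Computer Personal store.
# Assumptions: store location is Cert:\LocalMachine\My; 'your_domain.com' is a placeholder.
$DnsName = 'your_domain.com'

function Test-ImportedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain so missing or untrusted intermediates show up here,
    # not later as client-side trust errors.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk  = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        FriendlyName  = $Cert.FriendlyName
        Thumbprint    = $Cert.Thumbprint
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        DaysLeft      = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        # A certificate without its private key cannot be used for the listener.
        HasPrivateKey = $Cert.HasPrivateKey
        ChainOk       = $chainOk
        ChainProblems = ($problems -join ', ')
    }
}

# Match on the subject CN; a name that appears only in the SAN will not match this filter.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$DnsName*" } |
    ForEach-Object { Test-ImportedCertificate $_ } |
    Format-List Subject, FriendlyName, Thumbprint, Issuer, NotAfter, DaysLeft,
                HasPrivateKey, ChainOk, ChainProblems
```

If `HasPrivateKey` is `False`, the certificate was imported on a machine other than the one that generated the CSR. If several entries are listed for the same domain, the friendly name and `NotAfter` values tell the new certificate from the old one.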

How to Set Up a New Web Listener on Your Forefront TMG Server

  1. On your server, open Forefront TMG Management.

    In the Windows Start menu, click All Programs > Microsoft Forefront TMG > Forefront TMG Management.

  2. In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server) and then, click Firewall Policy.


  3. On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects and then, click New > Web Listener.


  4. In the New Web Listener Definition Wizard, on the Welcome to the New Web Listener Wizard page, in the Web listener name box, type a name for your web listener (for example, RDGatewayWebListener) and then click Next.


  5. On the Client Connection Security page, select Require SSL secured connections with clients and then, click Next.


  6. On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, check Internal and then, click Select IP Address.


  7. In the Internal Network Listener IP Selection window, select Specified IP addresses on the Forefront TMG computer in the selected Network.


  8. Under Available IP Addresses, select your IP address, click Add, and then, click OK.


  9. On the Web Listener IP Addresses page, click Next.


  10. On the Listener SSL Certificates page, select Use a single certificate for this Web Listener and then, click Select Certificate.


  11. In the Select Certificate window, under Select a certificate from the available list of certificates, select your ¶ºÒõ¹Ý issued SSL Certificate, and then, click Select.


  12. On the Listener SSL Certificates page, click Next.


  13. On the Authentication Settings page, in the Select how clients will provide credentials to Forefront TMG drop-down list select No Authentication and then, click Next.


  14. On the Single Sign On Settings page, click Next.


  15. On the Completing the New Web Listener Wizard page, review your settings, and if everything is accurate, click Finish.


  16. To save your changes and update your configuration, in the Forefront TMG window, click Apply.


  17. In the Save Configuration Changes window, make sure that the configuration updates are saved, and then, click OK.


  18. You have successfully installed your SSL Certificate to the Forefront TMG Server.

Test Your Installation

If your website is publicly accessible, our ¶ºÒõ¹Ý® SSL Installation Diagnostics Tool can help you diagnose common problems.

Troubleshooting

If you run into certificate errors, try repairing your certificate trust errors using ¶ºÒõ¹Ý® Certificate Utility for Windows. If this does not fix the errors contact support.

How to Replace the SSL Certificate in an Existing Web Listener on Your Forefront TMG Server

  1. On your server, open Forefront TMG Management.

    In the Windows Start menu, click All Programs > Microsoft Forefront TMG > Forefront TMG Management.

  2. In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server) and then, click Firewall Policy.


  3. On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects > Web Listeners, select the Web Listener whose certificate you want to replace with your new SSL Certificate (for example, RDGatewayWebListener), and then click Edit.


  4. In your WebListenerProperties window, on the Certificates tab, select Use a single certificate for this Web Listener and then, click Select Certificate.


  5. In the Select Certificate window, under Select a certificate from the available list of certificates, select your new ¶ºÒõ¹Ý issued SSL Certificate, and then, click Select.


  6. In your WebListenerProperties window, on the Certificates tab, click Apply and then, click OK.


  7. To save your changes and update your configuration, in the Forefront TMG window, click Apply.


  8. In the Save Configuration Changes window, make sure that the configuration updates are saved, and then, click OK.


  9. You have successfully installed/replaced your SSL Certificate in your existing Web Listener on your Forefront TMG Server.
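To confirm that the Web Listener is actually serving the new certificate after you click Apply, you can connect to it and compare the thumbprint it presents with the one you selected. This is an added example, not part of the original instructions; `your_domain.com`, the port, and the thumbprint value are placeholders. Run it from a client that can reach the listener's IP address.

```powershell
# Added example: read the certificate a Web Listener presents and compare thumbprints.
# Placeholders: host name, port, and the expected thumbprint of the new certificate.
$HostName           = 'your_domain.com'
$Port               = 443
$ExpectedThumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate because the goal is to inspect
        # what the listener sends, not to make a trust decision on it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        $client.Close()
    }
}

function Test-ListenerCertificate {
    param([string]$HostName, [int]$Port, [string]$ExpectedThumbprint)

    $cert     = Get-PresentedCertificate -HostName $HostName -Port $Port
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        # False means the listener is still serving a different certificate.
        IsExpected = ($cert.Thumbprint -eq $expected)
    }
}

Test-ListenerCertificate -HostName $HostName -Port $Port -ExpectedThumbprint $ExpectedThumbprint |
    Format-List Subject, Issuer, NotAfter, Thumbprint, IsExpected
```

If `IsExpected` is `False` after a replacement, check that the configuration change was applied and saved (steps 7 and 8) and that you selected the new certificate rather than the old one with the same domain name.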

Test Your Installation

If the website is publicly available, our ¶ºÒõ¹Ý® SSL Installation Diagnostics Tool can assist you in diagnosing common problems.

Troubleshooting

If you experience certificate errors, try repairing certificate trust errors with ¶ºÒõ¹Ý® Certificate Utility for Windows. If this doesn't resolve the errors, please contact support.

