If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft Forefront TMG: CSR Creation Instructions.

Microsoft TMG Forefront: Installing an SSL Certificate Using the DigiCert® Certificate Utility for Windows

After we validate and issue your SSL Certificate, you can use the DigiCert® Certificate Utility for Windows to install your SSL Certificate to the Forefront TMG Server. Then, you can use Forefront TMG Management to create a new Web Listener (or update an existing one) and configure it to use the new certificate.

- Forefront TMG: Using the DigiCert® Certificate Utility for Windows to Install Your SSL Certificate
- How to Set Up a New Web Listener on Your Forefront TMG Server
- How to Replace the SSL Certificate in an Existing Web Listener on Your Forefront TMG Server

Because every environment is different (for example, your settings may be configured differently), you may need to consult your Microsoft Forefront TMG documentation. For more advanced configuration, consult the Microsoft documentation.

Forefront TMG: Using the DigiCert® Certificate Utility for Windows to Install Your SSL Certificate

- On the server where you created the CSR, save the SSL Certificate .cer file (e.g. your_domain_com.cer) that DigiCert sent to you.
- Run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then click Import.
- In the Certificate Import window, under File Name, click Browse to browse to the .cer (e.g. your_domain_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then click Next.
- In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
  We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
- Click Finish.
  The SSL Certificate should now be imported to the Windows keystore.
- You can now set up your Web Listener rules in the firewall policy.
  - To create a new Web Listener on your Forefront TMG server, see How to Set Up a New Web Listener on Your Forefront TMG Server.
  - To replace the SSL Certificate in an existing Web Listener on your Forefront TMG server, see How to Replace the SSL Certificate in an Existing Web Listener on Your Forefront TMG Server.
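
One way to confirm the import before opening Forefront TMG Management, as an added PowerShell example that is not part of the original instructions. It assumes the certificate landed in the Local Computer Personal store; the friendly-name pattern and the 30-day threshold are placeholders.

```powershell
# Added example, not from the original instructions.
# Assumption: the import placed the certificate in the Local Computer "Personal" store.
$FriendlyNamePattern = 'yoursite-*'          # placeholder: the friendly name you entered
$ServerAuthOid       = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$WarnDays            = 30                    # constructed threshold for the expiry warning

function Test-ListenerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Read EKU OIDs from the extension itself so this also runs on older PowerShell.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    $now = Get-Date
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (was the CSR created on this server?)' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Cert.NotAfter -lt $now) {
        $problems += 'expired'
    } elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $problems += "expires within $WarnDays days"
    }
    # A certificate with no EKU extension is valid for all purposes.
    if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $ServerAuthOid) {
        $problems += 'EKU lacks Server Authentication'
    }
    # Verify() builds the chain using the default chain policy.
    if (-not $Cert.Verify()) { $problems += 'chain does not validate' }

    New-Object PSObject -Property @{
        FriendlyName = $Cert.FriendlyName
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        Problems     = $(if ($problems) { $problems -join '; ' } else { 'none' })
    }
}

$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -like $FriendlyNamePattern })
if ($found.Count -eq 0) { Write-Warning "No certificate matching '$FriendlyNamePattern' in LocalMachine\My" }
$found | ForEach-Object { Test-ListenerCertificate $_ } |
    Select-Object FriendlyName, Subject, Thumbprint, NotAfter, Problems | Format-List
```

Run it from an elevated PowerShell prompt on the Forefront TMG server; a certificate reported with no private key cannot serve TLS connections on a listener.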

How to Set Up a New Web Listener on Your Forefront TMG Server

- On your server, open Forefront TMG Management.
  In the Windows Start menu, click All Programs > Microsoft Forefront TMG > Forefront TMG Management.
- In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server), and then click Firewall Policy.
- On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects, and then click New > Web Listener.
- In the New Web Listener Definition Wizard, on the Welcome to the New Web Listener Wizard page, in the Web listener name box, type a name for your web listener (e.g. RDGatewayWebListener), and then click Next.
- On the Client Connection Security page, select Require SSL secured connections with clients, and then click Next.
- On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, check Internal, and then click Select IP Address.
- In the Internal Network Listener IP Selection window, select Specified IP addresses on the Forefront TMG computer in the selected Network.
- Under Available IP Addresses, select your IP address, click Add, and then click OK.
- On the Web Listener IP Addresses page, click Next.
- On the Listener SSL Certificates page, select Use a single certificate for this Web Listener, and then click Select Certificate.
- In the Select Certificate window, under Select a certificate from the available list of certificates, select your DigiCert-issued SSL Certificate, and then click Select.
- On the Listener SSL Certificates page, click Next.
- On the Authentication Settings page, in the Select how clients will provide credentials to Forefront TMG drop-down list, select No Authentication, and then click Next.
- On the Single Sign On Settings page, click Next.
- On the Completing the New Web Listener Wizard page, review your settings, and if everything is accurate, click Finish.
- To save your changes and update your configuration, in the Forefront TMG window, click Apply.
- In the Save Configuration Changes window, make sure that the configuration updates are saved, and then click OK.

You have successfully installed your SSL Certificate to the Forefront TMG Server.

Test Your Installation

If your website is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.

Troubleshooting

If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.

How to Replace the SSL Certificate in an Existing Web Listener on Your Forefront TMG Server

- On your server, open Forefront TMG Management.
  In the Windows Start menu, click All Programs > Microsoft Forefront TMG > Forefront TMG Management.
- In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server), and then click Firewall Policy.
- On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects > Web Listeners, select the Web Listener whose certificate you want to replace with your new SSL Certificate (e.g. RDGatewayWebListener), and then click Edit.
- In your WebListener–Properties window, on the Certificates tab, select Use a single certificate for this Web Listener, and then click Select Certificate.
- In the Select Certificate window, under Select a certificate from the available list of certificates, select your new DigiCert-issued SSL Certificate, and then click Select.
- In your WebListener–Properties window, on the Certificates tab, click Apply, and then click OK.
- To save your changes and update your configuration, in the Forefront TMG window, click Apply.
- In the Save Configuration Changes window, make sure that the configuration updates are saved, and then click OK.

You have successfully installed/replaced your SSL Certificate in your existing Web Listener on your Forefront TMG Server.

Test Your Installation

If the website is publicly available, our DigiCert® SSL Installation Diagnostics Tool can assist you in diagnosing common problems.

Troubleshooting

If you experience certificate errors, try repairing certificate trust errors with DigiCert® Certificate Utility for Windows. If this doesn't resolve the errors, please contact support.
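
To confirm that a listener presents the replaced certificate once the configuration is applied, the following added PowerShell example (not part of the original instructions) connects to the listener and compares the served thumbprint with the one you expect. The host name, port and expected thumbprint are placeholders, and the check must run from a machine that can reach the listener's network.

```powershell
# Added example, not from the original instructions. Placeholders are assumptions.
$ListenerHost       = 'your_domain.com'                  # name clients use for the listener
$ListenerPort       = 443
$ExpectedThumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'  # from the certificate you selected

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $script:policyErrors = $null
    # Inspection only: record validation errors and let the handshake finish so the
    # presented certificate can be examined. No application data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        $script:policyErrors = $args[3]
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Uses the default protocol versions of the machine running the check.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:policyErrors
        }
    }
    finally { $client.Close() }
}

$served = Get-ServedCertificate -HostName $ListenerHost -Port $ListenerPort
# Thumbprints copied from the certificate dialog can carry spaces or invisible
# characters; keep only the hex digits before comparing.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($served.Thumbprint -ne $expected) {
    Write-Warning "Listener presents $($served.Thumbprint) ($($served.Subject)), not the expected certificate."
}
if ("$($served.PolicyErrors)" -ne 'None') {
    Write-Warning "Client-side validation reported: $($served.PolicyErrors)"
}
$served | Select-Object Subject, Thumbprint, NotAfter, PolicyErrors | Format-List
```

A thumbprint mismatch after the replacement steps usually means the listener is still bound to the previous certificate or the configuration change was not applied.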