TMG Web publishing for SharePoint HTTPS, No Certificate Usage On TMG

This question came up with a client this morning. It is the first time I have had to answer it, but it is a very straightforward issue.

Suppose one is using TMG to publish a SharePoint environment for both HTTP and HTTPS access. The certificate is set up correctly on the SharePoint server, but it is not desirable to have the web publishing rule bound to that certificate, i.e. the certificate handling should stay with the SharePoint environment. Breaking the question down further: they wanted to publish the HTTPS SharePoint instance WITHOUT installing the certificate on the TMG instance.

This is obviously not a supported route, and logically it does not make much sense. One cannot use an HTTPS web publishing rule without the appropriate certificate being accessible and correctly in place on the publishing server, and this is not a TMG limitation, because the same requirement applies to ISA and Proxy Server.


ForeFront TMG and Active FTP Issues

While working with a client today, I was informed that they were having issues with a recently converted ISA to TMG instance, using the latest release of TMG. In particular, Active FTP plainly was not working when used from a SharePoint financial application that is quite heavily used.

For folks who are not accustomed to the difference between Active and Passive FTP: in active mode the client machine connects from a random unprivileged port to the FTP server's command port, port 21. The client then starts listening on a data port of its own and tells the server, over the command channel, which port that is. The server then connects back to the client's specified data port from its own local data port, which is port 20. This is what makes active mode awkward behind a firewall: the inbound connection from the server is only expected if something has read the command channel.

There are some additional steps required when using ForeFront TMG in order to get Active FTP working. In ISA 2006 this was accomplished by merely unchecking the read-only checkbox on the rule and configuring Windows Firewall. In TMG the process requires additional steps: not only do you have to uncheck the read-only checkbox under Configure FTP, you also have to right-click the rule, go to System -> Application Filters and check "Allow active FTP access" in the FTP Filter.
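As an added illustration (not code from the original post), here is the part of active mode that an FTP-aware filter has to handle before the server's reverse connection can be allowed through: the client's data endpoint is only known from the PORT command it sends on the command channel, so the filter must parse that line and permit exactly the flow it announces, and nothing else. IP addresses below are constructed sample values.

```python
import re
from ipaddress import IPv4Address

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def build_port_command(client_ip: str, data_port: int) -> str:
    """Encode the client's listening data endpoint as the FTP PORT command."""
    if not 1024 <= data_port <= 65535:
        raise ValueError("active-mode data port must be unprivileged")
    octets = str(IPv4Address(client_ip)).split(".")
    return f"PORT {','.join(octets)},{data_port // 256},{data_port % 256}"


def parse_port_command(line: str):
    """Return (ip, port) from a PORT line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_connection(control_line: str, server_ip: str, client_ip: str):
    """Flow an FTP-aware filter would have to permit after seeing this PORT line.

    Returns ((server_ip, 20), (client_ip, data_port)), i.e. the server's reverse
    connection from its data port 20, or None when nothing should be opened:
    malformed command, privileged port, or an address that is not the client
    actually on the command channel (a PORT command must not be able to point
    the server at a third host).
    """
    parsed = parse_port_command(control_line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip or port < 1024:
        return None
    return (server_ip, 20), (ip, port)


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    cmd = build_port_command("192.0.2.10", 5001)
    print(cmd)  # PORT 192,0,2,10,19,137
    print(expected_data_connection(cmd, "198.51.100.5", "192.0.2.10"))
```

A filter that is not allowed to act on the PORT command cannot derive this flow, which is why the secondary connection fails until the "Allow active FTP access" option is enabled.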


IAG Custom Endpoint Application Detection – Structure

When writing custom endpoint detection scripts, I found the documentation regarding the use of the different values very, very confusing. So here is a breakdown of them after reflecting on how UAG uses them.

Name: The name of the variable. You add the required XML file to the customupdate folder, and this name identifies your custom variable.
ID: The results variable you are using to record the return value.
Type: The TYPE of endpoint detection you are adding. This gets tricky, because it can be either something specific or an expression: you can just check for a certain IE version, or bundle that check up with other checks into an expression.
Value: The default value you want to use to make endpoint detection fail.
Description: A description of the variable.
Section: The section in which to display it in the interface.
Flags: This one is a bit funny. It is really a leftover from the product having been acquired by Whale; they used the flags variable to detect things like host file inclusions.

That's all of them.