TMG Web publishing for SharePoint HTTPS, No Certificate Usage On TMG

This question came up with a client this morning. It is the first time I have had to answer it, but it is a very straightforward issue.

The scenario: TMG is used to publish a SharePoint environment for both HTTP and HTTPS access. The certificate is correctly set up on the SharePoint server, but the client did not want the web publishing rule bound to that certificate; in other words, all certificate handling should stay within the SharePoint environment. Breaking the question down further, they wanted to publish the HTTPS SharePoint instance WITHOUT installing the certificate on the TMG instance.

This is not a supported route, and logically it does not make much sense. An HTTPS web publishing rule cannot work without the appropriate certificate installed and accessible on the publishing server, because the listener must terminate the SSL connection before it can inspect and forward the request. This is not a TMG limitation either; the same requirement applied to ISA Server and Proxy Server.


ForeFront TMG and Active FTP Issues

While working with a client today, I was informed that they were having issues with an instance recently converted from ISA to TMG, running the latest release of TMG. Specifically, Active FTP just plain wasn't working when used from a SharePoint financial application that is heavily trafficked.

For folks who aren't accustomed to the difference between Active and Passive FTP: in active mode the client connects from a random unprivileged port to the FTP server's command port, port 21. The client then opens a listening data port of its own and tells the server which port that is by sending a PORT command over the control connection. The server then connects back to the client's advertised data port from its local data port, port 20. That inbound connection to the client is what makes active FTP awkward for firewalls: the firewall has to read the control channel to learn which return connection to allow.
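To make the handshake described above concrete, here is an added example (not code from the original post, and not a description of how TMG's own FTP filter is implemented) showing the work an FTP application filter has to do: parse the PORT command the client sends on the control channel, compute the data port the server will connect back to from port 20, and decide whether that return connection should be allowed. The sample PORT lines are constructed, and the two sanity checks (advertised address must match the control-channel client, advertised port must be unprivileged) are my assumptions about reasonable filter policy.

```python
import re

# Constructed sample PORT commands, as a client in active mode would send them
# on the FTP control channel. These are not captured traffic.
SAMPLE_COMMANDS = [
    "PORT 192,168,1,10,7,210",  # 7*256 + 210 = 2002: a normal unprivileged data port
    "PORT 192,168,1,10,0,80",   # port 80: privileged, a filter should refuse it
    "PORT 10,0,0,5,7,210",      # address differs from the control-channel client
    "PORT 192,168,1,10,7",      # malformed: only five fields instead of six
]

# PORT h1,h2,h3,h4,p1,p2 where the data port is p1*256 + p2.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_active_data_port(line, control_client_ip):
    """Decide whether a firewall FTP filter should permit the server's connection
    back from TCP/20 to the data port the client advertised.

    Returns (allowed, reason). The policy here is an assumption for illustration:
    the advertised address must be the same host that opened the control
    connection, and the data port must be unprivileged.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != control_client_ip:
        return False, "advertised address does not match control-channel client"
    if port <= 1023:
        return False, "advertised data port is privileged"
    return True, f"allow server:20 -> {ip}:{port}"


if __name__ == "__main__":
    # The control connection in this constructed scenario comes from 192.168.1.10.
    for cmd in SAMPLE_COMMANDS:
        allowed, reason = check_active_data_port(cmd, "192.168.1.10")
        print(f"{cmd!r:32} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The point for a TMG administrator is that none of this can happen unless the FTP application filter is both applied to the rule and permitted to handle active mode; without it the firewall sees only an unsolicited inbound connection from the server's port 20 and drops it.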

There are some additional steps required to get Active FTP working through ForeFront TMG. In ISA 2006 this was accomplished by merely unchecking the read-only checkbox on the rule and configuring Windows Firewall. In TMG the process requires more: not only must you uncheck the read-only checkbox under Configure FTP on the rule, you also have to go to System -> Application Filters, open the FTP Filter, and check Allow active FTP access.