Publishing Exchange 2007 with Forefront TMG 2010.

Bit of a nightmare, this, especially when you also have to fight the gateway firewall.

If FFTMG is in a single-NIC configuration, any published site seems to want the machine's primary IP address. This might be because I'm doing something wrong, but if you try to publish on a second IP before the first has been used, FFTMG seems to go wrong and starts complaining about BranchCache and the like. So use the first IP first. Assuming you want Outlook Web Access to be secure, it is also best to have all your public domain names and certificates sorted out first: the listener's certificate has to carry the public name clients will type (as the common name or a subject alternative name), so settle the name before you build the listener. Trying to mess about with a bare 'net-facing IP address and self-signed certificates is a nightmare. GlobalSign do free trials, which are perfect for testing, and buying the full certificate from them is easy too.

So, to set up FFTMG 2010:

  1. Create an object on the gateway firewall for the TMG box's DMZ IP address, NAT a 'net-facing IP address to it, and make sure TCP 443 is allowed through to it;
  2. Run through the "Publish Exchange Web Client Access" wizard; half way through it will ask you to create a listener. This is where you choose the DMZ IP address to "listen" on (or just accept the default of all addresses) and the certificate. The listener also has authentication options, which gets really confusing as both the rule and Exchange have their own authentication options too. There are three layers and they have to line up: the listener decides how clients authenticate to TMG (forms-based, for example), the rule's Authentication Delegation tab decides how TMG passes those credentials on to Exchange (Basic, NTLM, Kerberos constrained delegation, or none), and the OWA virtual directory on the Client Access server has to accept whatever TMG delegates. Forms-based on the listener, Basic delegation on the rule and Basic on the OWA virtual directory is the usual combination.
  3. This should work. But, in my experience, it rarely does first time, at which point you need to watch the TMG log (the Logging tab under Logs & Reports in the TMG console can be filtered live on the client IP) and the gateway firewall log side by side to see where your Outlook Web Access requests are vanishing. A 3G mobile is really handy for this sort of testing as it's guaranteed to be using a "proper" external IP address, and you can filter both logs on that address. Testing with any kind of LAN client just confuses matters, because the request has to get out to the internet via a proxy and then back in to your DMZ, and that is messy.
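As an added example (not from the original post, and not a Microsoft tool), here is a small Python probe to run from that 3G-connected laptop. It walks the hops an outside request has to survive, DNS, the gateway NAT on TCP 443, the listener's certificate and finally GET /owa/, and reports the first one that fails, so you know which log to open. The hostname and IP on the command line are placeholders of your own; the reading of the HTTP answer is a heuristic based on where TMG's forms-based authentication (CookieAuth.dll) and Exchange 2007's own OWA logon form (/owa/auth/logon.aspx) redirect you to.

```python
"""Probe an OWA site published through TMG from the outside, hop by hop.

Usage (hypothetical public name and net-facing IP from the 203.0.113.0/24 documentation range):
    python owa_probe.py mail.example.com 203.0.113.10
"""
import http.client
import socket
import ssl
import sys

OWA_PATH = "/owa/"


def resolve(hostname):
    """All IPv4 addresses the public name currently resolves to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def cert_names(cert):
    """Names a certificate is valid for (from the dict ssl.getpeercert() returns):
    subjectAltName DNS entries first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern, hostname):
    """Case-insensitive exact match, or one leftmost wildcard label:
    *.example.com covers mail.example.com but not example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def classify(status, headers):
    """Heuristic: who answered GET /owa/? Header names are matched case-insensitively."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if status in (301, 302, 303, 307):
        if "CookieAuth.dll" in location:
            return "tmg-fba"        # listener served its own logon form: NAT and listener are fine
        if "/owa/auth/logon.aspx" in location.lower():
            return "exchange-fba"   # request reached the CAS, which is doing the authentication itself
        return "redirect"
    if status == 401:
        return "auth-challenge"     # Basic/NTLM challenge; WWW-Authenticate says which
    if status == 403:
        return "denied"             # usually a TMG rule or path restriction
    if 500 <= status <= 599:
        return "upstream-error"     # listener answered but could not satisfy it: read the TMG log
    if 200 <= status <= 299:
        return "ok"
    return "other"


def probe(hostname, expected_ip=None, timeout=10):
    """Run the stages in order; returns [(stage, ok, detail), ...] and stops at a dead hop."""
    out = []
    try:
        ips = resolve(hostname)
    except socket.gaierror as err:
        return [("dns", False, str(err))]
    out.append(("dns", expected_ip is None or expected_ip in ips, ", ".join(ips)))
    target = expected_ip or ips[0]

    try:
        socket.create_connection((target, 443), timeout=timeout).close()
    except OSError as err:
        out.append(("tcp", False, "%s:443 %s" % (target, err)))
        return out
    out.append(("tcp", True, "%s:443 accepts connections" % target))

    # Verify the chain, but do the name check ourselves so a wrong-name cert is reported, not just refused.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((target, 443), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            names = cert_names(tls.getpeercert())
        out.append(("tls", any(name_matches(n, hostname) for n in names),
                    "trusted chain; certificate is for: %s" % ", ".join(names)))
    except ssl.SSLCertVerificationError as err:
        out.append(("tls", False, "chain not trusted (self-signed or missing intermediate): %s" % err.reason))
        ctx.verify_mode = ssl.CERT_NONE  # carry on unverified so the HTTP stage can still be checked
    except ssl.SSLError as err:
        out.append(("tls", False, "handshake failed: %s" % err))
        return out

    conn = http.client.HTTPSConnection(hostname, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", OWA_PATH)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException) as err:
        out.append(("http", False, "no HTTP response: %s" % err))
        return out
    finally:
        conn.close()
    tag = classify(resp.status, headers)
    via = headers.get("via")  # a proxy in the path (TMG included) normally announces itself here
    out.append(("http", tag not in ("denied", "upstream-error", "other"),
                "%d %s -> %s%s" % (resp.status, resp.reason, tag, " (Via: %s)" % via if via else "")))
    return out


if __name__ == "__main__":
    for stage, ok, detail in probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None):
        print("%-4s %s  %s" % (stage, "OK  " if ok else "FAIL", detail))
```

A "dns" failure means the public record or the NAT address is wrong; "tcp" failing points at the gateway firewall rule; "tls" failing is the listener's certificate; and "http" tells you whether the listener's own logon form, Exchange, or an error page answered, which is the point at which the TMG log becomes the place to look.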

