By default, Fastvue TMG Reporter is open and unrestricted for anonymous users to view. For a number of privacy related reasons you might need to restrict access to the site. You may also want to further restrict access to the Settings tab to prevent unauthorised users from making configuration changes to TMG Reporter. To improve security even further, it is a good idea to add SSL encryption for authentication.
TMG Reporter also generates reports and alerts that you may want to view from outside the corporate network.
In this article I will show you how to restrict access to the TMG Reporter website, and further restrict access to the Settings tab using Windows Authentication and Authorization Rules in IIS, and how to enable SSL (HTTPS) for the site.
I will also show you how to make the TMG Reporter website available outside the corporate network, using Forefront TMG's Web Publishing feature.
Restricting User Access
The simplest way of achieving this is by using IIS authorization rules. There a few prerequisites. All of the following needs to be performed on the Fastvue TMG Reporter server.
Create Groups
- Open Server Manager and browse to Configuration | Local Users and Groups
- Create a group for Fastvue Viewers
- Populate this group with the AD users and groups that need to view TMG Reporter's dashboards and reports
- Create a group for Fastvue Admins
- Populate this group with the AD users and groups that need access to the Settings Tab
Configuring IIS
All the following steps will be performed in the IIS Management Console on the Fastvue TMG Reporter server. Depending on your configuration you may need to install the 'Windows Authentication' and 'URL Authorization' Role Services for IIS in Server Manager.
Enable Authentication
Authorization rules require that users authenticate. We will therefore first enable Windows Authentication.
- Select the Fastvue TMG Reporter IIS site (in this case it is Default Web Site)
- Select Authentication
- Select and Disable Anonymous Authentication
- Select and Enable Windows Authentication
Allow Access to the Site
- Select the Fastvue TMG Reporter IIS site again
- Select Authorization Rules
- Select Add an Allow Rule
- In the specified roles or users group, add the Fastvue Viewers group created earlier
- Create another allow rule this time for the Fastvue Administrators
- Remove the Allow all users rule
Remove Access to the Settings Tab
At this point user access to the Fastvue TMG reporter site will be limited to the users specified in the groups. To restrict access to the Setting tab do the following in the IIS Management Console:
- Select and Expand the Fastvue TMG Reporter site
- Select the Settings folder under the Fastvue TMG Reporter website
- Select Authorization Rules
- The rules created earlier will be inherited here.
- Select and Remove the Fastvue Viewers rule
At this point only the Fastvue Administrators group should have access to the Settings tab. If you are testing this remember to close the browser to end the user sessions.
Securing the site with HTTPS
Any site that requires credentials to be passed should be secured using SSL encryption. This means using HTTPS and certificates. For this article we will be using an internal self-signed certificate but in practice it is better to use a certificate from your internal PKI or a third party CA such as VeriSign.
Generate a Certificate
- Open the IIS Management Console
- Select the IIS server itself (not the site)
- Select Server Certificates
- Select Create Self-Signed Certificate
- Specify a friendly name for the certificate. A good practice is to use the server's FQDN name. This will generate a certificate that matches the server's name.
Add the HTTPS Binding
- Select the Fastvue TMG Reporter IIS website (e.g. Default Web Site on the left)
- Under Actions on the right, select Bindings...
- Select Add
- Change the type to HTTPS
- In the SSL certificate box select the Self-Signed Certificate created earlier
- Click OK to finish the change
Enforce SSL
- Select the Fastvue TMG Reporter IIS website again on the left
- Select SSL Settings
- Check the Require SSL Box and then Apply on the right hand side
The Fastvue TMG Reporter site will now require HTTPS and users to be authenticated. At this point you will see a certificate warning since the self-signed certificate is not from a trusted CA on the client machine. Using either an internal PKI or a third party CA certificate would resolve this issue. The other issue you will notice is that when attempting to connect to the site using HTTP you will get:
403 – Forbidden: Access is denied Error
To neaten things up we can change the 403 error page to redirect us to HTTPS.
Customize Error Pages
- Still in the IIS Management Console, select the Fastvue TMG Reporter site on the left
- Select Error Pages
- Select and Edit 403
- Select the Respond with a 302 redirect option
- Specify https:// followed by the FQDN of your site. For example, https://fastvue01.mydomain.com. Make sure you specify the S in https://
Publish TMG Reporter to the Internet
Now that the TMG Reporter site is secured, you can make the site available outside your network using Forefront TMG's Web Publishing feature.
For this to work your certificate must be from a root certificate authority the TMG Server trusts. This means an internal PKI or third party.
Create a listener
- Export the Site certificate you created and import it to the local store on each Forefront TMG array member (See this article on Importing and Exporting certificates)
- In the TMG Management Console, select Firewall Policy
- Select the Toolbox tab on the right and ensure the Network Objects section is expanded.
- Select New | Web listener
- On the Client Connection Security page, select Do not require SSL secured connections with clients
- On the Web Listener IP Addresses page, select the Networks that you would like to make the site available to, such as VPN Clients or All Networks.
- On the Authentication Settings page, select No Authentication
- Click Next on the Single Sign On Settings page, as no changes can be made here
- Click Finish to add the Web Listener
- Double-click the newly added Web Listener as there are still some settings that need to be changed
- On the Connections tab, check both Enable HTTP..., and Enable SSL (HTTPS)... Connections
- Select the option to Redirect all traffic from HTTP to HTTPS
- On the Certificates tab, select the certificate you imported in step 1
Create a Publish Web Site Rule
- In the TMG Management Console, select Firewall Policy on the left, and select the Tasks tab on the right.
- Click Publish Web Sites to launch the New Web Publishing Rule Wizard.
- Provide an appropriate name for the rule such as TMG Reporter
- Select Allow on the Rule Actions page
- Select Publish a single web site or load balancer
- Select Use SSL to connect to the published web server…
- Specify the internal site name such as http://fastvue01.mydomain.com
- Specify the path as /* to publish all files and folders
- Select Accept request for this domain name and specify the public FQDN name for the site
- Select the Web Listener created earlier
- For Authentication Delegation select No delegation, but client may authenticate directly
- Select All Users
- Apply the changes and test.
Congratulations! Your Fastvue TMG Reporter site should now be nice and secure and available from the Internet.