Microsoft Forefront TMG | SSL Certificate Installation Instructions

Solution ID : microsoft-forefront-tmg-ssl-certificate-installation-instructions
Last Modified : 04/25/2025

If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see Microsoft Forefront TMG: CSR Creation Instructions.

Microsoft TMG Forefront | Installing an SSL Certificate Using the DigiCert® Certificate Utility for Windows

After we validate and issue your SSL Certificate, you can use the DigiCert® Certificate Utility for Windows to install your SSL Certificate on the Forefront TMG Server. Then, you can use Forefront TMG Management to create a new Web Listener (or update an existing one) and configure it to use the new certificate.

Because every environment is different (for example, your settings may be configured differently), you may need to consult your Microsoft Forefront TMG documentation, particularly for more advanced configuration.

Forefront TMG | Using the DigiCert® Certificate Utility for Windows to Install Your SSL Certificate

  1. On the server where you created the CSR, save the SSL Certificate .cer file (e.g., your_domain_com.cer) that DigiCert sent to you.

  2. Run the DigiCert® Certificate Utility for Windows.

    Double-click DigiCertUtil.

  3. In DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then click Import.

  4. In the Certificate Import window, under File Name, click Browse to browse to the .cer certificate file (e.g., your_domain_com.cer) that DigiCert sent you, select the file, click Open, and click Next.

  5. In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  6. Click Finish.

    The SSL Certificate should now be imported to the Windows keystore.

  7. You can now set up your Web Listener rules in the firewall policy.
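Before moving on to the Web Listener, it is worth confirming that the imported certificate is paired with its private key, is in date, and chains to a trusted root. The PowerShell below is an added example, not part of DigiCert's instructions or tooling. It assumes the import placed the certificate in the Local Computer Personal store (`Cert:\LocalMachine\My`), and `$FriendlyName` is a placeholder for the name you entered in step 5.

```powershell
# Added example: sanity-check the imported certificate on the TMG server.
# Assumption: the certificate was imported into Cert:\LocalMachine\My.
$FriendlyName  = 'yoursite-DigiCert-expirationDate'   # placeholder: name entered in step 5
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                  # Server Authentication EKU

$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -eq 0) {
    throw "No certificate named '$FriendlyName' found in Cert:\LocalMachine\My"
}

foreach ($cert in $certs) {
    # A certificate with no EKU extension is valid for all purposes.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = $true
    if ($eku) {
        $serverAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $ServerAuthOid }).Count -gt 0
    }

    $cert | Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'HasPrivateKey'; Expression = { $_.HasPrivateKey } },
        @{ Name = 'ServerAuthEku'; Expression = { $serverAuth } },
        @{ Name = 'DaysLeft';      Expression = { ($_.NotAfter - (Get-Date)).Days } },
        @{ Name = 'ChainValid';    Expression = { $_.Verify() } } | Format-List

    if (-not $cert.HasPrivateKey) {
        # The private key lives on the machine that generated the CSR (see step 1).
        Write-Warning "$($cert.Thumbprint): no private key. Import on the server that created the CSR."
    }
}
```

`ChainValid` uses the default chain policy, which includes a revocation check, so it can report `False` on a server that cannot reach the CA's revocation endpoints.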

How to Set Up a New Web Listener on Your Forefront TMG Server

  1. On your server, open Forefront TMG Management.

    In the Windows Start menu, click All Programs > Microsoft Forefront TMG > Forefront TMG Management.

  2. In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server) and click Firewall Policy.

     

  3. On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects and click New > Web Listener.

  4. In the New Web Listener Definition Wizard, on the Welcome to the New Web Listener Wizard page, in the Web listener name box, type a name for your web listener (e.g., RDGatewayWebListener) and click Next.

     

  5. On the Client Connection Security page, select Require SSL secured connections with clients and click Next.

  6. On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, check Internal and click Select IP Address.

  7. In the Internal Network Listener IP Selection window, select Specified IP addresses on the Forefront TMG computer in the selected Network.

  8. Under Available IP Addresses, select your IP address, click Add, and click OK.

  9. On the Web Listener IP Addresses page, click Next.

  10. On the Listener SSL Certificates page, select Use a single certificate for this Web Listener and click Select Certificate.

  11. In the Select Certificate window, under Select a certificate from the available list of certificates, select your DigiCert-issued SSL Certificate, and click Select.

  12. On the Listener SSL Certificates page, click Next.

  13. On the Authentication Settings page, in the Select how clients will provide credentials to Forefront TMG drop-down list, select No Authentication and click Next.

  14. On the Single Sign On Settings page, click Next.



  15. On the Completing the New Web Listener Wizard page, review your settings, and if everything is accurate, click Finish.

  16. To save your changes and update your configuration, in the Forefront TMG window, click Apply.

  17. In the Save Configuration Changes window, make sure that the configuration updates are saved, and click OK.

  18. You have successfully installed your SSL Certificate on the Forefront TMG Server.


Test Your Installation

If your website is publicly accessible, our DigiCert® SSL Installation Diagnostics Tool can help you diagnose common problems.

Troubleshooting

If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.

How to Replace the SSL Certificate in an Existing Web Listener on Your Forefront TMG Server

  1. On your server, open Forefront TMG Management.

    In the Windows Start menu, click All Programs > Microsoft Forefront TMG > Forefront TMG Management.

  2. In the Forefront TMG window, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server) and click Firewall Policy.

  3. On the right side of the page, under Firewall Policy, on the Toolbox tab, expand Network Objects > Web Listeners, select the Web Listener whose certificate you want to replace with your new SSL Certificate (e.g., RDGatewayWebListener), and click Edit.

  4. In your WebListenerProperties window, on the Certificates tab, select Use a single certificate for this Web Listener and click Select Certificate.

  5. In the Select Certificate window, under Select a certificate from the available list of certificates, select your new DigiCert-issued SSL Certificate, and click Select.

  6. In your WebListenerProperties window, on the Certificates tab, click Apply and click OK.

  7. To save your changes and update your configuration, in the Forefront TMG window, click Apply.

  8. In the Save Configuration Changes window, make sure that the configuration updates are saved, and click OK.

  9. You have successfully installed/replaced your SSL Certificate in your existing Web Listener on your Forefront TMG Server.


Test Your Installation

If the website is publicly available, our DigiCert® SSL Installation Diagnostics Tool can assist you in diagnosing common problems.
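When the listener is bound to an internal address and is not publicly reachable, you can check what it presents from a host on that network. The PowerShell below is an added example, not DigiCert's tooling; it applies equally to a new listener and to one whose certificate was replaced. The listener IP, host name, and thumbprint are placeholders, and port 443 is an assumption.

```powershell
# Added example: confirm a Web Listener is serving the expected certificate.
# Placeholders (not from the original page): IP, host name, thumbprint. Port 443 is assumed.
$ListenerIp         = '192.0.2.10'
$Port               = 443
$HostName           = 'your_domain.com'
$ExpectedThumbprint = 'REPLACE_WITH_NEW_CERTIFICATE_THUMBPRINT'

# Let the handshake complete whatever the certificate is, so it can be examined.
# The validation result is recorded and reported, and no data is sent over the stream.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $sslPolicyErrors)
    $script:tlsErrors = $sslPolicyErrors
    $true
}

$ssl = $null
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ListenerIp, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Thumbprints copied from the certificate dialog often carry spaces or hidden characters.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$served | Select-Object Subject, Issuer, NotAfter, Thumbprint,
    @{ Name = 'PolicyErrors';   Expression = { $script:tlsErrors } },
    @{ Name = 'IsExpectedCert'; Expression = { $_.Thumbprint -eq $expected } } | Format-List
```

`IsExpectedCert : False` after a replacement usually means the listener is still serving the old certificate; `PolicyErrors` other than `None` points to a name mismatch or a chain the client does not trust.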

Troubleshooting

If you experience certificate errors, try repairing certificate trust errors with DigiCert® Certificate Utility for Windows. If this doesn’t resolve the errors, please contact support.