Recently we’ve encountered a number of cases where customers wanted to use TMG to require strong authentication for some parts of a published web site (e.g. Outlook Web Access, OWA) but not for others (e.g. Exchange Active Sync, EAS).
This post will describe how to configure TMG for similar scenarios.
The TMG authentication process, as described here, has three phases:
The first two phases are configured on the TMG Web listener, while the third is configured on each individual publishing rule.
This split is what allows one Web listener to serve several publishing rules with different authentication requirements.
In the following example we will show how to publish two different internal Web sites on the same IP address and port (i.e. the same Web listener). One site will require authentication and the other will not. The technique used in this example can also be used for different paths instead of different sites.
The “trick” is that only for some rules the Web listener will require authentication. This means that even though authentication is configured on the Web listener, it will not require users to authenticate if they are using a path or site associated with an “All users” rule (as “All users”, including non-authenticated users, are allowed). Here is an example of the Web listener configuration:
Next we configure a Web publishing rule for the sites or paths that do not require authentication. We use the Web listener defined above and set the rule’s “Users” tab to apply to “All Users”:
Then we configure a Web publishing rule for the sites or paths that require authentication. We use the same Web listener as in the above rule, but here we set the rule’s “Users” tab to apply to “All Authenticated Users”:
We end up with two rules on the same listener (and the same IP address/port), one requiring authentication while the other doesn’t:
If a request matches the first, “No auth” rule, it will be allowed through without being prompted for authentication. However, if the request is matched to the second, “Auth” rule, it will be prompted for authentication and will only be allowed through if the authentication succeeds.
Roman Golubchyck, Senior Development Engineer.
Ori Yosefi, Senior Program Manager.
Hi Roman, I guess I am going to regret asking this, but as the rules are executed top-down, won't the All Users rule match the traffic profile every time and therefore effectively make the following rule redundant, in the sense that it would never be reached?
Rule matching will compare the public name on the rule vs. the hostname in the URL. If the names are different on your rules, you won't encounter the problem you mentioned.
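The top-down, first-match behaviour that the post relies on, and the ordering concern raised in the comment above, as an added model written for this page. It is not TMG's own code or its COM API; the rule names, host names, "Users" tab values and the simplified prefix-with-wildcard path matching are all constructed assumptions for illustration. Besides evaluating a request against a rule set, it flags rules that an earlier rule on the same listener shadows completely, which is the misconfiguration that would silently drop an authentication requirement.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple

# "Users" tab values, named after the post's wording (constructed constants, not TMG API values).
ALL_USERS = "All Users"
ALL_AUTHENTICATED_USERS = "All Authenticated Users"


@dataclass(frozen=True)
class PublishingRule:
    name: str
    public_names: frozenset        # host names on the rule's "Public Name" tab (lower-case)
    paths: Tuple[str, ...]         # path patterns on the "Paths" tab, e.g. "/owa/*"
    users: str                     # "Users" tab: ALL_USERS or ALL_AUTHENTICATED_USERS


@dataclass(frozen=True)
class Request:
    host: str
    path: str
    authenticated: bool = False    # True once the client has presented valid credentials


def make_rule(name: str, hosts: Iterable[str], paths: Iterable[str], users: str) -> PublishingRule:
    return PublishingRule(name, frozenset(h.lower() for h in hosts), tuple(paths), users)


def path_matches(pattern: str, path: str) -> bool:
    """Simplified path matching (assumption): a trailing '*' turns the pattern into a prefix."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def rule_matches(rule: PublishingRule, req: Request) -> bool:
    """A rule applies when the request host is one of its public names and a path pattern fits."""
    return req.host.lower() in rule.public_names and any(path_matches(p, req.path) for p in rule.paths)


def evaluate(rules: Sequence[PublishingRule], req: Request) -> Tuple[Optional[str], str]:
    """Top-down, first-match evaluation of the rules sharing one Web listener.

    Returns (rule name, decision): 'allow' (passed through), 'challenge' (the
    listener prompts the client for credentials) or 'deny' (no rule matched).
    """
    for rule in rules:
        if not rule_matches(rule, req):
            continue
        if rule.users == ALL_USERS:
            return rule.name, "allow"          # anonymous traffic allowed, no prompt
        if rule.users == ALL_AUTHENTICATED_USERS:
            return rule.name, ("allow" if req.authenticated else "challenge")
        raise ValueError("unknown user set: %r" % rule.users)
    return None, "deny"


def shadowed_rules(rules: Sequence[PublishingRule]) -> list:
    """Rules that can never be reached: every host/path they cover is already
    matched by a rule placed above them. A shadowed authenticated rule means the
    authentication requirement is silently not enforced."""
    shadowed = []
    for idx, rule in enumerate(rules):
        # Probe with each (host, path prefix) the rule itself would match.
        probes = [Request(host, pat.rstrip("*") or "/") for host in rule.public_names for pat in rule.paths]
        if probes and all(any(rule_matches(above, pr) for above in rules[:idx]) for pr in probes):
            shadowed.append(rule.name)
    return shadowed


# Scenario from the post: two sites on one listener, distinguished by public name (constructed hosts).
TWO_SITES = [
    make_rule("No auth", ["eas.example.com"], ["/*"], ALL_USERS),
    make_rule("Auth", ["owa.example.com"], ["/*"], ALL_AUTHENTICATED_USERS),
]

# Path variant from the post: one public name, rules distinguished by path.
ONE_SITE_BY_PATH = [
    make_rule("No auth", ["mail.example.com"], ["/Microsoft-Server-ActiveSync/*"], ALL_USERS),
    make_rule("Auth", ["mail.example.com"], ["/owa/*"], ALL_AUTHENTICATED_USERS),
]

# The misordering the comment worries about: an "All Users" rule for "/*" placed first.
ONE_SITE_SHADOWED = [
    make_rule("No auth", ["mail.example.com"], ["/*"], ALL_USERS),
    make_rule("Auth", ["mail.example.com"], ["/owa/*"], ALL_AUTHENTICATED_USERS),
]

if __name__ == "__main__":
    for label, rules in [("two sites", TWO_SITES), ("by path", ONE_SITE_BY_PATH), ("shadowed", ONE_SITE_SHADOWED)]:
        req = Request("owa.example.com" if label == "two sites" else "mail.example.com", "/owa/")
        print(label, "->", evaluate(rules, req), "shadowed:", shadowed_rules(rules))
```

Running the script shows that in the first two rule sets an unauthenticated request for the OWA path reaches the "Auth" rule and gets a challenge, whereas in the third set the "/*" All Users rule above it answers every request for that public name, so `shadowed_rules` reports "Auth" as unreachable. Checking a policy that way before deploying it is the practical complement to the reply above: different public names avoid the problem, and when rules share a public name the narrower anonymous path must sit above, or be disjoint from, the authenticated one.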