Install a Microsoft TMG or UAG 2010 certificate
Preamble
To install a certificate on a TMG server, you must first install it on the IIS server you used to generate your certificate request. Follow the instructions provided on one of these pages:
Install a Microsoft IIS5 or IIS6 certificate or Install a Microsoft IIS7 certificate
Retrieve the certificate, import it, and then come back to this page.
Now you should see your certificate in IIS: click the 'Display the certificate' button to check.
If you did not follow our instructions, make sure you installed the intermediate certificate if needed.
If your TMG is not on the same machine, create a .pfx file that will allow the transfer of the private key and the certificate(s). To do so, follow these instructions:
Create a backup file of your IIS5, IIS6 or IIS7 certificate and of its private key
then come back to this page.
Installation on ISA server
1- Launch the MMC
If your IIS and ISA are on the same machine, go directly to section 3.
- Click Start, select Run and type mmc
- Click on the File menu and select Add/Remove Snap-in
- Click Add, select Certificates among the list of Standalone Snap-in and click Add
- Choose Computer Account and click Next
- Choose Local Computer and click Finish
- Close the window and click OK on the upper window
2- Import the .pfx file
The .pfx file contains the certificate and its private key that you previously prepared.
- Go to Personal then Certificates
- Right click, choose All tasks then Import
- A wizard opens. Select the file holding the certificate you want to import.
- Then accept the default choices
- Make sure your certificate appears in the list and that the intermediate and root certificates are in their respective folders. If not, place them in the appropriate folder and replace existing certificates if needed.
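The check in the last step of section 2 can also be scripted. The following PowerShell is an added example, not code from TBS or Microsoft; it assumes an elevated session on the TMG server, and the parameter name $Thumbprint is hypothetical (pass the thumbprint of your own certificate).

```powershell
# Added example (not TBS or Microsoft code). Run in an elevated PowerShell session.
# $Thumbprint is a hypothetical parameter name: pass your certificate's thumbprint.
param([Parameter(Mandatory = $true)][string]$Thumbprint)

# Normalise a thumbprint copied from the certificate dialog (spaces, hidden characters).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Returns the names of the Local Computer stores that contain a given certificate.
function Get-MachineStores($thumb) {
    foreach ($name in 'My', 'CA', 'Root') {
        if (Get-ChildItem "Cert:\LocalMachine\$name" | Where-Object { $_.Thumbprint -eq $thumb }) { $name }
    }
}

# Step 2 result: the certificate must be in Personal (LocalMachine\My) with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Local Computer\Personal" }
"Subject     : $($cert.Subject)"
"Expires     : $($cert.NotAfter)"
"Private key : $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) { Write-Warning 'No private key: re-export the .pfx with its private key.' }

# Build the chain without revocation checks, so the result reflects installation only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

# Windows can complete a chain from other sources, so check the machine stores explicitly:
# intermediates belong in 'CA' (Intermediate Certification Authorities),
# the self-signed root in 'Root' (Trusted Root Certification Authorities).
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    if ($c.Thumbprint -eq $cert.Thumbprint) { continue }
    $expected = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $found = @(Get-MachineStores $c.Thumbprint)
    "Issuer cert : $($c.Subject) (expected in $expected, found in: $($found -join ', '))"
    if ($found -notcontains $expected) {
        Write-Warning "Place this certificate in the Local Computer '$expected' store."
    }
}

# Report why the chain is not trusted, if it is not.
if (-not $built) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```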
3- Configure TMG
- See the Microsoft documentation or consult these related articles.
TBS INTERNET ADVICE AND RECOMMENDATIONS
For security reasons, we advise you to:
- Enable TLS
- Disable SSLv2 and SSLv3. See Microsoft documentation for more information: http://support.microsoft.com/kb/187498
- Protect against BEAST: consult the documentation. Here is our documentation about enabling TLSv1.1 and TLSv1.2.
- Protect against insecure renegotiation: http://support.microsoft.com/kb/977377
- We also advise you to disable RC4 and 3DES based ciphers.
- We advise enabling HSTS (IIS configuration).
- To limit the security risks linked to the Diffie-Hellman configuration and to the Logjam vulnerability, we recommend configuring the IIS cipher suites. For more information, consult this documentation, this Microsoft documentation page and the Mozilla recommendations about compatibility (be careful: unlike the two previous links, those recommendations are not compatible with IIS).
See NARTAC, a tool that will help you make these modifications in IIS (compatible with IIS6).
There is also a PowerShell script to apply all these security recommendations: External link.
See as well:
- Create a backup file of your IIS5, IIS6 or IIS7 certificate and of its private key
- Install intermediate certificates or root certificates manually
- RPC over HTTPS and ISA 2006 & Wildcard
- ISA configuration with an SSL certificate holding SANs
Check your certificate installation with Co-Pibot:
On your certificate status page, click on the button "Check your certificate" to make sure your certificate has been correctly installed.
Last edited on 11/02/2018 10:49:27