This topic is designed to help you plan the certification infrastructure for your Forefront TMG deployment. Forefront TMG uses Windows Server 2008 Active Directory Certificate Services (AD CS) to issue and manage certificates to be used in the following scenarios:

For more information about AD CS, see Active Directory Certificate Services (

The following table summarizes the use of certificates in Forefront TMG.

Scenario Certificate Type Issued by

Web publishing: authenticating the Forefront TMG computer to the external user.

Server certificate

Public certification authority (CA)

Web publishing: authenticating the backend Web server to the Forefront TMG computer.

Server certificate

Public CA or Local CA

VPN: L2TP/IPsec or IPsec tunnel.

IPsec certificate

Local CA (recommended)

HTTPS inspection.

CA certificate

Local CA or a self-signed certificate

Workgroup environment: server authentication and data encryption.

Server certificate

Local CA

Related Topics