This topic is designed to help you plan the certification infrastructure for your Forefront TMG deployment. Forefront TMG uses Windows Server 2008 Active Directory Certificate Services (AD CS) to issue and manage certificates to be used in the following scenarios:
- Publishing a Web server over an HTTPS connection. For details, see About publishing Web servers.
- Configuring a site-to-site VPN connection with L2TP/IPsec or IPsec tunneling. For details, see Planning for virtual private networks.
- Inspecting HTTPS traffic. For details, see Planning for HTTPS inspection.
- When Forefront TMG Enterprise is deployed in a workgroup environment. For details, see Workgroup and domain considerations.
For more information about AD CS, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=158022).
The following table summarizes the use of certificates in Forefront TMG.
Scenario | Certificate Type | Issued by
---|---|---
Web publishing: authenticating the Forefront TMG computer to the external user. | Server certificate | Public certification authority (CA)
Web publishing: authenticating the backend Web server to the Forefront TMG computer. | Server certificate | Public CA or Local CA
VPN: L2TP/IPsec or IPsec tunnel. | IPsec certificate | Local CA (recommended)
HTTPS inspection. | CA certificate | Local CA or a self-signed certificate
Workgroup environment: server authentication and data encryption. | Server certificate | Local CA
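The table above says which certificate type each scenario needs and who should issue it, but not how to confirm that the certificates actually installed on the Forefront TMG computer line up with that plan. The following PowerShell script is an added example, not part of the original topic and not Microsoft's own code: it walks the local machine Personal store (`Cert:\LocalMachine\My`, where a TMG server's own certificates, including an HTTPS inspection CA certificate with its private key, are held), classifies each certificate by its Enhanced Key Usage and Basic Constraints extensions, and reports issuer, expiry and private-key presence. The mapping of the standard Windows EKU OIDs (Server Authentication, the IP security OIDs used by the Windows IPsec templates) onto the table's rows is an assumption made for this check, as is the 30-day "expires soon" threshold.

```powershell
# Added example (not from the original page): inventory certificates on a
# Forefront TMG computer and map them to the certificate types in the table.
# Assumptions: LocalMachine\My is the relevant store; the EKU-to-scenario
# mapping below and the 30-day expiry warning are choices made for this check.

# Standard Windows EKU OIDs mapped to the certificate types the table names.
$ekuToType = @{
    '1.3.6.1.5.5.7.3.1' = 'Server certificate (Web publishing / workgroup)'
    '1.3.6.1.5.5.8.2.2' = 'IPsec certificate (IKE intermediate)'
    '1.3.6.1.5.5.7.3.5' = 'IPsec certificate (end system)'
    '1.3.6.1.5.5.7.3.6' = 'IPsec certificate (tunnel termination)'
}

function Get-TmgCertificateTypes {
    # Returns the certificate types a single certificate can serve, based on
    # its Enhanced Key Usage (2.5.29.37) and Basic Constraints (2.5.29.19).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $types = @()
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.37' {
                $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
                foreach ($oid in $eku.EnhancedKeyUsages) {
                    if ($ekuToType.ContainsKey($oid.Value)) { $types += $ekuToType[$oid.Value] }
                }
            }
            '2.5.29.19' {
                $bc = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]$ext
                # A CA certificate is what HTTPS inspection needs (local CA or self-signed).
                if ($bc.CertificateAuthority) { $types += 'CA certificate (HTTPS inspection)' }
            }
        }
    }
    return $types
}

function Get-TmgCertificateInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My', [int]$WarnDays = 30)
    $now = Get-Date
    foreach ($cert in Get-ChildItem $StorePath) {
        # Force an array so a single-type result still has a Count.
        $types = @(Get-TmgCertificateTypes -Cert $cert)
        if ($types.Count -eq 0) { continue }   # not relevant to any TMG scenario

        # "Issued by" column: a self-signed certificate has Subject == Issuer.
        $issuer = if ($cert.Subject -eq $cert.Issuer) { 'self-signed' } else { $cert.Issuer }

        $validity = if ($cert.NotAfter -lt $now) { 'EXPIRED' }
                    elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { 'expires soon' }
                    else { 'valid' }

        # Server, IPsec and inspection CA certificates are useless to TMG
        # without their private key, so flag its absence explicitly.
        $key = if ($cert.HasPrivateKey) { 'private key present' } else { 'NO PRIVATE KEY' }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Types      = ($types -join '; ')
            IssuedBy   = $issuer
            NotAfter   = $cert.NotAfter
            Validity   = $validity
            PrivateKey = $key
        }
    }
}

# Run the inventory and print one row per relevant certificate.
Get-TmgCertificateInventory | Format-Table Subject, Types, IssuedBy, Validity, PrivateKey -AutoSize
```

Run it in an elevated PowerShell session on the Forefront TMG computer; every scenario you have planned from the table should appear as at least one row with a valid certificate, a private key, and an issuer matching the "Issued by" column (a public CA for the externally facing Web publishing certificate, the local CA for IPsec and workgroup certificates, and the local CA or a self-signed certificate for HTTPS inspection). A row showing `NO PRIVATE KEY` or `EXPIRED` is the usual cause of a scenario that was configured correctly but stops working.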