bg-tutorials

How to Install an SSL Certificate on Microsoft Forefront

This guide explains how to install an SSL certificate on Microsoft Forefront Threat Management Gateway (TMG), the product most administrators mean when they say “install a certificate on Forefront.” It covers the prerequisite of getting the certificate into the Windows certificate store, and the Web Listener wizard that actually serves HTTPS for a published web application.

Product status, please read first. Microsoft Forefront TMG 2010 reached end of mainstream support on April 14, 2015 and end of extended support on April 14, 2020. Its Web Protection Services subscription (URL filtering and malware inspection) was shut down on December 31, 2015, even before the product itself went out of support. Microsoft no longer sells TMG, no longer ships fixes for it, and never released a direct in-product successor. Microsoft Forefront Unified Access Gateway (UAG) 2010 shares the same lifecycle: sales ended July 1, 2014, and extended support ended April 14, 2020. The steps below still work on an existing TMG installation, but for new deployments use a supported Microsoft service instead. See Microsoft-native successors to Forefront TMG below for the migration paths.

Generate the CSR code on Microsoft Forefront TMG

If you already generated your CSR and have your signed certificate as a .pfx file, skip ahead to Install the SSL certificate on Forefront TMG.

Forefront TMG has no built-in CSR generator. You generate the CSR on a Windows host (typically the TMG server itself, since TMG runs on Windows Server with IIS installed) and submit it to the Certificate Authority. You have two options:

  • Generate the CSR automatically with our CSR Generator. The private key is created off the server, so the CA will return files that you bundle into a .pfx before importing into Windows.
  • Generate the CSR in IIS on the TMG server by following our how to generate a CSR on IIS tutorial. The private key stays on the server, and you complete the request in IIS once the CA returns the issued certificate.

Submit the CSR to the Certificate Authority during enrollment. After validation, the CA issues the certificate, and you can move on to the installation steps below.

Install the SSL certificate on Forefront TMG

Forefront TMG itself does not have a certificate import dialog. TMG reads certificates from the Local Computer Personal store on the Windows server it runs on, so the installation has two parts: import the certificate into Windows, then attach it to a Web Listener in TMG.

Step 1: Import the certificate into the Windows certificate store

If the TMG server is the host where the CSR was generated and you have a .cer or .p7b file, complete the pending request in IIS Manager on the same server. See how to install an SSL certificate on IIS for the Complete Certificate Request step.

If the CSR was generated on a different host (for example with our CSR Generator, or on a separate IIS server), you have a .pfx file that bundles the certificate, its private key, and the chain. Import it into the TMG server with the certificates MMC snap-in:

  • Copy the .pfx file to the TMG server.
  • Press Win + R, type mmc, and press Enter.
  • Go to File > Add/Remove Snap-in, select Certificates, click Add, choose Computer account > Next > Local computer > Finish > OK.
  • Expand Certificates (Local Computer) > Personal, right-click Certificates, choose All Tasks > Import.
  • Browse to your .pfx file, enter its password, accept the default store (Personal), and finish the wizard.

The certificate must include its private key for TMG to use it. If the .pfx was exported without the key (or the certificate appears in the store without a small key icon next to it), TMG will not see it as available for a Web Listener.

Step 2: Create a Web Listener and assign the certificate in TMG

A Web Listener is the network object TMG uses to terminate HTTPS for a published web application (for example Outlook Web Access, SharePoint, or any other internal web service). Each Web Listener is bound to one or more IP addresses, a port, and a certificate.

  1. Open the Forefront TMG console: Start > All Programs > Microsoft Forefront TMG > Forefront TMG Management.
  2. In the left tree, under Microsoft Forefront Threat Management Gateway, expand Forefront TMG (your server).
  3. Click Firewall Policy. On the right side, open the Toolbox tab, expand Network Objects, and choose New > Web Listener.
  4. On the wizard’s first page, enter a Web listener name (for example OWA HTTPS Listener), then click Next.
  5. On the Client Connection Security page, select Require SSL secured connections with clients and click Next.
  6. On the Web Listener IP Addresses page, under Listen for incoming Web requests on these networks, tick the network that will receive the traffic (for an internal-only listener choose Internal; for an Internet-facing listener choose External). Click Select IP Address.
  7. Under Available IP Addresses, select the address the listener should use, click Add, then OK, then Next.
  8. On the Listener SSL Certificates page, select Use a single certificate for this Web Listener (or Assign a certificate for each IP address if you publish multiple host names on the same listener), then click Select Certificate.
  9. In the Select Certificate window, choose the certificate you imported in Step 1 and click Select. If your certificate does not appear, it is either missing from the Local Computer Personal store on this TMG node, or it was imported without its private key.
  10. Click Next. On the Authentication Settings page, choose how clients should authenticate. Pick No Authentication only if the published application handles authentication itself (otherwise select the method that matches your environment, for example HTML Form Authentication for OWA). Click Next.
  11. On the Single Sign On Settings page, configure SSO if you publish multiple applications under a shared domain, then click Next.
  12. Review the summary on the Completing the New Web Listener Wizard page and click Finish.
  13. Back in the Forefront TMG console, click Apply at the top of the center pane to commit the change to the configuration store.

The new listener is now available. Attach it to a publishing rule (Firewall Policy > Tasks > Publish Web Sites or Publish Exchange Web Client Access) so that incoming HTTPS traffic for your published site uses this listener and the certificate you assigned.

Test your SSL installation

After you apply the configuration and route a publishing rule through the new Web Listener, open the published URL over https:// from an external client and check the padlock and certificate details. For a deeper view of the chain, protocol support, and any trust issues, run a scan with our SSL Checker.

Modern browsers and clients no longer trust SSL 3.0 or TLS 1.0 / 1.1, and TMG 2010 only natively supports SSL 3.0 and TLS 1.0 on its listener unless you have applied registry tuning to enable TLS 1.1 / 1.2 at the SChannel layer. If the SSL Checker reports protocol failures, that is the reason, and it is one of the strongest signals that the TMG host has reached the end of what it can safely publish on the public Internet.

Microsoft-native successors to Forefront TMG

Microsoft never released a single product called “the TMG successor.” Instead, the jobs Forefront TMG used to handle have moved to separate Azure and Microsoft Entra services. If you are planning a migration, the modern Microsoft-native paths are:

  • Publishing internal web apps to external users (the most common TMG use case, for example OWA, SharePoint, Lync / Skype for Business front ends): use Microsoft Entra application proxy (formerly Azure AD Application Proxy). A lightweight connector inside your network publishes the app outbound; no inbound firewall holes are required, and Microsoft Entra ID handles authentication and conditional access.
  • Public-facing web apps that need a reverse proxy with WAF: use Azure Application Gateway (with WAF_v2) for regional layer-7 load balancing, or Azure Front Door for global distribution with edge caching and WAF.
  • Outbound web filtering and SaaS controls (the forward-proxy side of TMG): use Microsoft Defender for Cloud Apps for SaaS discovery and session control, and Microsoft Entra Internet Access for identity-centric Secure Web Gateway functionality.
  • Network and endpoint threat protection: the Microsoft Defender XDR family (Defender for Endpoint, Defender for Identity, Defender for Office 365) has replaced the threat-protection role of Forefront in general.

You can keep the existing TMG server publishing internal applications while you stand up the replacement, then move applications one at a time and decommission TMG once the last publishing rule has been migrated.

Frequently Asked Questions

Is Microsoft Forefront TMG still supported?

No. Microsoft Forefront TMG 2010 reached end of mainstream support on April 14, 2015 and end of extended support on April 14, 2020. The Web Protection Services subscription was shut down on December 31, 2015. Microsoft no longer ships fixes or updates for TMG, and the product is no longer sold. Existing TMG installations continue to run, but they should not be used for new deployments.

What is the Microsoft successor to Forefront TMG?

Microsoft did not release a single direct successor. The functions are now split across several Azure and Microsoft Entra services: Microsoft Entra application proxy for publishing internal web apps without inbound firewall holes, Azure Application Gateway (WAF_v2) and Azure Front Door for public-facing reverse proxy and WAF, Microsoft Defender for Cloud Apps and Microsoft Entra Internet Access for forward proxy and web filtering, and the Microsoft Defender XDR family for threat protection.

Can I install an SSL certificate directly inside Forefront TMG?

Not directly. TMG does not have its own certificate import dialog. It reads certificates from the Windows Local Computer Personal store on the server. You import the .pfx (or complete a pending CSR in IIS) on the server first, then select that certificate from the dropdown in the Web Listener wizard.

Why doesn’t my certificate appear in the Select Certificate dropdown?

The two common causes are a missing private key and the wrong store. Make sure the certificate is imported into Certificates (Local Computer) > Personal on the TMG server (not the current user store), and that the certificate icon in MMC shows the small key overlay that indicates the private key is present. If you imported a .cer or .crt file directly, it has no private key; re-import the .pfx bundle from the CSR generator, or rebuild the .pfx with the matching key.

Does this guide also apply to Forefront UAG?

Forefront Unified Access Gateway (UAG) 2010 is a related but distinct product. It shares the same end-of-life status: sales ended July 1, 2014, and extended support ended April 14, 2020. UAG uses its own portal trunk model to assign certificates rather than the TMG Web Listener wizard above, but the prerequisite is the same: the .pfx must be imported into the Windows Local Computer Personal store before UAG can select it. For new deployments use the Microsoft Entra and Azure services listed in Microsoft-native successors to Forefront TMG.

Can I renew a certificate on Forefront TMG without recreating the listener?

Yes. Import the renewed .pfx into the Local Computer Personal store, then open the existing Web Listener properties, go to Certificates, click Select Certificate, choose the new certificate, and click Apply at the top of the Forefront TMG console to commit the change. Publishing rules attached to the listener keep working without modification.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.