TMG 2010 and Exchange 2010 Question
Hi, we are migrating from Exchange 2007 to Exchange 2010 and so far have introduced 2010 Edge Servers and published OWA/ActiveSync/Outlook Anywhere using TMG 2010. When configuring a publishing rule there is a tab called 'Web Farm' and a setting called 'Internal Site Name'. Should this be the FQDN of the CAS array, and what happens if this name is not in our SAN cert? Doing some further reading in this article, Web Server Farms in TMG, I am a little confused as to what the Internal Site Name is used for. Any advice is gratefully received. Thanks!

Specify an internal site name. When publishing a single Web server, the internal site name can be used by Forefront TMG to obtain the IP address of the published server with which to establish a connection. When you publish a server farm, Forefront TMG does not use the internal site name in this way. The internal site name specified for a server farm is used only as follows:

When a browser application generates a request, it includes a Host header that identifies the host in the URL specified by the user. By default, when Forefront TMG receives the request, it changes the host name in this Host header and uses the internal site name as the host name in HTTP request messages sent to Web servers in the farm. If you choose to use the original client Host header instead of the Forefront TMG default setting, the internal site name is not used.

If the Web publishing rule requires a Secure Sockets Layer (SSL) connection between the Forefront TMG computer and a member of the published server farm, you can deploy a unique certificate on each farm member, or you can install copies of a single certificate on all the farm members. You must use the internal site name specified in the Web publishing rule as the common name when creating the certificate.

The internal site name may be used for link translation. Web pages returned by a published Web server may include links to internal computer names and sites that cannot be resolved by external clients. To avoid broken links, the Link Translation Filter uses mappings to translate these internal links to publicly resolvable names. For each Web publishing rule, Forefront TMG automatically maps the internal site name specified in the rule to the public name specified in the rule. For the internal site name in the server farm rule, you should specify the name that internal users will use to access the farm or the internal site name used to reference the server farm on Web pages and e-mail messages that external users may receive. If an application uses absolute links to itself, the internal site name should be the host name in those links.

Even if you do not need to make a server farm available internally or account for link translation, the Forefront TMG rules engine needs to resolve the internal site name. In this case, we recommend that you set the internal site name to the Domain Name System (DNS) name of one of the servers in the farm.
July 6th, 2012 12:18pm

The internal site name is what the TMG puts into the HTTP request's URL. Your internal CAS certificate has to have that name in it. The internal site name can be the same as the external site name if you want to use the same certificate on both. I recommend creating a web farm even if you have only one CAS if there is any chance in the future that you'll add a second one. If you don't use a web farm for the rules and later want to add another CAS, you have to recreate all your rules because you can't switch between a single server and a web farm in the rules. It's easy to add another server to the farm, much easier than recreating all the rules. If you use a server farm, the internal site name isn't looked up in DNS to find the destination, just the names of the servers in the server farm. If you define a single server, that radio button and text box do the same thing: it says put the internal site name in the URL but send it to the server listed in the text box.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 7th, 2012 1:14am

I'll take a shot at this and say that the Internal Site Name can be, but doesn't have to be, different from the name you'd make available in external DNS. If the name is the same, you'd need a split DNS configuration that allows internal clients to resolve the FQDN to the TMG interface for internal traffic. If you have two different names, like mail.contoso.com for external client access, and mail.internal.local for internal, then you'd need DNS to resolve the "mail.internal.local" FQDN to the internal OWA publishing interface on TMG. You should also have a certificate bound to that interface that contains the same internal name, in addition to a certificate for the external interface with the external FQDN in its list. If anyone with a Client/Server background wants to confirm or correct this please jump in.
July 7th, 2012 1:17am

To add to Jesse's comment, split-brain DNS is the only way to go. Even if you don't have one now, it's never too late to start the transition. Internal-only DNS zones are so 1970s.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 7th, 2012 1:21am

Thanks for all your comments. I have indeed created a farm with two CAS servers in it. We have split DNS, and the internal DNS servers currently do not resolve the internal name (email.company.com). Am I right in saying that the internal name does not have to resolve on the TMG server? Or should I resolve the internal name to the name of my hub/CAS array? Thanks
July 9th, 2012 10:47am

Something that I have to do quite often is use the TMG to resolve/redirect to a particular IP rather than a DNS name. To do this you would put the name of the site that you are publishing in the "Internal site name" field and then put the VIP (virtual IP of your load balancer) in the "Computer name or IP address" field. If your VIP isn't configured yet you could supply the IP of a CAS and then change it later on. So for example you would use the internal site name of email.company.com even if the TMG can't resolve this in DNS or resolves it to the public IP. The IP address that you provide at this stage will override DNS.

Steve
July 9th, 2012 11:06am

I think I understand now, but correct me if I'm wrong: the internal site name can be the same as the external site name, as that will be in our certificate. In order to find the actual servers it will look at the web farm members?
July 10th, 2012 4:47pm

Your statement isn't clear, so let me restate it. Yes, they can be the same and usually are if you have split-brain DNS. The certificate you install on the TMG server must match the public names (there will probably be more than one, including autodiscover) in the rules. The certificate you install on the Exchange CAS server(s) must match the internal name in the rules. If the names are the same, you can use the same certificate on both.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
July 10th, 2012 5:37pm
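To make the thread's conclusion concrete, here is an added example (not TMG code and not from any poster) that models how a TMG web publishing rule treats the internal site name: the destination comes from the farm members (or the "Computer name or IP address" override) rather than a DNS lookup of the name, the outgoing Host header becomes the internal site name unless the original host header is forwarded, SSL bridging fails if the CAS certificate lacks that name, and link translation maps the internal name back to the public name. The rule values and certificate name lists are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PublishingRule:
    """Constructed model of one TMG web publishing rule (example only)."""
    public_names: List[str]                      # names on the TMG listener cert
    internal_site_name: str                      # "Internal site name" field
    farm_members: List[str] = field(default_factory=list)   # web farm members
    single_server: Optional[str] = None          # "Computer name or IP address"
    forward_original_host: bool = False          # "Forward the original host header"


def forward_request(rule: PublishingRule, client_host: str,
                    cas_cert_names: List[str]) -> Tuple[str, str]:
    """Return (destination, outgoing Host header) for a bridged request.

    Raises ValueError where TMG would refuse or where the SSL bridge to the
    CAS would fail because the certificate does not carry the name used.
    """
    if client_host not in rule.public_names:
        raise ValueError(f"no publishing rule matches Host {client_host!r}")

    if rule.farm_members:
        # Farm rule: internal site name is NOT resolved to find the target;
        # the farm member list is (first member stands in for load balancing).
        destination = rule.farm_members[0]
    else:
        # Single-server rule: the override box wins, else DNS of the site name.
        destination = rule.single_server or rule.internal_site_name

    out_host = client_host if rule.forward_original_host else rule.internal_site_name

    # SSL bridging: the CAS certificate must match the name TMG puts in the request.
    if out_host not in cas_cert_names:
        raise ValueError(f"CAS certificate lacks {out_host!r}; SSL bridge fails")
    return destination, out_host


def translate_links(rule: PublishingRule, body: str) -> str:
    """Link translation: rewrite internal site name -> public name in responses."""
    return body.replace(f"https://{rule.internal_site_name}/",
                        f"https://{rule.public_names[0]}/")
```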
