Double Hop TMG Publishing

Consider the following scenario: we have a company (contoso.com) with two geographically distinct sites - New York and London. There are a number of sites published under web.contoso.com - most are hosted on web servers located in New York but some are hosted in London. The only difference between these sites is the path used (e.g. https://web.contoso.com/products, https://web.contoso.com/research etc.). There are two standalone TMG servers that can do reverse proxying - one in New York and one in London. web.contoso.com is added as an entry in the public DNS so as to point to the public IP of the TMG in New York. The company's internal link between New York and London is an expensive one and already congested. For the company's clients, it's important that for the pages they're browsing they always get to see https://web.contoso.com/..... in their browsers (as opposed to a slightly different name such as https://london.web.contoso.com/...).

We now want to publish the Research site which is hosted on an IIS server in London, using the name https://web.contoso.com/research and also keeping in mind the restrictions above. In order to avoid using the internal WAN link, the TMG server in London could be used for publishing. However, since web.contoso.com is pointing to the TMG server located in New York, this would mean that the client will first reach the New York TMG, then get redirected to the London TMG, at which point he'll get to the Research site. I've somehow implemented this functionality using a simple publishing rule for All Users on the New York TMG server so that requests for https://web.contoso.com/research get sent to the public IP address of the London TMG server. On the London TMG server there's another rule for https://london.web.contoso.com/research using Forms Authentication. Since the Forms Authentication actually generates a 302 Redirect, it's the client itself that will talk to the 2nd TMG server, in effect achieving the requirement of not using the WAN link, and even better not using the New York TMG's own Internet link. The problem is that the URL gets rewritten (the client sees https://london.web.contoso.com/research from the point he's offered the Forms Based authentication). Is there a way to achieve this as well?

It would be ok for the TMG server in New York to use its own Internet connection to send requests over to the TMG in London, as long as the whole setup works. Please let me know what you think. Would it be possible, or would it need some additional mechanism (e.g. geoDNS) to make it work using TMG?

January 22nd, 2015 11:17am

I don't think you can achieve this through TMG without the client seeing a different host name (or IP address). Remember when you send a redirect to the client you are 100% relying on the client's DNS. You could of course use an IP address in the redirect but then you are not achieving your goal of keeping something consistent in the address bar (web.contoso.com).

I never have understood why companies care about what the client sees or doesn't see in their address bar. Most people don't pay attention to that and only care about what is actually on their browser page.

January 27th, 2015 5:52pm

Any update on this?
January 30th, 2015 10:28pm

Thank you for the reply, Keith, and sorry for the delay in answering. I partially agree with the address names in the browser bar; however, what makes things worse here is that the london.web.contoso.com from my example is a rather cryptic name in actual production (for which a certificate was bought as well), which would make things peculiar unless some minimal design is made for the London TMG's forms authentication window so that the clients know what they're authenticating to (the NY TMG's forms auth window is branded, the London TMG's is not).

On the other hand, I could try making the London TMG simply bypass all traffic coming from the New York TMG's IP for https://london.web.contoso.com/research and move the authentication to the New York TMG's side. Hopefully this will allow me to keep the same original address in the browser. Yet to be tested though.

February 2nd, 2015 3:00pm
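The two designs discussed in this thread, modelled as an added example (not TMG configuration and not the poster's own setup): the redirect hop, where the London listener's forms authentication answers with a 302 and the client ends up on london.web.contoso.com, and the proposed alternative, where the New York TMG authenticates and London accepts only traffic arriving from New York's IP. The IP addresses and the /logon-form path are constructed placeholders.

```python
# Toy model of the redirect-hop and proxy designs from the thread. Added
# illustration only. Hostnames and /research come from the thread; the IP
# addresses and the /logon-form path are constructed placeholders.
NY_TMG_IP = "203.0.113.10"       # constructed (TEST-NET-3)
CLIENT_IP = "192.0.2.7"          # constructed (TEST-NET-1)
PUBLIC_HOST = "web.contoso.com"
LONDON_HOST = "london.web.contoso.com"


def london_tmg(req, design):
    """London TMG rule for /research under the 'redirect' and 'proxy' designs."""
    if design == "redirect":
        # Forms-based auth on the London listener answers an unauthenticated
        # request with a 302 to London's own public name (the 'double hop').
        if not req["authenticated"]:
            return {"status": 302, "location": f"https://{LONDON_HOST}{req['path']}"}
    else:
        # Auth is skipped only for requests arriving from the NY TMG's IP, which
        # already authenticated the user; anything else hitting London is refused.
        if req["src_ip"] != NY_TMG_IP:
            return {"status": 403}
    return {"status": 200, "body": "research"}


def ny_tmg(req, design):
    """NY TMG rule for https://web.contoso.com/research."""
    if design == "proxy" and not req["authenticated"]:
        # NY does the forms auth itself, so its redirect stays on the public name.
        return {"status": 302, "location": f"https://{PUBLIC_HOST}/logon-form"}
    # Either way NY forwards to London's public IP; London sees NY as the source
    # and, in the redirect design, London's 302 is relayed unchanged to the client.
    return london_tmg(dict(req, src_ip=NY_TMG_IP), design)


def client_fetch(design, max_hops=5):
    """Browse to https://web.contoso.com/research following redirects like a
    browser; returns (final status, host name left in the address bar)."""
    host, path, authenticated = PUBLIC_HOST, "/research", False
    for _ in range(max_hops):
        req = {"host": host, "path": path, "src_ip": CLIENT_IP, "authenticated": authenticated}
        resp = ny_tmg(req, design) if host == PUBLIC_HOST else london_tmg(req, design)
        if resp["status"] != 302:
            return resp["status"], host
        # The browser follows the Location header, the user logs in on the form
        # shown there, and is then sent back to the resource on that same host.
        host = resp["location"].split("://", 1)[1].split("/", 1)[0]
        authenticated = True
    raise RuntimeError("redirect loop")
```

The 403 branch is the check the proxy design depends on: once London skips authentication for New York's address, it must refuse the same path from any other source.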
