Publish Moodle behind MS TMG

The plan was to set up Moodle internally and have it published by TMG. This would give the speed of plain HTTP internally and the security of HTTPS externally. The catch is that Moodle's URL ($CFG->wwwroot in config.php) is set to either an http or an https address, not both, which holds Moodle back in this setup. I turned to TMG and found that its Link Translation option solves the problem.

Web server set up

Apache2 web service

# Apache 2.2 syntax. Only Moodle's NTLM SSO entry point is protected by
# NTLM; every other page stays anonymous and is handled by Moodle itself.
<Directory /var/www/moodle/auth/ldap/>
<Files ntlmsso_magic.php>
# NTLM challenge/response via Samba's ntlm_auth (winbindd must be running
# on a host joined to the domain)
NTLMAuth on
AuthType NTLM
AuthName "Moodle NTLM Authentication"
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
require valid-user
Order allow,deny
Allow from all
</Files>
</Directory>

TMG server set up

Web Publishing Rule for external https

  1. Authentication Delegation: NTLM
  2. Published server logout URL: /login/logout.php
  3. Bridging: redirect requests to port 80 (plain HTTP to the internal server).
  4. Users: All Authenticated Users.
  5. Link Translation must be enabled and configured with the following two replacements.
  6. Replace 'path=/; HttpOnly' with 'path=/; secure; HttpOnly'. This makes the Moodle session cookie work only over https (the browser will not send it over plain http).
  7. Replace 'http:\/\/yourdomainname.org' with 'https:\/\/yourdomainname.org'. This fixes the escaped URLs Moodle writes into in-page JavaScript.
  8. Create an SSL web listener:
    1. Authentication: HTML Form Authentication, validated against Active Directory.
    2. Authentication Preferences: enable "Validate credentials for every HTTP request".
    3. Connections: enable only port 443 (SSL).
    4. Select the SSL certificate.
    5. SSO: set the domain.
    6. Networks: set the external IP.

Web Publishing Rule for external http

  1. Authentication delegation: None
  2. Bridging: redirect requests to port 80.
  3. Users: All users.
  4. Create a web listener on port 80 with no authentication.

Web Publishing Rule for external http login

Copy the http rule and name it "http login". This rule redirects logins that arrive over http to https.

  1. Paths (the rule's Paths tab): delete '/' and replace it with '/login/*' and '/auth/*'.
  2. Action: Deny, with "Redirect HTTP requests to this web page" set to 'https://yourdomainname.org/login/index.php'.

The deny rule must sit above the allow http rule in the TMG firewall policy list, or it won't work: TMG applies the first rule that matches, so with the allow rule first a login request would simply be passed through in plain http.
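To make the interplay of the three rules concrete, here is a small Python model of the http side's policy ordering and of the two Link Translation replacements from the https rule. It is an added example, not TMG's or Moodle's own code: the hostname is the post's placeholder yourdomainname.org, the internal target name moodle.internal is assumed, and the HTTP response it audits is constructed to look like a Moodle page (Moodle JSON-encodes its wwwroot into M.cfg in inline JavaScript, which is why the slashes are escaped). Real TMG applies link translation to response bodies as it bridges them; the model applies the same replacements over the raw response text.

```python
"""Model of the TMG publishing rules for the plain-http side, plus the two
Link Translation replacements (added example, not TMG's own behaviour)."""
import re
from fnmatch import fnmatchcase

HOST = "yourdomainname.org"                       # placeholder from the post
HTTPS_LOGIN = f"https://{HOST}/login/index.php"
INTERNAL = "http://moodle.internal:80"            # assumed internal Moodle host

# Ordered exactly like the TMG firewall policy list. TMG applies the first
# rule whose path pattern matches, so the deny/redirect rule MUST come first.
HTTP_POLICY = [
    ("http login", ["/login/*", "/auth/*"], ("redirect", HTTPS_LOGIN)),
    ("http",       ["/*"],                  ("allow", INTERNAL)),
]


def route_http_request(path, policy=HTTP_POLICY):
    """Return (rule name, (action, target)) for a plain-http request path."""
    for name, patterns, action in policy:
        if any(fnmatchcase(path, p) for p in patterns):
            return name, action
    return None, ("deny", None)       # nothing matched: default deny


# The two custom Link Translation entries from the https publishing rule.
LINK_TRANSLATION = [
    ("path=/; HttpOnly", "path=/; secure; HttpOnly"),   # cookie only over https
    (f"http:\\/\\/{HOST}", f"https:\\/\\/{HOST}"),      # JSON-escaped URLs in inline JS
]


def translate(raw_response):
    """Apply the replacements to a raw response (headers + body) as plain text."""
    for old, new in LINK_TRANSLATION:
        raw_response = raw_response.replace(old, new)
    return raw_response


def audit_https_response(raw_response):
    """Findings that show the https rule is not translating properly: a session
    cookie without the Secure attribute, or plain-http links to the site
    (escaped or not) left in the body."""
    findings = []
    headers, _, body = raw_response.partition("\r\n\r\n")
    for line in headers.split("\r\n"):
        if line.lower().startswith("set-cookie:"):
            cookie = line.split(":", 1)[1].strip()
            attrs = [a.strip().lower() for a in cookie.split(";")]
            if "secure" not in attrs:
                findings.append("cookie without Secure: " + cookie.split(";")[0])
    for m in re.finditer(r"http:\\?/\\?/" + re.escape(HOST), body):
        findings.append("plain-http link to site: " + m.group(0))
    return findings


# Constructed response, shaped like what internal Moodle returns over port 80.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: MoodleSession=0123456789abcdef; path=/; HttpOnly\r\n"
    "\r\n"
    "<html><head><script>\n"
    'M.cfg = {"wwwroot":"http:\\/\\/yourdomainname.org","sesskey":"AbCd"};\n'
    "</script></head><body>Hello</body></html>\n"
)

if __name__ == "__main__":
    for p in ("/index.php", "/login/index.php", "/auth/ldap/ntlmsso_magic.php"):
        print(p, "->", route_http_request(p))
    print("wrong rule order:", route_http_request("/login/index.php", HTTP_POLICY[::-1]))
    print("before translation:", audit_https_response(SAMPLE_RESPONSE))
    print("after translation: ", audit_https_response(translate(SAMPLE_RESPONSE)))
```

Running the script shows /login/ and /auth/ requests being redirected to the https login page while /index.php is allowed through, the same login request being allowed through in plain http once the two rules are swapped, and the two findings (insecure cookie, escaped http link) disappearing after translation. To check the real deployment, feed audit_https_response() the output of curl -i against the public https URL; anything it reports is a case the Link Translation dictionary is missing.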

Finished product

Guest access via http
[screenshot: lms-http]

Login form
[screenshot: lms-https-login]

NTLM SSO
[screenshot: lms-https-ntlm]

Secure access
[screenshot: lms-https]

Logout
[screenshot: lms-https-logout]