Controlling Internet Access: a Short Primer on TMG Access Rules (Part 1)
If you would like to read the first part in this article series please go to:
- Controlling Internet Access: a Short Primer on TMG Access Rules (Part 2)
- Controlling Internet Access: A Short Primer on TMG Access Rules - Part 3: TMG Firewall Web Publishing Rule Basics
- Controlling Internet Access: A short Primer on TMG Access Rules - Part 4: TMG Networks and Network Rules
The ISA firewall has been around for quite a while. Many ISA firewall admins were on board during the beta phase of ISA 2000, which was code-named “Comet” back in 2000. For the next ten years, thousands of ISA firewall admins worked with the ISA firewall and upgraded to the next version. After ISA 2000 came the ISA 2004 firewall and then two years later the ISA 2006 firewall was released. The ISA 2004 firewall was a major advance over the previous ISA 2000 firewall and put it on par with other enterprise network firewalls. The ISA 2006 release was more like an “R2” release that included major improvements to the web proxy components of the firewall.
In 2010, the next version of the ISA firewall not only found itself with major new features and capabilities, but also a new name – ISA had transmogrified to TMG – the Threat Management Gateway 2010. What I’ve found interesting following the release of the TMG firewall is that there are a lot of new TMG firewall admins who have never worked with the ISA firewall. Most of these admins are moving away from old “hardware” firewalls because the expense of keeping those firewalls isn’t worth it. Even more interestingly, they’re moving to the TMG firewall because they are much more sophisticated than firewall admins of the past and they realize that the so-called hardware firewalls, in many cases, are much less secure than the TMG firewall. This is a major change in mindset and is a testament to the efficacy of Microsoft’s Security Development Lifecycle, which completely changed how Microsoft created software and focused on baking security into every phase of software development.
The challenge for these new TMG firewall admins is learning the basics. We have over a decade of articles here on ISAserver.org and most of them dig into deep technical details and complex or off-label deployment scenarios. The reason for this is that in the past, the audience was comprised of mostly experienced ISA firewall admins who had long-time experience with the product. Now I’m getting mail from a lot of readers who are new TMG firewall admins and who don’t know the basics yet – but don’t have access to simplified examples on how the TMG firewall works.
I’ve seen this to be especially problematic from the perspective of outbound access. Many of the new TMG firewall admins have focused on inbound access control (for example, to control access to Exchange and SharePoint). But now they want to know how to control access for outbound connections. That will be the focus of this article on Access Rules.
Understanding Access Rules
Access Rules are used to control outbound access from a network that is protected by the TMG firewall. When you want to allow a computer behind the TMG firewall to access any other network (including the Internet), then you need to create an Access Rule to allow that connection. By default, there are no Access Rules to allow connections through the firewall, so by default the TMG firewall is a “network brick.” This default closed state is a more secure configuration, but it also means that if you want to allow traffic through the TMG firewall, you’ll need to understand how Access Rules work and how to create them.
Creating an Outbound Access Rule
To get you started, we’ll create a simple outbound access rule that allows all users outbound access to the Internet using all protocols. In the next article in this series, we’ll go over the details of the Access Rules and see what dependencies Access Rules have and how you manipulate those dependencies.
To get started, let’s open up the TMG firewall console and click on the Firewall Policy node in the left pane of the console, as seen in the figure below.
After we click on the Firewall Policy node in the left pane, we’ll click on the Tasks Tab in the right pane of the console. Here you will see a number of options, much of which are related to creating various firewall rules. In this example, we want to create an Access Rule to allow outbound access through the TMG firewall. We’ll click the Create Access Rule link to start the Access Rule wizard, as shown in the figure below.
On the Welcome to the New Access Rule Wizard page, enter a name in the Access Rule name text box. In general, you should come up with a system to provide meaningful names for your Access Rules so that you can scan your firewall policy and know what the rule does, and ideally know the purpose of the rule. In this example, we’ll name the rule All Open 1. In a production environment, you wouldn’t want to create such a rule because this rule is going to allow all users and computers outbound access to the internet and that probably isn’t what you want to allow in your production environment.
On the Rule Action page, you are given the choice to make this an Allow or Deny rule. Notice that the default is to create a Deny rule, which is a good idea from a security perspective. We’ll change the state from Deny to Allow before clicking Next so that this becomes an Allow rule.
On the Protocols page, choose which protocols you want this rule to apply to. In the This rule applies to drop down box, you are given three choices:
- All outbound traffic - Use this option if you want the rule to apply to all protocols.
- Selected protocols - Use this option to choose specific protocols to which you want this rule to apply. This is the option you’ll probably use most over your lifetime working with the TMG firewall.
- All outbound traffic except selected - This allows you to allow or deny all protocols except for a subset of protocols that you select on this page.
If you choose either the second or third option, you can click the Add button to choose the protocols to which you want this rule to apply. After you click the Add button, it will bring up the Add Protocols dialog box. When you click on a folder in this dialog box, the folder will open up and show you a list of protocols. The TMG firewall team has made it easy for you by separating the protocols into meaningful groups so that it will be easier for you to find the specific protocol(s) you’re interested in. Double click on the protocols you want to allow and they will appear on the Protocols page in the Protocols list.
Another option you have on this page is exposed when you click the Source Ports button. This brings up the Source Ports dialog box. Here you can control what the allowed source ports are for connections that match this rule. By default Allow traffic from any allowed source port is selected, but if you wanted to lock down the source ports, you could select the Limit access to traffic from this range of source ports and then enter values in the From and To text boxes to denote those source ports.
We won’t choose any specific source ports this time. We’ll choose the All outbound traffic option and then click Next.
The next page is the Access Rule Sources page. Here you select the location of the computers behind the TMG firewall to which you want this rule to apply. Click the Add button and you’ll see the Add Network Entities dialog box. Click the folder that contains the network element that represents the source location of the computers to which you want this rule to apply. In this example, we’ll configure this rule to apply to all computers located on the default Internal Network by clicking on the Networks folder and then double clicking on the Internal Network.
After selecting the source Network as the default Internal Network and clicking Next, you’ll see the next page, which is the Access Rule Destinations page. Here you set the destinations that you want the computers from the source location you selected earlier to be able to access through this rule. The Access Rule Destinations page works like the previous page, where you click the Add button and then in the Add Network Entities dialog box, you click the folder and then double click on the network element to which you want to allow access by using this rule. In this example, we’ll select the default External network.
The next page of the wizard is the User Sets page. On this page, you specify the users to which you want this rule to apply. By default, Access Rules are applied to all users. Now, your definition of “all users” might not be the same as what the TMG firewall defines as all users. It would be logical to assume that “all users” means the rule would apply to all accounts in your organization. Wrong! “All users” from the TMG firewall’s perspective means all anonymous users – that is to say, any unauthenticated connections. If you click the Add button, you can select other users, such as All Authenticated Users or System and Network Service. You can also create custom sets of users based on Active Directory or RADIUS accounts. We’ll talk more about these options in the next article. In this example, we’ll select the All Users option and click Next to move to the next page.
The last page of the wizard is the Completing the New Access Rule Wizard page. Review the settings on this page and then click Finish.
After the rule has been created, it isn’t enforced until you click the Apply button at the top of the middle pane of the TMG firewall console. We’ll click the Apply button now.
After you click Apply, the Configuration Change Description dialog box appears. Here you can add a description of the change you made to the firewall policy and this will appear in the change log. The change log is useful for when you need to backtrack and figure out what you or someone else might have done to firewall policy in the event that things aren’t working the way you expected.
Notice that you have the option to back up your firewall policy by clicking on the Export button at this point. This allows you to have a backup of the configuration so that you can easily get back to the point where you were before making this change. You also have the option to not show this prompt again in the future, but I don’t recommend that you select that option, since you’ll find this dialog box to be very helpful for you in the future. Now we’ll click Apply.
The Saving Configuration Changes dialog box appears and lets you know that the firewall policy settings were saved to configuration storage. Notice here that it says Existing client connections will be reevaluated according to the new configuration. Client connections not matching the newly enforced policy will be dropped. This is a new feature in the TMG firewall. With the ISA firewall, new firewall policy was applied to new connections only and not to existing ones. This is a great improvement and one of the many reasons that you should upgrade to the newest version of the ISA firewall – now named the TMG firewall.
The new rule appears in the firewall policy list, as you can see in the figure below. The position on the list depends on where you clicked when you started the wizard. However, as I’ll show you in the next article, you can move the rule up or down on the list.
In this article we went over some of the basics of Access Rules for new TMG firewall admins. Access Rules are used to control traffic moving outbound from a TMG protected network to another network. By default, there are no Access Rules and no traffic can move through the TMG firewall. An Access Rule must be in place to allow outbound traffic. Access Rules allow you to control traffic, based on a number of factors, such as the source location, destination location, the user, and the protocols that are being used. There are other options that weren’t exposed in the Access Rule wizard, and we’ll go over those options in the next article. See you then! –Deb.