It is possible to change many error HTML messages in Forefront TMG or to create custom messages when you deny traffic in a Firewall policy rule on Forefront TMG. Forefront TMG also comes with support for forms based authentication (FBA), which displays a login page in the client web browser where the user enters credentials to get access to the published resources. FBA is often used when Forefront TMG administrators publish an internal Exchange Server to give access to Outlook Web Access / Outlook Web App from the Internet.
Let us start with changing the FBA page for accessing Outlook Web Access (OWA). There are several ways to customize the look and feel of the FBA for OWA. If you are an experienced web designer you can use your favorite tool to modify the FBA forms which come with Forefront TMG. You can also use tools like the FBA Editor, which is an easy to use tool to customize some FBA forms. Before we start modifying anything, make a backup of the directories that contain the default FBA forms.
There is a tool called FBA Editor from Kay Sellenrode which allows some basic changes to the FBA forms of Forefront TMG. You can download the FBA Editor from Kay Sellenrode's website. The tool is very handy. Simply copy the tool to the Forefront TMG Server and run the executable. Next, select the page you want to edit. It is possible to change some settings like the default font, the custom message text and the picture of the FBA form. When you are finished, click the Preview Page button and, after everything has been reviewed, click the Apply button.
Figure 1: FBA Editor
Customize the OWA FBA login page manually
If you do not want to use tools like the FBA Editor, it is also possible to customize the FBA forms by editing the form files manually. You can find the forms in the following directory: c:\program files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplate. There are two subdirectories called Exchange and ISA. The ISA directory includes all the HTML forms that may be required for forms-based authentication in a Forefront TMG web publishing rule. The Exchange directory includes all the HTML forms that may be required for Microsoft Exchange web client access forms-based authentication (for example OWA).
Figure 2: CookieAuthTemplate on Forefront TMG
The NLS directory (the language directory) contains language specific subdirectories, each with a file called strings.txt that substitutes the text in the OWA FBA logon screen with a language specific text. You can change the strings to your own text, but beware of the instructions in the following article. In this article you will also find information on how to use custom graphics in your OWA FBA form. Here are the high level steps for using your own graphics. The graphics are all located in the default forms directory. If you want to replace a logo, for example corplogo.gif, copy your corplogo.gif file to the Exchange HTML directory. Open the .htm file that includes the graphic you want to replace and modify the URL for the graphic. For this example the modified URL is: /cookieauth.dll?GetPic?formdir=%FORMDIR%&image=corplogo.gif. After you save the file, restart the Forefront TMG Firewall service for the changes to take effect. If you are using Forefront TMG Enterprise with an array, you have to modify the files on every Forefront TMG node.
An easier way to replace the default graphics with your own is to give the custom graphic the same name as the default graphic.
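The following PowerShell script is an added example (not from the original article and not the FBA Editor tool) that automates the steps above: it backs up the CookieAuthTemplate tree, installs a custom logo under the default file name so the existing GetPic reference in the form needs no edit, checks which OWA forms actually reference that image, and restarts the Firewall service. It assumes the default TMG installation path, the Firewall service name fwsrv, and a custom logo at C:\Custom\corplogo.gif; adjust the parameters for your installation.

```powershell
<#
 Added example, not part of the original article or the FBA Editor tool.
 Assumptions (adjust for your installation): default TMG install path as given
 in the article, the Firewall service name "fwsrv" (Microsoft Forefront TMG
 Firewall), and a custom logo at C:\Custom\corplogo.gif.
 On a Forefront TMG Enterprise array run this on every array member.
#>
param(
    [string]$CustomLogo   = 'C:\Custom\corplogo.gif',
    [string]$TemplateRoot = 'C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\CookieAuthTemplate',
    [string]$BackupRoot   = 'C:\TMG-FBA-Backup',
    [string]$LogoName     = 'corplogo.gif'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $CustomLogo))   { throw "Custom logo not found: $CustomLogo" }
if (-not (Test-Path $TemplateRoot)) { throw "Template directory not found: $TemplateRoot" }

# 1. Back up both the Exchange and ISA form directories before changing anything.
$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path $TemplateRoot -Destination $backup -Recurse
Write-Host "Backup of $TemplateRoot written to $backup"

# 2. Install the custom graphic under the default name in the Exchange HTML directory.
#    Keeping the default name means the form's existing reference
#    /cookieauth.dll?GetPic?formdir=%FORMDIR%&image=corplogo.gif needs no edit.
$htmlDir = Join-Path $TemplateRoot 'Exchange\HTML'
Copy-Item -Path $CustomLogo -Destination (Join-Path $htmlDir $LogoName) -Force

# 3. Report which OWA forms load this graphic, so a wrong file name is caught
#    before the service restart rather than by the first user who logs on.
$pattern = 'image=' + [regex]::Escape($LogoName)
$refs = Get-ChildItem -Path $htmlDir -Filter *.htm | Select-String -Pattern $pattern
if ($refs) {
    $refs | ForEach-Object { $_.Path } | Sort-Object -Unique |
        ForEach-Object { Write-Host "Referenced in $_" }
} else {
    Write-Warning "No .htm form in $htmlDir references $pattern; check the form's GetPic URL."
}

# 4. The change takes effect only after the Firewall service restarts
#    (this briefly interrupts traffic through this node).
Restart-Service -Name fwsrv -Force
Write-Host 'Forefront TMG Firewall service restarted.'
```

Run it in an elevated PowerShell session on the TMG server; the backup directory lets you restore the original forms by copying the CookieAuthTemplate folder back.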
Customize the default message by the HTTP filter
Forefront TMG comes with an HTTP filter which allows the filtering of HTTP traffic, or of HTTPS traffic when SSL bridging is used in reverse proxy scenarios or when outbound HTTPS inspection is activated and configured on Forefront TMG. Unfortunately there is no way to customize the message of the HTTP filter.
Custom deny messages in Firewall policy rules
In ISA Server 2006 it was possible to redirect a user to a web page with information about the reasons why accessing the website is not allowed. This was configured on the deny tab of the Firewall policy rule that denies the traffic. This is still possible with Forefront TMG, but Forefront TMG comes with new functionality to specify the deny text in the Firewall policy rule properties without redirecting the user to a custom website. You can use plain text or HTML text for the custom deny message, as you can see in the following screenshot.
Figure 3: Custom deny message in a Firewall policy rule
New and changed Forefront TMG Error HTML messages
Microsoft Forefront TMG comes with a handful of new error HTML message documents which the Forefront TMG Administrator is allowed to customize:
The client certificate used to establish the SSL connection with the Forefront TMG Server computer is not acceptable. The client certificate restrictions were not met.
The SSL server certificate supplied by a destination server is not yet valid.
The SSL server certificate supplied by a destination server has expired.
The certification authority that issued the SSL server certificate supplied by a destination server is not trusted by the local computer.
The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
The SSL certificate supplied by a destination server cannot be used to validate the server because it is not a server certificate.
The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request.
The SSL server certificate supplied by a destination server has been revoked by the certification authority that issued it.
Forefront TMG denied the specified Uniform Resource Locator (URL). (This page is used when the deny rule is set to display URL category, but no custom message, [URLCATEGORY] will be replaced with the category name)
Forefront TMG denied the specified Uniform Resource Locator (URL). (This page is used when the deny rule is set to display custom message but not URL category, [ADMINMESSAGE] will be replaced with the custom message)
Forefront TMG denied the specified Uniform Resource Locator (URL). (This page is used when the deny rule is set to display both custom message and URL category, [URLCATEGORY] will be replaced with the category name, [ADMINMESSAGE] will be replaced with the custom message).
For many HTML error message documents there are two versions available. One file comes without an “R” in its filename; the other has an “R” in its filename. The file with the “R” is displayed to clients accessing Forefront TMG from the external network. The content of the other file is displayed to clients accessing Forefront TMG from the internal network.
It is very easy to modify the text of an error message. The simplest way is to use an editor like Notepad.exe, or if you have an HTML editor program you can use that instead. In our example we will change the new error HTML message 12230.htm, which is displayed to a client that tries to open an SSL website when outbound SSL inspection is used on Forefront TMG and the SSL server certificate has been revoked by the issuing certificate authority.
Figure 4: Standard error message
For this example I simply changed the contact information which users can use to get more information about the error message.
Figure 5: Modified error message
In this article I tried to show you several ways to customize Forefront TMG error HTML messages, how to customize the Forefront TMG deny messages and how to configure the forms based authentication logon page for Outlook Web Access. With this knowledge it should be easier for you to customize your own error messages to give your users a better understanding of the errors they may get when they access websites through Forefront TMG.