Forefront TMG 2010 Policy and Configuration Management Tips and Tricks
There are a multitude of ways to manage the policy and configuration in Forefront Threat Management Gateway (TMG) 2010. Personally, I have been installing, configuring, and managing TMG and its predecessors ISA Server and Proxy Server for more than 15 years. During that time I’ve also helped many organizations - small and large - design, implement, and maintain ISA and TMG. Needless to say I’ve seen some well managed systems, and I’ve seen my share of poorly managed ones. In this article I want to share with you some TMG policy and configuration management tips and tricks I’ve encountered in my travels that will ultimately help make your TMG firewall easier to manage and perhaps even perform better.
Forefront TMG includes many out-of-the-box protocols to use when creating firewall access rules. There are times, however, when creating a custom protocol is required. An excellent example of this would be installing a third-party management agent on the TMG firewall such as the Fastvue TMG Reporter arbiter which accepts inbound communication on TCP port 49361. When creating the new custom protocol, include the protocol and port number along with a descriptive name in the Protocol definition name field, as shown here.
When configuring access rules in Forefront TMG using computer objects, another thing I’ve found very helpful is to include the IP address in the name of the object itself. This will make things much easier when you are looking at firewall policy rules and need to determine quickly if a specific IP address is allowed by policy. For example, here I’m creating an access rule to allow the Fastvue TMG Reporter arbiter to accept communication from the TMG Reporter server in my lab with an IP address of 172.16.1.201. In the Name field I’ve included the IP address of the system along with its fully-qualified domain name.
This same principle can also be applied to Address Range and Subnet network objects, as shown here:
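The naming conventions above only help if the name and the object stay in agreement: a computer object whose name still carries an address that was changed months ago is misleading, not helpful. The following script is an added example, not part of the original article or of Forefront TMG itself. It walks the array's computer objects and protocol definitions through the TMG administration COM object model (FPC.Root) and reports any whose name lacks the IP address or port, or carries one that no longer matches. It assumes it runs in an elevated PowerShell session on the TMG server (or a machine with the TMG management console installed), and it assumes the property names IPAddress on computer objects and LowPort/HighPort on a protocol's primary connections; every protocol definition is listed, so built-in protocols without a port in their name will show up as well and can be ignored.

```powershell
# Added example (not from the original article): audit TMG rule element names
# against the "include the IP address / port in the name" convention.
# Assumes the FPC.Root COM object model is available (TMG server or a host
# with the TMG management console) and an elevated session.

function Test-NameContainsIPAddress {
    param([string]$Name, [string]$IPAddress)
    # Pull every dotted-quad out of the name and compare it with the object's address.
    $found = @([regex]::Matches($Name, '\b(?:\d{1,3}\.){3}\d{1,3}\b') | ForEach-Object { $_.Value })
    if ($found.Count -eq 0)       { return 'missing'  }
    if ($found -contains $IPAddress) { return 'ok'    }
    return 'mismatch'   # a stale address in the name is worse than none at all
}

function Test-NameContainsPort {
    param([string]$Name, [int]$LowPort, [int]$HighPort)
    # Every run of digits in the name is a candidate port number.
    $numbers = @([regex]::Matches($Name, '\d+') | ForEach-Object { [int]$_.Value })
    if ($LowPort -eq $HighPort) {
        if ($numbers -contains $LowPort) { return 'ok' } else { return 'missing' }
    }
    # For a port range, expect both ends of the range to appear in the name.
    if (($numbers -contains $LowPort) -and ($numbers -contains $HighPort)) { return 'ok' }
    return 'missing'
}

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()

Write-Output '== Computer objects whose name does not carry the correct IP address =='
foreach ($c in $array.RuleElements.Computers) {
    # Property name IPAddress on the computer object is assumed here.
    $state = Test-NameContainsIPAddress -Name $c.Name -IPAddress $c.IPAddress
    if ($state -ne 'ok') {
        Write-Output ('{0,-9} {1,-45} {2}' -f $state, $c.Name, $c.IPAddress)
    }
}

Write-Output '== Protocol definitions whose name does not carry their port(s) =='
foreach ($p in $array.RuleElements.ProtocolDefinitions) {
    # LowPort/HighPort on each primary connection are assumed property names.
    foreach ($conn in $p.PrimaryConnections) {
        $state = Test-NameContainsPort -Name $p.Name -LowPort $conn.LowPort -HighPort $conn.HighPort
        if ($state -ne 'ok') {
            Write-Output ('{0,-9} {1,-45} {2}-{3}' -f $state, $p.Name, $conn.LowPort, $conn.HighPort)
        }
    }
}
```

Run it read-only as part of a periodic policy review; it changes nothing. The two Test- functions are pure string checks, so they can also be fed an exported list of names and addresses on a workstation without the COM object model.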
Access Rule Placement
When the Forefront TMG firewall has a lot of firewall policy rules, getting a newly created access rule in the right order can be challenging at times. Often TMG firewall administrators will create a rule that is intended to be included in an access policy group, only to find out that if the rule isn’t created inside the group initially, the only way to add it to the group is to ungroup, reorder the rules, and create the group again. Very frustrating! In addition, administrators sometimes inadvertently add a new access rule to a group when it shouldn’t be included. Since it is not possible to drag and drop rules into or out of access policy groups, here again your only option is to ungroup, reorder, and regroup again. Not exactly efficient!
With a little planning and forethought it is possible to have the rule created pretty close to where we want it to be in the firewall policy. The trick here is, before creating an access rule, to highlight in the firewall policy exactly where you want the rule to be created. In this example I want an access rule to be placed first in the ordered list of rules, so I will highlight the first access rule in the list and then right-click the Firewall Policy node in the navigation tree to create a new access rule. In this example you’ll notice that, behind the new access rule context menu, the first access rule has been selected and is highlighted.
Once complete, the new access rule will appear just above the rule I selected initially.
Additionally, if I wanted to add a rule to the end of the list, I would highlight the last Default Rule before creating the access rule. If I need to create a new rule and have it included in an existing access policy group I will first highlight a rule in that group prior to launching the access rule wizard.
Access Policy Groups
One of the nice new features in Forefront TMG is the ability to create access policy groups. When you use the Getting Started Wizard to define a basic web access policy, TMG creates an access policy group to allow web access to all users and, if the option was selected, blocks access to common categories.
Thankfully TMG administrators can create their own access policy groups as well. Begin by placing any existing access rules in consecutive order. It is not possible to group access rules that are not in order in the firewall policy. Next, select all of the rules to be included in the group, then right-click on the selected rules and choose Create Group.
Provide a descriptive name for the Policy group name and click OK.
Once complete, you can reorder individual rules within the group and you can reorder the entire group within the firewall policy as required. As I mentioned earlier, adding and removing rules to or from an access policy group cannot be accomplished using drag and drop. As an alternative to ungrouping, reordering, and regrouping I will simply copy the rule I wish to remove from the group and paste it outside of the group in the firewall policy. Next I delete the original rule and then rename the rule I pasted earlier.
Internal Network Properties
The Internal network properties configuration is an often overlooked area in my experience. In particular, the Forefront TMG Client tab is frequently configured improperly or has unnecessary options selected. By default, the option to Enable Forefront TMG Client support for this network is enabled. If you have not deployed the TMG firewall client, it’s a good idea to deselect this option. If you do plan to provide support for the TMG firewall client, it’s a good practice to specify the name of the TMG firewall (or the array name if you have an enterprise cluster) using a fully-qualified domain name.
Another troublesome area is the Client Computer Web Browser Configuration settings. These settings will configure the web browser of any client that has the TMG firewall client installed and enabled. By default, all of the options are selected! Most environments will require only one of these settings. If you’re planning to use WPAD, you can choose the option to Automatically detect settings and safely disable the other options. If you’re not using WPAD and still want to take advantage of advanced web proxy features TMG offers, select the option to Use automatic configuration script. My preference is to use a custom URL and provide the fully-qualified domain name.
Lastly, if you want to direct web proxy clients to a specific proxy server or array, select the option to Use a Web proxy server and enter the fully-qualified domain name of the proxy server or array.
Configuration Change Tracking
Configuration Change Tracking is a great feature that first appeared in ISA Server 2006 SP1, and is now included in Forefront TMG 2010. Configuration Change Tracking records any changes made by the administrator, either programmatically or with the management console. When making changes using the management console, by default the administrator is prompted to enter a description of the change, like this:
Often I see TMG firewall administrators ignore this box. Ok, admittedly even I ignore this box too, but I’m typically working in lab or demonstration environments so I have an excuse! However, for production environments this dialog box should not be ignored. Although the change itself, along with the administrator who made the change is recorded in the configuration change tracking log, it is often quite helpful to put some context around this change in the description box. Examples of this would be why the change was made, what prompted the change, if the change was being made during a maintenance window or during production hours, etc. Including references to any help desk ticket number or change request number is also an excellent idea.
Implementing some or all of these tips and tricks will make your day to day operation and management of your Forefront TMG firewall easier. Adding the protocol and port to custom protocols makes recognizing their function easier and more intuitive. Including the IP address in the description of computer objects can provide a quick visual indicator of the source or destination IP address allowed or denied by firewall policy. Leveraging access policy groups can reduce clutter in your TMG management console by allowing the administrator to group common access rules together. Cleaning up the Internal network properties configuration can also reduce the overall attack surface on the firewall and streamline web proxy client configuration for systems with the Forefront TMG firewall client installed. In addition, utilizing the description field of the configuration change tracking dialog box can provide important context around a particular change, which can reduce any troubleshooting efforts required in the future.