In a previous article on ISAserver.org, we went over how to install the TMG firewall using the default Edge Firewall configuration. You might recall that during the setup process, there was the option to run the Web Access Policy wizard. At that time, we decided to defer the option to configure Web access policy, since the wizard is somewhat complex and we really weren’t interested in getting into that level of complexity at the time. Now that we have more time, let’s take a closer look at the Web Access Policy Wizard and find out what it can do for you.
The philosophy behind the TMG firewall is a bit different than that behind the previous versions of the ISA firewall. While the ISA firewall was designed to be many things to many people, the TMG firewall is designed primarily to be a Web protection Unified Threat Management (UTM) type of device. What this means in practice is that the TMG firewall was designed to be used for outbound access control. For remote access, such as Web publishing and VPN connectivity, the Microsoft preferred option is the Unified Access Gateway (UAG) 2010. Yes, I know that the TMG firewall still does some remote access tasks better than UAG does at this time, but this is the direction in which things seem to be going – so if you get with the program now, you’ll be in better shape down the line and won’t end up with a dead-end remote access solution for your firm.
That being said, we can use TMG to create a Web access policy that will control which computers and users can access the Internet and which Internet sites they can access. You can block specific sites for everyone or for specified groups, and you can control the times at which specific sites can be accessed. You can also mandate scanning for malware content and configure filtering of HTTP commands and data. So let’s set it up.
To start the Web Access Policy Wizard, click the Forefront TMG node in the left pane of the console and click the Launch Getting Started Wizard link in the right pane of the console, as seen in Figure 1 below.
The Getting Started Wizard page appears, and it shows that we’ve already run the wizard, as evidenced by the fact that there are checkmarks next to each of the three steps in Figure 2. However, you can run it again; if you put a checkmark in the Run the Web Access Wizard checkbox, the Web Access Wizard appears when you click the Close button.
After you click the Close button, the Welcome to the Web Access Policy Wizard page appears, as shown in Figure 3. Click Next.
On the Web Access Policy Rules page, you have two options:
- Yes, create a rule blocking the minimum recommended URL categories. This option will configure an Access Rule that blocks a number of pre-defined URL categories. Out of the box, the TMG firewall comes with a number of URL categories that you can use to allow or deny access to sites based on their category classification. Microsoft updates these URL categories on a regular basis throughout the day and TMG can be configured to automatically update these categories for you.
- No, do not create the rule for me. If you select this option, the TMG firewall will not automatically create the blocking rule for sites that you likely want to block.
In this example, we’ll select the Yes, create a rule blocking the minimum recommended URL categories option, as shown in Figure 4, and click Next.
On the Blocked Web Destinations page, shown in Figure 5, you can see that there is a list of URL categories that are automatically selected for you. If you want to add more categories to this list, you can click the Add button and then click on the URL Categories folder. In the figure, you can see a partial list of the URL categories from which you can choose. After you select the categories you want to block, click Next.
On the Blocked Web Destinations Exceptions page, shown in Figure 6, you can define a group of users who will not be blocked by this rule. You might want to create such a group for administrators, CxO level employees, and others for whom you don’t want to risk blocking anything that could interfere with their web experience. There is no default group for this, so you will need to create one. Click the Add button to get started, as shown in Figure 6.
To create the group, you must create a new User Set. The Welcome to the New User Set Wizard page, shown in Figure 7, opens when you click New. In the User set name text box, enter a name for the User Set. In this example we’ll name the User Set Go Anywhere, then click Next.
On the Users page of the New User Set Wizard, shown in Figure 8, click the Add button. Here you will see four options:
- Windows users and groups – You can use this option to select users that are contained in the Active Directory for the domain or forest in which the TMG firewall exists.
- LDAP – You can use this option to obtain users via LDAP queries to LDAP servers that you’ve already defined on the TMG firewall. Keep in mind that the LDAP users must be from an Active Directory domain controller – the TMG firewall will not query other LDAP directories.
- RADIUS – You can use this option to obtain users via RADIUS. Note that when you use RADIUS, you cannot include groups, so users will need to be added individually.
- SecurID – You can use this option to obtain users via SecurID authentication repositories.
In this example, the TMG firewall is a member of an Active Directory domain, so I will select the Windows users and groups option.
This brings up the Select Users or Groups dialog box that’s shown in Figure 9. Make sure that you have Entire Directory listed in the From this location section if you want to select from the Active Directory. Enter the name of the user or group in the Enter the object names to select text box and click Check Names. Then when the name is verified, click OK.
The name of the user or group is now included on the Users page, as you can see in Figure 10. Click Next.
Click Finish on the Completing the New User Set Wizard page, shown in Figure 11. This completes the configuration of the User Set.
The new User Set now appears in the Add Exceptions dialog box. Double click the new User Set (Go Anywhere in this example) and then click Close in the Add Exceptions dialog box, as shown in Figure 12.
On the Blocked Web Destinations Exceptions page, shown in Figure 13, you can now see the name of the User Set that will not be blocked by the deny access rule that was created by the Web Access Policy Wizard. Click Next.
On the Malware Inspection Settings page, shown in Figure 14, you have two options:
- No, do not inspect Web content requested from the Internet. When you select this option, the TMG firewall will not inspect the connections for malware using this rule. Of course, you could create other rules and apply malware inspection to those rules, but if you select this option, anti-malware inspection will not be applied to this rule.
- Yes, inspect Web content requested from the Internet. When you select this option, the content will be inspected for malware. Note that only content that’s processed by the web proxy filter will be inspected. Non-web content will not be inspected for malware (for example, NNTP connections will not be inspected for malware).
- Block encrypted archives… Such files may contain encrypted viruses capable of bypassing antivirus signatures. This option enables the TMG firewall to block encrypted archives, since the firewall won’t be able to check inside of these encrypted archives. If you want to take a chance and hope that there aren’t any viruses in the archives, you can uncheck this option.
Click Next after making your selections.
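As an added illustration (this is not code from the article or from Forefront TMG), here is a small Python content filter that makes the same decision the Block encrypted archives option makes: an archive whose entries are encrypted cannot be scanned, so the policy blocks it rather than letting unscanned content through. The two sample archives are constructed inside the script; because Python's zipfile module cannot write password-protected entries, the helper flips the ZIP "encrypted" flag bit on an ordinary archive to stand in for a real encrypted one.

```python
import io
import struct
import zipfile
from typing import List

# Constructed sample data (not captured traffic): build one plain ZIP and one
# whose single entry carries the "encrypted" general-purpose flag (bit 0).
def build_sample_zip(encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", b"quarterly numbers")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: signature(4) version(2) flags(2) -> flags at offset 6.
        data[6:8] = struct.pack("<H", 0x0001)
        # Central directory entry: signature(4) made-by(2) needed(2) flags(2)
        # -> flags at offset 8 from the PK\x01\x02 signature.
        cd = data.find(b"PK\x01\x02")
        data[cd + 8 : cd + 10] = struct.pack("<H", 0x0001)
    return bytes(data)


def encrypted_entries(archive: bytes) -> List[str]:
    """Names of entries a scanner could not open because they are encrypted."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x0001]


def archive_verdict(archive: bytes, block_encrypted: bool = True) -> str:
    """Policy decision for a downloaded file.

    'not-an-archive' : not a ZIP, hand it to the normal malware scanner
    'block'          : has encrypted entries and the policy forbids them
    'scan'           : every entry can be opened, so run the malware scanner
    """
    if not zipfile.is_zipfile(io.BytesIO(archive)):
        return "not-an-archive"
    hidden = encrypted_entries(archive)
    if hidden and block_encrypted:
        return "block"
    return "scan"


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_zip(False)),
                        ("encrypted", build_sample_zip(True))):
        print(label, "->", archive_verdict(blob),
              "unscannable entries:", encrypted_entries(blob))
```

The check reads only the central directory, so it costs nothing beyond parsing the archive header; with `block_encrypted=False` the filter mirrors unchecking the wizard option and passes the archive to a scanner that will not be able to see inside it.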
On the HTTPS Inspection Settings page, shown in Figure 15, you have a number of options:
- Allow users to establish HTTPS connections to Web sites. When you select this option, the Access Rule created by the wizard will allow outbound HTTPS connections.
- Inspect HTTPS traffic and validate HTTPS site certificates. When you select this option, the TMG firewall will open up the SSL connection between the client and server by terminating the client connection on the internal interface of the TMG firewall. The TMG firewall does this by impersonating the destination Web server. In addition, when you select this option, the TMG firewall will validate the Web site certificate presented by the destination Web server. If the TMG firewall can’t validate the certificate, then the connection will be terminated.
- Do not inspect HTTPS traffic, but validate the HTTPS site certificate. Block HTTPS traffic if the certificate is not valid. This is pretty straightforward. When you select this option, the TMG firewall will not inspect the SSL traffic, but it will validate the Web site certificate presented by the destination Web server. If validation fails, the connection will be dropped.
- Do not inspect HTTPS traffic and do not validate HTTPS site certificates. Allow all HTTPS traffic. Choose this option if you want the TMG firewall to be as insecure as the typical hardware firewall. When you select this option, malware passes through unchecked and anonymous proxies are easy to reach, which lets both intruders and users bypass network security policy by hiding inside an SSL tunnel.
- Do not allow users to establish HTTPS connections. This option blocks all outbound SSL connections. This is a very secure option, but it’s often impractical to implement in a production environment.
In this example, we’ll select the Allow users to establish HTTPS connections to Web sites and Inspect HTTPS traffic and validate HTTPS site certificates options. Click Next.
On the HTTPS Inspection Preferences page, shown in Figure 16, once again you have a number of options:
- No, do not notify users of HTTPS inspection. Select this option if you don’t want your users to know when their SSL connections are being inspected.
- Yes, notify users. To receive inspection notifications, users must have Forefront TMG Client installed and enabled on their computers. When you select this option, the users will see a balloon next to the TMG client icon in the system tray when they connect to an SSL site.
- Use a certificate automatically generated by Forefront TMG. Use this option if you want the TMG firewall to automatically create the certificate that will be used to impersonate the destination SSL web servers. The TMG firewall can also automatically deploy this certificate to the Active Directory so that clients will trust this certificate.
- Use a custom certificate. Use this option if you don’t want the TMG firewall to create the SSL impersonation certificate and instead want to use a certificate that you’ve generated from your own PKI.
In this example, we’ll select the Yes, notify users… and Use a certificate automatically generated by Forefront TMG options, as shown in Figure 16. Click Next.
On the Certificate Deployment Preferences page, shown in Figure 17, you have only two options:
- Automatically deploy the certificate using Active Directory (recommended). Use this option when you want the TMG firewall to deploy the certificate to the Active Directory for you. When you choose this option, you will need to enter a domain admin account name and password so that the wizard will have access to the Active Directory for certificate deployment.
- I will manually export and deploy the certificate. Use this option if you don’t want the TMG firewall to deploy the certificate for you (not recommended).
On the Web Cache Configuration page, shown in Figure 18, you can configure how much disk space you want to dedicate to the Web cache. In general, I like to allocate 5-10 MB of disk space per user, but you might find less or more works best for you. By default, no disk space is dedicated to the cache, as you can see in the figure below. If you want to turn on Web caching, click the Cache Drives button.
In the Define Cache Drives dialog box, shown in Figure 19, enter the number of MBs of space you want to dedicate to the web cache. Enter the value in the Maximum cache size (MB) text box and then click the Set button. Notice that the dialog box provides you with information about how much disk space is available on each disk where you can define a cache file. Note that the drive must be formatted as NTFS, and that the maximum cache file size is 64 GB (however, in general you should keep the cache file size smaller than 40 GB). Click OK.
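As an added example (not the article's or TMG's own code), the following Python helper turns the sizing guidance above into a repeatable check: it sizes the cache from the user count at a per-user figure inside the 5-10 MB range, caps the result at the 40 GB the article recommends, and then validates a candidate drive against the rules the Define Cache Drives dialog enforces (NTFS only, 64 GB hard maximum, enough free space). The drive inventory is constructed sample data; on a real server you would fill it from the volume information the dialog displays.

```python
from typing import Dict, List

MB_PER_USER = 8                 # inside the 5-10 MB per user suggested above
RECOMMENDED_MAX_MB = 40 * 1024  # keep the cache file under 40 GB
HARD_MAX_MB = 64 * 1024         # largest cache file the dialog accepts

# Constructed sample inventory, standing in for what the dialog shows per disk.
SAMPLE_DRIVES: Dict[str, Dict[str, object]] = {
    "C:": {"filesystem": "NTFS", "free_mb": 12 * 1024},
    "D:": {"filesystem": "NTFS", "free_mb": 120 * 1024},
    "E:": {"filesystem": "FAT32", "free_mb": 200 * 1024},
}


def plan_cache_mb(user_count: int, mb_per_user: int = MB_PER_USER) -> int:
    """Size the cache from head count, then apply the recommended 40 GB ceiling."""
    if user_count < 0 or mb_per_user <= 0:
        raise ValueError("user_count must be >= 0 and mb_per_user > 0")
    return min(user_count * mb_per_user, RECOMMENDED_MAX_MB)


def check_cache_drive(drive: Dict[str, object], size_mb: int) -> List[str]:
    """Return the reasons this drive cannot hold a cache file of size_mb (empty = OK)."""
    problems: List[str] = []
    if str(drive["filesystem"]).upper() != "NTFS":
        problems.append("cache drive must be formatted as NTFS")
    if size_mb > HARD_MAX_MB:
        problems.append("cache file exceeds the 64 GB maximum")
    if size_mb > int(drive["free_mb"]):
        problems.append("not enough free space on this drive")
    return problems


def choose_cache_drive(drives: Dict[str, Dict[str, object]], size_mb: int) -> str:
    """Pick the first drive that passes every check, or '' if none does."""
    for letter, drive in drives.items():
        if not check_cache_drive(drive, size_mb):
            return letter
    return ""


if __name__ == "__main__":
    size = plan_cache_mb(user_count=2500)
    print(f"planned cache: {size} MB")
    for letter, drive in SAMPLE_DRIVES.items():
        print(letter, check_cache_drive(drive, size) or "OK")
    print("chosen drive:", choose_cache_drive(SAMPLE_DRIVES, size) or "none")
```

With 2,500 users at 8 MB each the plan is 20,000 MB; C: is rejected for lack of space and E: for its file system, so D: is chosen. Asking for 10,000 users would be capped at 40 GB rather than growing toward the 64 GB limit.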
After you define the cache drive and the amount of space you want to dedicate to the cache, make sure there is a checkmark in the Enable the default Web caching rule checkbox, shown in Figure 20. This will enable the default cache rule to be applied. For details of the default cache rule, check out the cache rules section in the Cache Settings dialog box, which you can find by clicking the Web Access Policy node in the left pane of the console and then clicking the Configure Web Caching link in the right pane of the console.
Click Finish on the Completing the Web Access Policy Wizard page, as shown in Figure 21.
Don’t forget to click Apply, as shown in Figure 22, to save the changes to the firewall policy!
The Firewall Service will need to be restarted before all the changes can take effect. Make sure to select the Save the changes and restart the services option in the Forefront TMG Warning dialog box, as shown in Figure 23, and then click OK to commit the changes to the firewall configuration.
In this article, we got to know the Web Access Policy Wizard. The wizard configures many components of Web access policy. It first created a rule to block a collection of sites that most organizations are likely to want to block. Then it configured a group, the members of which can go to whatever sites they like. Next, outbound SSL inspection was configured and the impersonation certificate was deployed. Finally, we configured the cache file size and the default cache rule. The Web Access Policy Wizard makes it easy to configure multiple components of the TMG firewall by enabling the configuration to be done from a single location. You can change any of the settings later if you need to, by returning to the Web Access Policy node in the left pane of the console and then clicking the appropriate link in the right pane.