Tweaking the configuration of Forefront TMG with customized TMG XML configuration files
Before we start how to tweak the Forefront TMG configuration with modified XML export/import files I must tell you that you must use this information at your own risk, no warranty, and I recommend to always create a backup of your TMG configuration before you modify something.
Forefront TMG as its predecessor ISA Server 2006 has the capability to back up the entire Forefront TMG configuration or parts of the Forefront TMG configuration into a XML file. You can use this XML files to restore the configuration on the same or a different Forefront TMG server. The following screenshot shows an example how to export a Firewall policy rule into an XML file. For more information about the backup and restore process of Forefront TMG, read the following article.
Figure 1: Export selected Firewall policy rule
The backup and restore process backs up and restores certificate keys, which indicate to Forefront TMG which certificates to use, but it does NOT backup the certificates themselves, so you always have to create a backup of your certificates on the TMG server with the import and export functionality of the certificate MMC Snap In from Windows Server 2008/R2 and you should place the certificates on a secure location because the certificate contains the private key which is used to decrypt the encrypted network traffic.
The following screenshot shows an example of an exported Firewall policy rule, in this example the Default Firewall policy rule of Forefront TMG.
Figure 2: Edit an XML file with an XML editor
Activating and deactivating the default rule
The Default Firewall Policy rule of Forefront TMG cannot be deactivated within the Forefront TMG MMC. Under normal circumstances it should not be necessary to disable the Default Firewall Policy rule because this rule works a “catch all” rule for traffic which is not explicitly allowed or denied to the Forefront TMG System policy rules or user defined Firewall Policy rules. If you have the requirement to disable the Default Firewall Policy rule, you must export the rule and after that you must edit the rule with a text editor like Notepad.exe or better a specialized XML editor. For this article I used Notepad++ as the editor.
Figure 3: The default Firewall policy rule cannot be disabled
To deactivate or activate the system policy rule, export the Default Firewall Policy rule with the TMG MMC into a XML file and edit the XML file with a text or XML editor and change the “IsDefaultRule” entry to 0 from 1 and save the XML file, as shown in the following screenshot.
After the XML file has been modified, import the XML file into your TMG configuration and from now on it is possible to activate or deactivate the default rule with the TMG MMC:
Figure 5: The default Firewall policy rule can now be activated or deactivated
Enable or disable the rule with ADSIEDIT
It is also possible to enable or disable the Firewall policy rule with ADSIEDIT. Forefront TMG stores the configuration into a AD-LDS (Active Directory Lightweight Directory Service) instance, and it is possible to edit the TMG configuration with ADSIEDIT. You can read more about the TMG storage in the following article.
Start ADSIEDIT and connect to the TMG storage, navigate to the Firewall policy rule which you want to enable or disable and change the msFPCEnabled attribute to a value you want (true or false) as shown in the following screenshot.
Figure 6: Enable or disable rules with ADSIEDIT
Enable / Disable logging for System policy rules
As a next step I will show you how it is possible to disable logging for a System policy rule. If you try to disable logging for a System policy rule with the TMG MMC you will get a error message as shown in the following screenshot.
Figure 7: It is not possible to disable logging for this system policy rule
To overcome this limitation we must export the entire System policy rule set into a XML file.
Figure 8: Export System Policy Rules
After the System policy rule set has been exported, edit the XML file with a XML editor and locate the System policy rule which you would like to change and insert the following string into the XML file as shown in the next screenshot.
Figure 9: Disable logging for this System Policy Rule
Save the XML file and import the System policy rule set with the TMG MMC. After the XML file has been imported, logging for this System policy rule has been deactivated.
Figure 10: Logging is now disabled for this System Policy Rule.
If you try to enable logging again for this System policy rule with the Forefront TMG Management console, you will get an error that this is not possible, so you have to enable logging for this rule again with modifying the rule with an editor and after that, import the Firewall policy rule again into the TMG MMC.
I hope that you now have a better understanding about the Forefront TMG capabilities to export and import parts of the Forefront TMG configuration and how to modify some settings to tweak the Forefront TMG configuration. I also tried to give you some more information about the structure of Forefront TMG XML files to better understand the structure of these files. Before you start to tweak your TMG configuration, you should always make a backup of your configuration.
- Microsoft Forefront TMG - Backup and Restore Capabilities
- Backing up the Forefront TMG configuration
- Exporting and Importing a Forefront TMG Configuration
- Importing Hammer of God Country IP Block Network Sets into ISA Enterprise Policies
- Forefront TMG – Modifying TMG System Policy rules with TMG Export / Import functionality
- Forefront TMG - Scripting with VBScript and PowerShell
- Microsoft Forefront TMG – TMG Storage 101