TMG Back to Basics – Part 8: SafeSearch, URL Filtering and Certificate Revocation Options

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our Real Time Article Update newsletter.


This week I thought I’d poke around the TMG firewall console to see if there were some interesting options that I hadn’t covered in my Back to Basics series. And lo, I did discover some options that I haven’t addressed, including the Safe Search, URL Filtering and Certificate Revocation options. So in this article, we’ll take a look at these options and what you can do with them.

When you open the TMG firewall console, click the Web Access Policy node in the left pane, and then click the Tasks tab in the Task Pane, you’ll see the Web Protection Tasks as shown in Figure 1 below. The Web Protection Tasks that we’re most interested in today are:

  • Configure SafeSearch
  • Configure URL Filtering
  • Configure URL Category Overrides
  • Query for URL Category

Figure 1


First, let’s click on the SafeSearch link. This brings up the General tab in the SafeSearch dialog box, which is shown in Figure 2. You’ll see that it’s a pretty simple dialog box. You have one option here: Enable SafeSearch. But what does that mean? When you enable SafeSearch, the TMG firewall will enforce strict filtering of adult content from search results delivered by supported search engines. This makes it possible for you to automatically block adult-oriented text, videos and images in the workplace. The supported search engines are those that are included in the Search Engines URL Category.

Figure 2

When SafeSearch is enabled, TMG will step in every time a user does a search on a major search engine, and modify the query string so that filtered results will be returned. The user can’t disable this in their browsers, so you maintain control over the web content that users can access, which is increasingly important to avoid lawsuits and liability.
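The query-string rewrite described above can be sketched as follows. This is an added illustration, not code from the article and not TMG's implementation; the host table and the parameter names (`safe=active`, `adlt=strict`) are the search engines' own strict-filtering parameters and are assumptions here, as are the function name and the sample URLs.

```powershell
# Added illustration of proxy-side SafeSearch enforcement; not TMG's own logic.
# Host list and parameter names are assumptions, not taken from the article.
$SafeParams = @{
    'www.google.com' = @{ Name = 'safe'; Value = 'active' }
    'www.bing.com'   = @{ Name = 'adlt'; Value = 'strict' }
}

function Set-SafeSearchQuery {
    param([Parameter(Mandatory=$true)][string]$Url)

    $uri  = New-Object System.Uri($Url)
    $rule = $SafeParams[$uri.Host]
    if (-not $rule) { return $Url }   # not a listed search engine: leave untouched

    # Keep every parameter except any copy of the enforced one the client
    # sent itself (for example safe=off), then append the strict value.
    $kept = @($uri.Query.TrimStart('?').Split('&') | Where-Object {
        $_ -and ($_.Split('=')[0] -ne $rule.Name)
    })
    $kept += ('{0}={1}' -f $rule.Name, $rule.Value)

    $builder = New-Object System.UriBuilder($uri)
    $builder.Query = ($kept -join '&')
    return $builder.Uri.AbsoluteUri
}

# Constructed sample requests: a client that tries to switch filtering off,
# a client that sends no preference, and a non-search site.
Set-SafeSearchQuery 'http://www.google.com/search?q=test&safe=off'
Set-SafeSearchQuery 'http://www.bing.com/search?q=test'
Set-SafeSearchQuery 'http://www.example.com/page?safe=off'
```

Because the client's own value is dropped before the strict one is appended, a browser-side setting cannot win over the proxy.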

When you enable SafeSearch, it creates a firewall rule, as you can see in Figure 3 below. In this example, the firewall rule is disabled because I disabled SafeSearch after initially enabling it. The rule doesn’t appear until you enable SafeSearch the first time. If you disable it later, the TMG firewall will not remove the rule; it will just disable it. That makes it easy for you to switch SafeSearch on and off when needed. If you enable SafeSearch again, the rule will change state from disabled to enabled.

Figure 3

But what if there are some users in your organization who need to be exempt from the filtering? Maybe they do research that gives them a legitimate reason to access adult content. Click the Users tab, which is shown in Figure 4. On this tab, you can add users who will be excluded from SafeSearch. When you click the Add button, it will bring up the Users Excluded From SafeSearch dialog box. Note that these are user groups that you configure on the TMG firewall. You can use Active Directory groups to populate these groups, but you do need to create the groups first.

Figure 4

That’s about it for SafeSearch. It’s very easy to configure it and works great! I’d demo it for you, but all you would see is a search results page that doesn’t include any adult links.

URL Filtering Options

Next, we’ll look at the URL Filtering options. Click on the Configure URL Filtering link in the right pane of the TMG console. This brings up the General tab that you can see in Figure 5. Once again, there is only one option here: Enable URL Filtering. When URL Filtering is enabled, access rules can be configured to allow or block traffic based on the URL categories you select. Note that when this feature is enabled, information about the URL being reached is sent to the Microsoft Reputation Services for categorization. The TMG firewall doesn’t download a database for this; instead, it sends queries to the MRS database to determine which category each URL belongs to. This is done over an SSL connection and Microsoft does not keep a record of the URLs your users are accessing.

Figure 5

URL filtering gives you granular control over the types of content that users can access on the web. There are a number of predefined category sets: Liability, Bandwidth, Business, Communication, Entertainment, General Productivity, Information Technology, Lifestyles, News/Reports, Purchasing, and Security. Each category set includes subcategories; for example, those in the Liability category set include:

  • Alcohol
  • Gambling
  • Tobacco
  • Obscene/tasteless
  • Profanity
  • Violence
  • Weapons
  • Nudity
  • Pornography
  • Provocative attire
  • Mature content
  • Criminal activities
  • Dubious
  • Hacking/computer crime
  • Hate/discrimination
  • Illegal drugs
  • Illegal software
  • School cheating information

For more information about exactly what types of web sites fall under each of these subcategories, see this link

Click on the Category Query tab. Here you can test to see what category a particular URL belongs to. For example, in Figure 6 below you can see that I wanted to determine what category the URL belongs to (I have no idea what kind of site this is so I recommend that you don’t go there). After entering the URL, click the Query button. In the Query Results section you can see that this URL belongs to the Pornography category (big surprise!). 

Figure 6

If you don’t agree with Microsoft’s assessment of a particular category, you can click the Report a URL to Microsoft Reputation Service as incorrectly categorized link. This brings up a web page that allows you to enter the URL you want re-categorized, as seen in Figure 7 below. You can also go there directly by visiting this link.

Figure 7

In the URL Filtering Settings dialog box, click on the URL Category Override tab, as shown in Figure 8. Here you can add a URL to a different category than the one to which it’s automatically added by Microsoft. Click the Add button and the URL Category Override dialog box appears. Enter the URL in the Override the default URL category for this URL pattern text box and then from the Move the URL pattern to this URL Category drop down list, select the new category.

Figure 8

The License Details tab provides a space where you can enter your License agreement number. You can test the TMG firewall for four months, but then you’ll need to enter a license number to keep using the URL filtering feature. URL filtering is subscription-based and is part of TMG’s Web Security Service license, which also includes the Malware Inspection updates.

Figure 9

One more thing. If you create Deny rules, then you need to know about a new option available for the rule that allows your users to temporarily override the deny rule. Double click on the rule and click the Action tab, as shown in Figure 10. If you select Deny, you have the option to Allow user override. When you enable the users to override, you can also set a limit on how long that override lasts. When a user overrides the rule, the rule is temporarily disabled, and the Web request continues in the firewall policy evaluation. If you click the Advanced button, you can select the Display denial notification to user option and include text that the user will see when the access to a site is denied. The other option is to redirect the user to another site.

Figure 10

URL filtering is important because, by blocking access to inappropriate web sites, you not only reduce the risk of lawsuits and liability but you also increase security, because these types of sites often host malware. Further, you conserve bandwidth for legitimate network usage, and you improve productivity by denying users the opportunity to waste time on such sites. You can also use URL filtering to block advertising, and you can use URL Filtering reports to track how the organization uses the Web, determine which users visit which types of sites, and so forth.

Certificate Revocation

Finally, we’re going to move on to the Certificate Revocation options in TMG, which allow you to control how TMG handles verification that incoming client and server certificates are not revoked. If you click on the Web Access Policy node in the left pane of the console and click the Tasks Tab in the Task Pane, and scroll down to the bottom of the Tasks Tab, you’ll see the Configure Certificate Revocation link, as shown in Figure 11 below.

Figure 11

This brings up the Certificate Revocation dialog box that’s shown in Figure 12. You have three options here:

  • Verify that incoming client certificates are not revoked. This option is enabled by default. When enabled, the TMG firewall will block access from web clients whose certificates are revoked; this is typical for web publishing rules.
  • Verify that incoming server certificates are not revoked in a forward scenario. This is for outbound access. If the destination web site or web proxy in front of the TMG firewall presents a revoked certificate, the connection will fail. This is the default setting.
  • Verify that incoming server certificates are not revoked in a reverse scenario. This option, which is disabled by default, applies to web publishing scenarios where you are using SSL to SSL bridging. If the web server that you’re publishing presents a revoked certificate, then the connection request will fail when this option is enabled.

Figure 12
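A pre-flight check for the revocation options above, as an added example that is not part of the original article or of TMG: it fetches a server's certificate and builds its chain with online revocation checking using the standard .NET `X509Chain` class. The function name and the host name are placeholders.

```powershell
# Added example, not from the article. Run it from the TMG server so the
# lookup takes the same network path the firewall would use.
function Get-RevocationVerdict {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,   # server whose certificate is checked
        [int]$Port = 443,
        [int]$TimeoutSeconds = 15
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented: the goal is to inspect it, not trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain with online revocation checking (CRL/OCSP fetched over the network).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds $TimeoutSeconds
    [void]$chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    if ($status -contains 'Revoked') { $verdict = 'Revoked' }
    elseif (($status -contains 'RevocationStatusUnknown') -or
            ($status -contains 'OfflineRevocation')) { $verdict = 'Unknown' }
    else { $verdict = 'NotRevoked' }

    # CRL Distribution Points extension (OID 2.5.29.31): the URLs that must be reachable.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = '(none in certificate)'
    if ($cdp) { $cdpText = $cdp.Format($false) }

    New-Object PSObject -Property @{
        Host = $HostName; Subject = $cert.Subject; Verdict = $verdict
        ChainStatus = ($status -join ', '); CrlDistributionPoints = $cdpText
    }
}

Get-RevocationVerdict -HostName 'www.example.com'   # placeholder host
```

A verdict of Unknown means this machine could not retrieve revocation data from the listed distribution points, which is worth resolving before turning on the reverse-scenario check for a published server.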


In this article, we took a quick look at three key features in the TMG firewall – SafeSearch, URL Filtering and Certificate Revocation. While these configuration options aren’t complex, it’s important that you know about them and understand the effects of the various settings. After all, that’s why you have a TMG firewall anyway – because it’s easy to create a secure configuration for web access control.
