Configuring SafeSearch Enforcement in Forefront Threat Management Gateway (TMG)
SafeSearch enforcement is an enhancement to the URL filtering capabilities in Forefront TMG 2010. Introduced in Update 1 for Forefront TMG 2010 SP1, SafeSearch enforcement allows TMG administrators to administratively enforce the blocking of adult text, images, and videos from search results returned by popular search engines. Although enabling SafeSearch enforcement can provide an additional layer of protection for your internal clients, the feature does have some limitations and shortcomings that should be taken into consideration prior to enabling it.
How SafeSearch Works
Once enabled, SafeSearch enforcement in Forefront TMG will append a special operator to the query string submitted by web browsing clients to popular search engines. This operator instructs the search engine to perform strict filtering of the query results returned to the client. Because this instruction is added by the TMG firewall itself, it overrides any SafeSearch setting the user has chosen in their web browser. For example, if a client submits a request to the Bing search engine using the query “xxx”, the requested URL would look like this:
However, with SafeSearch enforcement enabled, the TMG firewall appends the appropriate operator to the query string to ensure that explicit content is not included in the search results:
Enabling SafeSearch Enforcement
SafeSearch enforcement is an extension to the native URL filtering feature in Forefront TMG 2010. Make sure that you have enabled URL filtering prior to configuring SafeSearch enforcement.
To enable SafeSearch enforcement, open the Forefront TMG 2010 management console and select the Web Access Policy node in the navigation tree. In the Tasks pane click Configure SafeSearch.
On the General tab select the option to Enable SafeSearch.
Optionally you can exclude individual users or groups from SafeSearch by selecting the Users tab and adding users or groups. Remember that excluding users and/or groups will require that the client be authenticated, which of course will block all web access for SecureNAT clients.
Once complete, the SafeSearch configuration wizard adds a firewall rule that applies to all users (and excludes some users, if configured) to the Search Engines category. This rule cannot be configured by double-clicking the rule or right-clicking the rule and choosing Properties like most rules can. To edit this rule, use the Configure SafeSearch link in the Tasks pane as outlined earlier.
As you can see the SafeSearch enforcement rule applies only to requests initiated from the Internal network. You will also note that there is no way to change this default behavior in the GUI. If you would like to enable SafeSearch enforcement for networks other than the Internal network, you’ll have to execute the script below. In this example I am enabling SafeSearch enforcement for a network named DMZ. You can replace this network name with a name that is applicable in your scenario.
' Add a second source network to the wizard-created SafeSearch rule.
' The variable formerly named Array is renamed to avoid shadowing the
' built-in VBScript Array() function.
Dim FPC, TmgArray, Rule
Set FPC = CreateObject("FPC.Root")
Set TmgArray = FPC.GetContainingArray
' The rule created by the SafeSearch wizard is named "SafeSearch"
Set Rule = TmgArray.ArrayPolicy.PolicyRules.Item("SafeSearch")
' Second argument 0 = fpcInclude (add the network as an included source)
Rule.SourceSelectionIPs.Networks.Add "DMZ", 0
' Changes to FPC objects are not persisted until Save is called
Rule.Save
Enabling Additional Search Engines
By default, Forefront TMG will only apply SafeSearch enforcement to the most popular Internet search engines – Bing, Google, and Yahoo. If you wish to leverage SafeSearch enforcement for another search engine, you can do so by making changes to the SafeSearchConfiguration.xml file that is located in the default Forefront TMG installation folder C:\Program Files\Microsoft Forefront Threat Management Gateway. Be sure to make a copy of the original file before making any changes. Keep in mind that many secondary search engines are in fact leveraging one of the major search engines to produce their results. For example, Altavista uses Yahoo so no changes would be required. To add support for another search engine it will be necessary to do some research to determine what SafeSearch query string operators are required for SafeSearch enforcement. Sadly there is surprisingly little information and apparent support for gateway-enforced SafeSearch with many of the secondary search engines. If it is your desire to always apply SafeSearch enforcement, you may have to resort to some reverse-engineering by observing HTTP requests with a protocol analyzer or browser plug-in like HTTPwatch while submitting queries using different settings configured on the client. If that proves to be unsuccessful, another option involves creating a rule that will deny access to other search engines and redirect them to one of the more popular ones that does provide this support.
SafeSearch Limitations and Workarounds
SafeSearch is a simple and effective way to prevent users on your network from accessing explicit adult content via popular search engines. However, SafeSearch enforcement has some limitations that must be taken into consideration before implementing the feature. For example, the access rule is configured to allow unauthenticated access to many search engines including Bing, Google, and Yahoo. This level of access is quite broad and enables anonymous users to reach quite a bit of content, which might not be desirable in some environments. It is possible to change the rule to apply to all authenticated users, or perhaps a specific domain security group, but the change must be made using a script and it is unsupported. More information about enforcing authentication for SafeSearch is covered in a separate article. Another workaround involves creating a deny rule for the Search Engines category that applies to all users but exempts All Authenticated Users, and then placing that rule just ahead of the SafeSearch access rule created by the wizard, as shown here:
In addition, SafeSearch enforcement applies only strict filtering, which in some organizations might be too restrictive; unfortunately there is no option to enable moderate search filtering. Also, unless HTTPS inspection has been enabled, any search queries made over SSL are not visible to the firewall and therefore will not be subject to SafeSearch enforcement.
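To make concrete both the query-string rewriting described under How SafeSearch Works and the HTTPS caveat above, here is an added Python model of the enforcement logic. It is not TMG's own code; the host names and the operators adlt=strict, safe=active and vm=r are assumptions drawn from the search engines' public documentation rather than from this page, and should be verified against each engine before relying on them.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed SafeSearch operators per engine (constructed for this example;
# verify against each engine's current documentation before relying on them).
SAFESEARCH_OPERATORS = {
    "www.bing.com": ("adlt", "strict"),
    "www.google.com": ("safe", "active"),
    "search.yahoo.com": ("vm", "r"),
}


def enforce_safesearch(url: str, https_inspection: bool = False) -> str:
    """Return the URL a gateway would forward upstream.

    Models the behaviour described on the page: the strict operator is
    appended for known engines, any client-supplied value for the same
    parameter is overridden, and an HTTPS request is left untouched unless
    HTTPS inspection is enabled (the gateway cannot see inside TLS).
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and not https_inspection:
        return url  # encrypted query string is opaque to the gateway
    engine = SAFESEARCH_OPERATORS.get((parts.hostname or "").lower())
    if engine is None:
        return url  # not a covered search engine; pass through unchanged
    name, value = engine
    # Drop any client-set value for the operator so the gateway's value wins.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != name]
    params.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(params)))


def is_enforced(url: str) -> bool:
    """Audit helper: does a forwarded URL carry the strict operator?"""
    parts = urlsplit(url)
    engine = SAFESEARCH_OPERATORS.get((parts.hostname or "").lower())
    if engine is None:
        return True  # nothing to enforce for a non-covered host
    return dict(parse_qsl(parts.query)).get(engine[0]) == engine[1]


if __name__ == "__main__":
    # Constructed sample requests
    for sample in ("http://www.bing.com/search?q=xxx",
                   "http://www.bing.com/search?q=xxx&adlt=off",
                   "https://www.google.com/search?q=xxx"):
        print(sample, "->", enforce_safesearch(sample))
```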
Enabling SafeSearch enforcement in Forefront TMG 2010 can provide a “quick win” for security administrators looking to better enforce their acceptable use policy and prevent users from inadvertently stumbling upon explicit content. Although the SafeSearch enforcement feature does have some drawbacks, it can provide an additional layer of protection for your internal clients. However, given its limitations it is important not to rely on this feature completely; it should be just one part of a comprehensive defense-in-depth plan.