Configuring Web Proxy Chaining with Forefront Threat Management Gateway (TMG) 2010 (Part 1)

If you would like to read the next part in this article series please go to Configuring Web Proxy Chaining with Forefront Threat Management Gateway (TMG) 2010 (Part 2).

Introduction

Web proxy chaining can be an effective way to distribute web proxy traffic in your organization for the purposes of reducing bandwidth consumption on slower WAN links, reducing resource utilization on main office proxy servers, or delegating administrative control to remote site administrators. Web proxy chaining is a configuration where one proxy server (referred to as the downstream proxy server) is configured to forward requests to another proxy server (referred to as the upstream proxy server) instead of retrieving content directly from the Internet. The downstream proxy server may or may not have a direct connection to the Internet. In this first installment of a two-part series, we’ll look at a typical deployment scenario and I’ll demonstrate how to configure web proxy chaining in Forefront Threat Management Gateway (TMG) 2010.

Web Proxy Chaining Defined

Before we continue, it is important to make clear that web proxy chaining applies only to traffic handled by the web proxy filter, meaning traffic generated specifically by web proxy clients. Web proxy chaining has no effect on TMG Firewall Client or SecureNAT traffic. To take advantage of the web proxy chaining capabilities provided by TMG, it will be necessary to configure your clients to explicitly use the proxy server, either by manually entering the proxy server settings, using one of the automatic configuration options (DNS or DHCP), using group policy, or by deploying the TMG Firewall Client with the proxy server settings configured appropriately.

Configuration

A common deployment scenario for web proxy chaining is when a proxy server (or array) is located at the main office, and another proxy server (or array) is located in a remote branch office (see diagram below). Users at the main office are configured to use the main proxy server to access the Internet. Users at the branch office are configured to use their local proxy server, which is configured to forward requests to the upstream proxy server located at the main office.


Figure 1

Web proxy chaining is enabled by creating web chaining rules. These rules determine how the firewall routes web proxy requests once the firewall has allowed them. To configure web proxy chaining in this basic scenario, open the TMG management console on the downstream proxy server and highlight the Networking node in the console tree.


Figure 2

In the main window, select the Web Chaining tab, then in the Tasks pane select Create New Web Chaining Rule.


Figure 3

The New Web Chaining Rule Wizard opens. Give the new web chaining rule a descriptive name.


Figure 4

Select the appropriate Web Chaining Rule Destination. We have nearly unlimited options here, but for demonstration purposes we’ll choose to forward all requests bound for the Internet by selecting the External network.


Figure 5

Select the option to redirect requests to a specified upstream server.


Figure 6

Specify the IP address, hostname, or FQDN of the upstream proxy server. Unless you have altered the web proxy listener ports on the upstream proxy server, there will be no need to change the default ports listed here. Leave the Apply malware inspection to Web content received from or sent to an upstream proxy option checked ONLY if the upstream proxy server is NOT performing malware inspection, because malware inspection is NOT SUPPORTED on both the downstream and upstream proxy servers at the same time. The choice of where to scan for viruses and malware is yours. If you choose to scan on the upstream proxy servers, you can stop malicious software from entering your network closer to the edge. However, if the upstream proxy servers are aggregating a large number of requests from downstream proxy servers, scanning there can significantly increase the load and may result in excessive CPU and disk utilization, which may also introduce latency. In this case, scanning on the downstream proxy servers will help distribute this load, reducing resource consumption on the upstream proxy servers.


Figure 7

Select an appropriate backup action for your environment. If the downstream proxy server has a direct connection to the Internet, you can select the option to retrieve requests directly from the specified destination. If there is another proxy server (or array) in a different location which can be used as an upstream proxy server, select the option to route requests to an upstream server (you will be prompted for additional information). If the downstream proxy server has no alternative routes (or none are allowed to be used by your corporate security policy), then select the default option to ignore requests.


Figure 8

The new web chaining rule now appears in the list. Web chaining rules are processed in order, so our new rule is placed before the last default rule. Although we created a new web chaining rule here, it is possible to modify the default rule to provide the same results.


Figure 9

Note:
It is important to remember that access rules must be in place on both the downstream and upstream proxy servers in order to facilitate web access.

Connection Limits

In many cases, enabling web proxy chaining will cause the downstream proxy server to exceed the connection limits enforced by flood mitigation settings on the upstream proxy server. The upstream proxy server sees connection requests coming from a single host (the downstream proxy server) instead of from each individual client. If the downstream proxy server is aggregating requests for a large number of clients, it will be necessary to modify the default connection limits on the upstream proxy server. This should be done by adding the downstream proxy servers to the IP exception list, rather than by raising the default limits for all hosts. You will find the flood mitigation settings in the TMG management console by highlighting Intrusion Prevention System in the console tree, clicking Configure Flood Mitigation Settings in the main window, and then selecting the IP Exceptions tab and creating a computer set that includes your downstream proxy servers.


Figure 10
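To see which sources an upstream proxy would flag once a downstream proxy is chained in front of many clients, the following script counts requests per source IP per minute in web proxy log lines and reports any source that exceeds a per-IP limit. This is an added example, not code from the article or from TMG; the log lines, the simplified field layout and the limit value are constructed for illustration, and the hypothetical function names are the author's own.

```python
from collections import Counter

# Constructed sample log lines (not a real TMG log export). The layout uses a
# W3C-style "#Fields:" header so the column positions are read from the log
# itself; a real TMG web proxy log carries many more fields.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri
2010-06-01 09:00:03 10.1.1.25 GET http://example.com/
2010-06-01 09:00:07 10.2.0.5 GET http://example.com/a
2010-06-01 09:00:08 10.2.0.5 GET http://example.com/b
2010-06-01 09:00:12 10.2.0.5 GET http://example.com/c
2010-06-01 09:00:41 10.2.0.5 GET http://example.com/d
2010-06-01 09:00:55 10.2.0.5 GET http://example.com/e
2010-06-01 09:01:02 10.2.0.5 GET http://example.com/f
2010-06-01 09:01:09 10.1.1.30 GET http://example.com/g
"""

def parse_fields(log_text):
    """Yield (date, time, c-ip) per request, locating columns via #Fields."""
    idx = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
            idx = (names.index("date"), names.index("time"), names.index("c-ip"))
            continue
        if not line or line.startswith("#") or idx is None:
            continue  # skip comments, blanks, and data before a header
        parts = line.split()
        yield parts[idx[0]], parts[idx[1]], parts[idx[2]]

def requests_per_minute(log_text):
    """Count requests per (source IP, minute), the granularity at which a
    per-IP request-rate limit sees a downstream proxy as one busy host."""
    counts = Counter()
    for date, time, ip in parse_fields(log_text):
        counts[(ip, f"{date} {time[:5]}")] += 1  # hh:mm:ss -> hh:mm
    return counts

def exception_candidates(log_text, limit):
    """Return {ip: peak requests/minute} for sources whose peak exceeds limit.
    On an upstream proxy these are usually downstream proxies, which belong in
    the flood mitigation IP exception computer set, not in a raised global limit."""
    peaks = {}
    for (ip, _minute), n in requests_per_minute(log_text).items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: n for ip, n in peaks.items() if n > limit}

if __name__ == "__main__":
    # A limit of 4 is constructed for this tiny sample; use your configured
    # per-IP flood mitigation value against a real log export.
    for ip, peak in exception_candidates(SAMPLE_LOG, limit=4).items():
        print(f"{ip}: peak {peak} requests/minute, add to IP exception set")
```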

Conclusion

Depending on your specific requirements, web proxy chaining configuration can be relatively simple (as discussed here) or quite complex. The example outlined above assumes that all traffic will be routed to the upstream proxy and that no authentication is required. In many cases, the downstream proxy will have a direct connection to the Internet, and only a portion of the traffic will be routed to the upstream proxy. Frequently, the upstream proxy server will require authentication, which calls for additional planning and configuration. In part two of this series we’ll explore some of those deployment scenarios in more detail.
