Controlling Internet Access: A Short Primer on TMG Access Rules (Part 2)
If you would like to read the other parts in this article series please go to:
- Controlling Internet Access: A Short Primer on TMG Access Rules (Part 1)
- Controlling Internet Access: A Short Primer on TMG Access Rules - Part 3: TMG Firewall Web Publishing Rule Basics
- Controlling Internet Access: A short Primer on TMG Access Rules - Part 4: TMG Networks and Network Rules
In the first part of this two part series on Access Rules, we went over the purposes and the processes for creating an Access Rule and how to use the Access Rule wizard to create the rule. In this, part two of the series, we will take a look at the details of Access Rules after they’re created by the wizard. We want to do this because there are a number of settings that aren’t exposed in the Access Rule wizard.
If you double click on an access rule after you create it, you will see the Properties dialog box for the rule. The first tab you’ll see is the General tab. Here you can rename the rule and provide a description of the rule. I find that the description box is a real help, as you can document the purpose of the rule, who created the rule, when the rule was created, and the reason the rule was created, such as who requested the rule creation or the particular business problem it solves.
Notice that the Evaluation order is included on this tab. However, be aware that this is the evaluation order for the list of firewall rules outside of the System Policy rules. System Policy rules are always evaluated before firewall policy rules are evaluated. You can also enable or disable the rule by using the Enable checkbox.
On the Action tab, you have a number of options:
- Allow - When you select this option, the rule becomes an allow rule and when the connection attempt matches the settings in this rule, the connection will be allowed.
- Deny - When you select this option, the rule becomes a deny rule and when the connection attempt matches the settings in this rule, the connection will be denied.
- Display denial notification to user - If the rule is an HTTP rule, and you select this option, you can enter text that will be returned to the user when the connection is denied. This information will be displayed in the browser window. Using this, you can let the user know why the connection was denied.
- Add denied request category to notification - This option is only available when URL filtering is enabled. If you enable URL filtering on your TMG firewall, you have the option to tell the user, when the request is denied, which category the requested site belongs to. In general, users don’t really care about this information, but if you have rules that apply to admins or power users, they might be interested in this information so that they can make requests to re-categorize the sites.
- Redirect web client to the following URL - If you don’t want to provide the user a page showing why the connection was denied, you have the option to redirect the user to a web site of your choice. This might be a web site that includes the terms of service agreement you have with your users or a similar educational site that provides users with information about appropriate use of the corporate Internet connection.
- Log requests matching this rule - This option is enabled by default and allows connections that match this rule to be logged in the TMG firewall logs. However, there are times when you might want to not log information – such as garbage traffic (NetBIOS broadcasts, LLMNR broadcasts, etc). This will reduce the overall size of your log files and make your logs cleaner and easier to read and parse.
On the Protocols page, you have options that are similar to those included in the Access Rule wizard. The “This rule applies to” drop down box provides the same options, and you can use the Add, Edit and Remove buttons to add, edit or remove protocols that will apply to this rule. You also have the Ports option that was available in the wizard. The Filtering button, when enabled, allows you to configure the HTTP Policy for the rule (if it’s an HTTP rule). This feature, more commonly known as the HTTP Security Filter, was included with previous versions of the ISA firewall. Other filters might be available – depending on the protocol you use – if the filter is applicable to outbound protocols. Most of the protocol filters we have with TMG are designed for inbound protection, but there are a few that apply to outbound protocols.
On the From tab, you can define the source locations to which the rule will apply. These are the clients that are on a TMG Protected Network. This option is similar to what you saw in the Access Rule wizard. When you click Add, it brings up the Add Network Entities dialog box and you can choose from a number of network entities or create new ones. One option that’s available on this tab, which was not exposed in the Access Rule wizard, is the Exceptions section. Here you set the sources to which you want the rule to apply, and if there is a subset of those sources that the rule should not apply to, you put that subset in the Exceptions section. This is a powerful option and something to keep in mind when designing your Access Rules.
The To tab is similar to the From tab, where you define the destination that you want the rule to match. When you click Add, it opens the Add Network Entities dialog box and you can choose the destination location from the list, or you can create a new destination location. As with the From tab, you also have the option to create Exceptions.
On the Users tab, you can define to which users the rule should apply. By default, All Users is the user set used for Access Rules. Keep in mind that All Users doesn’t really mean all users, but instead represents anonymous connections and authenticated connections – so it really means “user context is not considered”. If you want to force users to authenticate, you have to use another user set and remove the All Users user set.
If you click Add, you can select All Authenticated Users and then only users who can authenticate with the TMG firewall will be allowed access through this rule. Authentication can be done through the web proxy client configuration or the Firewall client (TMG client) configuration. If you want to create your own user set, you can click the New button.
When you click New, it brings up the Welcome to the New User Set wizard. On the first page of the wizard, enter a name for the user set. In this example, we’ll create a user set that includes the Domain Admins Active Directory group, so we’ll name this rule Administrators and click Next.
On the Users page, when you click Add, a fly out menu appears. The fly out menu includes the following authentication sources:
- Windows users and groups - These are users and groups contained in the Active Directory domain or a trusted domain to which the TMG firewall belongs.
- LDAP - These are users and groups that are contained in the Active Directory and you can use these when the TMG firewall is not a member of the domain. Keep in mind that TMG does not support LDAP authentication for Access Rules.
- RADIUS - These are users that are accessible through RADIUS. Note that RADIUS itself doesn’t support Group Membership, although you can create a user set that contains multiple accounts that are accessible through RADIUS, which results in an ad hoc group on the TMG firewall. RADIUS is supported for outbound web connections through the TMG firewall.
- SecurID - These are users defined by SecurID. SecurID is not supported for outbound connections through the TMG firewall through Access Rules.
In this example, the TMG firewall is joined to the Active Directory domain, so we’ll select Windows users and groups.
This brings up the Select Users or Groups dialog box. We enter Domain Admins in the Enter the object names to select text box and click Check Names and then click OK to add this Active Directory group to the user set.
You will now see the new user set on the Users page. You can add more users to this user set if you like. In this example, we’ll click Next and not add any more users to the user set.
On the Completing the New User Set Wizard page, click Finish to create the new user set.
Now you can see the Administrators group in the Add Users dialog box and you can use this group in your Access Rules and publishing rules.
On the Schedule tab, you can define a schedule for the rule which defines the hours during which the rule will be applied. Note that when you define a schedule, the schedule is applied only to new connections, so that if users are already connected before the schedule expires, the user’s connection will not be dropped. However, if a new connection attempt that matches the rule is outside the schedule, then the connection will be denied. The default schedule is Always, but there are also two other built-in schedules: Weekends and Work hours. If you don’t like these built in schedules, you can click the New button and create a custom schedule.
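The match conditions described for the From, To, Users and Schedule tabs can be combined into one check, shown here as an added example that is not TMG code and not from the original article. The `AccessRule` class, the addresses, and the hours-of-day schedule are hypothetical simplifications, and the sketch does not model how the firewall prompts for credentials.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class AccessRule:                       # hypothetical model, not a TMG object
    src: list                           # From tab: sources
    dst: list                           # To tab: destinations
    src_except: list = field(default_factory=list)   # From tab, Exceptions
    dst_except: list = field(default_factory=list)   # To tab, Exceptions
    users: Optional[set] = None         # None = "All Users" (user context ignored)
    hours: range = range(0, 24)         # simplified schedule: hours of the day

def _in(addr, nets):
    """True if addr falls inside any of the listed networks."""
    return any(ip_address(addr) in ip_network(n) for n in nets)

def rule_matches(rule, src, dst, groups, when):
    """Check one NEW connection attempt. groups is None when anonymous."""
    if not _in(src, rule.src) or _in(src, rule.src_except):
        return False                    # source outside From, or in its Exceptions
    if not _in(dst, rule.dst) or _in(dst, rule.dst_except):
        return False                    # destination outside To, or in its Exceptions
    if rule.users is not None and not (groups and rule.users & set(groups)):
        return False                    # a user set needs an authenticated member
    return when.hour in rule.hours      # schedule is checked only at connect time

# Constructed sample values (documentation and private address ranges)
ADMINS = AccessRule(src=["10.0.0.0/24"], src_except=["10.0.0.128/25"],
                    dst=["0.0.0.0/0"], dst_except=["203.0.113.0/24"],
                    users={"Domain Admins"}, hours=range(9, 17))
OPEN = AccessRule(src=["10.0.0.0/24"], dst=["0.0.0.0/0"])   # All Users, Always
NOON = datetime(2024, 1, 10, 12, 0)

if __name__ == "__main__":
    cases = [("10.0.0.10", "198.51.100.5", ["Domain Admins"]),   # matches
             ("10.0.0.200", "198.51.100.5", ["Domain Admins"]),  # source excepted
             ("10.0.0.10", "203.0.113.9", ["Domain Admins"]),    # destination excepted
             ("10.0.0.10", "198.51.100.5", None)]                # anonymous
    for src, dst, groups in cases:
        print(src, dst, groups, rule_matches(ADMINS, src, dst, groups, NOON))
    print("All Users rule, anonymous:",
          rule_matches(OPEN, "10.0.0.10", "198.51.100.5", None, NOON))
```

The last case shows why leaving All Users on a rule means no authentication is required: the anonymous connection matches the `OPEN` rule but not the `ADMINS` rule.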
The Malware Inspection tab is a new one which is available only on the TMG firewall. There are several options on this tab that weren’t exposed in the Access Rule wizard:
- Inspect content downloaded from web servers to clients - When you enable this option, all content downloaded from web servers will be inspected for malware using the Microsoft AV engine used by the TMG firewall.
- Force full content requests (remove HTTP Range header) - This forces the firewall to request the full content so that it can be evaluated as a whole. If only ranges were evaluated, potential threats might be missed.
- Use rule specific settings for malware inspection - You can customize the anti-malware settings for the rule when you select this option. If you select this option, you need to click the Rule Settings button to complete your custom configuration.
On the Edit Rule Malware Inspection Settings page, you have a number of options. The figure shows the default settings:
- Attempt to clean the infected files - When this option is enabled, the TMG firewall will try to clean the file before forwarding it to the user. If the file can’t be cleaned, it will be deleted.
- Block files with low and medium severity threats (higher level threats are blocked automatically) - The TMG firewall will not, by default, block medium and low threat files, using the Microsoft AM engine classification system.
- Block suspicious files - The TMG firewall uses heuristics to determine whether a file is potential malware. When this option is selected, the file will be blocked if the heuristics determine the file might be malware.
- Block corrupted files - When this option is enabled, files that are determined to be corrupt will be blocked.
- Block files that cannot be scanned - When this option is enabled, if the Microsoft AV engine can’t scan the file, the file will be blocked.
- Block encrypted files - If the file is encrypted, the Microsoft AV engine won’t be able to evaluate the file and therefore, when this option is enabled, will block the file.
- Block files if scanning time exceeds (seconds) - When this option is enabled, it limits the time the Microsoft AV engine can use to evaluate the file before deciding to forward or block it. The default value is 5 minutes.
- Block files if archive level depth exceeds - When this option is enabled, the AV engine blocks files that exceed the archive depth set here. The default value is 20 levels.
- Block files larger than (MB) - When this option is enabled, it will block files larger than the value listed in the text box, with the default value being 1000 MB (1 GB). This option can be used to improve performance on the TMG firewall, but you have to be careful not to block files that users need since users often work with large files.
- Block archive files if unpacked content is larger than (MB) - This option sets the max size of an unpacked file. This value is used to preserve memory on the TMG firewall.
In this article, we went over the details of Access Rules. While most of the options you want to configure are exposed in the Access Rule Wizard, there are some important options that are only accessible after you have created the rule, by going into the Properties dialog box for the rule. I hope that this two part series was helpful for those of you who are new to the TMG firewall and that you can use this information to create custom outbound access policies for your organization. If you have any questions, always feel free to write to me at [email protected] and I’ll answer your questions via email, over the blog, or in the next newsletter – or maybe I’ll even write an article based on your question!