Creating a Web Access Policy using the Forefront Threat Management Gateway (TMG) Beta 1 (Part 1)

If you would like to read the other parts in this article series please go to:

The Microsoft Forefront Threat Management Gateway is the next version of the ISA Firewall. While the ISA brand is going away, the software that we’ve come to know and love will continue under the new name of the Forefront TMG. Along with a new name come some new features and capabilities. Although the current version of the TMG firewall is likely far from feature complete, there are some changes that I think you’ll like.

One of those new features shows up as a new node in the left pane of the TMG firewall console. This new node, named Web Access Policy provides a location where you can configure the TMG firewall to allow outbound HTTP, HTTPS and Web proxy forwarded FTP connections to the Internet. This change also seems to represent an increased focus on HTTP for the product. While previous versions of the ISA Firewall did have a sophisticated Web proxy filter and HTTP Security Filter, the TMG firewall takes things to the next level by adding malware inspection for outbound HTTP requests.

Overview of the Tasks tab on the Web Access Policy Node

One of the first things you’ll notice when you open the TMG firewall console is the cleaner look of the left pane of the console. Now we just have one level under the name of the server and the new node sticks out to any dyed in the wool ISA firewall admin. In the figure below you can see the new Web Access Policy node.


Figure 1

When you go to the Web Access Policy node and click the Tasks tab in the Task Pane, you’ll see that the TMG team has made things easier on us by creating a “one-stop shop” for Web Access and Web proxy filter configuration. The two main tasks are the Configure Web Access Policy and Configure Malware Inspection, both of which are new with the Forefront TMG firewall. You can also see in the collection of Related Tasks that they’ve brought together all of the Web proxy filter and HTTP configuration tasks for the serve into a single list.


Figure 2

Let’s take a look at these tasks before we get into the details of how to create a Web Access Policy. First, we’ll click on the Configure Malware Inspection link on the Tasks tab in the Task Pane. This brings up the Malware Inspection dialog box and the General tab. Here you have the option to enable or disable malware inspection for the entire system. Note that this enables malware inspection for the system, not for any specific rule. You must first enable it here before you can enable is for any specific rule, or as we’ll see later, any collection of Web Access rules.


Figure 3

Click on the Exceptions tab. Here you can put together a list of sites that you never want to have content checked for malware. The Sites Exempt from Malware Inspection group is automatically included.


Figure 4

If you click on the Site Exempt from Malware Inspection entry on the list above and click the Edit button, you can see the sites that are included in the Sites Exempt from Malware Inspection domain name set. These sites include *.microsoft.com, *.windows.com and *.windowsupdate.com. You can add more sites here if you like.

There’s an interesting security issue here. You can protect yourself by limiting what sites you can access, and you can protect yourself by inspecting content from malware. And you can do both. The philosophy behind inspecting connections for malware is that even if the site is trusted, there is still the chance that it may have been compromised by malware. In this case, does it make sense to exempt sites from content inspection? I don’t have a definitive answer on this issue, but it’s something that you should decide for yourself when you consider whether or not you want to exempt sites from malware inspection.


Figure 5

On the Inspection Settings page, you have many options regarding how the system will evaluate malware. The options include:

  • Attempt to clean infected files. The TMG will try to clean the file. If a file cannot be cleaned, it is not saved and is removed from storage. A page will be presented to the user that the file could not be cleaned and has been deleted.
  • Block files with low and medium severity threats (higher level threats are blocked automatically). This increases the sensitivity of the scanner. However, how the TMG firewall determines what is a low, medium or high threat isn’t documented in the Help file.
  • Block suspicious files. This will block files that the TMG firewall considers suspicious. However, the method on how it determines whether a file is suspicious or not is not specified in Help at this time.
  • Block corrupted files. This will block files that the TMG determines are corrupted. However, the Help file at this time does not specify how the TMG firewall determines a file to be corrupted.
  • Block files that cannot be scanned. This will block files that the TMG cannot scan. However, how the TMG determines a file to be unscannable isn’t specified in the Help file.
  • Block encrypted files. This will have the TMG block files that are encrypted.
  • Block files if scanning time exceeds (seconds). This option allows you to se a time limit on how long the TMG can take to scan a file before it decides to give up and delete the file. The default value is 300 seconds (5 minutes).
  • Block files if archive depth level exceeds. This sets a limit on how many times a file can be archived within an archive before the TMG decides to delete it. An example would be a zip file that’s zipped again. Often malware will try to hide itself by archiving itself many times. The default value is 20
  • Block files larger than (MB). This sets a file size limited on what can be downloaded through the Forefront TMG firewall’s Web proxy filter. The default value is 1000 MB.
  • Block archive files if unpacked content if larger than (MB). This sets a size limit on unpacked files. The default value is 4095 MB.

As you can see, you have a lot of options here. Personally, I think some of the limits are a bit high, and can potentially stress memory and disk performance, but if you have a robust box (quad processor, 8 GB+ memory, fast hard disks), these values might not be so unreasonable.


Figure 6

Malware scanning can be a bit disconcerting to your end users. One way to make this experience less painful for them, and to reduce your Help desk calls, you can choose to “trickle” files to the users while they’re being scanned. The users will see a progress bar as the file is downloaded, as I’ll show you later.

Note that you need to put a checkmark in the Send progress notifications to clients as files are downloaded and inspected (applies to the second content types only) if you want the users to get the progress bar.

Now, this is a bit confusing. What I think is going on here is that if you select this option, you won’t get trickling of partial content. Instead, you get a progress bar on the Web page I’ll show you later, and only for the content types you select by clicking the Select Content Types button. If you don’t select this option, the users see a download dialog box that might go slower than if the content wasn’t being inspected.

However, I don’t want you to quote me on this, as I haven’t tested each of the scenarios so it’s still not clear what the end user experience is for “tricked” and “non-trickled” files. I’ll keep you updated, probably in a blog post, when we get this issue figured out and well defined.


Figure 7

Here are the list of MIME types that determine whether or not the content will be trickled or not, depending on the decision you made in the previous dialog box. As you can see, most MIME types are selected by progress notification and not for trickling.


Figure 8

The figure below shows you what the user sees when downloading a file when we enable progress notification. In this example I showed a progress download Open Office (not that I use Open Office, but I needed a file large enough to give me time to take the screenshot).


Figure 9

When the file download is complete, the Web browser will inform user that there is no malware detected in the file and that the user can click the Download button in the browser to download the clean file.


Figure 10

Let’s move to the last tab in the Malware Inspection dialog box. This is the Storage tab. Here you can configure the location where the downloaded files are stored for malware inspection.


Figure 11

I took a look at the Windows\Temp file to see if the was anything interesting in it. Turns out that the Forefront TMG firewall stores a lot of files in that folder, as the figure below shows. I don’t know what all the files in this folder do, but it appears that there are a number of log files. I believe that the .etl files are trace logs, though I can’t say for sure.


Figure 12

The security settings on this folder are interesting. As you can see, the SQLServer2005ReportingServiceWebServiceUsers$ISAS account has permissions on this folder. There is another folder under this one named Emp and the fwsrv account has Full control.


Figure 13

Summary

In this first part of a three part series on Web Access Policy in the Forefront Threat Management Gateway (TMG), we covered some of the anti-malware configuration options and the Tasks tab entries on the Web Access Policy node in the TMG firewall console. In the next part of this series, we will take a close look at the other options in the Tasks tab of the Web Access Policy Task Pane.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top