TMG Back to Basics – Part 4: Network Objects

If you would like to read the other parts in this article series please go to:

Introduction

Continuing our TMG “Back to Basics” series, this time we’re going to take a close look at Network Objects. This is one TMG concept that doesn’t get much attention. Although Network Objects aren’t particularly exciting, they are critical to configuring all firewall rules on the TMG firewall. If you don’t have a Network Object to support the source or destination in a firewall rule, then you won’t be able to create the rule that you intend to create.

Network Objects allow you to configure source and destination settings for all firewall rules, including publishing rules, on the TMG firewall. Network Objects are reusable software pieces settings that allow you to define source and destination in a variety of ways. Those of you who have been working with Microsoft firewall products for a while may remember that Network Objects were first introduced with ISA Server 2004. The TMG firewall builds on the Network Objects used in previous versions of the ISA firewall and significantly improves on them.

Working with Network Objects

To find the Network Objects, click the Firewall Policy node in the left pane of the TMG firewall console, and then click the Toolbox tab in the Task Pane. Click the Network Objects section header. Here you will see a list of the types of Network Objects available to you, as shown in Figure 1. Each folder actually contains a number of Network Objects you can use to construct TMG firewall rules.


Figure 1

Click the Networks folder. Here you’ll see a list of TMG Firewall Networks that are configured on this machine, as shown in Figure 2. Remember that a TMG Firewall Network is required for each NIC on your TMG computer. In addition, there are some default TMG Firewall Networks, such as the VPN Clients network, which is dynamically constructed to include the IP addresses used by remote access VPN client computers.

For more information on TMG Firewall Networks, check out my article here.


Figure 2

Now click on the Network Sets folder. This exposes the Network Sets that are currently configured on this computer, as shown in Figure 3. A Network Set is a collection of Networks that you can use when setting a source or destination on an Access Rule or Publishing Rule. The default Network Sets include:

  • All Networks (and Local Host). This Network Set includes all IPv4 addresses. While this Network Set can be useful for some troubleshooting scenarios, it’s a fairly dangerous Network Set to use because if you create a rule that uses this Network Set as a destination, it includes the Local Host Network, which is the TMG firewall itself and this could potentially open the firewall up to unintended compromise.
  • All Protected Networks. This Network Set includes all TMG Firewall Networks except for the default External Network. Essentially, this Network Set is defined by all TMG Firewall Network that are behind the TMG firewall.
  • Forefront Protection Manager. This is not used, as Forefront Protection Manager was cancelled.


Figure 3

If you double click on All Protected Networks you will see the Properties dialog box for that Network Set. Click the Networks tab, shown in Figure 4. Note that all Networks that do not have a checkmark in the checkbox are included in the Network Set. This can be a little confusing at first glance since the logical assumption would be that checked items are included.


Figure 4

Click the Computers folder. Here you see the Computer objects configured on the TMG firewall, as shown in Figure 5. There are no default Computer objects. All computer objects are custom objects and you need to create them yourself.


Figure 5

If you double click on one of the Computer objects, you’ll see that it consists of a name and an IPv4 address, as shown in Figure 6.


Figure 6

Click on the Computer Sets folder. Here you see the Computer Sets that are currently configured on the TMG firewall. There are a number of default Computer Sets, and the default Computer Sets will vary based on which edition of the TMG firewall you’re using. In other words, the Standard Edition of the TMG firewall will have different default Computer Sets than the Enterprise Edition of the TMG firewall. In Figure 7 below, you’ll notice that there are a number of Forefront Protection Manager Computer Sets. These are not used because the Forefront Protection Manager project was cancelled.

Some important Computer Sets that you should know about include:

  • Anywhere. This means, literally, anywhere – which is the same as all IPv4 IP addresses.
  • Array Servers. This is automatically configured for you to include the IP addresses of all servers that are part of the same array.
  • Enterprise Remote Management. This Computer Set includes the IP addresses of machines that are allowed to remotely manage the array. This is not automatically populated except in the situation where you use an EMS. In all other cases, you will need to enter the addresses yourself.
  • Managed Server Computers. This is a predefined list of computers that are allowed to connect to the EMS server.

You can double click on the other Computer Sets to see their intended purposes.


Figure 7

When you double click on one of the Computer Sets, you can see the details of the set, as shown in Figure 8. A Computer Set can contain multiple entries, and each entry can be an IPv4 address, a range of IPv4 addresses or even a subnet.


Figure 8

Click the Address Ranges folder. In the TMG firewall, there is a single default Address Range, which is Anywhere (IPv6), as shown in Figure 9. Since TMG has very limited support for IPv6, this Address Range is mostly often used to support DirectAccess on UAG DirectAccess servers.


Figure 9

When you double click on the Address Range, you can see that it includes the name of the Address Range, the Start Address and the End Address, as shown in Figure 10.


Figure 10

Click the URL Sets folder next. There is a single default URL Set, shown in Figure 11, which is not used as it was intended to be used to support Forefront Protection Manager scenarios because – yep, you remembered – FPM was cancelled. All URL Sets now are custom URL Sets that you need to create yourself. URL Sets are used in rules that use the HTTP or HTTPS protocols and are applied only to Web proxy clients. If you want to set a source or destination in a firewall rule that will not have Web proxy clients, then you should use Domain Name Sets instead of URL Sets. In the past, URL Sets were useful for URL Filtering – but with the new TMG Firewall URL Filtering feature, URL Sets are typically used for highly customized access control settings on firewall rules.


Figure 11

Now click the URL Categories folder. Here, as shown in Figure 12, you see a large number of URL Categories that are used by the URL Filtering feature included with the TMG firewall. These URL Categories are dynamically updated by the Microsoft Reputation Services servers on the Internet and are not populated on the TMG firewall – so you will not see the URLs in a particular set when you look at the Properties dialog box of specific URL Category.


Figure 12

Click the URL Category Sets folder. Here you see a list of the default URL Category Sets, shown in Figure 13. Each Category Set is a collection of other URL Categories. URL Category Sets are intended to simplify the task of URL filtering for you, so that you don’t have to pick and choose multiple URL Categories yourself to get your desired result for web filtering.


Figure 13

Double click on one of the URL Categories and click the URL Categories tab in the Properties dialog box. Here, as shown in Figure 14, you will see a list of all the URL Categories. The URL Categories that belong to the set will have a checkmark in the checkbox next to the category.


Figure 14

Click the Domain Name Sets folder. Here you see a list of Domain Name Sets configured on this computer, as shown in Figure 15. Domain Name Sets include domain names, which can also include a wildcard on the high-order label in a domain name. Domain Name Sets are used by all TMG client types: SecureNAT, web proxy and Firewall client (TMG client). There are also a number of built-in domain name sets, which vary depending on whether you’re using the Standard or Enterprise Edition of the TMG firewall. Some of the Domain Name Sets are pre-populated for you, such as the Sites Example from HTTPS Inspection.


Figure 15

You can see the details of a Domain Name Set when you double click on it, as shown in Figure 16. You can add more domain names to the list by clicking the Add button.


Figure 16

Click on the Web Listeners folder, as you can see in Figure 17. Note that there are no default Web Listeners – all Web Listeners are custom and you need to create the ones you need.


Figure 17

Creating New Network Objects

So far you’ve seen the Network Objects and the default objects that are included with the TMG firewall. But you can also create your own custom Network Objects, and in some cases, you will have to create custom objects since there are no default objects for a particular group.

To create a new Network Object, click on the New menu. From there you see a list of Network Object types as shown in Figure 18.


Figure 18

If you choose the Computer Network Object, the New Computer Rule Element dialog box appears, as shown in Figure 19. Here you enter a name for the computer, the IPv4 address of the computer, and an optional description.


Figure 19

If you choose the Address Range option, you’ll see the New Address Range Rule Element dialog box that’s shown in Figure 20. Here you enter a Name for the Address Range, then the Start Address and the End Address. There is also an optional description.


Figure 20

If you select the Subnet option, you’ll see the New Subnet Rule Element dialog box that’s shown in Figure 21. Here you enter a name for the subnet, the Network Address, which includes the network ID and the mask, and an optional description.


Figure 21

If you click Computer Set, you will see the New Computer Set Rule Element dialog box that’s shown in Figure 22. Here you click the Add button and then enter an IPv4 address, an IPv4 address range, or an IPv4 subnet with network ID and subnet mask.


Figure 22

If you select URL Set, you’ll see the New URL Set Rule Element dialog box that’s shown in Figure 23. Here you enter a name for the URL, and then click the Add button to add URLs to the set. Note that you can use wildcards when defining a URL in the set.


Figure 23

If you click Domain Name Set, you’ll see the New Domain Name Set Policy Element dialog box that’s shown in Figure 24. Here enter a name for the set and then click the Add button to add domain names. Once again, you can use wildcards for the high-level name in the domain.


Figure 24

Summary

In this article, we walked through a high level overview of Network Objects and how they are defined in the TMG firewall console. Some of the Network Objects have default values that are included right out of the box, while others require that you configure existing objects or create your own. We finished up by showing how you create a subset of Network Objects. In the second part of this article, we’ll go over how you create some of the more complex Network Objects and how to run the wizards to create these more complex network objects.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top