TMG Firewall Web Filtering (Part 2)

If you would like to read the first part in this article series please go to TMG Firewall Web Filtering (Part 1).

Introduction

In the first part of this series on TMG firewall web filtering, we discussed how the firewall’s web filtering feature works, what it can do, and how you can use it to help secure your network. In this article, we’ll go into the details on how to configure the TMG firewall’s web filtering feature.

The TMG firewall’s web filtering feature is configured on a rule-by-rule basis. First, we’ll talk about how you can configure this feature manually. Note that you can also configure web filtering by using the Getting Started Wizard, but in this case we want to get a deeper understanding of the configuration options so we’ll look at how you do it outside of the wizard.

In the figure below, you can see the Tasks tab in the Task Pane, with the three options available for configuring the TMG firewall’s web filtering features.


Figure 1

In our scenario, we will be updating the Web access policy that’s created by the Web Access Wizard (the Getting Started Wizard will create a default policy if you enable web filtering in the wizard). In this example, we’ll add the following categories to the policy:

  • Dating / Personals
  • Media Sharing
  • Web phone

In addition, we want our users to know which URL category was assigned for any of their requests that are denied. This will allow the users to let us know if a site has been blocked erroneously and which category was assigned to the site that they believe should not have been blocked.

The following steps can be used to configure URL filtering:

  1. In the left pane of the TMG firewall console, select Web Access Policy.
  2. In the Tasks tab on the Task Pane, click Configure URL Filtering.
  3. On the General tab of the URL Filtering Settings dialog box, select Enable URL Filtering as shown in the figure below.


Figure 2

  1. In the URL Filtering Settings dialog box, click the URL Category Override tab. This list is empty by default.
  2. Click OK to close the URL Filtering Settings dialog box.
  3. On the Tasks tab in the Task Pane in the TMG firewall console, click the Toolbox tab.
  4. On the Toolbox tab, click New and then click URL Category Set as shown in the figure below.

F18xx005-jmharr
Figure 3

  1. On the Welcome to the New URL Category Set Wizard page, type Contoso Blocked Categories and click Next.
  2. On the URL Category Selection page, perform the following steps:
    a. Select the Includes All Selected URL Categories option.
    b. In the URL Category list, select Dating / Personals, Media Sharing, and Web Phone as seen in the figure below. Click Next.

F18xx08
Figure 4

  1. On the Completing The New URL Category Set Wizard summary page, verify the configuration and click the Finish button.

Configuring URL Filtering on a Per-Rule Basis

At this point, we can now update the default rule that was built by the Web Access Wizard so that it will apply filtering to the categories we just configured. Perform the following steps to update the default rule to enforce our customized policy:

  1. In the TMG firewall console, double-click the Blocked Web Destinations deny rule.
  2. In the Blocked Web Destinations Properties dialog box, click the To tab. Then click Add.
  3. In the Add Network Entities dialog box, expand URL Category Sets, select Contoso Blocked Categories, click Add, and then click Close.
  4. In the Blocked Web Destinations Properties dialog box, confirm that the This rule applies to traffic sent to these destinations list appears as shown in the figure below.

F18xx09
Figure 5

  1. Click the Action tab.
  2. In the Denied URL Request Action section:
    a. Select the Display Denial Notification To User option.
    b. Enter Access to this site is blocked by Contoso Security in the Add Custom Text Or HTML To Notification text field.
    c. Select Add Denied Request Category To Notification.


The rule’s Action tab should appear as shown in the figure below.

F18xx008-jmharr
Figure 6

  1. Click OK to close the Blocked Web Destinations Properties dialog box.
  2. In the center pane of the TMG firewall console, click Apply to activate the changes in the firewall policy.

TMG Firewall URL Filtering in Action

From any client computer that is protected by the TMG firewall, open Internet Explorer and enter explicit.bing.net and then press ENTER. Notice that the request denial page includes the messaging you specified in step 6 of Rule-based URL Filtering Configuration.

Overriding URL Categories

There will likely be times when a site is legitimately categorized, but someone in the organization needs to get to the site anyhow. This often happens when a user is doing some kind of research or the site has some special value to someone in your organization. Often this is a CxO (upper management) level employee, so you’ll need to make an exception for these users so that you can continue to block the category, but allow the specific individual(s) access to the particular site he/she needs to get to. To do this, you will need to know how to configure exceptions to the URL categories.

The following steps show you how to create such exceptions:

  1. In the Task Pane of the TMG firewall console, click the Tasks tab.
  2. In the Tasks pane, click URL Category Overrides.
  3. In the URL Filtering Settings dialog box, click Add.
  4. In the URL Categories Override dialog box, in the Override The Default URL Category For This URL Pattern text box, type blogs.windowsecurity.com  as seen in the figure below.
  5. In the Move URL Pattern To This URL Category drop-down list, select Technical Information, and then click OK.


Figure 7

  1. In the URL Filtering Settings dialog box, click OK.
  2. In the center pane of the TMG firewall console, click Apply.

Using the Update Center in the TMG Firewall Console

The TMG firewall stores the definitions of known viruses, worms, and other malware. The TMG firewall has a centralized mechanism called the Update Center that allows the administrator to configure the update frequency as well as the automatic update action to keep these important definitions up to date.

The TMG firewall has a number of features that use the information that is gathered by the update feature:

  • Network Inspection System (NIS)
  • Malware Inspection
  • Exchange (Anti Spam)
  • Forefront Security for Exchange (FSE)
  • URL Filtering Updates

The TMG firewall uses the Windows Automatic Update agent to obtain updates from Microsoft Update to get updated definitions. The update agent uses the computer’s default update server selection. If the computer uses updates from WSUS, the agent will also get updates from WSUS. If WSUS is not used, then the agent will use the Windows Update site. Information about update activities is stored in the %systemroot%\windowsupdate.log file. Note that the frequency settings in the TMG firewall’s Update Center do not override the general Windows Update settings. Windows will download updates and the TMG firewall downloads signatures.

The following takes place when TMG firewall updating is enabled:

  1. The TMG scheduler reads the schedule from the local policy store.
  2. The scheduler invokes Updateagent.exe.
  3. Updateagent.exe calls the Windows Update API.
  4. The Windows Update service connects to the Microsoft Update site and downloads the update. The service can be configured to check and retrieve signatures in one of the following ways:

  • Use WSUS server The TMG firewall requests updates from a local WSUS server.
  • Use Microsoft Update Live Servers The TMG firewall requests updates from Microsoft Update servers over the Internet.
  • Use WSUS servers and if not working use Microsoft Update live servers The TMG firewall will request updates from a local WSUS server and if the update does not exist, it will request it from the live Microsoft Updates servers.

  1. The updates are installed on the TMG firewall.

Walk Through the Update Center

Let’s walk through the Update Center in the TMG firewall console:

  1. On the Tasks Tab in the Task Pane of the TMG firewall console, click Update Center.
  2. Click Configure Settings as shown in the figure below.


Figure 8

  1. The Update Center Properties dialog box appears, as seen in the figure below.

F18xx16
Figure 9

  1. Select Malware Inspection and click Configure Selected.
  2. The Definition Update Configuration settings appear, as shown in the figure below.

F18xx17
Figure 10

  1. Notice that the default automatic update action is Check For And Install Updates. The other two options available are Only Check For Updates and No Automatic Action.
  2. The Automatic polling frequency is set to 15 minutes by default. This can be increased up to 4 hours.
  3. An alert can be triggered if no new updates are installed within a pre-defined number of days. The default value is set to 5 days.
  4. Click OK to return to the Definition Updates tab under Update Center Properties settings.
  5. Select Network Inspection Service (NIS) and click Configure Selected. The Definition Update Configuration settings for NIS appears.
  6. Click OK to return to the Definition Updates tab under Update Center Properties Settings.
  7. Click the Microsoft Update tab as seen in the figure below.

F18xx18
Figure 11

  1. The TMG firewall uses Microsoft Update to populate malware updates to TMG. To enable the TMG firewall to receive updates, confirm that the option Use The Microsoft Update Service To Check For Updates is selected.
  2. Click Microsoft Update Service to configure the policy configuration for protection mechanism definition updates as seen in the figure below.

F18xx19
Figure 12

  1. The default option is Use Machine Default Service But Fall back To Microsoft Update. This option is useful if the computer’s default service is set to use Windows Server Update Services (WSUS). However, if the WSUS is unavailable, the TMG firewall can use Microsoft Update directly. Click OK.

If you need to determine when updates were installed, the Definition Updates pane shows the status of the last update and the time when the last check for new updates was performed. In addition, the version number for the definitions and their license status as shown in the figure below.


Figure 13

You can force the firewall to check for updates manually by clicking Check For Definitions in the Task pane. If new updates are detected and installed, an alert will appear on the Alerts tab, as seen in the figure below.


Figure 14


Figure 15

If the TMG firewall is unable to install or activate the definitions, an alert will appear informing you that definition updates failed.

Summary

In this, part 2 of the two part article series on the TMG firewall’s web filtering feature, we went over how to configure the web filtering feature using the TMG firewall console. There are both global and per-rule settings that you need to consider when using this feature. You can also use the Update Center to support the web filtering feature, which will enable you to configure an update frequency and whether or not to use WSUS. Finally, you can check the Alerts tab in the Monitoring node in the TMG firewall console to see if the updates to the web filtering database have been downloaded and enabled.

If you would like to read the first part in this article series please go to TMG Firewall Web Filtering (Part 1).

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top