Introduction
It’s been more than six months since Microsoft released Forefront Threat Management Gateway (TMG) 2010, and recently Service Pack 1 for TMG was made available. In addition to the usual bug fixes, this update also includes new features and functionality, including improvements to URL filtering, enhanced reporting, and integration with Windows BranchCache. In this article we’ll take a closer look at some of these new features.
URL Filtering Improvements
A number of improvements have been made to URL filtering in TMG SP1. Among them are:
User override for blocked categories – With TMG RTM, a category can either be allowed or denied, with no option for the user to continue to the web site they are denied access. The new override feature will now allow administrators to effectively warn users about visiting certain sites, and optionally allowing them to continue if they choose. An example of this would be blocking the Online Communities category to restrict access to sites like Facebook and Twitter, and then presenting the users with a ‘soft’ block page that includes language indicating that, although they may continue to this site, access is being monitored and logged.
To configure blocked category override, create an access rule denying access to a particular category as you normally would. Before applying the configuration, right-click the access rule and choose Properties.
Figure 1
Choose the Action tab, and then select the option to Allow user override and optionally specify how long you wish the override to be effective for.
Figure 2
When a user attempts to access a site that is denied by an access rule configured to allow user override, the block page they receive will include the option to Override Access Restriction.
Figure 3
If a user elects to override the block and continue to the web site, TMG will simply bypass the rule and continue processing the request accordingly. This is important because it means the user must have access through another rule in the policy in order to access the site. If not, the request will be denied.
Enterprise category override – This new feature allows for category overrides to be configured at the enterprise level. Previously if you had multiple arrays, category overrides had to be configured on each array individually.
To configure enterprise-level category overrides, select the Enterprise node in the console tree.
Figure 4
In the Tasks pane, click the Configure URL Category Overrides link.
Figure 5
Category overrides defined here will be applicable to all arrays in the Enterprise.
Figure 6
Request information available for block page redirects – For organizations that elect not to use the native TMG block pages, but instead choose to redirect denied requests to another web server (to perhaps take advantage of scripting capabilities not available with the TMG block page), additional information is now available in the query string that will allow administrators to present detailed information in their custom block pages. The redirect query string can now include information about the original request, including the requested URL, the category name, the category ID, and the user override option.
To configure a redirect to a web server when a request is denied by URL filtering, double-click the access rule, choose the Action tab, and then click the Advanced… button.
Figure 7
Select the option to Redirect web client to the following URL:. Specify the destination URL in the following format:
http://<server_name>/default.aspx?OrigUrl=[DESTINATIONURL]&Category=[URLCATEGORYNAME]&CategoryId=[URLCATEGORYID]&ArrayGUID=[OVERRIDEGUID]
Figure 8
The fields included in the query string are mapped as follows:
[DESTINATIONURL] = URL of the denied request.
[URLCATEGORYNAME] = Name of the category the denied request belonged to.
[URLCATEGORYID] = ID number of the category the denied request belonged to.
[OVERRIDEGUID] = Array GUID used for blocked category override.
Branch Cache Integration
TMG SP1 now includes support for integrated hosted-mode Windows BranchCache. When TMG is installed on Windows Server 2008 R2 Enterprise edition, BranchCache can now be configured and managed directly through the TMG management console. To configure BranchCache with TMG SP1, select the Firewall Policy node in the console tree.
Figure 9
In the Tasks pane, click the Configure BranchCache link.
Figure 10
Select the option to Enable BranchCache (Hosted Cache Mode).
Figure 11
Select the Authentication tab, then choose the Select… button to select the certificate that TMG will present to client computers for authentication.
Figure 12
Optionally you can select the Storage tab and specify an alternate location to store the cache and define the percentage of the partition that can be used for cache.
Figure 13
Reporting Enhancements
Some subtle changes have been made to reporting in TMG SP1. The look-and-feel of reports has changed slightly and they now look more modern. A new user activity report is available to provide detailed reporting for individual user access, and the reports also include additional detail about user category overrides and BranchCache performance. To generate a user activity report, highlight the Logs & Reports node in the console tree.
Figure 14
In the Tasks pane, click the Create User Activity Report Job link.
Figure 15
The New User Activity Report Job Wizard launches. Enter a descriptive name for the report.
Figure 16
Select an appropriate Report Period for this report.
Figure 17
Enter the name(s) and/or IP address(es) of the user or users you wish to report on. Multiple users or IP addresses can be included, separated by semicolons. When users are a member of a domain, use the DOMAIN\USERNAME format as shown here.
Figure 18
Once complete right-click on the report and choose Generate and View Report.
Figure 19
Figure 20
Monitoring Improvements
BranchCache performance information is now displayed conveniently on the dashboard in the TMG management console.
Figure 21
New BranchCache alert definitions are also included.
Figure 22
Summary
TMG Service Pack 1 not only includes updates for bug fixes, it also includes significant new features as well as enhancements to existing ones. For URL filtering, the override option will allow administrators to indicate to users that visiting specific sites may be allowed, but not encouraged. The enterprise-level category override will ease administrative burdens for EMS-managed deployments with multiple arrays, and the addition of user activity reporting is especially welcome. BranchCache integration will simplify and streamline branch office deployments by eliminating the need for a dedicated BranchCache server. In addition, SharePoint 2010 is now fully supported with TMG SP1.
