How to create an E-Mail Protection Policy in Forefront TMG 2010

April 14, 2010

1. On the TMG computer (or using the remote management console), open the Forefront TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane.

3. Click E-Mail Policy and, in the task pane, click Configure E-Mail Policy.

4. When you access this option, the E-Mail Protection Wizard launches. Click Next to continue.

5. The next step allows you to define two things: the internal mail server that TMG will forward e-mail to, and the domain for which TMG will accept messages. In this scenario the internal mail server is the Exchange 2007 Hub Transport server (example: 10.10.10.10/24), and TMG will accept messages only when the destination is an accepted domain (example: wolverine.com.au). If you have multiple domains and multiple Hub Transport servers in your organization, you can add multiple entries on this page of the wizard.

6. To add the Exchange 2007 Hub Transport server's IP address, click Add, then enter the Exchange 2007 Hub Transport server(s) computer name and IP address.

7. Click OK. The Internal Mail Server Configuration page now lists the Exchange server(s) name and IP address.

8. Click Add to add the accepted domain (example: wolverine.com.au).

9. Click OK. The Internal Mail Server Configuration page now shows the accepted domains. Click Next to continue.

10. On the next page of the wizard, you define which network interface TMG uses to communicate with the Exchange server that you specified in step 6 (example: 10.10.10.10). For this example select the Internal interface, where TMG has connectivity to the Exchange Hub Transport server.

11. Click Next. The External Mail Routing Configuration page appears.

12. Enter the fully qualified domain name (FQDN) that will appear in the response to a HELO or EHLO SMTP command. This name should match the name returned by a reverse DNS lookup of TMG's external IP address. Select the TMG interface that will be used to communicate with the Internet. For this example the FQDN is mail.wolverine.com.au and the interface is External.

13. Click Next and the Mail Protection Configuration page appears. Select both options (Enable Spam Filtering and Enable Virus And Content Filtering).

14. Click Next. A summary page with all of your selections appears.

15. Click Finish. A dialog box appears asking whether you want to enable the system policy for SMTP Protection. Click Yes.

16. The E-Mail Policy tab changes according to the settings that you selected in the wizard.

17. Click Apply to save the changes and then click OK.

18. Apply the changes and close the TMG console.
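The following is an added example, not code from this post or from Forefront TMG: a small Python model of the two decisions the wizard configures, using the procedure's example values. route_recipient() models step 5, where only mail addressed to an accepted domain is relayed to the internal Hub Transport server and everything else is refused, and check_helo_identity() models the step 12 requirement that the HELO/EHLO name agrees with the forward and reverse DNS records of the external IP address. The function names, the server name HT01, the external address 203.0.113.25 and the DNS answers are all constructed for the example.

```python
"""Added example (not TMG's own code): a model of the two decisions the
E-Mail Protection wizard configures, using the example values from the
procedure.  All names, addresses and DNS answers are constructed."""
import ipaddress

# Constructed policy mirroring the wizard's example values.
ACCEPTED_DOMAINS = {"wolverine.com.au"}
INTERNAL_MAIL_SERVERS = {"wolverine.com.au": ("HT01", "10.10.10.10")}


def route_recipient(rcpt_to, accepted_domains=ACCEPTED_DOMAINS,
                    internal_servers=INTERNAL_MAIL_SERVERS):
    """Decide what the SMTP edge does with one RCPT TO address.

    Returns (smtp_code, text, next_hop_ip).  Recipients outside the
    accepted domains get a 550, so the edge cannot be used as a relay.
    """
    local_part, sep, domain = rcpt_to.rpartition("@")
    if not sep or not local_part or not domain:
        return 501, "Syntax error in recipient address", None
    domain = domain.lower().rstrip(".")
    if domain not in accepted_domains:
        return 550, "Relay access denied for %s" % domain, None
    server_name, server_ip = internal_servers[domain]
    return 250, "OK, relaying to %s" % server_name, server_ip


def check_helo_identity(helo_fqdn, external_ip, forward_lookup, reverse_lookup):
    """Return the list of mismatches between the HELO name, the external
    IP and DNS; an empty list means the sending identity is consistent.

    forward_lookup(name) -> set of IP strings (A records)
    reverse_lookup(ip)   -> set of names (PTR records)
    """
    problems = []
    ip = str(ipaddress.ip_address(external_ip))
    fqdn = helo_fqdn.lower().rstrip(".")
    if "." not in fqdn:
        problems.append("HELO name %r is not fully qualified" % helo_fqdn)
    if ip not in forward_lookup(fqdn):
        problems.append("A record for %s does not include %s" % (fqdn, ip))
    ptr_names = {n.lower().rstrip(".") for n in reverse_lookup(ip)}
    if fqdn not in ptr_names:
        problems.append("PTR for %s is %s, expected %s"
                        % (ip, sorted(ptr_names) or "missing", fqdn))
    return problems


# Constructed DNS answers; in production use socket.gethostbyname_ex and
# socket.gethostbyaddr (or a DNS library) in place of these tables.
_FORWARD = {"mail.wolverine.com.au": {"203.0.113.25"}}
_REVERSE = {"203.0.113.25": {"mail.wolverine.com.au."}}


def fake_forward(name):
    return _FORWARD.get(name, set())


def fake_reverse(ip):
    return _REVERSE.get(ip, set())


if __name__ == "__main__":
    print(route_recipient("alice@wolverine.com.au"))
    print(route_recipient("bob@example.net"))
    print(check_helo_identity("mail.wolverine.com.au", "203.0.113.25",
                              fake_forward, fake_reverse))
    print(check_helo_identity("tmg01", "203.0.113.25",
                              fake_forward, fake_reverse))
```

Running the check with the real resolver before completing step 12 is worthwhile: receiving mail servers commonly reject or score down a sender whose HELO name, A record and PTR record disagree, so the wizard's FQDN is not just cosmetic.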

Relevant Articles:

Understanding E-Mail Protection on Forefront TMG

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II


How to configure HTTPS Inspection in Forefront TMG 2010

April 14, 2010

Log on to the Forefront TMG server as an administrator. From the Start menu, open All Programs and click Forefront TMG Management Console. Expand the Forefront TMG server node, click Web Access Policy and, in the Tasks pane on the right-hand side, scroll down to Web Protection Tasks. Under Web Protection Tasks you will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering and Configure URL Category. Now follow these steps to define these policies.

1. Click Configure HTTPS Inspection.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection.

3. Click the Generate button. The Generate Certificate dialog box appears.

4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall.

5. Leave the Issuer Statement field blank and click Generate Certificate Now. The generated certificate is displayed. Click OK to close the certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. The Certificate Deployment Options dialog box appears.

7. Click Automatic Deployment. An authentication dialog box appears.

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain's Enterprise Trusted Root certificate store. Click OK. A command window appears briefly and, if the procedure succeeds, a confirmation dialog box is displayed.

9. Click OK to close this dialog box.

10. Click OK to close the Certificate Deployment options dialog box.

11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list.

12. Click Add to open the Add Network Entities dialog box.

13. In the Add Network Entities dialog box, click New and then click Domain Name Set. The New Domain Name Set Policy Element dialog box appears.

14. In the Name field, type Excluded Sites. Click Add. When New Domain appears under Domain names included in this list, change it to http://www.wolverine.com.au. Click Add again and change New Domain to http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now list both domains.

15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box reappears.

16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.

17. In the Block Expired Certificate After (Days) text box, type 7.

18. In the HTTPS Outbound Inspection dialog box, click the Client Notification tab.

19. Select Notify Users That Their HTTPS Traffic Is Being Inspected.

20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty, and for the purpose of this example we will leave it empty.

21. Click OK to close the HTTPS Outbound Inspection dialog box.

22. Click Apply in the centre pane of the TMG management console, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane display will change accordingly.

23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating that the CA certificate was imported successfully.
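The following is an added example, not code from this post or from Forefront TMG: a Python model of how the settings chosen in steps 11 to 20 interact for a single outbound HTTPS connection. Source exceptions and destination exceptions take a connection out of inspection entirely (TMG never sees the server certificate, so the certificate validation rules cannot apply to it), and only inspected connections are subject to the 7-day grace period set in step 17. The class and method names are this example's own; the client addresses and dates are constructed, and the assumption that a domain name set entry beginning with "*." matches every host under that suffix is labelled in the code.

```python
"""Added example (not TMG's own code): a model of the HTTPS inspection
decision configured in the procedure above.  Hosts, client addresses
and certificate dates are constructed."""
from datetime import datetime, timedelta
import ipaddress


class HttpsInspectionPolicy:
    def __init__(self, enabled, destination_exceptions, source_exceptions,
                 block_expired_after_days, notify_users):
        self.enabled = enabled
        self.destination_exceptions = [d.lower() for d in destination_exceptions]
        self.source_exceptions = [ipaddress.ip_network(s) for s in source_exceptions]
        self.block_expired_after = timedelta(days=block_expired_after_days)
        self.notify_users = notify_users

    def destination_excluded(self, host):
        """Domain name set match.  Assumption for this example: an entry
        such as '*.example.net' matches any host ending in '.example.net';
        any other entry must match the host exactly."""
        host = host.lower().rstrip(".")
        for entry in self.destination_exceptions:
            if entry.startswith("*."):
                if host.endswith(entry[1:]):
                    return True
            elif host == entry:
                return True
        return False

    def source_excluded(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.source_exceptions)

    def decide(self, client_ip, host, cert_not_after, now):
        """Return (action, reason) for one CONNECT to host from client_ip.

        action is "tunnel" (passed through uninspected), "inspect" (TLS
        terminated and re-signed by the inspection CA) or "block".
        """
        if not self.enabled:
            return "tunnel", "inspection disabled"
        if self.source_excluded(client_ip):
            return "tunnel", "source exception"
        if self.destination_excluded(host):
            return "tunnel", "destination exception"
        # Certificate validation applies only once TMG sees the server cert.
        if cert_not_after < now:
            expired_for = now - cert_not_after
            if expired_for > self.block_expired_after:
                return "block", "certificate expired %d days ago" % expired_for.days
            return "inspect", "certificate expired but within grace period"
        return "inspect", "certificate valid"


# Policy matching the values chosen in the procedure (the scheme prefix
# shown in step 14 is dropped; domain name set entries are host names).
POLICY = HttpsInspectionPolicy(
    enabled=True,
    destination_exceptions=["www.wolverine.com.au", "www.wordpress.com"],
    source_exceptions=[],
    block_expired_after_days=7,
    notify_users=True,
)


def decide_for_example(policy, client_ip, host, days_until_expiry,
                       now=datetime(2010, 4, 14)):
    """Convenience wrapper: a negative days_until_expiry means the server
    certificate has already expired by that many days."""
    return policy.decide(client_ip, host,
                         now + timedelta(days=days_until_expiry), now)


if __name__ == "__main__":
    print(decide_for_example(POLICY, "10.0.0.5", "www.wordpress.com", 30))
    print(decide_for_example(POLICY, "10.0.0.5", "bank.example", -3))
    print(decide_for_example(POLICY, "10.0.0.5", "bank.example", -30))
```

The grace period in step 17 is a usability trade-off: for seven days after a server certificate expires, inspected users still reach the site, but because TMG re-signs the connection with the Edge Firewall CA, the browser no longer shows the expiry warning it would have shown without inspection. Destination exceptions have the opposite effect: the excluded sites' original certificates reach the client unchanged, and TMG's certificate validation does not apply to them.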

Configuring the HTTP Filter

1. On the TMG Server computer (or using remote management console), open the TMG Management Console.

2. Click TMG (Array Name) in the left pane.

3. Click Web Access Policy, right-click your main Internet access policy, and choose Configure HTTP.

4. When you choose Configure HTTP, the Configure HTTP Policy For Rule dialog box appears. In this dialog box you have four options to configure: HTTP Methods, Extensions, Headers and Signatures. Follow the steps below for each. You can configure all of them at once or come back later and repeat these steps.

General

On the General tab you can set the maximum header length, allow any payload length, block high-bit characters and block Windows executable content. Accept the defaults and move on to the next steps, or modify them to suit your configuration.

HTTP Methods

1. Open the drop-down list in the option Specify The Action Taken For HTTP Methods and select Block Specified Methods (Allow All Others).

2. The Add button becomes available. Click Add and type PUT.

3. Click OK. The Methods tab now lists the blocked method.

4. Type the appropriate notes in the Configuration Change Description window and click Apply to commit this change.

Extensions

1. Open the drop-down list in the option Specify The Action Taken For File Extensions and select Block Specified Extensions (Allow All Others).

2. The Add button becomes available. Click Add and type MP3.

3. Click OK. The Extensions tab now lists the blocked extension.

4. Click OK and then, in the main TMG console, click Apply to commit this change.

Headers

1. Click Firewall Policy, right-click the http://www.wolverine.com.au Web Publishing rule and choose Configure HTTP.

2. Click the Headers tab.

3. In the Server Header drop-down list, choose Modify Header In Response.

4. Type the value that should replace the real server name in the Server header.

5. Click OK and then click Apply in the main TMG console to commit the changes.

Blocking Signature

1. Click Web Access Policy, right-click your main Internet access policy, and choose Configure HTTP.

2. When you click Configure HTTP, the Configure HTTP Policy For Rule dialog box appears. Click the Signatures tab.

3. Click Add and do the following in the Signature window:

· Type Block MSN Messenger in the Name field.

· Select Request Headers from the Search In drop-down list.

· In the Description field, type Block MSN Messenger signature.

· In the Signature field, type MSN Messenger.

4. Click OK. The Signatures tab now lists the new signature.

5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.

6. Repeat these steps if you want to block more signatures.

Important! A signature that searches the Request URL may block entire web sites whose URLs contain that string.
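The following is an added example, not code from this post or from Forefront TMG: a Python model of the four HTTP filter settings configured above (the blocked PUT method, the blocked MP3 extension, the rewritten Server header and the MSN Messenger signature searched in the request headers), evaluated against constructed requests and responses. It also shows the point of the warning just above: the same signature text searched in the Request URL matches any page whose URL happens to contain it. The class and method names are this example's own, the substitute Server header value and all hosts and URLs are constructed, and signature matching is modelled as a plain substring search.

```python
"""Added example (not TMG's own code): a model of the HTTP filter
settings configured in the procedure above.  Requests, responses and the
substitute Server header value are constructed."""
from urllib.parse import urlsplit


class HttpFilterPolicy:
    def __init__(self, blocked_methods=(), blocked_extensions=(),
                 server_header=None, signatures=()):
        self.blocked_methods = {m.upper() for m in blocked_methods}
        # Extensions compare case-insensitively, with or without the dot.
        self.blocked_extensions = {e.lower().lstrip(".") for e in blocked_extensions}
        self.server_header = server_header  # None leaves the header unchanged
        # Each signature is (name, search_in, text); search_in is one of
        # "request_url", "request_headers" or "request_body".
        self.signatures = list(signatures)

    def check_request(self, method, url, headers, body=b""):
        """Return (allowed, reason) for one outbound request."""
        if method.upper() in self.blocked_methods:
            return False, "method %s blocked" % method.upper()
        filename = urlsplit(url).path.rsplit("/", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in self.blocked_extensions:
            return False, "extension .%s blocked" % ext
        header_text = "\r\n".join("%s: %s" % kv for kv in headers.items())
        haystacks = {"request_url": url,
                     "request_headers": header_text,
                     "request_body": body.decode("latin-1")}
        for name, search_in, text in self.signatures:
            if text in haystacks.get(search_in, ""):
                return False, "signature %r matched in %s" % (name, search_in)
        return True, "allowed"

    def filter_response_headers(self, headers):
        """Apply the Server header setting to a response from the
        published server, hiding the real product banner."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "server" and self.server_header is not None:
                value = self.server_header
            out[name] = value
        return out


# Policy matching the values chosen in the procedure (constructed).
POLICY = HttpFilterPolicy(
    blocked_methods=["PUT"],
    blocked_extensions=["MP3"],
    server_header="Web Server",  # constructed substitute for the Server header
    signatures=[("Block MSN Messenger", "request_headers", "MSN Messenger")],
)

# Same signature text, but searched in the request URL instead, to show
# why the warning above applies.
URL_SIGNATURE_POLICY = HttpFilterPolicy(
    signatures=[("Block Messenger URLs", "request_url", "messenger")],
)

if __name__ == "__main__":
    print(POLICY.check_request("PUT", "http://www.example.com/upload", {}))
    print(POLICY.check_request("GET", "http://www.example.com/music/song.MP3", {}))
    print(POLICY.check_request("GET", "http://chat.example.net/",
                               {"User-Agent": "MSN Messenger 8.5"}))
    print(POLICY.filter_response_headers({"Server": "Microsoft-IIS/7.0",
                                          "Content-Type": "text/html"}))
    print(URL_SIGNATURE_POLICY.check_request(
        "GET", "http://www.example.com/docs/messenger-faq.html", {}))
```

The last call is the case the warning describes: a documentation page on an unrelated site is blocked because its URL contains the signature text. Searching the request headers, as the procedure does, keys the block on the client that sends the traffic rather than on the address it visits.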

Relevant Articles:

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II
