How to configure HTTS Inspection in Forefront TMG 2010


Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management console>Expand Forefront Server>Click on Web Access Policy>in the right hand side Click on Task Pan >Scroll Down to Web Protection Tasks. In Web Protection Tasks, You will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering, Configure URL Category. Now follow these steps to define/create these policies.

1. Click Configure HTTPS Inspection.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection

3. Click the Generate button and the Generate Certificate dialog box will appear

4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall

5. Leave the Issuer Statement field blank and click Generate Certificate Now. You will see a certificate. Click OK to close the Certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. You will see the Certificate Deployment Options dialog box,

7. Click Automatic Deployment. You will see an authentication dialog box

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain Enterprise Trusted Root certificate store. Click OK. A command window will appear briefly and if the procedure succeeds, the dialog box

9. Click OK to close this dialog box.

10. Click OK to close the Certificate Deployment options dialog box.

11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list

12. Click Add to open the Add Network Entities dialog box

13. In the Add Network Entities dialog box, click New and then click Domain Name Set. You will see the New Domain Name Set Policy Element dialog box

14. In the Name field, type Excluded Sites. Click Add. When New Domain appears in the Domain names included in this list, change it to display http://www.wolverine.com.au. Click Add again and change New Domain to display http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now appear

15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box will appear

16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.

17. In the Block Expired Certificate After (Days) text box, type 7

18. In the HTTPS Outbound Inspection dialog box, click the Client notification tab.

19. Select Notify Users That Their HTTPS Traffic Is Being Inspected

20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty. For the purpose of this example we will leave this option empty.

21. Click OK to close the HTTPS Outbound Inspection dialog box.

22. Click Apply in the TMG management centre pane, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane feature display will change

23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating successful CA certificate import,

Configuring the HTTP Filter

1. On the TMG Server computer (or using remote management console), open the TMG Management Console.

2. Click TMG (Array Name) in the left pane.

3. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

4. When you choose Configure HTTP, the Configure HTTP Policy For Rule dialog box will appear. In this dialog box you have four options to choose- HTTP methods, Extensions, Headers and Signature. Follow the steps to do accomplish these methods. You can do all these at once or do later by repeating these steps.

General

In general option, you can mention Header length, Allow any payload, Block high bit characters and block windows executable content. Accept default and go next steps or modify as your desired config.

HTTP Methods

1. Open the drop-down list in the option Specify The Action Taken For HTTP Methods and select Block Specified Methods (Allow All Others).

2. The Add button will became available. Click Add and type PUT

3. Click OK and your Methods tab will appear

4. Type the appropriate notes in the Configuration Change Description window and click Apply to commit this change.

Extensions

1. Open the drop-down list in the option Specify The Action Taken For File Extensions and select Block Specified Methods (Allow All Others)

2. The Add button will become available. Click Add and type MP3

3. Click OK. The Methods tab will appear.

4. Click OK and then, in the main TMG console, click Apply to commit this change.

Headers

1. Click Firewall Policy, right-click the http://www.wolverine.com.au Web Publishing rule and choose Configure HTTP.

2. Click the Headers tab and the window will appear

3. In the Server Header drop-down list, choose Modify Header In Response

4. Type the name with which you want to substitute the Server’s name

5. Click OK and then click Apply in the main TMG console to commit the changes.

Blocking Signature

1. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

2. When you click Configure HTTP the Configure HTTP Policy For Rule dialog box will appear. Click the Signatures tab and the window will appear

3. Click Add and the do the following in the Signature window:

· Type Block MSN Messenger in the Name field.

· Select Request Headers from the Search In drop-down list.

· Type Description as Block MSN Messenger signature

· In Signature Type, type MSN Messenger

4. Click OK and your Signature tab will appear

5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.

6. Repeat step 1 to 6 if you want block more signature

Important! blocking signature using Request URL my block entire web sites containing that specific signature.

Relevant Articles:

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Beer mugAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s