Configure Forefront TMG as a Proxy Cache

A Proxy Server provides a number of useful functions in a company’s network infrastructure. Proxy Servers will go out and retrieve Web pages and content and return the Web pages to the internal network users. The fact that the proxy is retrieving the Web pages and not the actual clients adds an extra layer of protection to the clients because their internal IP addresses are hidden from the Internet. The proxy mechanism makes surfing external Web sites safer for internal clients.

If employees are constantly requesting pages from the same Web sites, the proxy server can store those requests locally on the server. When additional requests are made for content that has already been retrieved and stored locally, the proxy server will send the requesting client the copies of the pages from its stored cache. Utilizing this function, a proxy server will not have to go back out again and fetch the requested Web pages.

Forefront TMG 2010 can be configured to act as a proxy server in your environment to accelerate the performance of Internet access. The following flow chart shows how TMG performs proxy caching.

Figure: Flow chart

Forefront TMG 2010 performs the following steps:

1. Forefront TMG 2010 checks whether the object is valid. If the object is valid, Forefront TMG 2010 retrieves the object from the cache and returns it to the user.
2. If the object is invalid, Forefront TMG 2010 checks the Web Chaining rules.
3. If a Web Chaining rule matches the request, Forefront TMG 2010 performs the action specified by the Web Chaining rule; for example, routing the request directly to a specified Web server, to an upstream proxy, or to an alternate specified server.
4. If the Web Chaining rule is configured to route the request to a Web server, Forefront TMG 2010 determines whether the Web server is accessible.
5. If the Web server is not accessible, Forefront TMG 2010 determines whether the cache was configured to return expired objects. If the cache was configured to allow Forefront TMG 2010 to return an expired object as long as a specific maximum expiration time hasn't passed, the object is returned from the cache to the end user.
6. If the Web server is available, Forefront TMG 2010 determines whether the object may be cached, depending on whether the cache rule is set to cache the response. If it is, Forefront TMG 2010 caches the object and returns the object to the end user.
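To make the six-step flow concrete, here is an added Python simulation of the decision logic (constructed for this page, not TMG's own code). It assumes a cache rule with a 300 second window for returning expired objects and a constructed origin server that can be switched off; Web Chaining is reduced to a direct route to the Web server.

```python
from dataclasses import dataclass

# Constructed simulation of the six-step cache flow above; not TMG code. Web Chaining is reduced to a direct route.
@dataclass
class CachedObject:
    body: bytes
    expires_at: float  # the object is "valid" only before this time

@dataclass
class CacheRule:
    cache_response: bool = True         # step 6: is the cache rule set to cache the response?
    return_expired_max_secs: float = 0  # step 5: how long past expiry a stale copy may still be served (0 = never)

class ProxyCache:
    def __init__(self, rule, origin, now):
        self.rule = rule
        self.origin = origin  # origin(url) -> (body, ttl_seconds), or None when the Web server is unreachable
        self.now = now        # now() -> current time in seconds (injected so the demo can use a fake clock)
        self.store = {}

    def fetch(self, url):
        obj = self.store.get(url)
        t = self.now()
        if obj is not None and t < obj.expires_at:       # step 1: valid object in cache
            return obj.body, "cache-hit"
        fetched = self.origin(url)                        # steps 2-4: route the request to the Web server
        if fetched is None:                               # step 5: Web server not accessible
            limit = self.rule.return_expired_max_secs
            if obj is not None and limit and t < obj.expires_at + limit:
                return obj.body, "stale-hit"              # expired copy, still inside the allowed window
            return None, "unavailable"
        body, ttl = fetched                               # step 6: Web server available
        if self.rule.cache_response:
            self.store[url] = CachedObject(body, t + ttl)
        return body, "origin"

def demo():
    clock = {"t": 0.0}
    server_up = {"up": True}
    def origin(url):
        return (b"<html>update</html>", 60.0) if server_up["up"] else None
    proxy = ProxyCache(CacheRule(True, 300), origin, lambda: clock["t"])
    url = "http://example.invalid/update.cab"   # constructed URL
    out = [proxy.fetch(url)[1]]                  # "origin": first request goes to the Web server
    out.append(proxy.fetch(url)[1])              # "cache-hit": still inside the 60 s TTL
    clock["t"], server_up["up"] = 100.0, False   # object expired at t=60 and the server is now down
    out.append(proxy.fetch(url)[1])              # "stale-hit": 40 s past expiry, within the 300 s limit
    clock["t"] = 500.0
    out.append(proxy.fetch(url)[1])              # "unavailable": beyond the 300 s limit
    return out
```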

Figure: Simple Visio diagram of proxy cache

Cache Storage: Forefront TMG 2010 stores objects on the local hard disk and, for faster access, keeps the most frequently requested objects in both disk and RAM. Cached pages can be placed in memory (RAM) immediately so that end users requesting the Web content are served from there, while a lazy-writer (buffered-writer) approach writes the pages to disk. By default, 10 percent of physical memory is allocated for RAM caching. The cache file is stored as follows:

  1. Location: Drive:\urlcache\Dir1.cdat
  2. Must be on an NTFS non-system partition (local disk)
  3. Maximum cache size 64GB

Types of Cache:

Forward Caching: caches all Internet traffic from external to internal, that is, all Internet pages requested by internal users.

Reverse Caching: caches all objects sent from internal to external. This works with publishing to help offload the published server.

Configuring Forefront TMG 2010 Web Proxy & Proxy Cache

1. Open the Forefront TMG Management Console. Click Forefront TMG (Array Name) in the left pane.

2. In the left pane click on Web Access Policy.

3. In the right pane under the Tasks tab, scroll down and click on Web Proxy. Check Enable Web Proxy client connections for this network. Check Enable HTTP and type port 80, or type port 8080 if you want to use the Web proxy port 8080.

4. Click on Authentication, select Integrated. Click OK.

5. Click on Advanced, select Unlimited. Click OK.

6. Now click on Apply and OK.

7. Click on Configure Web Caching. You'll see the Cache Settings dialog box. Click the Cache Drives tab to access the Forefront TMG 2010 cache storage configuration.

8. Select the array member to enable the Configure button.

9. Click Configure to define the cache size and location.

10. To define the cache location and size, select the non-system partition where you want to store the cache file and enter the desired size of the cache file in the Maximum Cache Size (64000MB) text box. Click Set and then click OK to close the Cache Settings window.

11. Click Apply to apply the changes.

Add a new Cache Rule

1. Go back to Cache Settings as described above.

2. Click on the Cache Rules tab, then click the New button; you will be presented with the Cache Rule wizard.

3. Type a name for the cache rule, for example: Microsoft Update Cache Rule. Click Next.

4. You will see the cache rule destination page. Click Add > Click New > Click URL Sets.

5. Type a name for the URL set (for example Microsoft Update). Click Add and type the URL. Repeat this for each of the remaining URLs.

6. Click OK. Now you will see the Microsoft Update URL set. Select the Microsoft Update URL set, click Add, and click Close to close URL Sets.

7. Click Next. Select "If a valid version of the object exists in the cache; if no valid version exists, route the request to the server". Click Next.

8. In the Cache Content window select "If source and request headers indicate to cache". You may also select dynamic content. Click Next.

9. In the Cache Advanced Configuration window, check Do not cache objects larger than 1GB (or your preference, but remember you have a 64GB cache size). Check Cache SSL responses. Click Next.

10. In the HTTP Caching window, keep the default settings. Click Next.

11. In the FTP Caching window, keep the defaults or modify them. Click Next.

12. Click Finish. Apply the changes.

Relevant Articles:

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010


How to configure HTTPS Inspection in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Start menu > All Programs > click Forefront TMG Management Console > expand the Forefront server > click on Web Access Policy > in the right-hand Tasks pane, scroll down to Web Protection Tasks. Under Web Protection Tasks you will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering and Configure URL Category. Now follow these steps to define these policies.

1. Click Configure HTTPS Inspection.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection

3. Click the Generate button and the Generate Certificate dialog box will appear

4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall

5. Leave the Issuer Statement field blank and click Generate Certificate Now. You will see a certificate. Click OK to close the Certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. You will see the Certificate Deployment Options dialog box,

7. Click Automatic Deployment. You will see an authentication dialog box

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain Enterprise Trusted Root certificate store. Click OK. A command window will appear briefly and, if the procedure succeeds, the dialog box

9. Click OK to close this dialog box.

10. Click OK to close the Certificate Deployment options dialog box.

11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list

12. Click Add to open the Add Network Entities dialog box

13. In the Add Network Entities dialog box, click New and then click Domain Name Set. You will see the New Domain Name Set Policy Element dialog box

14. In the Name field, type Excluded Sites. Click Add. When New Domain appears in the Domain names included in this list, change it to display http://www.wolverine.com.au. Click Add again and change New Domain to display http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now appear

15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box will appear

16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.

17. In the Block Expired Certificate After (Days) text box, type 7

18. In the HTTPS Outbound Inspection dialog box, click the Client notification tab.

19. Select Notify Users That Their HTTPS Traffic Is Being Inspected

20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty. For the purpose of this example we will leave this option empty.

21. Click OK to close the HTTPS Outbound Inspection dialog box.

22. Click Apply in the TMG management centre pane, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane feature display will change

23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating successful CA certificate import.

Configuring the HTTP Filter

1. On the TMG Server computer (or using remote management console), open the TMG Management Console.

2. Click TMG (Array Name) in the left pane.

3. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

4. When you choose Configure HTTP, the Configure HTTP Policy For Rule dialog box will appear. In this dialog box you have four options to configure: HTTP Methods, Extensions, Headers and Signatures. Follow the steps below to configure each of them. You can do all of these at once, or later by repeating these steps.

General

On the General tab you can set the header length, Allow any payload, Block high bit characters and Block Windows executable content. Accept the defaults and go on to the next steps, or modify them to suit your configuration.

HTTP Methods

1. Open the drop-down list in the option Specify The Action Taken For HTTP Methods and select Block Specified Methods (Allow All Others).

2. The Add button will become available. Click Add and type PUT.

3. Click OK and your Methods tab will appear

4. Type the appropriate notes in the Configuration Change Description window and click Apply to commit this change.

Extensions

1. Open the drop-down list in the option Specify The Action Taken For File Extensions and select Block Specified Extensions (Allow All Others).

2. The Add button will become available. Click Add and type MP3.

3. Click OK. The Extensions tab will appear.

4. Click OK and then, in the main TMG console, click Apply to commit this change.

Headers

1. Click Firewall Policy, right-click the http://www.wolverine.com.au Web Publishing rule and choose Configure HTTP.

2. Click the Headers tab and the window will appear

3. In the Server Header drop-down list, choose Modify Header In Response

4. Type the name with which you want to substitute the Server’s name

5. Click OK and then click Apply in the main TMG console to commit the changes.

Blocking Signature

1. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP

2. When you click Configure HTTP the Configure HTTP Policy For Rule dialog box will appear. Click the Signatures tab and the window will appear

3. Click Add and then do the following in the Signature window:

· Type Block MSN Messenger in the Name field.

· Select Request Headers from the Search In drop-down list.

· Type Description as Block MSN Messenger signature

· In Signature Type, type MSN Messenger

4. Click OK and your Signature tab will appear

5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.

6. Repeat the steps above if you want to block more signatures.

Important! Blocking a signature using Request URL may block entire Web sites whose URLs contain that specific signature.
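The following added Python model (constructed for this page, not TMG's own code) shows the combined effect of the HTTP filter settings above: the blocked PUT method, the blocked MP3 extension, the MSN Messenger signature searched in request headers, and the Server header rewrite. The request URLs, header values and the replacement Server header name are assumed for the demo; it also shows why a signature searched in the Request URL over-blocks.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the Configure HTTP filter settings above (not TMG code).
@dataclass
class HttpFilterPolicy:
    blocked_methods: Set[str] = field(default_factory=set)      # "Block Specified Methods (Allow All Others)"
    blocked_extensions: Set[str] = field(default_factory=set)   # "Block Specified Extensions (Allow All Others)"
    signatures: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, search_in, signature)
    server_header: Optional[str] = None                         # "Modify Header In Response" value

    def check_request(self, method: str, url: str, headers: Dict[str, str]) -> str:
        if method.upper() in self.blocked_methods:
            return "blocked: method " + method.upper()
        path = url.split("?", 1)[0]                     # extension is judged on the path, not the query
        ext = os.path.splitext(path)[1].lower()          # stored with a leading dot, compared case-insensitively
        if ext in self.blocked_extensions:
            return "blocked: extension " + ext
        header_text = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
        for name, search_in, sig in self.signatures:     # signature = plain substring match in the chosen part
            haystack = url if search_in == "Request URL" else header_text
            if sig.lower() in haystack.lower():
                return "blocked: signature " + name
        return "allowed"

    def filter_response(self, headers: Dict[str, str]) -> Dict[str, str]:
        out = dict(headers)
        if self.server_header is not None and "Server" in out:
            out["Server"] = self.server_header           # hide the real server software from clients
        return out

def build_policy() -> HttpFilterPolicy:
    # The settings from the steps above: block PUT, block MP3, block an MSN Messenger signature in request headers.
    return HttpFilterPolicy({"PUT"}, {".mp3"},
                            [("Block MSN Messenger", "Request Headers", "MSN Messenger")],
                            server_header="Web Server")   # assumed replacement name

def demo() -> List[str]:
    p = build_policy()
    return [
        p.check_request("GET", "http://www.example.com/index.html", {"User-Agent": "Mozilla/5.0"}),
        p.check_request("PUT", "http://www.example.com/upload", {}),
        p.check_request("GET", "http://www.example.com/song.mp3?id=7", {}),
        p.check_request("GET", "http://www.example.com/", {"User-Agent": "MSN Messenger 7.0"}),
    ]

def url_signature_overblock() -> str:
    # The caveat above: a signature searched in the Request URL matches any page whose URL contains it.
    p = HttpFilterPolicy(signatures=[("Block messenger", "Request URL", "messenger")])
    return p.check_request("GET", "http://www.example.com/news/messenger-history.html", {})
```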

Relevant Articles:

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II


How to block bandwidth intensive websites using Microsoft ISA

Users are spending hours watching video and downloading MP3s! Here is how you can ban those bandwidth-hungry sites: add a deny policy in your ISA server and apply it. This will save a lot of your download limit and speed up your Internet during peak hours.

Name                   Action   Protocols              From/Listener   To                 Condition
Block Forbidden Sites  Deny     All Outbound Traffic   Internal        Restricted Sites   All Users

Open ISA management console>Tasks>Create New Access Policy


Click on Add > Domain Name Set > type "Restricted Sites" in Name > add the sites you want to block > click OK


Select Restricted Sites and click on Add.


Here you can add the group of users you want to ban; I added All Users.


Click Finish and Apply. Log on to any computer using a test user placed in the group mentioned above and browse to a restricted site; you will see it is blocked by the proxy.


How to block msn messenger using MS ISA

To block Messenger using Microsoft ISA Server, you need to create a deny policy in ISA Server. Here are the tips.

Name                 Action   Protocols   From/Listener   To         Condition
Block MSN Messenger  Deny     MSN         Internal        External   Staff


Remove All Users and add the group you want to block.
