How to configure HTTPS Inspection in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator. Click Start > All Programs > Forefront TMG Management Console, expand the Forefront TMG server node and click Web Access Policy. In the Tasks pane on the right, scroll down to Web Protection Tasks, which lists Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering and Configure URL Category. The following steps use these tasks to define each policy.

1. Click Configure HTTPS Inspection.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection.

3. Click Generate. The Generate Certificate dialog box appears.

4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall. This name becomes the issuer on every server certificate TMG re-signs, so pick something users and helpdesk staff will recognise when they look at a certificate.

5. Leave the Issuer Statement field blank and click Generate Certificate Now. The new certificate is displayed. Click OK to close the certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. The Certificate Deployment Options dialog box appears.

7. Click Automatic Deployment. An authentication dialog box appears.

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain Enterprise Trusted Root certificate store and click OK. A command window will appear briefly and, if the procedure succeeds, the dialog box

Automatic deployment publishes the CA into Active Directory, so domain-joined computers trust it after their next Group Policy refresh. Computers that are not domain members, and applications that keep their own trust store rather than using the Windows store, must import the CA manually; until they do, every inspected site produces a certificate warning.

9. Click OK to close this dialog box.

10. Click OK to close the Certificate Deployment Options dialog box.

11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list.

12. Click Add to open the Add Network Entities dialog box.

13. In the Add Network Entities dialog box, click New and then click Domain Name Set. The New Domain Name Set Policy Element dialog box appears.

14. In the Name field, type Excluded Sites. Click Add. When New Domain appears in the Domain names included in this list, change it to display http://www.wolverine.com.au. Click Add again and change New Domain to display http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now appear

Traffic to the sites in this set is tunnelled without being decrypted, so malware inspection and the HTTP filter never see it. Keep the list short, record who approved each entry (the Description field is a good place) and review it regularly.

15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box reappears.

16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.

17. In the Block Expired Certificate After (Days) text box, type 7. This is a grace period: TMG keeps accepting a server certificate for up to 7 days past its expiry before it blocks the site. Remember that because TMG terminates the TLS session, the browser only ever sees the certificate TMG issued; any server-certificate problem that TMG decides not to block is invisible to the user, so the settings on this tab are the only validation the client effectively gets.

18. In the HTTPS Outbound Inspection dialog box, click the Client Notification tab.

19. Select Notify Users That Their HTTPS Traffic Is Being Inspected. The notification is delivered through the Forefront TMG Client software, so users on machines without it will not see it.

20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty, and it is left empty in this example. Any computer added here has all of its HTTPS traffic passed through uninspected, whatever the destination, so treat entries the same way as destination exceptions.

21. Click OK to close the HTTPS Outbound Inspection dialog box.

22. Click Apply in the TMG management centre pane, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane feature display will change

23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating a successful CA certificate import.
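The alert in step 23 only proves the import on the TMG side. The following PowerShell script is an added example, not part of the original article and not code shipped with Forefront TMG; run it on a domain-joined client behind TMG to confirm that the inspection CA reached the client's Trusted Root store and that TMG really re-signs outbound HTTPS while the sites in the Destination Exceptions set still present their original certificate. The CA name Edge Firewall, the proxy name tmg.corp.example, TMG's default web proxy port 8080 and the two test sites are illustrative assumptions.

```powershell
# Added example; not from the original article and not part of Forefront TMG.
# Run on a domain-joined client behind TMG after step 23 to confirm two things:
#  (a) the inspection CA created in step 4 reached the client's Trusted Root store, and
#  (b) TMG really re-signs outbound HTTPS, while sites in the Destination Exceptions
#      set (step 14) still present their original certificate.
# Illustrative assumptions: the CA name "Edge Firewall", the proxy name
# tmg.corp.example and TMG's default web proxy port 8080, and the two test sites.
param(
    [string]$CaName    = "Edge Firewall",
    [string]$ProxyHost = "tmg.corp.example",
    [int]   $ProxyPort = 8080
)

# (a) Without the CA in LocalMachine\Root every inspected site raises a browser warning.
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$CaName*" }
if ($ca) {
    "Inspection CA present: $($ca.Subject), thumbprint $($ca.Thumbprint), expires $($ca.NotAfter)"
} else {
    Write-Warning "No '$CaName' certificate in LocalMachine\Root; re-run Automatic Deployment or gpupdate /force."
}

# (b) Open a CONNECT tunnel through the proxy, complete a TLS handshake, and report
#     who issued the leaf certificate the client actually receives.
function Get-IssuerViaProxy {
    param([string]$Site)
    $tcp    = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    $stream = $tcp.GetStream()
    $connect = "CONNECT ${Site}:443 HTTP/1.1`r`nHost: ${Site}:443`r`n`r`n"
    $buf = [System.Text.Encoding]::ASCII.GetBytes($connect)
    $stream.Write($buf, 0, $buf.Length)

    # Read the proxy reply one byte at a time so no TLS bytes are swallowed by a buffer.
    $hdr = ""
    while (-not $hdr.EndsWith("`r`n`r`n")) {
        $b = $stream.ReadByte()
        if ($b -lt 0) { throw "Proxy closed the connection during CONNECT to $Site" }
        $hdr += [char]$b
    }
    $status = ($hdr -split "`r`n")[0]
    if ($status -notmatch '^HTTP/1\.[01] 200') { throw "CONNECT to $Site refused: $status" }

    # Accept any chain here: the goal is to SEE the issuer, not to trust it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
    $ssl.AuthenticateAsClient($Site)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $tcp.Close()

    New-Object PSObject -Property @{
        Site      = $Site
        Issuer    = $leaf.Issuer
        NotAfter  = $leaf.NotAfter
        Inspected = ($leaf.Issuer -like "*CN=$CaName*")
    }
}

# Expected: the excluded site shows its public CA (Inspected = False); any other
# site shows the TMG CA (Inspected = True).
'www.wolverine.com.au', 'www.bing.com' |
    ForEach-Object { Get-IssuerViaProxy $_ } |
    Format-Table Site, Inspected, Issuer, NotAfter -AutoSize
```

If the CONNECT is refused with a 407 the web proxy rule requires authentication, which this raw probe does not send; test from a browser session instead or temporarily use a rule that allows the test client unauthenticated. A site that should be inspected but reports Inspected = False usually means it matched a destination or source exception, or that the client is not going through the proxy at all.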

Configuring the HTTP Filter

1. On the TMG server (or from a remote management console), open the TMG Management Console.

2. Click Forefront TMG (Array Name) in the left pane.

3. Click Web Access Policy, right-click your main Internet access rule and choose Configure HTTP.

4. The Configure HTTP Policy For Rule dialog box appears with five tabs: General, Methods, Extensions, Headers and Signatures. The settings apply only to the rule you right-clicked, so repeat the procedure for every rule that needs them. You can work through all the tabs at once or come back later and repeat these steps.

General

The General tab sets the maximum request header length, whether a payload of any length is allowed, and whether to block high-bit characters in URLs and Windows executable content in responses. The executable check looks at the response body rather than the file name, so it also catches renamed executables. Accept the defaults and move on, or adjust them to match your policy.

HTTP Methods

1. In the Specify The Action Taken For HTTP Methods drop-down list, select Block Specified Methods (Allow All Others).

2. The Add button becomes available. Click Add and type PUT.

3. Click OK. PUT now appears on the Methods tab.

4. Click OK to close the dialog box, then click Apply in the TMG console, type the appropriate notes in the Configuration Change Description window and click Apply to commit the change.

Extensions

1. In the Specify The Action Taken For File Extensions drop-down list, select Block Specified Extensions (Allow All Others).

2. The Add button becomes available. Click Add and type .mp3 (extensions are entered with the leading dot).

3. Click OK. The extension now appears on the Extensions tab.

4. Click OK and then, in the main TMG console, click Apply to commit this change. Extension filtering only looks at the URL path, so a renamed file or a download served from a URL without an extension is not caught; pair it with malware inspection rather than relying on it alone.

Headers

1. Click Firewall Policy, right-click the http://www.wolverine.com.au web publishing rule and choose Configure HTTP.

2. Click the Headers tab.

3. In the Server Header drop-down list, choose Modify Header In Response.

4. Type the value that should replace the published server's own Server header. Because this is a publishing rule, the header is what an external scanner reads first; replacing the real product and version string with a generic value denies an attacker that easy fingerprint.

5. Click OK and then click Apply in the main TMG console to commit the changes.

Blocking Signatures

1. Click Web Access Policy, right-click your main Internet access rule and choose Configure HTTP.

2. In the Configure HTTP Policy For Rule dialog box, click the Signatures tab.

3. Click Add and do the following in the Signature window:

· Type Block MSN Messenger in the Name field.

· Type Block MSN Messenger signature in the Description field.

· Select Request Headers from the Search In drop-down list and enter the header to search; for identifying a client application the User-Agent header is the usual choice.

· In the Signature field, type MSN Messenger.

4. Click OK. The signature now appears on the Signatures tab.

5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.

6. Repeat steps 3 to 5 for each additional signature you want to block.

Important! A signature searched in the Request URL matches any URL that contains the string, so it may block entire web sites. Body searches are also only applied to the configured byte range of the request or response, so a signature that appears further into a large body will not match.

Relevant Articles:

How to block bandwidth intensive websites using Microsoft ISA

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: how to install and configure Forefront TMG 2010—Step by step part II


Configure Malware Inspection, NIS and URL Filter in Forefront TMG 2010

Log on to the Forefront TMG server as an administrator, open the Forefront TMG management console, click Web Access Policy and, in the Tasks pane on the right, scroll down to Web Protection Tasks (Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering and Configure URL Category), as in the HTTPS inspection article above. The following steps use these tasks to configure malware inspection, URL filtering and NIS.

Enabling Per-Rule Malware Inspection

1. In the Forefront TMG Management Console, click Web Access Policy.

2. Right-click the access rule that you want to change and choose Properties.

3. Click the Malware Inspection tab. Check Inspect content downloaded from web servers and Force full content requests. The second option stops clients fetching a file in pieces with HTTP Range requests, which would otherwise let a download arrive in fragments that TMG can never scan as a whole.

4. Click Apply and OK, then click Apply in the console to commit the change.

Testing Internet Access with Malware Inspection

1. Click Forefront TMG (Array Name) in the left pane.

2. Click the Logs & Reports node in the left pane and then click Edit Filter in the Tasks pane.

3. In the Filter By drop-down list, select Client IP.

4. In the Condition drop-down list, select Equals.

5. In the Value field, enter the IP address of the test client, for example 10.10.10.10.

6. Click Add To List and then click Start Query.

7. At the test client workstation, launch Internet Explorer and open http://www.eicar.org/anti_virus_test_file.htm. The EICAR file is a harmless, industry-standard test string that anti-malware engines detect by design, so it exercises inspection without handling real malware.

8. In the download area for the HTTP protocol, click the file called eicar.com. The user receives the block notification from TMG.

9. In the TMG log query you can see that the file was blocked, along with the reason why it was blocked. Test the HTTP link first: the HTTPS downloads on the same page can only be inspected if HTTPS inspection is enabled, otherwise they pass through unscanned.

Configuring URL Filtering

1. In the left pane of the TMG management console, select Web Access Policy.

2. In the right pane, click Configure URL Filtering.

3. To enable URL Filtering globally, on the General tab of the URL Filtering Settings dialog box, select Enable URL Filtering.

4. In the URL Filtering Settings dialog box, click the URL Category Override tab. By default this list is empty; it is where you reassign a URL that the reputation service has placed in the wrong category.

5. Click OK to close the URL Filtering Settings dialog box.

6. In the right pane of the TMG management console, click the Toolbox tab.

7. In the Toolbox, click New and then click URL Category Set.

8. On the Welcome To The New URL Category Set Wizard page, type Blocked Categories and click Next.

9. On the URL Category Selection page, do the following:

· Select Includes All Selected URL Categories.

· In the URL Category list, select Dating / Personals, Media Sharing and Web Phone.

10. On the Completing The New URL Category Set Wizard summary page, verify that the configuration agrees with what the Security team described and click Finish.

Per-Rule URL Filtering Configuration

1. In the TMG management console centre pane, double-click the Blocked Web Destinations deny rule.

2. In the Blocked Web Destinations Properties dialog box, click the To tab, and then click Add.

3. In the Add Network Entities dialog box, expand URL Category Sets, select Blocked Categories, click Add, and then click Close.

4. In the Blocked Web Destination properties dialog box, verify that the destinations list appears as shown

5. Click the Action tab.

6. In the Denied URL Request Action section, do the following:

· Select Display Denial Notification To User.

· Type Access to this site is blocked by Security Team in the Add Custom Text Or HTML To Notification Text field.

· Select Add Denied Request Category To Notification.

7. Click OK to close the Blocked Web Destinations Properties dialog box.

8. In the TMG management console centre pane, click Apply to enforce the rule changes. When prompted by Change Control, enter a description of your actions and click Apply.

Testing URL Filtering

At any client served by TMG, open a browser and type http://explicit.bing.net in the address bar. Notice that the request denial page includes the message “Access to this site is blocked by Security Team” you specified in step 6 of Per-Rule URL Filtering Configuration.
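The manual checks described in this article (the EICAR download under Testing Internet Access with Malware Inspection and the blocked-category page just above) and the method, extension and signature blocks from the HTTP filter article are all the same kind of test: send a request through the proxy and see whether TMG lets it through. The following PowerShell script is an added example, not part of the original articles and not code shipped with Forefront TMG; it runs all of those probes from a client in one go and tabulates the result. The proxy address, the use of User-Agent as the header the MSN Messenger signature inspects, the file names under www.wolverine.com.au and the direct EICAR download URL are illustrative assumptions.

```powershell
# Added example; not from the original article and not part of Forefront TMG.
# Sends the requests these tutorials ask you to exercise by hand through the TMG web
# proxy and reports whether each came back allowed or denied: the HTTP filter
# (PUT method, .mp3 extension, "MSN Messenger" signature), malware inspection
# (the EICAR test file) and URL filtering (a site in a blocked category).
# Illustrative assumptions: the proxy address, User-Agent as the header the
# signature inspects, the path names under www.wolverine.com.au, and the direct
# EICAR download URL.
$Proxy = "http://tmg.corp.example:8080"

$probes = @(
    @{ Name = "Baseline GET";        Method = "GET"; Uri = "http://www.wolverine.com.au/" },
    @{ Name = "PUT method";          Method = "PUT"; Uri = "http://www.wolverine.com.au/upload.txt"; Body = "probe" },
    @{ Name = ".mp3 extension";      Method = "GET"; Uri = "http://www.wolverine.com.au/track.mp3" },
    @{ Name = "Messenger signature"; Method = "GET"; Uri = "http://www.wolverine.com.au/"; UserAgent = "MSN Messenger 7.5" },
    @{ Name = "EICAR download";      Method = "GET"; Uri = "http://www.eicar.org/download/eicar.com" },
    @{ Name = "Blocked category";    Method = "GET"; Uri = "http://explicit.bing.net/" }
)

function Invoke-Probe {
    param([hashtable]$P)
    $req = [System.Net.WebRequest]::Create($P.Uri)
    $wp  = New-Object System.Net.WebProxy($Proxy)
    $wp.UseDefaultCredentials = $true     # web access rules normally require the logged-on user
    $req.Proxy = $wp
    $req.Method = $P.Method
    $req.Timeout = 15000
    $req.AllowAutoRedirect = $false       # a 3xx from the origin still counts as "allowed through"
    if ($P.UserAgent) { $req.UserAgent = $P.UserAgent }
    if ($P.Body) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($P.Body)
        $req.ContentType   = "text/plain"
        $req.ContentLength = $bytes.Length
        $rs = $req.GetRequestStream(); $rs.Write($bytes, 0, $bytes.Length); $rs.Close()
    }

    $verdict = "Allowed"; $code = $null; $detail = ""
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) {
            $verdict = "No response"; $detail = $_.Exception.Message
        } else {
            $verdict = "Denied"
            $code = [int]$resp.StatusCode
            $html = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
            $resp.Close()
            # Flatten the denial page so the custom text from the URL filtering rule
            # or the malware verdict is readable in the table.
            $detail = (($html -replace '<[^>]+>', ' ') -replace '\s+', ' ').Trim()
            if ($detail.Length -gt 120) { $detail = $detail.Substring(0, 120) + "..." }
        }
    }
    New-Object PSObject -Property @{ Name = $P.Name; Verdict = $verdict; Status = $code; Detail = $detail }
}

$probes | ForEach-Object { Invoke-Probe $_ } | Format-Table Name, Verdict, Status, Detail -AutoSize
```

Read the table together with the log query from Testing Internet Access with Malware Inspection: a Denied verdict can also come from the origin server (a site that does not accept PUT returns its own error), so the Detail column and the TMG log, which records the rule and the reason for each denial, are what distinguish a TMG block from an origin refusal. An Allowed verdict for the EICAR or blocked-category rows means the corresponding protection is not applied to this client's rule.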

Network Inspection System (NIS)

1. In the left pane of the TMG management console, select Intrusion Prevention System.

2. In the centre pane, select Network Inspection System and click Enable. The NIS Properties dialog box appears.

3. On the General tab, check Enable NIS.

4. On the Exceptions tab, select Sites Exempt From NIS, click Add and add the desired sites. Click Add again to add a network set, such as the Internal network. Every exception is a blind spot, so exempt only what produces verified false positives.

5. On the Definitions tab, which controls how signature sets are updated, keep the default settings or adjust them as required.

6. On the Protocol Anomalies Policy tab, select Allow so that legitimate sites that deviate from the protocol specification are not blocked. Block is the stricter choice; move to it once you have reviewed the alerts it would generate.

7. Apply the changes and click OK.

8. In the centre pane, click the Behavioral Intrusion Detection tab and enable all the common behavioural intrusion detection check boxes.

9. Apply the changes and click OK.

Important! In the NIS Tasks you can add policies of your own or accept the Microsoft default policies. You can also define exception rules in NIS.

Generating Malware, NIS and URL filter reports

1. Click Logs & Reports in the TMG console, click the Reporting tab, and then click Create One-Time Report under Tasks in the right pane.

2. The One-Time Report Wizard launches. Enter a name for the report and click Next.

3. On the Report Period page, specify the start and end of the period the report covers, by day or by month. Report data is collected from the previous day's logs, so the end date must be earlier than the current date. After selecting the start and end dates, click Next.

4. On the Report Content page, select the content to include. For the protections configured in this article, select one or more of Malware Protection, URL Filtering, Network Inspection System and Security, then click Next.

5. On the Send E-Mail Notification page, you can configure TMG to send an e-mail notification when the report completes. After filling in the relevant fields, click Next.

6. On the Report Publishing page, you can choose to publish the report to a central directory, either on the same TMG server or on a remote server. After filling in the relevant fields, click Next.

7. On the Completing the One-Time Report Wizard page, you are told that the wizard completed successfully and can review a brief summary of the report's configuration. Click Finish.

8. The report now appears under the Reporting tab with the configuration you just entered. Click Apply to process the report.

9. Click Logs & Reports in the TMG console and then click Create Recurring Report Job under Tasks in the right pane. Follow similar steps and add a schedule on which the report should run.

Relevant Articles

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Forefront TMG 2010: Publishing Exchange server 2010

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010
