When last we discussed TMG 2010, we completed our install and initial configuration, and were permitting outbound HTTP, HTTPS and DNS traffic. While that was a great start, I doubt it was even minutes before you found out how many other protocols you’re using without even noticing it until something blocks it. Remember, TMG is a proxy/firewall, and the one consistency amongst all firewalls is the concept of ‘implicit deny.’ In other words, that which you have not explicitly defined as permitted is going to be denied.
In my experience, what most companies opt to do with outgoing traffic is to permit everything by default. It’s only after they determine that this is a bad idea that they start to try to block specific things. While therein lies the path to madness, I have to recognise that this is probably the situation that you are in if you are doing this at work. If you are at home, your kids are probably screaming that IM no longer works, and your own torrents (of the latest Ubuntu version of course!) probably ground to an abrupt halt, and you really want to open things up, so we’re just going to embrace the madness and do an ip any rule to start. In a follow-up post, we’ll cover how to bring order to chaos by identifying the traffic we want, creating the rules to permit it, and ultimately, disabling the ip any rule.
We’ll begin by logging on to our TMG console, and browsing down to the firewall policy.
- Right-click Firewall Policy, scroll down to New, and over to Access Rule.

- As with most things Microsoft, this will launch a wizard. Our first step is to name our access rule. I like short, descriptive names, and I prefer CamelCase to make things readable and easier to script later, so I will call this AllowAllOutbound and then click Next.

- The default action is to deny. As we’re looking to permit all, we need to click Allow, and then click next.

- The next screen is where we define the traffic this rule covers. Given our goal, the choice is easy: select “All outbound traffic” and then click Next.

- The next step has us decide whether or not to enable malware inspection for this rule. This may be a bit confusing, as we’re dealing with an outgoing rule, but the help file defines this as “Outbound inspection refers to HTTP requests that originate from clients on networks protected by Forefront TMG.” This is not going to inspect the replies. So if you want to be a good citizen of the tubes, and you acknowledge that your client might have picked up the e-flu somewhere along the way, enabling this could protect the rest of the world from an infected client. We’ll tick the Enable option and then click Next.

- Now we need to define the source of this outgoing traffic we’re allowing. Assuming you want to cover all your users, click Add, expand Network Sets, and choose All Protected Networks, which will include your TMG server(s), your internal clients, and your VPN clients. Click to add them, then click Close, then click Next.

- In this step, we’re defining just where we want to permit this outgoing traffic. Since we’re trying to implement ip any, click Add, expand Network Sets, and choose All Networks (and Local Host). Add them, click Close, and then click Next.

- Since we want this to apply to all users, click Next.

Hit Finish, and make sure the rule is at the top of the stack as #1. If it is not, click to highlight it, then click “move selected rules up” on the right-hand task pane until it is. Then hit Apply, enter your reason for this change, and you’re done.
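The wizard steps above can also be scripted, which is why short CamelCase rule names pay off. The following is an added example, not code from the original post; it builds the same AllowAllOutbound rule through the Forefront TMG COM administration object (FPC.Root) from an elevated PowerShell prompt on the TMG server, then walks it to position 1. The rule name, the two built-in network sets and the "top of the stack" placement come from the post. The enumeration values and the MoveUp method on the rules collection are written from memory of the TMG administration object model and should be checked against the TMG SDK documentation before use; the malware inspection setting from the wizard is not set by this script, so confirm it on the rule's properties in the console afterwards.

```powershell
# Added example (not from the original post): create the AllowAllOutbound rule
# via the Forefront TMG COM object model instead of the wizard.

# TMG enumeration values (FpcPolicyRuleActions, FpcProtocolSelectionType, FpcIncludeStatus).
# Assumed from the TMG SDK: Allow = 0, AllProtocols = 0, Include = 0.
$fpcPolicyRuleActionAllow = 0
$fpcAllProtocols          = 0
$fpcInclude               = 0

$ruleName = 'AllowAllOutbound'

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

# Returns the 1-based position of a rule in the policy, or 0 if it is not there.
function Get-RuleIndex($rules, $name) {
    for ($i = 1; $i -le $rules.Count; $i++) {
        if ($rules.Item($i).Name -eq $name) { return $i }
    }
    return 0
}

# Refuse to create a second copy; duplicate rules make policy audits painful.
if ((Get-RuleIndex $rules $ruleName) -ne 0) {
    throw "Rule '$ruleName' already exists."
}

# Same choices the wizard offers: Allow, all outbound traffic, from all protected
# networks, to all networks and local host. Users are left at the default (All Users).
$rule = $rules.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionAllow
$rule.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols
$rule.SourceSelectionIPs.NetworkSets.Add('All Protected Networks', $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.NetworkSets.Add('All Networks (and Local Host)', $fpcInclude)
$rule.Enabled = $true
$rule.Save()

# Rules are matched top to bottom, so walk the new rule up to position 1.
# MoveUp(index) is assumed to behave like the console's "Move Selected Rules Up".
$rules.Refresh()
$idx = Get-RuleIndex $rules $ruleName
while ($idx -gt 1) {
    $rules.MoveUp($idx)
    $idx--
}
$rules.Save()

# Print the resulting order so the change can be eyeballed before anyone trusts it.
$rules.Refresh()
for ($i = 1; $i -le $rules.Count; $i++) {
    $r = $rules.Item($i)
    '{0,3}  {1,-5} {2}' -f $i, $(if ($r.Action -eq $fpcPolicyRuleActionAllow) { 'Allow' } else { 'Deny' }), $r.Name
}
```

The order listing at the end is the scripted equivalent of checking that the rule sits at #1 in the console; keeping it in the script means the change and its verification happen in the same run.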
Please keep in mind that we’ve just opened the flood gates, permitting all outbound traffic. That’s web, IM, P2P, and anything else. If that is really what you (or management) want then great, but in an upcoming post we’ll go over how to identify traffic that we want to permit and how to create a rule specifically allowing it. Once we have all desired traffic defined, we can disable the AllowAllOutbound rule and be in a much more secure posture.
How does your company approach outgoing traffic? Is it ip any, everything through a proxy, or somewhere in between? Leave a comment and share your war story!
Great article. Thanks.
Yup, great as always
I hope the Forefront team, for the next version, will add a feature that can analyze the outgoing data stream and then suggest fitting policies.
That’s a great idea!
Is there a way to specify what outbound public IP address Forefront uses? I have 5 public IP’s and all are set in the NIC card. For some reason the main default IP set is not being used, a higher one in the range is. Just wondering if there is a way to tell Forefront what public IP to use.
Hi Jake,
See this post. Thanks for the inspiration.
Ed
Awesome, that worked!
Thanks.
Really good post. Most of the time management decides to allow all the websites & block specific HTTP/HTTPS websites. Actually I am new to Microsoft TMG. So what I believe is, it is possible to block specific HTTP sites with it. But is there any way I can block specific HTTPS sites with TMG?
Ex:- Suppose I want to block https://example.com & want to allow all other HTTPS websites except example.com.
Hi Kiran,
You need to create a list of sites you wish to deny, then a rule that denies access to those sites, and then place it higher up in your firewall policy. Rules are processed in order, so the deny will block sites on the list because it matches, all other sites won’t match so they will move down until they hit the rule that permits.
Ed
Hi Ed,
Sorry, I could not test it immediately after reply due to some reasons. But now when I am trying to test it I am facing some difficulties.
I have created “URL Sets” & added the list of websites which I don’t want users to access. I also have created “URL Category Sets”. But I am not able to get how I should apply this to the Web Access rule, or how I should apply this policy so that it will take effect & only those websites will get blocked.
Create an access rule as a deny, apply it to your users using this URL Set, and make sure it appears ABOVE the access rule that allows Internet access.
Rules are parsed top to bottom, so hitting this deny before the rule that allows access will block the sites. Anything not on the URL Set will skip this rule for the next one down, etc.
HTH
Ed
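The deny-above-allow arrangement Ed describes, as an added example that is not part of the original post or the comments: it creates a URL set, a deny rule for HTTP and HTTPS that uses it, and then moves that rule up until it sits directly above the AllowAllOutbound rule from the post, using the TMG COM administration object from PowerShell on the TMG server. The names BlockedSites and DenyBlockedSites are made up for the example; example.com is the host from Kiran's question. As in the earlier example, the enumeration values, the URL set Add method and MoveUp on the rules collection are written from memory of the TMG object model and should be checked against the TMG SDK.

```powershell
# Added example (not from the original post or comments): a URL-set deny rule
# placed above the allow-all rule, so it is matched first.

# Assumed TMG enumeration values: Deny = 1, SpecifiedProtocols = 1, Include = 0.
$fpcPolicyRuleActionDeny = 1
$fpcSpecifiedProtocols   = 1
$fpcInclude              = 0

$urlSetName   = 'BlockedSites'        # hypothetical name
$denyRuleName = 'DenyBlockedSites'    # hypothetical name
$allowRuleName = 'AllowAllOutbound'   # the rule built in the post

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

function Get-RuleIndex($rules, $name) {
    for ($i = 1; $i -le $rules.Count; $i++) {
        if ($rules.Item($i).Name -eq $name) { return $i }
    }
    return 0
}

# 1. The URL set. A trailing /* covers every path on the host. For HTTPS the proxy
#    only sees the host name in the CONNECT request, so the host is what gets matched.
$urlSet = $array.RuleElements.URLSets.Add($urlSetName)
$urlSet.Add('http://example.com/*')
$urlSet.Add('https://example.com/*')
$urlSet.Save()

# 2. The deny rule: web protocols only, from all protected networks, to the URL set.
$deny = $rules.AddAccessRule($denyRuleName)
$deny.Action = $fpcPolicyRuleActionDeny
$deny.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$deny.AccessProperties.SpecifiedProtocols.Add('HTTP',  $fpcInclude)
$deny.AccessProperties.SpecifiedProtocols.Add('HTTPS', $fpcInclude)
$deny.SourceSelectionIPs.NetworkSets.Add('All Protected Networks', $fpcInclude)
$deny.AccessProperties.DestinationSelectionIPs.URLSets.Add($urlSetName, $fpcInclude)
$deny.Enabled = $true
$deny.Save()

# 3. Ordering is what makes it work: a deny below the allow-all never matches anything.
#    Move the deny up until it is immediately above the allow rule.
$rules.Refresh()
$allowIdx = Get-RuleIndex $rules $allowRuleName
if ($allowIdx -eq 0) { throw "Rule '$allowRuleName' not found; nothing to order against." }
$denyIdx = Get-RuleIndex $rules $denyRuleName
while ($denyIdx -gt $allowIdx) {
    $rules.MoveUp($denyIdx)   # assumed to match the console's "Move Selected Rules Up"
    $denyIdx--
}
$rules.Save()

# Show the two rules' final positions; the deny must print with the lower number.
$rules.Refresh()
'{0}: {1}' -f (Get-RuleIndex $rules $denyRuleName),  $denyRuleName
'{0}: {1}' -f (Get-RuleIndex $rules $allowRuleName), $allowRuleName
```

Placing the deny directly above the allow, rather than at position 1, keeps any more specific rules that already sit above the allow (publishing rules, exceptions) in front of it; the only requirement is that the deny is evaluated before the allow-all.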
Hi ED,
Thanks a lot. I just followed your above lessons & pics & now I am able to successfully block the specific websites in my virtual environment. So thanks a lot for the same. Now I will do some more tests on it to get familiar with it & then start planning the deployment in the production environment.
So thanks a lot.
Great to hear that Kiran, good luck with the deployment!
Thanks ED.
That is Great… Thanks a lot for this. Now I just need to check this on my Test Environment. Thanks..
I have 5 public IP addresses, I want them to route to specific servers and protocols, i.e.:
196.23.29.66 Exchange Server
196.23.29.67 FTP server
198.23.29.68 Vpn
Can TMG do this?
Sure, for each service you publish, you will select the specific external address you want to use when you set up your listener. See my other posts on TMG for some suggestions on how to get started with that. I cover Exchange and VPN, and some gotchas around FTP, plus how you can select the specific external address for your outbound client traffic.
HTH
Ed
Thanks Ed, worked great!!! I also seem to have a problem when importing my Exchange server’s cert. It keeps saying invalid in TMG when I create a listener; do you maybe know why this is?
Sounds like you did not export it with the private key. If you didn’t create the cert with an exportable private key you will need to start over; otherwise just export it with the private key, and you can then import it into TMG.
Ed
Hello Ed
How are you? I would like you to help me. First of all, let me tell you that I have configured TMG 2010 as an edge firewall, and the DNS IP is 192.168.1.100, forwarding requests to the ISP’s DNS. I am getting an alert on the TMG server:
“TMG disconnected a non-TCP connection from 192.168.1.100 because the connection limit for this IP address was exceeded. A larger custom limit should be configured for the IP address of a chained proxy server and a back-to-back TMG computer with a NAT relationship.”
I have already added 192.168.1.100 to the IP exception list. We have somewhere around 50 internet users logged in all the time; would it be affected if we have 200 users? What shall I do, or do I need to ignore that after adding it to the exception list?
2nd problem) My clients (SecureNAT clients) are not able to update their Kaspersky antivirus. Kindly tell me some rule that will let my users update their Kaspersky, and can I configure content download jobs for it?
Kindly suggest.
Rohan Gaur
System Admin
If I understand you correctly, your internal DNS server which all clients use is unable to make all the outbound connections it needs for recursive queries. See this article and increase your non-TCP connections. Start HIGH, like 2000, and see how it goes.
I have no information for you on Kaspersky…I don’t use it on clients. Use your logging to create a filter for one client, try to run an update, and see what TMG logs. Build your rules according to what the logging tells you is happening.
HTH
Ed
Hi Ed, thanks for this info. Set up the rules etc. and I get connected to the VPN. All tests fine. Problem is I cannot access any of my servers on the network once I am connected to the VPN.
Please help.
Many thanks.
Have you looked at http://retrohack.com/how-to-configure-pptp-vpn-support-on-tmg-2010/ ?
HTH
Ed