Export (0) Print
Expand All

Creating network objects

In Microsoft Forefront Threat Management Gateway, a network object can define one or more IP addresses, one or more ranges of IP addresses, a subnet, a set of hosts, or a combination of an IP address and port, depending on its type. Network objects are used in defining rules. 

The following types of network objects can be created in Forefront TMG:

  • Networks
  • Network sets
  • Computers
  • Address ranges
  • Subnets
  • Computer sets
  • URL sets
  • Domain name sets
  • Web listeners
  • Server farms

For instructions for creating networks, see Defining networks. This topic includes procedures for creating the other network objects.

  1. In the Forefront TMG Management console tree, click Networking.

  2. In the details pane, select the Networks tab.

  3. On the Tasks tab, click Create a New Network.

  4. When the New Network Wizard starts, follow the on-screen instructions.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Computer.

  4. In Name, type a name for the computer.

  5. In Computer IP Address, type the IP address for the computer. You can also click Browse to locate the IP address based on the name of the computer.

  6. Click OK to close the dialog box.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Address Range.

  4. In Name, type a name for the address range.

  5. In Start Address, type the first address in the range.

  6. In End Address, type the last address in the range.

  7. Click OK to close the dialog box.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Subnet.

  4. In Name, type a name for the subnet.

  5. In Network address, type the first address in the address range comprising the subnet.

  6. Do one of the following:

    • In the spin box, type or select a number from 0 through 32 that specifies the number of successive ones in the binary value of the network mask.
    • In Network mask, type the network mask. The network mask is ANDed with the first address in the subnet (specified in Network address) to determine the range of IP addresses included in the subnet.
      The subnet mask typically consists of zero, one, two, or three binary octets that are represented in dotted-decimal format by the decimal number 255 and one binary octet that contains a series of ones (which may be empty) followed by a series of zeros and is represented by one of the following decimal numbers:
      254
      252
      248
      240
      224
      192
      128
      0
  7. Click OK to close the dialog box.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Computer Set.

  4. In Name, a name for the computer set.

  5. Click Add, and select Computer, Address Range, or Subnet, depending on the object that you are adding to the computer set. Provide the required information for the object that you selected. Repeat this step as necessary until the computer set contains all of the required computers, address ranges, and subnets.

  6. Click OK to close the dialog box.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click URL Set.

  4. In Name, type a name for the URL set.

  5. Click Add, and then type a URL to include in the URL set.

    Each URL may include a host name and a path. Wildcard characters are allowed. However, URLs containing a query string that are included in a URL set are ignored. A protocol (HTTP, HTTPS, or FTP) and a port number may be included, but these are ignored.

    Hosts may be specified in any of the following formats:

    • FQDN (for example, www.northwindtraders.com).
    • DNS suffix (for example, *.net).
    • IP Address.
    • Wildcard character (*).

    Paths may be specified in any of the following formats:

    • Full path (for example, default.htm).
    • Prefix (for example, /pictures/travel/* or /*).

    Forefront TMG does not support the use of International Domain Name (IDN) URLs.

  6. Click OK to close the dialog box.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Domain Name Set.

  4. In Name, type a name for the domain name set.

  5. Click Add, and then type a domain name to include in the domain name set.

    When specifying a domain name, you can use an asterisk (*) to specify a set of computers. For example, to specify all computers in the fabrikam.com domain, type the domain name as *.fabrikam.com. Note that the asterisk can appear only at the start of the domain name and can be specified only once in the name.

    When you specify a single computer, specify the computer name using the fully qualified domain name (FQDN). For example, type computer_name.fabrikam.com, and not //computer_name.

  6. Click OK to close the dialog box.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Web listener.

  4. When the New Web Listener Wizard starts, follow the on-screen instructions.

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Toolbox tab, click Network Objects.

  3. On the toolbar beneath Network Objects, click New, and then click Server Farm.

  4. When the New Server Farm Wizard starts, follow the on-screen instructions.

    Forefront TMG creates a connectivity verifier for each Web server when you configure a server farm. On the Connectivity Monitoring page of the wizard, you can select an HTTP/HTTPS GET request for a specified URL, a PING request, or a request to establish a TCP connection for testing connectivity.

    The HTTP/HTTPS GET request option is only supported for servers whose names do not contain non-English characters.

    If you select HTTP as the connectivity verifier method, you must enable the system policy rule titled: Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers.

    If your Web server is configured to use a port other than port 80, specify that port on the Farm Connectivity tab. The default setting for the farm connectivity verifiers is a GET request for port 80.

    If you configure the connectivity verifier to send an HTTP/HTTPS GET request to a non-standard HTTP port, you will have to create an access rule to allow the requests to be sent to the servers.

Cc995125.note(en-us,TechNet.10).gifImportant:
After you finish creating your network objects, in the details pane, click the Apply button to save and update the configuration, and then click OK.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft