Protocols

Microsoft Forefront Threat Management Gateway uses protocol definitions in access rules and server publishing rules. The protocol selected in a rule determines which inbound or outbound traffic the rule allows or denies.

Predefined protocols

Forefront TMG provides a large number of predefined protocols, available in the Forefront TMG Management console Toolbox. Predefined protocols cannot be modified or deleted. They are grouped into functional categories that help you select the appropriate protocol for a specific scenario; some protocols are listed in more than one category.

Protocol category / Description

Common Protocols

This category includes protocols used for common publishing and access needs, such as HTTP and HTTPS.

Infrastructure

This category includes protocols used for common networking infrastructural needs, such as: address assignment (DHCP), Active Directory (LDAP), and name resolution (DNS).

Mail

This category includes protocols used by mail servers, such as SMTP, IMAP4, POP3, and others.

Instant Messaging

This category includes protocols required for instant messaging, including MSN Messenger, ICQ, H.323, and others.

Remote Terminal

This category includes protocols required to allow remote management, including RDP, Telnet, and others.

Streaming Media

This category includes protocols required for streaming media, including MMS, RTSP, and others.

VPN and IPsec

This category includes protocols required for VPN connections, such as IKE Client, IKE Server, L2TP, and others.

Web

This category includes protocols used to access Web sites, such as HTTP, HTTPS, FTP, and others. You can select protocols only from this category when creating Web publishing rules.

User-Defined

This category includes protocols that are defined by users.

Authentication

This category includes protocols required for authentication, such as RADIUS, RSA SecurID, and Kerberos.

Server Protocols

This category includes server protocols used in server publishing rules, such as RPC Server, Microsoft SQL Server, FTP Server, and others. Protocols used for server publishing include "Server" as part of their name and are always inbound. For example, FTP Server protocol is an inbound protocol used for server publishing, while FTP protocol is outbound.

All Protocols

This category includes all protocols that are in the Toolbox (predefined and user-defined).

Protocol properties

Predefined and user-defined protocols have a number of properties, discussed in the following sections.

Protocol Type

Specifies which low-level protocol is used for the protocol definition: TCP, UDP, ICMP, or IP-level.

Direction

Forefront TMG uses the protocol direction to decide whether traffic is treated as outbound or inbound relative to the rule's source. For TCP the direction is Inbound or Outbound. For UDP it is Send, Receive, Send Receive, or Receive Send; the first word names the direction of the initial packet from the rule source, and the second word, when present, permits the reply in the opposite direction. For ICMP and IP-level protocols it is Send or Send Receive.

  • For access rules, the protocol direction is usually outbound. This allows traffic from the rule source (specified in the From property of the rule) to the rule destinations (specified in the To property of the rule). Predefined protocols with an outbound direction do not have the suffix "Server" in the name.
  • For server publishing rules, the protocol must be defined as inbound. This allows traffic from the rule source to the published service on the server. Predefined protocols with an inbound direction are always identified with the suffix "Server". When you define a custom protocol for server publishing you are not required to add the suffix, but you must define the protocol as inbound.

Port Range

For TCP and UDP, this is a range of ports between 1 and 65,535 that is used for the initial connection. More than one protocol definition can be associated with the same port.

Forefront TMG evaluates access rules in order and applies the first rule that matches the traffic, so a rule that allows one protocol on a port also lets through any other protocol definition that uses that port. If you create a rule denying access to a specific protocol, be sure to include all protocols that use the same port in the exception list. Alternatively, create a rule that denies any one of the protocols that use the port and place that deny rule before the allow rules in the rule order. For example, if you define a new protocol for a port used by a worm so that you can block it, do not create an access rule that allows everything except the new protocol: other protocol definitions on the same port would still match and be allowed. Instead, create a rule that denies the new protocol and place it before any other access rules that allow protocols on the same ports.
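The following is an added example, not Forefront TMG code and not its administration API: a stand-alone Python model of the shared-port caveat above. It defines a small catalog of constructed protocol definitions (approximations of predefined entries such as IRC, HTTP and DNS, plus a user-defined one on the same port as IRC), finds every definition whose initial connection overlaps a given one, and then checks an ordered list of access rules for the two mistakes the text warns about: an "allow everything except X" rule whose exception list omits a sibling on the same port, and a deny rule placed after an allow rule that already matches such a sibling. All names, rules and port assignments are constructed for illustration.

```python
"""Model of TMG-style protocol definitions and first-match access-rule ordering.

Added example (constructed data, not Forefront TMG's object model).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One primary (initial) connection: IP protocol type, direction, port range."""
    proto: str        # "TCP" or "UDP"
    direction: str    # TCP: Inbound/Outbound; UDP: Send, Receive, Send Receive, Receive Send
    low_port: int
    high_port: int

    def overlaps(self, other: Connection) -> bool:
        # Two definitions collide when they use the same IP protocol type and
        # their port ranges intersect. Direction is ignored on purpose: the
        # point of the check is "anything else on this port", not this flow.
        return (self.proto == other.proto
                and self.low_port <= other.high_port
                and other.low_port <= self.high_port)


@dataclass(frozen=True)
class Protocol:
    name: str
    primary: tuple[Connection, ...]

    def shares_port_with(self, other: Protocol) -> bool:
        return any(a.overlaps(b) for a in self.primary for b in other.primary)


@dataclass(frozen=True)
class AccessRule:
    """Ordered access rule. With all_except=True the rule applies to every
    protocol except those listed (an empty set then means 'all protocols')."""
    name: str
    action: str                 # "Allow" or "Deny"
    protocols: frozenset[str]
    all_except: bool = False

    def applies_to(self, proto_name: str) -> bool:
        if self.all_except:
            return proto_name not in self.protocols
        return proto_name in self.protocols


def overlapping_protocols(target: Protocol, catalog: list[Protocol]) -> list[str]:
    """Names of other definitions whose initial connection shares a port with target."""
    return [p.name for p in catalog
            if p.name != target.name and target.shares_port_with(p)]


def check_exception_lists(rules: list[AccessRule], catalog: list[Protocol]) -> list[str]:
    """Warn when an 'all except' Allow rule excludes a protocol but not its
    same-port siblings, which the rule would therefore still allow."""
    by_name = {p.name: p for p in catalog}
    warnings = []
    for rule in rules:
        if rule.action != "Allow" or not rule.all_except:
            continue
        for excluded in rule.protocols:
            for sibling in overlapping_protocols(by_name[excluded], catalog):
                if sibling not in rule.protocols:
                    warnings.append(f"rule '{rule.name}' excludes '{excluded}' but still "
                                    f"allows '{sibling}' on the same port")
    return warnings


def check_deny_ordering(rules: list[AccessRule], catalog: list[Protocol]) -> list[str]:
    """Warn when a Deny rule comes after an Allow rule that matches a
    definition sharing the denied protocol's port (first match wins)."""
    by_name = {p.name: p for p in catalog}
    warnings = []
    for i, deny in enumerate(rules):
        if deny.action != "Deny" or deny.all_except:
            continue
        for denied in deny.protocols:
            for sibling in overlapping_protocols(by_name[denied], catalog):
                for allow in rules[:i]:
                    if allow.action == "Allow" and allow.applies_to(sibling):
                        warnings.append(f"rule '{allow.name}' allows '{sibling}' before "
                                        f"'{deny.name}' denies '{denied}' on the same port")
    return warnings


# Constructed catalog: approximations of predefined entries plus one user-defined protocol.
CATALOG = [
    Protocol("HTTP", (Connection("TCP", "Outbound", 80, 80),)),
    Protocol("IRC", (Connection("TCP", "Outbound", 6667, 6667),)),
    Protocol("DNS", (Connection("TCP", "Outbound", 53, 53),
                     Connection("UDP", "Send Receive", 53, 53))),
    Protocol("DNS Server", (Connection("TCP", "Inbound", 53, 53),
                            Connection("UDP", "Receive Send", 53, 53))),
    Protocol("Suspect Port 6667", (Connection("TCP", "Outbound", 6667, 6667),)),
]

# Wrong: "allow all except the new protocol" first, deny second.
BAD_RULES = [
    AccessRule("Allow all except suspect", "Allow", frozenset({"Suspect Port 6667"}), all_except=True),
    AccessRule("Block suspect", "Deny", frozenset({"Suspect Port 6667"})),
]

# Right: deny first, then a plain allow-all rule.
GOOD_RULES = [
    AccessRule("Block suspect", "Deny", frozenset({"Suspect Port 6667"})),
    AccessRule("Allow all", "Allow", frozenset(), all_except=True),
]

if __name__ == "__main__":
    for label, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        print(label, check_exception_lists(rules, CATALOG) + check_deny_ordering(rules, CATALOG))
```

Running the module prints two warnings for BAD_RULES (IRC shares TCP 6667 with the user-defined protocol, so the exception list is incomplete and the allow rule is evaluated first) and none for GOOD_RULES. The model ignores secondary connections and application filters, which in a real TMG policy can also affect which rule a connection matches.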

Protocol Number

For IP-level protocols, this is the IP protocol number, between 0 and 254 (for example, 47 for GRE).

ICMP Properties

For ICMP protocols, these are the ICMP type and code that the definition matches.

Secondary Connections

This is the range of ports, protocol types, and direction used for additional connections or packets that follow the initial connection. You can configure one or more secondary connections if required. You cannot define secondary connections for IP-level primary protocols.