Export (0) Print
Expand All

Configuring a Web access policy

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

The Forefront TMG Web Access Wizard creates a basic Web access policy that specifies which users are allowed or denied Internet access and how traffic from internal networks to the Internet is inspected.

To configure Web access policy by running the Web Access Wizard, do the following:

To run the Web Access Wizard

  1. In the Forefront TMG Management console, click the Web Access Policy node.

  2. On the Tasks tab, click Configure Web Access Policy. If you have already run the wizard, a message appears warning you that the changes you made to settings and rules when you previously ran wizard will be discarded. Click Yes to confirm that the wizard should run again.

  3. On the Web Access Policy Type page, select the type of Web access policy that you want to apply in your organization.

  4. On the Web Protection page, click Yes, enable the malware inspection feature to turn on malware inspection globally.

Dd877962.note(en-us,TechNet.10).gifNote:
To configure malware inspection it must be enabled globally and enabled on each access rule that serves content you want to inspect. Malware inspection is available for evaluation for 90 days. After this period, a license is required. Note that when running as part of Essential Business Server, a license is provided for one year.

  1. Select Create a simple global access policy for all the clients in my organization to allow all users to visit all Web sites except those URLs that you specifically block. You can also enable malware scanning for HTTP traffic and configure caching by using this policy.

  2. Select Create customized Web access policies for users, groups and computers to specify that Web policy is controlled by authenticated user access, non-authenticated IP address access, or a mixture of both. Using this policy, you can create rules for authentication and anonymous access, enable malware scanning, configure caching, and specify how requests that do not match users and IP addresses specified in rules should be handled.

  3. Specify settings for the Web policy type you have selected. The tables below provide information about the pages that appear when you choose either Create a simple global access policy for all the clients in my organization or Create customized Web access policies for users, groups and computers.

Running the Web Access Wizard with simple policy settings

If you selected the setting Create a simple global access policy for all the clients in my organization use the information in the following table to complete the wizard.

Page Field or property Setting or action Rules or global settings

Restricted Web Destinations

Add

With this setting you can create an allow rule that allows access to the External network, and you can create a deny rule that blocks access to Web sites you specify.

All users can access all sites not specified on this page.

Rule created: Web Access Default Rule

  • Rule type: Allow

  • From: Internal

  • To: External

  • Applies to: All Users

Rule: Web Access Restrictions

  • Rule type: Deny

  • From: Internal

  • To: Specified URL destinations

  • Applies to: All Users

  • Exceptions: Any users specified on the Restricted Destination Exceptions page

Restricted Destinations Exceptions

Add

Select this setting to exempt users or user groups from the deny rule.

Exemptions to:

  • Web Access Restrictions rule

Malware Inspection Settings

Do not inspect Web content requests from the Internet.

Inspect Web content requested from the Internet.

Select this setting to configure antivirus scanning of Web traffic.

This setting applies malware inspection to the rules created by the wizard.

Web Cache Configuration

Enable Web caching

Select this setting to enable Web caching, Once you select the setting, select the drive you want to use for Web caching from the list, and then click Cache Drives to turn on caching and define cache drives. Caching is not active until both of these steps are complete. After completing the wizard, you can configure cache setting and create cache rules to download content. For instructions, see Caching Web site content.

This global setting applies to all content that is specified for caching by the defined cache rules.

Running the Web Access wizard with customized policy settings

If you selected the setting Create customized Web access policies for users, groups and computers use the information in the following table to complete the wizard.

Page Field or property Setting or action Rules or global settings

Access Policy Groups

Users and user groups only

Select this setting to create a policy based on client authentication. Access is allowed and restricted based on user name.

None

Computers, IP addresses and subnets

Select this setting to allow clients Web access without user authentication. Access is allowed and restricted based on source IP address.

None

Any of the above

Select this value to require a mixture of client authentication and anonymous access based on source IP address.

None

Default Web Access Policy

Allow the Web request

Select this setting to provide a default rule (processed last in the rule list) of allowing traffic. If you enable this setting, the following applies:

  • If your Web access policy is based on users and groups and a request does not match an authenticated rule for the requested destination, the request will be allowed.

  • If your Web access policy is based on source IP address and a request does not match an anonymous rule for the requested destination, the request will be allowed.

If you selected Allow the Web request and Web policy is based on users and groups, the following rule is created:

  • Rule name: Web Access Default Rule

  • Allow or Deny: Allow

  • From: Internal

  • To: External

  • Applies to: Authenticated Users

If you selected Allow all Web access and Web policy is based on source IP addresses, the following rule is created:

  • Rule

  • Allow or Deny: Allow

  • From: Internal

  • To: External

  • Applies to: All Users

Deny the Web request

Select this setting to provide a default fallback policy of denying traffic. If you select this option, the following applies:

  • If your Web access policy is based on users and groups, a request that does not match an authenticated rule for the requested destination will be denied.

  • If your Web access policy is based on a source IP address, a request that does not match an anonymous rule for the requested destination will be denied.

If you selected Deny all Web access and Web policy is based on users and groups, the following rule is created:

  • Rule name: Web Access Default Rule

  • Allow or Deny: Deny

  • From: Internal

  • To: External

  • Applies to: Authenticated Users

If you selected Deny all Web access, and Web policy is based on source IP addresses, the following rule is created:

  • Rule name: Web Access Default Rule

  • Allow or Deny: Deny

  • From: Internal

  • To: External

  • Applies to: All Users

Anonymous Web Access Policies

Add

Select this setting to create an anonymous access rule that allows or denies access to specific locations.

The following rule is created:

  • Rule name: The rule name is the policy name that you specified in the Add Access Policy dialog box.

  • Allow or Deny

  • From: Specified source IP addresses

  • To: Specified destinations

  • Applies to: All Users

Authenticated Web Access Policies

Add

Select this setting to create an access rule that requires users to authenticate and that allows or denies access to specific locations.

The following rule is created:

  • Rule name: The rule name is the policy name you specified in the Add Access Policy dialog box.

  • Allow or Deny

  • From: Specified user set

  • To: Specified destinations

  • Applies to: Specified user set

Malware Inspection Settings

Inspect Web content requested from the Internet

Select to configure antivirus scanning of Web traffic.

This setting applies scanning to all rules created with the wizard.

Allow partial file delivery

Select this option to specify that partial file delivery is enabled. Trickling partial files to clients improves the user experience. Users see a progress bar and gradually-opened page as data is scanned. If you select this option, trickling is not applied to all content types. By default, specific content types use progress notifications instead of trickling. For more information, see Planning for Malware Inspection.

File delivery settings

Block encrypted archives

This setting specifies that Forefront TMG does not allow downloading of any encrypted files for which it cannot inspect the content.

Encrypted archive download settings

Web Cache Configuration

Enable Web caching

Select this setting to enable Web caching. Once you select the setting, select the drive you want from the list, and then click Cache Drives to turn on caching and define cache drives. Caching is not active until both of these steps are complete After completing the wizard, you can configure cache settings and create cache rules to download content. For instructions, see Caching Web site content.

This global setting applies to all content that is specified for caching by the defined cache rules.

Copyright © 2009 by Microsoft Corporation. All rights reserved.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft