Forefront TMG secure Web gateway features

Applies To: Forefront Threat Management Gateway (TMG)

This topic provides an overview of Forefront TMG secure Web gateway features, and helps you to identify the secure Web gateway deployment goals that are appropriate for your organization. Depending on your deployment goals, you can select to implement all of the secure Web gateway features or a combination of features that address your specific goals. For information, see Identifying your secure Web gateway deployment goals.

Secure Web gateway features overview

Forefront TMG secure Web gateway incorporates the following features:

• URL filtering—Destination URLs are examined for compliance with corporate policy and for malicious potential of destination Web sites. URL filtering identifies certain types of Web sites, such as known malicious sites and sites that display inappropriate or pornographic materials, and allows or blocks access to these sites, based on corresponding, predefined URL categories. You can allow or block access to configured categories on selected days of the week (for example, over the weekend), or at specific times of the day (for example, during work hours).

  Note

  Destination URLs refer to HTTP requests that originate from clients on networks protected by Forefront TMG.

  URL filtering checks the URLs against Microsoft Reputation Services, which combines multiple sources to increase the coverage of URLs and categorization and features over 90 URL categories (such as, Malicious, Anonymizers, or Illegal Drugs). According to the policy created by the Forefront TMG administrator, URL filtering either allows or blocks access to the requested site.

  You can also run URL filtering in reporting mode, where it monitors traffic and generates reports, without blocking or allowing access. You can use the reports and log entries to learn about Web usage in your organization, such as, which are the most browsed URL categories. For more information, see Planning for URL filtering (https://go.microsoft.com/fwlink/?LinkId=168614).

• HTTPS inspection—Enables Forefront TMG to inspect inside users’ SSL-encrypted Web traffic. By inspecting within these encrypted sessions, Forefront TMG can both detect possible malware and enforce the corporate policy, for example, by blocking access to sites whose certificates are out of date. Sensitive sites, such as banking sites, can be excluded from inspection for privacy considerations. For more information, see Planning for HTTPS inspection (https://go.microsoft.com/fwlink/?LinkId=168613).

• Malware inspection—Outbound Web traffic, including files from archived folders, are inspected for viruses and malware. Encrypted files can be blocked.

  Note

  Outbound inspection refers to HTTP requests that originate from clients on networks protected by Forefront TMG.

  Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG enables you to shape the user experience while Web content is scanned for malware, by selecting one of the following delivery methods for scanned content:

  • Trickling—Forefront TMG sends portions of the content to the user as the files are inspected. This process helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.

  • Progress notification—Forefront TMG sends an HTML page to the client computer, informing the user that the requested content is being inspected, and displaying an indication of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready, and displays a button for downloading the content.

  For more information, see Planning to protect against malicious Web content (https://go.microsoft.com/fwlink/?LinkId=168615).

• Network Inspection System (NIS)—Traffic can be inspected for exploits of known vulnerabilities in operating systems and applications. Based on protocol analysis, NIS enables the blocking of attacks while minimizing false positives; signature sets and engines are continuously and automatically updated to handle new threats and vulnerabilities, for example, regular Microsoft security update releases on the second Tuesday of each month.

  NIS, which is a vulnerability signature component of the Forefront TMG Intrusion Prevention System (IPS), comes with a predefined, out-of-the-box recommended policy. In addition, NIS provides granular control and policy configuration to comply with your specific organization needs, troubleshooting, and investigation requirements. For more information, see Planning to protect against known vulnerabilities (https://go.microsoft.com/fwlink/?LinkId=168616).

• Caching—For organizations that handle high volumes of Web traffic, Forefront TMG provides caching functionality to improve user Web surfing experience and reduce bandwidth costs. With the centralized cache rule mechanism of Forefront TMG, you can configure how objects stored in the cache are retrieved and served from the cache. For more information, see Planning to cache Web content (https://go.microsoft.com/fwlink/?LinkId=168617).

  For branch office deployments, Forefront TMG can interoperate with BranchCache, a feature of Windows 7 and Windows Server 2008 R2, that enables Web content on a wide area network (WAN) to be cached on computers at a local branch office, thus improving application response time and reducing WAN traffic. For more information, see the following articles:

  • BranchCache (https://go.microsoft.com/fwlink/?LinkId=168634)

  • Interoperability with BranchCache solution guide (https://go.microsoft.com/fwlink/?LinkID=179641)

Identifying your secure Web gateway deployment goals

The following table lists the possible Forefront TMG secure Web gateway deployment goals. After you identify the goals that are appropriate for your organization, you can map them to the relevant Forefront TMG feature or features.

Related Topics

Concepts

Forefront TMG secure Web gateway solution guide