Verifying your Forefront TMG secure Web gateway deployment
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you test and validate the functionality of the Forefront TMG secure Web gateway features you have deployed. Run the tests after you complete your deployment, and before you implement secure Web gateway in your production environment.
The following procedures describe:
Testing proxy and cache functionality. Before you start testing, verify the following:
Web caching is configured. For information, see Configuring caching in Forefront TMG secure Web gateway.
You have created at least one Web access rule. For information, see Creating a basic Web access policy (https://go.microsoft.com/fwlink/?LinkId=179465).
A local address table (LAT) is configured on the Forefront TMG server. For information, see Understanding the ISA Server 2000 Local Address Table (https://go.microsoft.com/fwlink/?LinkId=179663).
Testing URL filtering. Before you start testing, verify the following:
One or more Web destination categories are defined as Blocked Web Destinations. For information, see Blocking destinations in Web access policy rules.
URL Category Override is defined for at least one Web site. For information, see Looking up and overriding a site’s URL category.
The denial notification users receive when access is blocked is customized in one of the following ways:
The default Forefront TMG access denial message is customized. For information, see Customizing the default access denial message.
Users are redirected to a Web page containing a custom message. For information, see Redirecting users to a custom access denial page.
Testing HTTPS inspection. Before you start testing, verify the following:
HTTPS inspection is enabled and configured. For information, see Configuring HTTPS inspection in Forefront TMG secure Web gateway.
Malware inspection is enabled and configured. For information, see Configuring malware inspection in Forefront TMG secure Web gateway.
At least one destination or source Web site or computer is excluded from HTTPS inspection. For information, see Excluding sites and computers from HTTPS inspection.
Forefront TMG Client is installed on the client computer. For information, see Deploying Forefront TMG Client (https://go.microsoft.com/fwlink/?LinkId=179467).
End-user notifications of HTTPS inspection are enabled on Forefront TMG and on Forefront TMG Client. For information, see Notifying users of HTTPS inspection.
Testing malware inspection. Before you start testing, verify that malware inspection is enabled and configured. For information, see Configuring malware inspection in Forefront TMG secure Web gateway.
Testing NIS. Before you start testing, verify that NIS is enabled and configured. For information, see Configuring NIS in Forefront TMG secure Web gateway.
Tip
For information on Forefront TMG reports, and for instructions on how to configure and view reports, see Configuring Forefront TMG reports (https://go.microsoft.com/fwlink/?LinkId=179662).
Testing proxy and cache functionality
On the client computer’s browser, set the Local Area Network (LAN) Settings to use the Forefront TMG server as the proxy server for your LAN.
Browse to What Is My IP (https://go.microsoft.com/fwlink/?LinkId=179317) and confirm your proxy and external IP settings.
Browse to your intranet Web site. You should go through your proxy when the bypass flag is turned off on the client browser.
Browse to your Outlook Web Access site and conduct a short Outlook Web Access session.
Browse to well-known Web sites, for example, https://www.bing.com. Make sure they are all accessible and that the pages are displayed correctly.
Download a large file from two different computers. Because the file should be served from the cache, the second download should be much faster than the first download. Verify it in the Forefront TMG log viewer.
Open an FTP connection to ftp://ftp.hp.com. You should be able to log on to the site, and list and download files.
If you fail to create a Web proxy session, or if any of the tests fail, in the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query to detect and analyze the traffic from the client computer.
Testing URL filtering
On the client computer, browse to Web sites that URL filtering is configured to block, and verify that your custom block message is displayed.
Browse to a Web site for which a category override is defined, and verify that it is allowed or blocked according to the configuration of the override.
Verify that you can query the URL filtering database:
In the Forefront TMG Management console, in the tree, click Web Access Policy.
In the Tasks pane, click Configure URL Filtering, and then click Query for URL Category.
On the Category Query tab, enter a URL or an IP address, and then click Query.
Verify that you can report classification issues to Microsoft Reputation Services Feedback and Error Reporting (https://go.microsoft.com/fwlink/?LinkId=178581).
In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by the Blocked Web Destinations rule. Check the query results and verify that the correct URL category has been detected.
Testing HTTPS inspection
On the client computer, browse to The Anti-Virus or Anti-Malware test file (https://go.microsoft.com/fwlink/?LinkId=179319) and download one of the test virus files over HTTPS. Verify that Forefront TMG malware protection notifies the client computer that access to the file is blocked.
Browse to a secure Web site, and then do the following:
Verify that while HTTPS traffic is being inspected, Forefront TMG Client displays a Secure Connection Inspection balloon notification on the client computer.
Check the site’s certificate details to verify it was issued by Microsoft Forefront TMG HTTPS Inspection Certificate Authority.
Verify that the client computer trusts the certificate, that is, no Certificate Error page is displayed.
Browse to a Web site that is excluded from HTTPS inspection, or browse to any Web site from a computer that is excluded from HTTPS inspection, and verify that the certificate was not issued by Microsoft Forefront TMG HTTPS Inspection Certificate Authority.
In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by Malware Inspection result = Infected File and Log Time. Check the query results and verify that Destination Port is 443 and Protocol is https-inspect.
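The certificate checks in this procedure can also be scripted from the client computer. The following PowerShell is an added example, not part of the original topic or of Forefront TMG: it requests each site through the proxy and reports whether the certificate presented was issued by the HTTPS inspection CA and whether the client trusts it. It assumes Windows PowerShell on the .NET Framework (where ServicePoint.Certificate is populated); the proxy address and the excluded site are placeholders, and the function name is hypothetical.

```powershell
# Added example. Placeholder values below are assumptions; replace them with your own.
$Proxy      = 'http://tmg.example.local:8080'    # assumed Forefront TMG Web proxy listener
$IssuerName = 'Microsoft Forefront TMG HTTPS Inspection Certificate Authority'
$Targets = @(
    @{ Url = 'https://www.bing.com/';         ExpectInspected = $true  },
    @{ Url = 'https://excluded.example.com/'; ExpectInspected = $false }  # placeholder: a site on your exclusion list
)

function Test-TmgHttpsInspection {
    param([string]$Url, [bool]$ExpectInspected, [string]$Proxy, [string]$IssuerName)

    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.Proxy = New-Object System.Net.WebProxy($Proxy)
    $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $req.AllowAutoRedirect = $false
    $req.Timeout = 15000

    $trusted = $true
    $note = ''
    try {
        $req.GetResponse().Close()
    } catch {
        # PowerShell wraps .NET exceptions; walk down to the WebException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex) { throw }
        # TrustFailure means the client does not trust the issuing CA.
        # ProtocolError is an HTTP error status; the TLS handshake still succeeded.
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) { $trusted = $false }
        elseif ($ex.Status -ne [System.Net.WebExceptionStatus]::ProtocolError) { $note = $ex.Status.ToString() }
    }

    # Certificate presented on the TLS connection (the re-signed copy when inspected).
    $cert = $req.ServicePoint.Certificate
    $issuer = if ($cert) { $cert.Issuer } else { '' }
    $inspected = $issuer -like "*$IssuerName*"
    $pass = if ($ExpectInspected) { $inspected -and $trusted } else { [bool]$cert -and -not $inspected }

    [pscustomobject]@{ Url = $Url; Issuer = $issuer; Trusted = $trusted
                       Inspected = $inspected; Pass = $pass; Note = $note }
}

$results = foreach ($t in $Targets) {
    Test-TmgHttpsInspection @t -Proxy $Proxy -IssuerName $IssuerName
}
$results | Format-Table -AutoSize
```

A row with Inspected = True and Trusted = False indicates that the HTTPS inspection CA certificate has not been deployed to the client computer's trusted root store.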
Testing malware inspection
On the client computer, browse to The Anti-Virus or Anti-Malware test file (https://go.microsoft.com/fwlink/?LinkId=179319) and download one of the test virus files over HTTP. Verify that Forefront TMG malware protection notifies the client computer that access to the file is blocked.
In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by Malware Inspection result = Infected File.
Check the query results to verify that the file was blocked.
Make sure that malware definitions are up to date. For information, see Configuring definition updates for malware inspection.
Testing NIS
On the client computer, attempt to browse to the following URL: https://www.contoso.com/testNIS.aspx?testValue=1!2@34$5%256%5e%5b%7bNIS-Test-URL%7d%5d1!2@34$5%256%5e
Verify that the attempt failed, and that this message is displayed in the browser: Network Access Message: The page cannot be displayed.
On Forefront TMG, verify that this alert was generated: NIS Blocked Traffic Matching a Known Signature.
In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by NIS scan result = Blocked. Check the query results to verify that the signature was detected.
In the Forefront TMG Management console, in the tree, click Update Center. On the Definition Updates tab, verify that Forefront TMG receives signature definition updates.