Verifying your Forefront TMG secure Web gateway deployment

Applies To: Forefront Threat Management Gateway (TMG)

This topic is designed to help you test and validate the functionality of the Forefront TMG secure Web gateway features you have deployed. Run the tests after you complete your deployment, and before you implement secure Web gateway in your production environment.

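The following procedures describe how to test proxy and cache functionality, URL filtering, HTTPS inspection, malware inspection, and the Network Inspection System (NIS).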

Tip

For information on Forefront TMG reports, and for instructions on how to configure and view reports, see Configuring Forefront TMG reports (https://go.microsoft.com/fwlink/?LinkId=179662).

Testing proxy and cache functionality

  1. On the client computer’s browser, set the Local Area Network (LAN) Settings to use the Forefront TMG server as the proxy server for your LAN.

  2. Browse to What Is My IP (https://go.microsoft.com/fwlink/?LinkId=179317) and confirm your proxy and external IP settings.

  3. Browse to your intranet Web site. You should go through your proxy when the bypass flag is turned off on the client browser.

  4. Browse to your Outlook Web Access site and conduct a short Outlook Web Access session.

  5. Browse to well-known Web sites, for example, https://www.bing.com. Make sure they are all accessible and that the pages are displayed correctly.

  6. Download a large file from two different computers. Because the file should be served from the cache, the second download should be much faster than the first download. Verify it in the Forefront TMG log viewer.

  7. Open an FTP connection to ftp://ftp.hp.com. You should be able to log on to the site, and list and download files.

  8. If you fail to create a Web proxy session, or if any of the tests fail, in the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query to detect and analyze the traffic from the client computer.

Testing URL filtering

  1. On the client computer, browse to Web sites that URL filtering is configured to block, and verify that your custom block message is displayed.

  2. Browse to a Web site for which a category override is defined, and verify that it is allowed or blocked according to the configuration of the override.

  3. Verify that you can query the URL filtering database:

    1. In the Forefront TMG Management console, in the tree, click Web Access Policy.

    2. In the Tasks pane, click Configure URL Filtering, and then click Query for URL Category.

    3. On the Category Query tab, enter a URL or an IP address, and then click Query.

  4. Verify that you can report classification issues to Microsoft Reputation Services Feedback and Error Reporting (https://go.microsoft.com/fwlink/?LinkId=178581).

  5. In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by the Blocked Web Destinations rule. Check the query results and verify that the correct URL category has been detected.

Testing HTTPS inspection

  1. On the client computer, browse to The Anti-Virus or Anti-Malware test file (https://go.microsoft.com/fwlink/?LinkId=179319) and download one of the test virus files over HTTPS. Verify that Forefront TMG malware protection notifies the client computer that access to the file is blocked.

  2. Browse to a secure Web site, and then do the following:

    • Verify that while HTTPS traffic is being inspected, Forefront TMG Client displays a Secure Connection Inspection balloon notification on the client computer.

    • Check the site’s certificate details to verify it was issued by Microsoft Forefront TMG HTTPS Inspection Certificate Authority.

    • Verify that the client computer trusts the certificate, that is, no Certificate Error page is displayed.

  3. Browse to a Web site that is excluded from HTTPS inspection, or browse to any Web site from a computer that is excluded from HTTPS inspection, and verify that the certificate was not issued by Microsoft Forefront TMG HTTPS Inspection Certificate Authority.

  4. In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by Malware Inspection result = Infected File and Log Time. Check the query results and verify that Destination Port is 443 and Protocol is https-inspect.
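The certificate checks in steps 2 and 3 can also be scripted from the client computer. The following is an added example, not part of the original topic or of any Microsoft tooling. The proxy host, port and site names are hypothetical placeholders, and the issuer common name is assumed to match the name given above (change the constant if you imported a custom inspection CA).

```python
import http.client
import ssl

# Issuer name as given in the procedure above (assumed to be the certificate's CN).
TMG_ISSUER_CN = "Microsoft Forefront TMG HTTPS Inspection Certificate Authority"


def issuer_common_name(cert):
    """Return the issuer CN from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_inspection(cert, expect_inspected):
    """Return (ok, detail): ok is True when the issuer matches the expected state."""
    issuer = issuer_common_name(cert)
    inspected = issuer == TMG_ISSUER_CN
    state = "inspected" if inspected else "not inspected"
    return inspected == expect_inspected, f"{state} (issuer CN: {issuer})"


def fetch_cert_via_proxy(proxy_host, proxy_port, site, timeout=10):
    """Open a CONNECT tunnel through the proxy and return the validated certificate.

    The default context verifies the chain and host name against the client's
    trust store, so an untrusted inspection CA raises
    ssl.SSLCertVerificationError (the scripted form of a Certificate Error page).
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, context=ctx, timeout=timeout)
    conn.set_tunnel(site, 443)
    try:
        conn.connect()
        return conn.sock.getpeercert()
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical lab values: replace with your proxy listener and test sites.
    PROXY = ("tmg.lab.example", 8080)
    for site, expected in [("inspected.example", True), ("excluded.example", False)]:
        try:
            ok, detail = check_inspection(fetch_cert_via_proxy(*PROXY, site), expected)
        except (ssl.SSLError, OSError) as exc:
            ok, detail = False, f"connection failed: {exc}"
        print(f"{'PASS' if ok else 'FAIL'} {site}: {detail}")
```

A FAIL on an excluded site means its traffic is still being re-signed by the inspection CA; a verification error on an inspected site means the client does not trust that CA.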

Testing malware inspection

  1. On the client computer, browse to The Anti-Virus or Anti-Malware test file (https://go.microsoft.com/fwlink/?LinkId=179319) and download one of the test virus files over HTTP. Verify that Forefront TMG malware protection notifies the client computer that access to the file is blocked.

  2. In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by Malware Inspection result = Infected File.

    Check the query results to verify that the file was blocked.

  3. Make sure that malware definitions are up to date. For information, see Configuring definition updates for malware inspection.

Testing NIS

  1. On the client computer, attempt to browse to the following URL: https://www.contoso.com/testNIS.aspx?testValue=1!2@34$5%256%5e%5b%7bNIS-Test-URL%7d%5d1!2@34$5%256%5e

    Verify that the attempt failed, and that this message is displayed in the browser: Network Access Message: The page cannot be displayed.

  2. On Forefront TMG, verify that this alert was generated: NIS Blocked Traffic Matching a Known Signature.

  3. In the Forefront TMG Management console, in the tree, click Logs & Reports. In the details pane, click the Logging tab, and initiate a query filtered by NIS scan result = Blocked. Check the query results to verify that the signature was detected.

  4. In the Forefront TMG Management console, in the tree, click Update Center. On the Definition Updates tab, verify that Forefront TMG receives signature definition updates.

Concepts

Forefront TMG secure Web gateway solution guide