Configuring web access rule properties

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

After you have created a web access rule by using the Web Access Policy wizard or the New Access Rule wizard, you can configure the rule with additional details by editing its properties. There are many web access rule properties that you can configure. The following procedure describes how to modify these properties.

Modifying a web access rule

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the details pane, right-click the rule you want to modify, and then click Properties.

  3. Modify the access rule’s properties as required, according to the tasks described in the following table.

Task, description, and steps

Enable or disable the rule

If a rule is disabled, it is not evaluated by the rules engine.

Click the General tab, and then select or clear the Enable check box.

Modify the rule action

Set the action that will be taken if all the conditions specified in the rule are met.

Click the Action tab, and select Allow to allow traffic matching the rule, or Deny to deny traffic matching the rule.

Enable user override for deny rules (SP1 only)

Enable user override if you want to allow users to decide for themselves whether to access a site that was previously denied to them.

When user override is enabled and configured correctly, the “access denied” HTML page provides the option to continue to the restricted site.

Click the Action tab of a deny access rule, and then select Allow user override.

Important

  • User override is available only for deny rules that have URL categories or URL category sets as their destination.

  • When a user clicks Override Access Restriction, the rule is removed from consideration while this specific access request is evaluated against the firewall policy rule base. Accordingly, for user override to work, one of the subsequent firewall policy rules must allow access to the requested destination.

If you want to limit how long the override remains in effect, select Override effective for (minutes). The default period is 30 minutes; adjust this time as required by your policy.

For more information, see Planning for deny rule user override (SP1).
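The override behaviour described above, as an added example that is not part of this page and not Forefront TMG code or its administration API: a small first-match policy evaluator in Python. Rules are checked in order; disabled rules are skipped; when a user has clicked Override Access Restriction on a deny rule, that rule is removed from consideration for the override period and the request falls through to the remaining rules, so without a later allow rule the request still ends at the default deny. Rule names, the URL category names and the per-user keying of overrides are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOW, DENY = "allow", "deny"

# Reference time for the worked scenario (constructed).
T0 = datetime(2011, 2, 1, 9, 0)


def at(minutes):
    """Return the time `minutes` after T0 (helper for the scenario below)."""
    return T0 + timedelta(minutes=minutes)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # ALLOW or DENY (the Action tab)
    categories: frozenset = frozenset()  # URL categories on the To tab; empty = any destination
    enabled: bool = True               # General tab, Enable check box
    allow_user_override: bool = False  # Action tab, "Allow user override" (deny rules only)
    override_minutes: int = 30         # "Override effective for (minutes)"


class Policy:
    """Ordered rule base with first-match evaluation and user override tracking."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._overrides = {}  # (user, rule name) -> time at which the override expires

    def _override_active(self, user, rule, now):
        expiry = self._overrides.get((user, rule.name))
        return expiry is not None and now < expiry

    def evaluate(self, user, category, now):
        """Return (action, matching rule name) for a request to a site in `category`."""
        for rule in self.rules:
            if not rule.enabled:
                continue  # disabled rules are not evaluated by the rules engine
            if rule.categories and category not in rule.categories:
                continue
            if self._override_active(user, rule, now):
                continue  # rule removed from consideration while the override lasts
            return rule.action, rule.name
        return DENY, "Default rule"  # nothing matched: the default rule denies

    def override(self, user, rule_name, now):
        """Record that `user` clicked Override Access Restriction for `rule_name`.

        Only deny rules with user override enabled and a URL-category
        destination qualify. Returns True if the override was granted.
        """
        rule = next((r for r in self.rules if r.name == rule_name), None)
        if (rule is None or rule.action != DENY
                or not rule.allow_user_override or not rule.categories):
            return False
        self._overrides[(user, rule.name)] = now + timedelta(minutes=rule.override_minutes)
        return True


if __name__ == "__main__":
    policy = Policy([
        Rule("Block gaming", DENY, frozenset({"Games"}), allow_user_override=True),
        Rule("Allow web", ALLOW),
    ])
    print(policy.evaluate("alice", "Games", at(0)))   # denied by "Block gaming"
    policy.override("alice", "Block gaming", at(0))
    print(policy.evaluate("alice", "Games", at(5)))   # allowed by "Allow web"
    print(policy.evaluate("alice", "Games", at(30)))  # override expired: denied again
```

The second scenario in the test is the one the Important note warns about: a policy whose only rule is the overridable deny rule. The override is granted, but the request then reaches the default rule and is still denied, which is why a subsequent allow rule must exist.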

Modify denial notification

When a web access policy rule denies access to some web site or set of web sites, you can create a custom message alerting clients that they have been denied access. You can create a different denied access message for each rule in the web access policy.

Alternatively, you can direct web clients to a custom web page hosted on a web server.

Click the Action tab of a deny access rule, click Advanced, and then do one of the following:

  • To modify the default denial message, verify that Display denial notification to user is selected. In the box under Add custom text or HTML to notification (optional), type the message you want to show users who attempt to access blocked web sites.

    Note

    • You can use HTML tags, such as:

      <a href="mailto:admin@contoso.com?subject=Access to web site denied">Contact the system administrator</a>.

    • If the rule blocks access to a URL category, you can expose the URL category of the blocked web site to users by selecting Add denied request category to notification. This option is only available when URL filtering is enabled.

  • To direct web clients to a custom web page hosted on a web server, select Redirect web client to the following URL, and type the complete URL, using the following format: https://URL.

    Note

    In Forefront TMG 2010 Service Pack 1, you can use the following tokens on the custom web page:

    • [DESTINATIONURL]—Displays the denied URL.

    • [URLCATEGORYNAME]—Displays the denied URL category in the Forefront TMG installation language.

    • [URLCATEGORYID]—Displays a number representing the denied URL category ID, necessary if you want to display the URL category in the default language setting of the user’s browser.

    • [OVERRIDEGUID]—Displays the array GUID, necessary if you want to create a user override button similar to the one on the default notification page.

    For example: https://192.168.1.3/Default.aspx?OrigUrl=[DESTINATIONURL]&Category=[URLCATEGORYNAME]&CategoryId=[URLCATEGORYID].
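A custom denial page receives the substituted tokens as query parameters, and [DESTINATIONURL] is whatever URL the client requested, so it is attacker-influenced input reflected into the page. The following added example (Python standard library only; not TMG code and not a page shipped with the product) parses the query string from a redirect URL of the form shown above and renders the notification with every value HTML-escaped, treats CategoryId as a number and discards anything else, and shows the denied URL as text rather than a link. The parameter names OrigUrl, Category and CategoryId follow the example redirect URL on this page; the sample query strings are constructed, and the [OVERRIDEGUID] override button is omitted because this page does not describe the form it submits.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed examples of the query string that arrives after TMG substitutes the tokens
# into https://192.168.1.3/Default.aspx?OrigUrl=[DESTINATIONURL]&Category=[URLCATEGORYNAME]&CategoryId=[URLCATEGORYID]
SAMPLE_QUERY = "OrigUrl=http%3A%2F%2Fwww.example.com%2Fgames&Category=Games&CategoryId=45"
HOSTILE_QUERY = ("OrigUrl=http%3A%2F%2Fevil.example%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E"
                 "&Category=Games&CategoryId=45abc")


def parse_notification_query(query_string):
    """Return the three token values as plain strings (first value of each parameter)."""
    params = parse_qs(query_string, keep_blank_values=True)

    def first(name):
        values = params.get(name)
        return values[0] if values else ""

    category_id = first("CategoryId")
    # [URLCATEGORYID] is documented as a number; do not reflect anything else.
    if not category_id.isdigit():
        category_id = ""
    return {"orig_url": first("OrigUrl"), "category": first("Category"), "category_id": category_id}


def render_denial_page(query_string, admin_email="admin@contoso.com"):
    """Build the HTML shown to a user whose request was denied.

    Every reflected value passes through html.escape, and the denied URL is shown
    as text, never as an href, so a javascript: or other hostile URL cannot become
    a clickable link or break out of the markup.
    """
    fields = parse_notification_query(query_string)
    url_text = escape(fields["orig_url"], quote=True) or "(not supplied)"
    category = escape(fields["category"], quote=True) or "(unknown)"
    id_part = f" (ID {fields['category_id']})" if fields["category_id"] else ""
    mailto = escape(admin_email, quote=True)
    return "\n".join([
        "<!DOCTYPE html>",
        "<html><head><meta charset=\"utf-8\"><title>Access denied</title></head>",
        "<body>",
        "<h1>Access to this web site is blocked by policy</h1>",
        f"<p>Requested URL: <code>{url_text}</code></p>",
        f"<p>Category: {category}{id_part}</p>",
        f"<p><a href=\"mailto:{mailto}?subject=Access%20to%20web%20site%20denied\">"
        "Contact the system administrator</a></p>",
        "</body></html>",
    ])


if __name__ == "__main__":
    print(render_denial_page(SAMPLE_QUERY))
    print(render_denial_page(HOSTILE_QUERY))
```

Whatever server-side technology hosts Default.aspx, the same two rules apply: encode each token value for the HTML context it lands in, and never build a redirect or link target from [DESTINATIONURL] without validating it, or the denial page becomes an open redirector for the very sites the rule blocks.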

Enable or disable logging of a rule

With logging enabled, client requests that are allowed or denied by this rule will be saved in the applicable log.

Click the Action tab, and then select or clear the Log requests matching this rule check box.

Modify protocols for a rule

The access rule applies to IP traffic using the protocols selected here. A rule intended to allow web traffic will allow HTTP, and depending on your requirements, HTTPS and FTP.

  1. Click the Protocols tab, and for This rule applies to, select from the following:

    • To specify that the rule applies to web-related protocols only, select Selected protocols, and then click Add. In the Add Protocols dialog box, click to expand Web, select FTP, HTTP, and HTTPS, clicking Add after each, and then click Close.

      Note

      Do not select the protocols ending in "Server". These are used for web publishing and not for outbound access.

    • To specify that the rule applies to all protocols, select All outbound traffic.

    • To specify that this rule applies to all traffic except those protocols that you select, select All outbound traffic except selected, and then click Add. In the Add Protocols dialog box, select the required protocol, click Add, and then click Close.

      Note

      For information about creating and editing custom protocol definitions, see Configuring protocols.

  2. To allow traffic from a specific range of ports only, click Ports, and then select Limit access to traffic from this range of source ports. Type the range of source ports allowed in the From and To boxes.

  3. To allow traffic with specific HTTP characteristics only, click Filtering and select Configure HTTP. For information about creating an HTTP filter, see Configuring HTTP filtering.

Modify rule sources

Specify the source networks, computers, subnets and address ranges (or sets of each of these) that apply to this rule. URL categories apply only to destinations, on the To tab.

Click the From tab, and do one of the following:

  • To add a traffic source to the rule, click Add on the list This rule applies to traffic from these sources. In the Add Network Entities dialog box, select the traffic sources to which you want this rule to apply, click Add, and then click Close.

  • To specify exceptions to the rule, click Add on the Exceptions list, and then specify network entities to which this rule does not apply.

Modify rule destinations

Specify the destination networks, computers, subnets, address ranges and URL categories (or sets of each of these) that apply to this rule.

Click the To tab, and do one of the following:

  • To add a traffic destination to the rule, click Add on the list This rule applies to traffic sent to these destinations. In the Add Network Entities dialog box, select the destinations to which you want this rule to apply, click Add, and then click Close.

  • To specify exceptions to the rule, click Add on the Exceptions list, and then specify network entities to which this rule does not apply.

Modify authentication requirements for a rule

The access rule applies to the user sets listed in the Users tab.

Click the Users tab and do one of the following:

  • To specify that the rule is anonymous and that users are not required to authenticate for the rule, ensure that All Users appears in the user sets list.

  • To add a user set to the rule, click Add, and then select the following on the Add Users dialog box:

    • To specify that access should only be granted to users that can authenticate successfully, select All Authenticated Users.

    • To specify anonymous access, select All Users.

    • You can also select a custom user group if one has been created. For more information, see Configuring user sets.

  • To specify exceptions to the rule, click Add on the Exceptions list, and then specify users that are exempt from the user authentication requirements for the rule.

    Note

    • When you set a rule to require authentication, users are authenticated according to the web proxy authentication method for the source network specified on the From tab of the rule.

    • If the web proxy properties of the source network are set to require authentication, this setting will take precedence over authentication settings on a specific rule. For more information, see Planning for web access authentication.

    • If authentication is required on a rule, users who cannot present authentication credentials will be denied access, as well as users who present credentials that fail the authentication process.

Modify the schedule for a rule

Specify when to apply this rule.

Click the Schedule tab, and on the Schedule list, select one of the following:

  • Always, to specify that the rule is always applicable.

  • Weekends, to specify that the rule applies only on Saturday and Sunday.

  • Work hours, to specify that the rule is active from Monday to Friday, from 9:00 until 17:00.

Note

  • You can edit the days and times of these default schedules, or create new ones. For more information about creating and editing schedules, see Configuring schedules.

  • When you modify a rule so that it will be applied only at specific times (by configuring the schedule), the modified rule is applied only to new connections. Traffic from existing connections will continue to pass, even if it is not at an allowed time.

Modifying content types for a rule

You can use this to specify the content types that apply to a rule.

  1. Click the Content Types tab.

  2. Click Selected content types and select the appropriate content type sets from the Content types list.

  3. To view the MIME and file types included in a particular content type set, do the following:

    1. Select the content type set, and then click Details.

    2. Click the Content Types tab of the Application Properties window, and review the Selected types list.

    3. To add a MIME or file type to the Selected types list, select it from the Available types list.

    4. When finished, click OK.

  4. To define a new content type, click New and then specify settings for the content type.

    Note

    For more information about content types, see Configuring content types.

Modify malware inspection settings for a rule

Specify whether content downloaded from web servers should be scanned for malware, and modify rule-specific malware inspection options.

  1. Click the Malware Inspection tab.

  2. To enable malware inspection for traffic allowed by this rule, select Inspect content downloaded from web servers to clients.

  3. While it is recommended that you keep the default settings, you can set malware inspection options for this rule that are different than those set globally. To do so, click Use rule specific settings for malware inspection. Then click Rule Settings to fine-tune malware inspection block thresholds and other options for this rule. Note the following:

    • When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. An HTML page is issued to notify the user that the file has been blocked.

    • The setting Block suspicious files is designed to block files that appear to be infected with unknown malware.

    • The setting Block corrupted files is turned off by default. Turning on this setting may cause a false positive and block files that are not actually harmful.

    • The setting Block files if archive depth level exceeds is designed to block malware that arrives in archives with deep nesting to avoid detection.

    • The setting Block archive files if unpacked content is larger than (MB) blocks decompression bombs: small archive files that expand to a very large size when unpacked, which can exhaust the resources of the inspection engine.
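The two archive thresholds above, as an added example that is not part of this page and not the product's inspection engine: a Python walker over zip archives that enforces a maximum nesting depth and a maximum unpacked size. It counts bytes as they are actually decompressed rather than trusting the sizes declared in the archive headers, which a crafted archive can understate, and it treats an unparseable archive according to a block_corrupted flag that, like Block corrupted files, is off by default. The threshold values, the helper functions that construct the sample archives in memory, and the use of zip as the only archive format are assumptions made for the example.

```python
import io
import zipfile


class ArchiveBlocked(Exception):
    """Raised when an archive trips one of the rule-specific thresholds."""


def _walk(data, depth, max_depth, max_unpacked, state):
    """Recursively decompress `data`, enforcing depth and cumulative size limits."""
    if depth > max_depth:
        raise ArchiveBlocked(f"archive nesting depth {depth} exceeds {max_depth}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        if state["block_corrupted"]:
            raise ArchiveBlocked(f"corrupted archive at depth {depth}")
        return  # "Block corrupted files" is off: pass the file through
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            nested = info.filename.lower().endswith(".zip")
            buf = io.BytesIO() if nested else None
            with archive.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    # Count real decompressed bytes; declared file_size may lie.
                    state["unpacked"] += len(chunk)
                    if state["unpacked"] > max_unpacked:
                        raise ArchiveBlocked(f"unpacked content exceeds {max_unpacked} bytes")
                    if buf is not None:
                        buf.write(chunk)
            if nested:
                _walk(buf.getvalue(), depth + 1, max_depth, max_unpacked, state)


def inspect_archive(data, max_depth=3, max_unpacked_mb=2, block_corrupted=False):
    """Return ("allowed", detail) or ("blocked", reason) for a downloaded archive."""
    state = {"unpacked": 0, "block_corrupted": block_corrupted}
    try:
        _walk(data, 1, max_depth, max_unpacked_mb * 1024 * 1024, state)
    except ArchiveBlocked as exc:
        return ("blocked", str(exc))
    return ("allowed", f"{state['unpacked']} bytes unpacked")


# Helpers that build constructed sample archives in memory.
def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(levels):
    """Wrap a one-file zip inside `levels - 1` further zips."""
    data = make_zip({"leaf.txt": b"hello"})
    for _ in range(levels - 1):
        data = make_zip({"inner.zip": data})
    return data


if __name__ == "__main__":
    print(inspect_archive(nest(4)))                                        # blocked: depth
    print(inspect_archive(make_zip({"zeros.bin": b"\0" * (3 * 1024 * 1024)})))  # blocked: size
    print(inspect_archive(make_zip({"a.txt": b"hello"})))                   # allowed
```

The size check is cumulative across every member and every nesting level, so an archive that splits a bomb into many small members, or hides it a few levels down, is still stopped at the same byte budget.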

Concepts

Enabling access to the Internet