Planning Web access policy

Microsoft Forefront Threat Management Gateway helps you to create a comprehensive Web access policy for your organization. A Web access policy specifies the following:

  • Which computers can access the Internet. For example, you can specify that a set of computers has no Internet access.
  • Which users are allowed Internet access. For example, you can allow one set of users to access the Internet but block others.
  • Which Internet sites are specifically allowed or blocked. For example, you can block access to a specific site for everyone. Alternatively, you may want to allow only managers to access all sites and allow all other employees access to work-related sites only.
  • Times at which specific Web destinations are available.
  • How Internet traffic is filtered and scanned. Forefront TMG filters and inspects HTTP traffic that passes through it. You can specify that HTTP traffic should be scanned for malware content, and you can configure application-layer HTTP filtering that examines HTTP commands and data.

The Forefront TMG Web access policy consists of the following:

  • A set of access rules that control how client requests for Web resources located in other networks are handled.
  • A number of global configuration settings that determine how Web traffic is handled.

For instructions about configuring a Web access policy, see Configuring Web access.

Controlling computer access to the Internet

Every access rule specifies a source and a destination. You specify which computers are allowed to access the Internet with the source setting. For example, if a rule specifies the default Internal network as the source, then all users from that network can make Web requests. Alternatively, you can specify a computer or set of computers, IP addresses, or a subnet as the source of the rule. A rule matches only requests that come from the source it specifies.

Controlling user access to the Internet

You can allow all users from a specified source to access the Internet, or limit access to specific users. Differentiated user access provides you with granular control of Internet access, and it allows you to track user access in the logs. You control user access by means of user authentication. You can require all Web proxy requests received on a specific network to be authenticated, or you can configure specific access rules to require user authentication. For more information, see About Web access authentication.

Web proxy clients can provide credentials for authentication using a number of authentication methods, including Basic, Digest, WDigest, and Integrated NTLM. For more information, see About authentication methods. Internal clients using Basic, Digest, WDigest, or Integrated authentication can authenticate against an Active Directory domain controller. In addition, clients using Basic authentication can authenticate against a RADIUS server. For more information, see Overview of client authentication.

When you configure an initial Web access policy using the Web Access Policy Wizard, you can only configure user authentication requirements if the Forefront TMG server is a member of an Active Directory domain. If Forefront TMG is installed in a workgroup and you want to use RADIUS authentication, you must configure user authentication on rules after running the wizard. For more information, see Configuring RADIUS authentication for Web requests.

Controlling Internet destinations

Each access rule allows or denies access to specific destinations. The destination can be an entire network, specific computers or IP address ranges, or domain names and URLs. When you create a Web access policy using the Web Access Policy Wizard, you can restrict and allow access to specific Web destinations.

Controlling access times

Each access rule specifies a schedule that indicates when the rule is applied. For example, you can create a rule allowing some employees Internet access at all times, but you can restrict other users' access to evening and weekend hours. When you run the Web Access Policy Wizard to create a Web access policy, the rules automatically created have no time restriction imposed. After running the wizard, you can modify these rules to control Web access for specific times.

Filtering and scanning

By default, Web requests are handled by the Forefront TMG Web proxy filter, which provides application-layer inspection and caching. In addition, you can configure malware scanning and HTTP filtering for Web requests. HTTP filtering provides the HTTP application-layer filter, which examines HTTP commands and data. Malware inspection scans HTTP traffic for malware such as worms, viruses, and spyware. When you configure a Web access policy using the Web Access Policy Wizard, you can enable the malware inspection feature and specify that it should apply to the rules created automatically with the wizard. HTTP filtering is not configured with the wizard. After running the wizard, you can modify HTTP filtering properties for each rule. For more information, see Overview of malware inspection and Configuring HTTP filtering.

Access rule ordering

The order in which access rules appear in the rules list affects how the Web access policy is evaluated. Rules are evaluated from first to last, and the first matching rule decides the request. For example, if a rule higher in the list allows unrestricted access to the Internet and a rule lower in the list denies access to www.contoso.com, the second rule is never evaluated, and requests to www.contoso.com are always allowed. For more information about ordering rules, see Firewall policy best practices.
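The following Python model is an added illustration of the rule elements described in the sections above (source, users, destination, schedule) and of the first-to-last evaluation order discussed here. It is not Forefront TMG code and does not use the Forefront TMG API; the rule names, networks, user names, host names and timestamps are constructed for the example. Besides evaluating a request against an ordered list, it includes a conservative check that reports rules an earlier rule makes unreachable, which is the misordering the text warns about.

```python
"""Simplified first-match model of a Web access policy.

Added example: this is not Forefront TMG code and does not use its API.
The field names, networks, users, host names and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    sources: list                      # client networks in CIDR notation
    destinations: list                 # host names, or ["*"] for any destination
    users: Optional[set] = None        # None: any user (no authentication required)
    schedule: Optional[tuple] = None   # (weekdays, start_hour, end_hour); None: always


@dataclass
class Request:
    client_ip: str
    host: str
    user: Optional[str]                # None when the client did not authenticate
    when: datetime


def matches(rule: Rule, req: Request) -> bool:
    """True when every condition of the rule applies to the request."""
    if not any(ip_address(req.client_ip) in ip_network(s) for s in rule.sources):
        return False
    if "*" not in rule.destinations and req.host not in rule.destinations:
        return False
    if rule.users is not None and req.user not in rule.users:
        return False
    if rule.schedule is not None:
        days, start, end = rule.schedule
        if req.when.weekday() not in days or not start <= req.when.hour < end:
            return False
    return True


def evaluate(rules, req: Request):
    """The first matching rule decides; a request matching no rule is denied."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", "<default deny>"


def subsumes(earlier: Rule, later: Rule) -> bool:
    """True when every request that matches `later` already matches `earlier`."""
    dest_ok = "*" in earlier.destinations or set(later.destinations) <= set(earlier.destinations)
    src_ok = all(any(ip_network(l).subnet_of(ip_network(e)) for e in earlier.sources)
                 for l in later.sources)
    users_ok = earlier.users is None or (later.users is not None and later.users <= earlier.users)
    sched_ok = earlier.schedule is None or earlier.schedule == later.schedule
    return dest_ok and src_ok and users_ok and sched_ok


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(subsumes(earlier, later) for earlier in rules[:i])]


INTERNAL = ["10.0.0.0/8"]              # constructed "Internal" network
WEEKEND = ({5, 6}, 0, 24)              # Saturday and Sunday, all hours

# The misordering described in the text: the allow-all rule hides the deny.
MISORDERED = [
    Rule("Allow all", "allow", INTERNAL, ["*"]),
    Rule("Block contoso", "deny", INTERNAL, ["www.contoso.com"]),
]

# A corrected policy: the specific deny first, then differentiated allows.
ORDERED = [
    Rule("Block contoso", "deny", INTERNAL, ["www.contoso.com"]),
    Rule("Managers all sites", "allow", INTERNAL, ["*"], users={"alice"}),
    Rule("Staff work-related sites", "allow", INTERNAL, ["intranet.example.com"]),
    Rule("Staff weekends", "allow", INTERNAL, ["*"], schedule=WEEKEND),
]

MONDAY_10AM = datetime(2010, 3, 1, 10)     # constructed timestamps
SATURDAY_10AM = datetime(2010, 3, 6, 10)

if __name__ == "__main__":
    req = Request("10.1.2.3", "www.contoso.com", "bob", MONDAY_10AM)
    print("misordered:", evaluate(MISORDERED, req), "shadowed:", shadowed_rules(MISORDERED))
    print("ordered:", evaluate(ORDERED, req), "shadowed:", shadowed_rules(ORDERED))
```

The evaluator denies by default, so a request that matches no rule is refused, and the shadow check only reports a rule when every one of its conditions is covered by an earlier rule; it stays silent on partial overlaps, which is the safe direction for a linting aid.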