Enabling a network to receive Web proxy requests
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic provides instructions for configuring an internal or perimeter network to listen for Web proxy requests. A Web proxy client is an application or computer that sends requests to the TCP port on which a Forefront TMG network listens for outbound Web requests. By default, Forefront TMG listens for such requests on port 8080 of the default Internal network. Typically, dclients are Web browsers. For more information, see Internal and perimeter network properties and About firewall client computers.
Configuring a network to receive Web proxy requests consists of the following:
Enabling Web proxy requests on the network and specifying a port on which the network listens for such requests.
Optionally, specifying a custom limit for concurrent Web proxy connections on the network. A default of no limit is specified.
If all clients located on the network are required to authenticate for Web proxy access, configuring an authentication method.
Configuring network properties
Where to start. To open the network properties, in the Forefront TMG Management console, in the tree, click the Networking node. On the Networks tab, right-click the required network, and then click Properties.
To enable Web proxy requests on a network
On the Web Proxy tab of the network properties, select Enable HTTP.
In HTTP port, specify a port on which the network should listen for HTTP requests. By default, Forefront TMG listens for such requests on port 8080. You cannot configure Web proxy requests to connect to Forefront TMG using SSL. The Enable SSL setting is only used to chain requests securely over HTTPS to an upstream Web server.
To limit concurrent Web proxy connections on a network
On the Web Proxy tab of the network properties, click Advanced.
In the Advanced Settings dialog box, select Unlimited to specify that there is no limit on concurrent Web proxy connections.
In Maximum per server, type in a limit for concurrent Web proxy connections allowed on the network, and then type a value in Connection timeout to indicate how many seconds elapse before inactive connections are disconnected.
To require authentication for all Web proxy requests
On the Web Proxy tab of the network properties, click Authentication.
In the authentication methods list, select an appropriate authentication method.
Note
Digest, Integrated, or Basic authentication requires Forefront TMG and clients making the request to be domain members. For more information, see Planning for web access authentication.
Note
SSL certificate authentication is only used when chaining Web proxy requests to an upstream Web proxy. Clients making Web proxy requests to Forefront TMG cannot present an SSL certificate.
Select Require all users to authenticate to specify that every request handled by the Web proxy filter requires authentication. With this setting in place, no anonymous requests are allowed, and user credentials are requested and validated before Web access rules are evaluated.
Note
With this setting enabled, clients that cannot present credentials or who fail validation will be denied access.
Note
Selecting this setting may block traffic to sites, such as Microsoft Updates, that do not support user authentication.
Note
If you select this setting and do not select an authentication method, client requests will fail.
Click Select Domain to specify the domain to which authenticated users belong.
Click RADIUS servers if you want to use a RADIUS server to authenticate users making outbound Web requests. On the RADIUS server dialog box, specify the server details. https://technet.microsoft.com/en-us/library/dd877963(v=technet.10)