Configuring Web proxy chaining

Web proxy chaining is implemented with Web chaining rules, on the Web Chaining tab of the Networks node in Forefront TMG Management.

When you install Microsoft Forefront Threat Management Gateway, a default Web chaining rule is configured. This rule is initially configured so that all requested objects are retrieved from the Internet and not redirected to an upstream server. You can modify the properties of this rule, but you cannot delete it.

You create a Web chaining rule by using the New Web Chaining Rule wizard. After creating the rule, you can modify it and define additional properties. The following table summarizes the settings that you specify when creating a Web chaining rule.

Wizard Page Value


Specify a unique name for the rule.

Web Chaining Rule Destination

Specify the network, IP addresses, URLs, domains, or other Forefront TMG network objects for which you want to route requests. For example, to specify that all Internet requests are routed to an upstream server, specify the destination as the External network.

Request Action

Specify how requests are routed:

  • Retrieve requests directly from the specified destination. Specifies that requests are forwarded directly to the destination. No upstream proxy is used.
  • Redirect requests to a specified upstream server. Indicates that requests are forwarded to an upstream server. Select Allow delegation of basic user credentials if Web proxy settings and access rules on the upstream server are configured to authenticate specific users for Web access. With this setting enabled, the client performs Basic authentication with the downstream proxy, and then the Basic credentials are delegated to the upstream server.
  • Redirect requests to. Specifies that requests are forwarded to another site. For example, use this setting to redirect all requests for unauthorized resources to a specific Web site. You specify the site and the port for the connection. Select SSL if a secure connection is required between the downstream Forefront TMG computer and the site.
  • Use automatic dialup. Specify that an automatic dial-up entry is used for the connection. You can select this option only if a dial-up entry is configured on the computer. The default dial-up entry will be used.

Primary Route

Specify settings for the primary route, as follows:

  • Server. Specify the fully qualified domain name (FQDN) of the upstream server or an IP address.
  • Port. Specify the port to use when connecting to the upstream server.
  • SSL port. Specify an SSL port to configure a secure connection with the upstream server.
  • Use this account. Specify the account that is used to authenticate the downstream server as a Web proxy client to the upstream server. Authentication is required if Web proxy settings on the upstream server network have Require all users to authenticate enabled, or if access rules on the upstream server require client authentication. In Authentication, select either Integrated Windows authentication (NTLM), or use Basic authentication. If you use Basic authentication, it is recommended that you use a secure SSL connection for the traffic.

Backup Action

If you specify that requests handled by the rule are routed to an upstream server and you have an alternative route to the Internet, you can specify a backup route if the primary upstream server is unavailable. Forefront TMG polls the upstream server at regular intervals to check that the route is available. Configure backup settings to do the following if the upstream server is unavailable:

  • Ignore requests. If the upstream server is unavailable, ignore and drop the request.
  • Retrieve requests directly from the specified location. If the upstream server is unavailable, forward the request directly to the specified destination.
  • Route requests to an upstream server. If the primary upstream server is unavailable, redirect the request to an alternative upstream server.
  • Use automatic dialup. Specify that an automatic dial-up entry is used for the backup route.

Backup Routing

If you have configured a secondary upstream server as the backup route, specify the properties for the backup server. These are the same as the properties that you specify on the Primary Route page.

After creating a Web chaining rule with the wizard, you can configure an additional setting in the property pages of the rule.

Property Page Value


Enable. Select or clear this setting to enable or disable the rule.

After configuring Web chaining rules, you must configure access rules on the downstream server to allow traffic to access sites specified in Web chaining rules.