Configuring user sets

Microsoft Forefront Threat Management Gateway provides a number of predefined user sets that cannot be modified, but you can create new user sets for use in firewall policy rules.

Creating a user set

  1. In the Forefront TMG Management console tree, click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.
  3. On the toolbar beneath Users, click New.
  4. When the New User Set Wizard starts, follow the on-screen instructions.

Modifying a user set

  1. In the Forefront TMG Management console tree, click Firewall Policy.
  2. On the Toolbox tab, click Network Objects.
  3. Click to expand Users, and double-click the user set.
  4. In the user set property pages, modify the required settings.

Note the following:

  • For Windows user sets you can specify any user or group. For RADIUS, SecurID and LDAP user sets you can specify either all users in the namespace or a specific user. If you specify all users in a namespace, the rule will be applied for any user who successfully authenticates to the RADIUS, SecurID, or LDAP server.
  • For outbound client requests, only Windows and RADIUS authentication is supported. SecurID and LDAP servers are supported only for incoming requests handled by Web publishing rules.

When RADIUS or SecurID authentication is used, Forefront TMG compares the credentials passed by the user with the string specified on the Users tab of a rule's properties. For example, if you apply a rule to a user set that includes only Domain\User and the user types credentials as User@Domain, the rule is not applied.
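
The following audit helper is an added example, not part of the original documentation or of Forefront TMG. It takes the entries of a RADIUS or SecurID user set, supplied as plain strings, and reports accounts listed in only one of the two forms, so you can see which typed form would not match the rule. The function names, the CONTOSO sample entries, and the assumption that both forms use the same domain label (as in the Domain\User and User@Domain example above) are hypothetical.

```powershell
# Requires PowerShell 3.0 or later. All entries below are constructed samples.
$sampleEntries = @(
    'CONTOSO\alice',   # listed in both forms
    'alice@CONTOSO',
    'CONTOSO\bob',     # Domain\User only
    'carol@CONTOSO'    # User@Domain only
)

function ConvertTo-AccountParts {
    param([Parameter(Mandatory = $true)][string]$Entry)
    if ($Entry -match '^(?<domain>[^\\@]+)\\(?<user>[^\\@]+)$') {
        $form = 'Domain\User'
    } elseif ($Entry -match '^(?<user>[^\\@]+)@(?<domain>[^\\@]+)$') {
        $form = 'User@Domain'
    } else {
        return   # neither form (for example an unqualified name): not checked
    }
    [pscustomobject]@{
        Entry  = $Entry
        Form   = $form
        Domain = $Matches.domain
        User   = $Matches.user
        # Case is folded only to group entries for the same account; the page
        # does not say whether the comparison itself is case-sensitive.
        Key    = ('{0}|{1}' -f $Matches.domain, $Matches.user).ToLowerInvariant()
    }
}

function Get-UserSetFormatGap {
    param([Parameter(Mandatory = $true)][string[]]$Entries)
    $Entries | ForEach-Object { ConvertTo-AccountParts -Entry $_ } |
        Group-Object -Property Key | ForEach-Object {
            $members = $_.Group
            $forms = @($members | ForEach-Object { $_.Form } | Select-Object -Unique)
            if ($forms.Count -eq 1) {
                # Only one form is listed: build the other form for the report.
                $a = $members[0]
                $missing = if ($a.Form -eq 'Domain\User') {
                    '{0}@{1}' -f $a.User, $a.Domain
                } else {
                    '{0}\{1}' -f $a.Domain, $a.User
                }
                [pscustomobject]@{ Listed = $a.Entry; TypedFormNotCovered = $missing }
            }
        }
}

Get-UserSetFormatGap -Entries $sampleEntries | Format-Table -AutoSize
```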