Bypassing Forefront TMG for Web proxy client requests

Applications making requests as Web proxy clients can bypass the Web proxy filter and directly access resources. Typically, this is required to allow clients to access resources located in their local network or to allow clients to access external Web sites without going through Forefront TMG. Web proxy clients can be configured for direct access as follows:

  • Client browsers that do not use automatic detection by means of an automatic configuration script or a Web Proxy Automatic Discovery (WPAD) entry must be configured manually for direct access. For more information about automatic detection, see About automatic discovery.
  • Client browsers configured to use a Forefront TMG automatic configuration script can obtain direct access information.

If a request that bypasses the Web proxy filter is for resources that are not in the client network, you can configure the client as either a SecureNAT client or Firewall client. This allows Forefront TMG to handle the request and to apply traffic inspection and filtering.

Configuring direct access for Web proxy clients not using automatic detection

This procedure assumes Windows Internet Explorer as the Web browser. To configure Web browsers to use the automatic configuration script, do the following.

To configure Web browsers to use the automatic configuration script

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.

  2. Click the Connections tab, and then click LAN Settings.

  3. Select the Bypass proxy server for local addresses check box to configure the browser not to forward requests for host names (for example, https://webserver) to the Web proxy filter. This option applies only to single-label names. Names or addresses that contain a period (.), such as IP addresses or fully qualified domain names, are forwarded to the Web proxy filter. These types of entries should be specified in the Exceptions list, as follows:

    • Click Advanced, and then in the Exceptions list, type in the domain name or IP address you do not want handled by the Web proxy filter.

Configuring direct access for Web proxy clients using automatic detection

Direct access settings configured in Forefront TMG are delivered to clients in an automatic configuration script every six hours. Internet Explorer can specify the static location of the script or use the WPAD protocol in order to discover a server on which the configuration script is located. For instructions about configuring clients, see Configuring Web browsers for automatic detection. Direct access settings are configured in the Forefront TMG Management console, as follows.

To configure direct access settings

  1. In the Forefront TMG Management console, click Networking.

  2. On the details pane, click the Networks tab.

  3. Right-click the required internal or perimeter network, and then click Properties.

  4. On the Web Browser tab, do one of the following:

    • Select Bypass proxy for Web servers in this network to specify that Web proxy clients should bypass the Web proxy filter for Web servers located in the client network.
    • Select Directly access computers specified in the Domains tab to allow Web proxy clients to bypass the Web proxy filter for destinations specified on the Domains tab.
    • Select Directly access computers specified in the Addresses tab to allow Web proxy clients to bypass the Web proxy filter for destinations on the Addresses tab. By default, the Addresses tab contains the IP address range of the network.
    • Select Add to specify an IP address range, domain, or computer to access directly. To remove an entry from the Directly access these servers or domains list, select it, and then click Remove. To modify an entry on the list, select it, and then click Edit.
    • Select Direct Access to specify that Web proxy clients should bypass the Web proxy filter if Forefront TMG is unavailable.

Configuring domains for direct access

To configure a domain for direct access

  1. In the Forefront TMG Management console, click Networking.

  2. On the details pane, click the Networks tab.

  3. Right-click the required internal or perimeter network, and then click Properties.

  4. On the Domains tab, do one or more of the following:

    • To add an entry, click Add, and then type in a domain for direct access. Repeat for each domain you want to add.
    • To remove an entry, in the Domain names list, click the entry you want to remove, and then click Remove.
    • To modify an entry, in the Domain names list, click the entry you want to modify, and then click Edit.
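
The following added example (not Forefront TMG's generated script, and not code from this page) models how the Web Browser tab options and the Domains tab entries described above combine into a PAC-style decision, so you can review which destinations skip the Web proxy filter. The proxy name, domain entries, address range, and wildcard matching rule are constructed assumptions.

```javascript
// Constructed settings (assumptions, not values from any real Forefront TMG deployment).
const settings = {
  proxy: "tmg.corp.example:8080",   // hypothetical Web proxy listener
  bypassLocalNames: true,           // "Bypass proxy for Web servers in this network",
                                    // modelled here as single-label names (assumption)
  directDomains: ["*.corp.example", "intranet.partner.example"], // Domains tab
  directRanges: [["10.0.0.0", "10.0.255.255"]],                  // Addresses tab
  directIfProxyDown: true,          // "Direct Access" fallback option
};

// Convert dotted IPv4 text to an unsigned 32-bit number, or null if it is not IPv4.
function ipToInt(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// "*.corp.example" matches hosts under corp.example; other entries match exactly.
function domainMatches(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Same role as a PAC FindProxyForURL: returns a PAC result string for a host.
function findProxyForHost(host, cfg = settings) {
  if (cfg.bypassLocalNames && !host.includes(".")) return "DIRECT";
  if (cfg.directDomains.some((p) => domainMatches(host, p))) return "DIRECT";
  const ip = ipToInt(host);
  const inRange = ([lo, hi]) => ip >= ipToInt(lo) && ip <= ipToInt(hi);
  if (ip !== null && cfg.directRanges.some(inRange)) return "DIRECT";
  // Proxied destination; a trailing DIRECT means unfiltered access if the proxy is down.
  return `PROXY ${cfg.proxy}` + (cfg.directIfProxyDown ? "; DIRECT" : "");
}

// Audit helper: hosts from a sample that would never reach the Web proxy filter.
function uninspectedHosts(hosts, cfg = settings) {
  return hosts.filter((h) => findProxyForHost(h, cfg) === "DIRECT");
}
```

A result that ends in "; DIRECT" shows the effect of the Direct Access option: the destination is normally filtered, but the client connects without inspection whenever the proxy cannot be reached.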