Bypassing Forefront TMG for firewall client requests

Microsoft Forefront Threat Management Gateway is designed to handle communications between different networks. Usually, clients on a specific network should not traverse Forefront TMG to reach hosts located in the same network. Instead, direct access should be used.

Direct access enables Firewall client computers to do the following:

  • Bypass the Microsoft Firewall Client configuration and connect directly to resources.
  • Make Web proxy requests that bypass the Web proxy filter.

This allows Firewall clients to access resources located in their local network without going through Forefront TMG and allows clients to make Web requests without going through Forefront TMG as a proxy.

Whenever a Winsock application running on a Firewall client computer attempts to send a request, Firewall Client software determines whether the destination is local. Local requests are sent directly to the destination. Requests for remote destinations are sent to the Firewall service on a Forefront TMG server and are handled in accordance with access rules. By default, Firewall Client considers the following addresses as local:

  • All domain suffixes specified on the Domains tab in the properties of the client network. This list comprises a local domain table (LDT).
  • All addresses on the client network. Forefront TMG supplies network address range to all Firewall clients in the network according to the addresses defined on the Addresses tab of the network properties. These IP address ranges are stored in memory by the Firewall Client Agent.
  • All addresses specified in the local routing table on the Firewall client computer.
  • All IP addresses contained in a local address table (LAT) file - Locallat.txt - created on the Firewall client computer.

The LDT, together with other Firewall client settings configured on Forefront TMG, are pushed to clients during Firewall client installation, when a manual refresh is specified on the client, or every six hours.

Creating a Local Domain Table

  1. In the Forefront TMG Management console, click Networking.
  2. On the details pane, click the Networks tab.
  3. Right-click the required network, and then click Properties.
  4. On the Domains tab, do the following:
    • Click Add to specify a domain that Firewall clients on the network should access directly. In the Domain Properties dialog box, type in the Fully Qualified Domain Name (FQDN) for the domain. Click OK to close the dialog box.
    • To remove a domain from direct access, select the domain in the Domain names list, and then click Remove.
    • To edit an existing domain name, select the domain in the Domain names list, and then click Edit.

Creating a LocalLAT.txt file

  1. On the Firewall client computer, navigate to the following folders:
    • In Windows XP, create the file in the \Documents and Settings\All Users\Application Data\Microsoft\Firewall Client 2004 folder.
    • In Windows Vista, create the file in the \ProgramData\Microsoft\Firewall Client 2004 folder.
  2. Create a new text file named LocalLAT.txt.
  3. In the file, enter the IP address range pairs for direct access. Each address pair defines either a range of IP addresses or a single IP address. The following example shows a Locallat.txt file that has two entries. The first entry is an IP address range, and the second entry is a single IP address.
  4. Save and close the file.
  5. Open the Computer Management snap-in. Do this in Windows Vista as follows:
    • Click Start, right-click Computer, and then click Management.
    • Double-click Services and Applications. Then click Services.
    • Right-click the Firewall Client Agent service, and then click Restart.

Any software deployment method, such as Group Policy, can be used to deliver LocalLAT.txt to Firewall clients.

Web proxy applications running on Firewall client computers can bypass the Web proxy filter and directly access resources. For Web proxy applications using automatic proxy detection, you can specify direct access settings in the Forefront TMG Management console and push them to clients. For Web proxy applications that do not use automatic detection, you specify direct access settings in the application. Requests that bypass the filter and are not considered local are forwarded as Firewall client requests to Forefront TMG, and traffic inspection and filtering is applied.