Share via


System policy rules

Microsoft Forefront Threat Management Gateway system policy rules are a set of predefined access rules that control access to and from the Local Host network (the Forefront TMG server) to other networks. Some system policy rules are enabled by default to allow traffic that is necessary for managing the Forefront TMG environment. For more information, see About system policy. The following table lists the default system policy rules.

List order Name System policy group Protocols Source Destination Details

1

Allow access to directory services for authentication purposes

Authentication Services

LDAP

LDAP (UDP)

LDAP GC (global catalog)

LDAPS

LDAPS GC (Global Catalog)

Local Host

Internal

If Forefront TMG is not a domain member, this rule can be disabled.

2

Allow remote management from selected computers using MMC

Remote Management

Microsoft Firewall Control

NetBIOS datagram

NetBIOS Name Service

NetBIOS Session

RPC (all interfaces)

Remote Management Computers

Local Host

If you do not need a remote MMC connection to the Forefront TMG computer, this rule can be disabled. When this rule is enabled, RPC traffic is allowed to the Local Host network. However, by default, DCOM traffic is blocked by the RPC filter.

Remote management computers must be added to the predefined Remote Management Computers computer set.

3

Allow remote management from selected computers using Terminal Server

Remote Management

RDP (Terminal Services)

Remote Management Computers

Local Host

If you do not need remote desktop management of the Forefront TMG computer, disable this rule. Remote management computers must be added to the predefined Remote Management Computers computer set.

4

Allow remote management from selected computers using a Web application

Remote Management

Forefront TMG Web Management

Remote Management Computers

Local Host

If you do not need remote management from a Web application, disable this rule. Remote management computers must be added to the predefined Remote Management Computers computer set.

5

Allow remote logging to trusted servers using NetBIOS (disabled by default)

Remote Logging

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Local Host

Internal

Enable this rule if you are logging on to a remote SQL server.

6

Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers

Authentication Services

RADIUS

RADIUS Accounting

Local Host

Internal

If you are not using RADIUS authentication, disable this rule. If you are, limit the destination to the IP address of the RADIUS server.

7

Allow Kerberos authentication from Forefront TMG to trusted servers

Authentication Services

Kerberos-Sec (TCP)

Kerberos-Sec (UDP)

Local Host

Internal

If you are not authenticating clients, disable this rule.

8

Allow DNS from Forefront TMG to selected servers

Network Services

DNS

Local Host

All Networks (and Local Host)

This rule must be enabled for Forefront TMG to perform DNS queries.

9

Allow DHCP requests from Forefront TMG to all networks

Network Services

DHCP (request)

Local Host

Anywhere

If the Forefront TMG computer does not need to be a DHCP client, disable this rule.

10

Allow DHCP replies from DHCP servers to Forefront TMG

Network Services

DHCP (reply)

Internal

Local Host

If the Forefront TMG computer does not need to be a DHCP client, disable this rule. If the DHCP server is not in the Internal network, change the Source property.

11

Allow ICMP (PING) requests from selected computers to Forefront TMG

Diagnostic Services

Ping

Remote Management Computers

Local Host

Any computer that must ping the Forefront TMG computer must be included in the Remote Management Computers computer set.

12

Allow ICMP requests from Forefront TMG to selected servers

Diagnostic Services

ICMP Information Request

ICMP Timestamp

Ping

Local Host

All Networks (and Local Host Network)

This rule must be enabled to allow Forefront TMG to perform network management tasks.

13

Allow VPN client traffic to Forefront TMG (disabled by default)

This system policy rule is not modified through the system policy editor.

PPTP

External

Local Host

This rule is enabled automatically by Forefront TMG when you enable VPN traffic in Forefront TMG Management.

14

Allow VPN site-to-site traffic to Forefront TMG (disabled by default).

This system policy rule is not modified through the system policy editor.

None

External

IPSec Remote Gateways

Local Host

This rule is enabled automatically by Forefront TMG when you create a site-to-site network in Forefront TMG Management.

15

Allow VPN site to site traffic from Forefront TMG (disabled by default)

This system policy rule is not modified through the system policy editor.

None

Local Host

External

IPSec Remote Gateways

This rule is enabled automatically by Forefront TMG when you create a site-to-site network in Forefront TMG Management.

16

Allow Microsoft CIFS from Forefront TMG to trusted servers

Authentication Services

Microsoft CIFS (TCP)

Microsoft CIFS (UDP)

Local Host

Internal

If you do not need to access file shares from the Forefront TMG computer, disable this rule.

17

Allow remote SQL logging from Forefront TMG to selected servers (disabled by default)

Remote Logging

Microsoft SQL (TCP)

Microsoft SQL (UDP)

Local Host

Internal

Enable this rule if you are logging to a remote SQL server

18

Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads) (disabled by default)

Authentication Services

HTTP

Local Host

All Networks (and Local Host)

Enable this rule to allow the Forefront TMG to access certificate revocation lists. This is required if you are bridging the SSL connection on the Forefront TMG computer. Configure the destination to specify only the network from which the CRL is downloaded.

19

Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers (disabled by default)

Diagnostic Services

HTTP

HTTPS

Local Host

All Networks (and Local Host Network)

This rule is enabled automatically when you create a connectivity verifier.

20

Allow remote performance monitoring of Forefront TMG from trusted servers (disabled by default)

Remote Monitoring

NetBIOS Datagram

NetBIOS Name Service

NetBIOS Session

Remote Management Computers

Local Host

Enable this rule to allow remote performing monitoring of Forefront TMG.

21

Allow NetBIOS from Forefront TMG to trusted servers

Diagnostic Services

NetBIOS datagram

NetBIOS Name Service

NetBIOS Sessions

Local Host

Internal

If you do not plan to access file shares from the Forefront TMG computer, disable this rule.

22

Allow RPC from Forefront TMG to trusted servers

Authentication Services

RPC (all interfaces)

Local Host

Internal

If you do not need to connect from the Forefront TMG computer to other servers using the RPC protocol, disable this rule.

23

Allow HTTP/HTTPS from Forefront TMG to specified Microsoft error reporting sites

Diagnostic Services

HTTP

HTTPS

Local Host

Microsoft Error Reporting sites

This rule allows error reports to be sent to Microsoft.

24

Allow SecurID authentication from Forefront TMG to trusted servers (disabled by default)

Authentication Services

SecurID

Local Host

Internal

If you are not using SecurID authentication, disable this rule. If you are, limit the destination to the IP address of the RADIUS server.

25

Allow remote monitoring from Forefront TMG to trusted servers, using Microsoft Operations Manager (MOM) agent (disabled by default)

Remote Monitoring

Microsoft Operations Manager Agent

Local Host

Internal

Enable this rule if you are using MOM to monitor the Forefront TMG computer.

26

Allow HTTP/HTTPS requests from Forefront TMG to specified sites

Various

HTTP

HTTPS

Local Host

System Policy Allowed Sites

This rule is required to allow the Forefront TMG computer to communicate with site in the System Policy Allowed Sites domain name set.

27

Allow HTTP/HTTPS requests from Forefront TMG to specified Microsoft Updates sites

Various

HTTP

HTTPS

Local Host

System Policy Allowed sites

This rule is required to allow the Forefront TMG computer to communicate with Microsoft Updates sites listed in the Microsoft Update Domain Name Set.

28

Allow NTP from Forefront TMG to trusted NTP servers

Network Services

NTP (UDP)

Local Host

Internal

This rule allows Forefront TMG to contact NTP servers in the Internal network. Limit the destination to the IP address of the NTP server.

29

Allow SMTP from Forefront TMG to trusted servers

Remote Monitoring

SMTP

Local Host

Internal

If you do not intend to send SMTP alerts, disable this rule. Otherwise, limit the destination to the IP address of the SMTP server, instead of the Internal network.

30

Allow HTTP from Forefront TMG to selected computers for Content Download Jobs (disabled by default)

Various

HTTP

Local Host

All Networks (and Local Host)

This rule is automatically enabled when you create a Content Download Job in Forefront TMG Management.

31

Allow MS Firewall Control communication to selected computers

Remote Management

MS Firewall Control

MS Firewall Storage

Local Host

Remote Management Computers

If you are not using remote MMC, disable this rule.

32

Allow remote access to Configuration Storage server

Configuration Storage Servers

MS Firewall Control

MS Firewall Storage

Local Host

All Networks (and Local Host)

Enterprise Configuration Storage Servers

This rule is not relevant for Forefront TMG in the Essential Business Server scenario.

33

Allow access from trusted servers to the local Configuration Storage server

Configuration Storage Servers

Microsoft CIFS (TCP)

Microsoft CIFS (UDP)

MS Firewall Control

MS Firewall Storage

Local Host

Array Servers

Enterprise Remote Management Computers

Managed Forefront TMG Computers

Remote Management Computers

Replicate Configuration Storage Servers

Local Host

This rule is not relevant for Forefront TMG in the Essential Business Server scenario.

34

Allow replication between Configuration Storage servers

Configuration Storage Servers

MS Firewall Storage Replication

RPC (all interfaces)

Local Host

Replicate Configuration Storage Servers

Local Host

Replicate Configuration Storage Servers

This rule is not relevant for Forefront TMG in the Essential Business Server scenario.

35

Allow intra-array communication

Intra-array Communication

Microsoft CIFS (TCP)

Microsoft CIFS (UDP)

MS Firewall Control

RPC (all interfaces)

Array Servers

Array Servers

This rule is not relevant for Forefront TMG in the Essential Business Server scenario.

38

Allow Remote Access to Forefront TMG Reporting

Network Services

Forefront TMG Reporting Services

Enterprise Remote Management Computers

Remote Management Computers

Local Host