Configuring IP preferences

Microsoft Forefront Threat Management Gateway can drop all IP packets with any IP option in their header, all IP packets that have any of a list of selected IP options in their header, or all IP packets whose header contains any IP option that is not in the list of selected IP options. Forefront TMG can also drop all IP fragments.

This topic includes procedures for enabling IP options filtering and IP fragment filtering. For more information about IP options filtering and IP fragment filtering, see Overview of intrusion detection.

To enable IP options filtering

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Tasks tab, click Configure IP Preferences.

  3. On the IP Options tab, select Enable IP options filtering.

  4. Select one of the following:

    • Deny all packets with any IP option
    • Deny packets with the selected IP options
    • Deny packets with all except selected IP options
  5. If you select Deny packets with the selected IP options or Deny packets with all except selected IP options, also select the applicable IP options.

  6. Click OK.

To enable IP fragment filtering

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Tasks tab, click Configure IP Preferences.

  3. On the IP Fragments tab, select Block IP fragments.

  4. Click OK.

Note

Kerberos clients commonly send their requests over UDP, and a Kerberos message that is larger than the path MTU (as messages carrying a ticket with authorization data often are) is sent as a series of IP fragments. If your Forefront TMG computer is in a domain and you enable the blocking of IP fragments, Kerberos authentication will fail. For example, if the computer uses Kerberos for authentication during user logon, logon will fail. It is recommended that you do not enable the blocking of packets containing IP fragments in scenarios where Kerberos authentication is used.
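To make the two settings concrete, the following Python model shows how a filter applies them to raw IPv4 headers. It is example code added to this topic, not Forefront TMG's implementation. It parses the option list out of the header, applies the three IP options modes from the IP Options tab, treats a packet as a fragment when the More Fragments flag is set or the fragment offset is non-zero, and splits a constructed Kerberos-sized UDP datagram to show why the Block IP fragments setting breaks Kerberos: every piece of the datagram, including the first one that carries the UDP header, is an IP fragment. The option type codes are the IANA assignments for IPv4 options; the sample packets, the 10.0.0.x addresses and the placeholder ticket data are constructed for the example.

```python
"""Model of the two IP preferences on this page: IP options filtering (three
modes) and IP fragment blocking, run over constructed IPv4 packets.
Added example, not Forefront TMG code. Option type numbers are the IANA
assignments (RFC 791 and later)."""
import struct
from enum import Enum

IPOPT_EOOL = 0    # end of option list (padding, not counted as an option)
IPOPT_NOP = 1     # no-operation (padding)
IPOPT_RR = 7      # Record Route
IPOPT_LSRR = 131  # Loose Source Route
IPOPT_SSRR = 137  # Strict Source Route
IPOPT_RA = 148    # Router Alert


class OptionsMode(Enum):
    """The three choices on the IP Options tab."""
    DENY_ANY = 1
    DENY_SELECTED = 2
    DENY_ALL_EXCEPT_SELECTED = 3


def parse_ipv4(pkt: bytes):
    """Return (list of option type codes, is_fragment) for a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, flags_frag = pkt[0], struct.unpack("!H", pkt[6:8])[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    # A fragment has More Fragments set or a non-zero offset; the first piece
    # of a fragmented datagram has offset 0 but MF=1, so it counts as well.
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    options, i = [], 20
    while i < ihl:                      # options occupy bytes 20..ihl-1
        kind = pkt[i]
        if kind == IPOPT_EOOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed IP option at offset %d" % i)
        options.append(kind)
        i += pkt[i + 1]
    return options, is_fragment


def drop_for_options(options, mode, selected=frozenset()):
    """True if the IP Options tab settings would drop a packet carrying `options`."""
    present = set(options)
    if not present:
        return False
    if mode is OptionsMode.DENY_ANY:
        return True
    if mode is OptionsMode.DENY_SELECTED:
        return bool(present & selected)
    return bool(present - selected)      # DENY_ALL_EXCEPT_SELECTED


def classify(pkt, options_filtering=False, mode=OptionsMode.DENY_ANY,
             selected=frozenset(), block_fragments=False):
    """Apply both preferences; returns 'pass' or a 'drop: ...' reason."""
    options, is_fragment = parse_ipv4(pkt)
    if block_fragments and is_fragment:
        return "drop: IP fragment"
    if options_filtering and drop_for_options(options, mode, selected):
        return "drop: IP options %s" % sorted(options)
    return "pass"


def _checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(payload, options=b"", mf=False, frag_offset=0, proto=17):
    """Constructed IPv4 packet 10.0.0.1 -> 10.0.0.2 (test data, not a capture)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                      0x1234, flags_frag, 64, proto, 0, b"\x0a\x00\x00\x01",
                      b"\x0a\x00\x00\x02") + options
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def fragment(payload, mtu=1500, proto=17):
    """Split an IP payload as a sender with the given MTU would (20-byte header)."""
    chunk = (mtu - 20) // 8 * 8            # every piece but the last is a multiple of 8
    return [build_ipv4(payload[off:off + chunk], mf=off + chunk < len(payload),
                       frag_offset=off, proto=proto)
            for off in range(0, len(payload), chunk)]


# Constructed sample traffic.
PLAIN = build_ipv4(b"\x00" * 8)
WITH_RR = build_ipv4(b"", options=bytes([IPOPT_RR, 7, 4]) + b"\x00" * 4)
WITH_LSRR = build_ipv4(b"", options=bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 3]))
WITH_RA = build_ipv4(b"", options=bytes([IPOPT_RA, 4, 0, 0]))
# Kerberos-sized UDP datagram to port 88: 8-byte UDP header plus 2000 bytes of
# placeholder ticket data (constructed, not a real Kerberos message). Only the
# first fragment carries the UDP header; the second piece is bare payload.
KRB_UDP = struct.pack("!HHHH", 50000, 88, 2008, 0) + b"\x5a" * 2000
KRB_FRAGS = fragment(KRB_UDP)


def demo():
    source_routing = frozenset({IPOPT_LSRR, IPOPT_SSRR})
    return {
        "plain": classify(PLAIN, options_filtering=True, block_fragments=True),
        "rr/deny_any": classify(WITH_RR, options_filtering=True),
        "rr/deny_selected(source routes)": classify(
            WITH_RR, True, OptionsMode.DENY_SELECTED, source_routing),
        "lsrr/deny_selected(source routes)": classify(
            WITH_LSRR, True, OptionsMode.DENY_SELECTED, source_routing),
        "rr/deny_all_except(router alert)": classify(
            WITH_RR, True, OptionsMode.DENY_ALL_EXCEPT_SELECTED, {IPOPT_RA}),
        "ra/deny_all_except(router alert)": classify(
            WITH_RA, True, OptionsMode.DENY_ALL_EXCEPT_SELECTED, {IPOPT_RA}),
        "kerberos fragments/block off": [classify(f) for f in KRB_FRAGS],
        "kerberos fragments/block on": [classify(f, block_fragments=True)
                                        for f in KRB_FRAGS],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-36s %s" % (name, verdict))
```

The model decides from the IP header alone, as the two preferences do, and performs no reassembly. The Kerberos case also shows a second reason fragment handling matters to a firewall: the UDP port 88 header is present only in the first fragment, so a rule that matches on transport ports cannot evaluate the later pieces on their own.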

Important

After you finish configuring the IP preferences, in the details pane, click Apply to save and update the configuration, and then click OK.