Configuring a Web access policy

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

The Forefront TMG Web Access Wizard creates a basic Web access policy that specifies which users are allowed or denied Internet access and how traffic from internal networks to the Internet is inspected.

Running the Web Access Wizard

To configure Web access policy by running the Web Access Wizard, do the following:

To run the Web Access Wizard

  1. In the Forefront TMG Management console, click the Web Access Policy node.

  2. On the Tasks tab, click Configure Web Access Policy. If you have already run the wizard, a message appears warning you that the changes you made to settings and rules when you previously ran the wizard will be discarded. Click Yes to confirm that the wizard should run again.

  3. On the Web Access Policy Type page, select the type of Web access policy that you want to apply in your organization.

  4. On the Web Protection page, click Yes, enable the malware inspection feature to turn on malware inspection globally.

Note

To configure malware inspection, it must be enabled globally and also enabled on each access rule that serves content you want to inspect. Malware inspection is available for evaluation for 90 days. After this period, a license is required. Note that when running as part of Essential Business Server, a license is provided for one year.

  5. Select Create a simple global access policy for all the clients in my organization to allow all users to visit all Web sites except those URLs that you specifically block. You can also enable malware scanning for HTTP traffic and configure caching by using this policy.

  6. Select Create customized Web access policies for users, groups and computers to specify that Web policy is controlled by authenticated user access, non-authenticated IP address access, or a mixture of both. Using this policy, you can create rules for authenticated and anonymous access, enable malware scanning, configure caching, and specify how requests that do not match the users and IP addresses specified in rules should be handled.

  7. Specify settings for the Web policy type you have selected. The tables below provide information about the pages that appear when you choose either Create a simple global access policy for all the clients in my organization or Create customized Web access policies for users, groups and computers.

Running the Web Access Wizard with simple policy settings

If you selected the setting Create a simple global access policy for all the clients in my organization, use the information in the following table to complete the wizard.

Each entry below gives the wizard page, the field or property on that page, the setting or action it controls, and the rules or global settings that result.

Page: Restricted Web Destinations

Field or property: Add

Setting or action: With this setting you can create an allow rule that allows access to the External network, and you can create a deny rule that blocks access to Web sites you specify. All users can access all sites not specified on this page.

Rules or global settings:

Rule created: Web Access Default Rule

  • Rule type: Allow

  • From: Internal

  • To: External

  • Applies to: All Users

Rule created: Web Access Restrictions

  • Rule type: Deny

  • From: Internal

  • To: Specified URL destinations

  • Applies to: All Users

  • Exceptions: Any users specified on the Restricted Destination Exceptions page

Page: Restricted Destinations Exceptions

Field or property: Add

Setting or action: Select this setting to exempt users or user groups from the deny rule.

Rules or global settings: Exemptions to the Web Access Restrictions rule.

Page: Malware Inspection Settings

Field or property:

  • Do not inspect Web content requested from the Internet

  • Inspect Web content requested from the Internet

Setting or action: Select Inspect Web content requested from the Internet to configure antivirus scanning of Web traffic.

Rules or global settings: This setting applies malware inspection to the rules created by the wizard.

Page: Web Cache Configuration

Field or property: Enable Web caching

Setting or action: Select this setting to enable Web caching. Once you select the setting, select the drive you want to use for Web caching from the list, and then click Cache Drives to turn on caching and define cache drives. Caching is not active until both of these steps are complete. After completing the wizard, you can configure cache settings and create cache rules to download content. For instructions, see Caching Web site content.

Rules or global settings: This global setting applies to all content that is specified for caching by the defined cache rules.

Running the Web Access wizard with customized policy settings

If you selected the setting Create customized Web access policies for users, groups and computers, use the information in the following table to complete the wizard.

Each entry below gives the wizard page, the field or property on that page, the setting or action it controls, and the rules or global settings that result.

Page: Access Policy Groups

Field or property: Users and user groups only

Setting or action: Select this setting to create a policy based on client authentication. Access is allowed and restricted based on user name.

Rules or global settings: None

Field or property: Computers, IP addresses and subnets

Setting or action: Select this setting to allow clients Web access without user authentication. Access is allowed and restricted based on source IP address.

Rules or global settings: None

Field or property: Any of the above

Setting or action: Select this setting to use a mixture of client authentication and anonymous access based on source IP address.

Rules or global settings: None

Page: Default Web Access Policy

Field or property: Allow the Web request

Setting or action: Select this setting to provide a default rule (processed last in the rule list) that allows traffic. If you enable this setting, the following applies:

  • If your Web access policy is based on users and groups and a request does not match an authenticated rule for the requested destination, the request is allowed.

  • If your Web access policy is based on source IP address and a request does not match an anonymous rule for the requested destination, the request is allowed.

Rules or global settings:

If you selected Allow the Web request and Web policy is based on users and groups, the following rule is created:

  • Rule name: Web Access Default Rule

  • Allow or Deny: Allow

  • From: Internal

  • To: External

  • Applies to: Authenticated Users

If you selected Allow all Web access and Web policy is based on source IP addresses, the following rule is created:

  • Rule

  • Allow or Deny: Allow

  • From: Internal

  • To: External

  • Applies to: All Users

Field or property: Deny the Web request

Setting or action: Select this setting to provide a default fallback policy that denies traffic. If you select this option, the following applies:

  • If your Web access policy is based on users and groups, a request that does not match an authenticated rule for the requested destination is denied.

  • If your Web access policy is based on source IP address, a request that does not match an anonymous rule for the requested destination is denied.

Rules or global settings:

If you selected Deny all Web access and Web policy is based on users and groups, the following rule is created:

  • Rule name: Web Access Default Rule

  • Allow or Deny: Deny

  • From: Internal

  • To: External

  • Applies to: Authenticated Users

If you selected Deny all Web access and Web policy is based on source IP addresses, the following rule is created:

  • Rule name: Web Access Default Rule

  • Allow or Deny: Deny

  • From: Internal

  • To: External

  • Applies to: All Users

Page: Anonymous Web Access Policies

Field or property: Add

Setting or action: Select this setting to create an anonymous access rule that allows or denies access to specific locations.

Rules or global settings: The following rule is created:

  • Rule name: The policy name that you specified in the Add Access Policy dialog box.

  • Allow or Deny

  • From: Specified source IP addresses

  • To: Specified destinations

  • Applies to: All Users

Page: Authenticated Web Access Policies

Field or property: Add

Setting or action: Select this setting to create an access rule that requires users to authenticate and that allows or denies access to specific locations.

Rules or global settings: The following rule is created:

  • Rule name: The policy name that you specified in the Add Access Policy dialog box.

  • Allow or Deny

  • From: Specified user set

  • To: Specified destinations

  • Applies to: Specified user set

Page: Malware Inspection Settings

Field or property: Inspect Web content requested from the Internet

Setting or action: Select this setting to configure antivirus scanning of Web traffic.

Rules or global settings: This setting applies scanning to all rules created with the wizard.

Field or property: Allow partial file delivery

Setting or action: Select this option to enable partial file delivery. Trickling partial files to clients improves the user experience: users see a progress bar and a gradually opened page as data is scanned. If you select this option, trickling is not applied to all content types; by default, specific content types use progress notifications instead of trickling. For more information, see Planning for Malware Inspection.

Rules or global settings: File delivery settings

Field or property: Block encrypted archives

Setting or action: This setting specifies that Forefront TMG does not allow downloading of any encrypted files whose content it cannot inspect.

Rules or global settings: Encrypted archive download settings

Page: Web Cache Configuration

Field or property: Enable Web caching

Setting or action: Select this setting to enable Web caching. Once you select the setting, select the drive you want from the list, and then click Cache Drives to turn on caching and define cache drives. Caching is not active until both of these steps are complete. After completing the wizard, you can configure cache settings and create cache rules to download content. For instructions, see Caching Web site content.

Rules or global settings: This global setting applies to all content that is specified for caching by the defined cache rules.
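To make the rule ordering in both tables concrete (a deny rule with exceptions ahead of the Web Access Default Rule, and a customized policy whose last rule denies), here is an added Python model of first-match evaluation. It is not Forefront TMG code: the Internal network range, the URL set, the user names and the rule named Engineering docs are constructed for the example, and a request that matches no rule is treated as denied by assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the TMG "Internal" network (assumption, not from the page).
INTERNAL = ("10.0.0.0/8",)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "Allow" or "Deny"
    from_nets: tuple                     # source networks the rule applies to
    to_urls: Optional[tuple]             # None = External (any destination), else URL prefixes
    applies_to: str                      # "All Users", "Authenticated Users", "Specified user set"
    user_set: frozenset = frozenset()    # members when applies_to is a specified user set
    exceptions: frozenset = frozenset()  # users exempted from this rule (Restricted Destination Exceptions)

def rule_matches(rule: Rule, src_ip: str, user: Optional[str], url: str) -> bool:
    """True if the request falls within the rule's From / To / Applies-to scope."""
    if not any(ip_address(src_ip) in ip_network(n) for n in rule.from_nets):
        return False
    if rule.to_urls is not None and not any(url.startswith(p) for p in rule.to_urls):
        return False
    if rule.applies_to == "Authenticated Users" and user is None:
        return False
    if rule.applies_to == "Specified user set" and user not in rule.user_set:
        return False
    return user not in rule.exceptions   # exempted users fall through to later rules

def evaluate(rules, src_ip: str, user: Optional[str], url: str):
    """First matching rule wins; the wizard places the default rule last."""
    for rule in rules:
        if rule_matches(rule, src_ip, user, url):
            return rule.action, rule.name
    return "Deny", "(no rule matched)"   # assumption: an unmatched request is treated as denied

# Rules as the simple-policy wizard path creates them (URL set and exempt user constructed).
SIMPLE_POLICY = (
    Rule("Web Access Restrictions", "Deny", INTERNAL, ("http://blocked.example/",),
         "All Users", exceptions=frozenset({"alice"})),
    Rule("Web Access Default Rule", "Allow", INTERNAL, None, "All Users"),
)

# Customized path with "Deny the Web request" as the default and one authenticated allow rule.
CUSTOM_POLICY = (
    Rule("Engineering docs", "Allow", INTERNAL, ("http://docs.example/",),
         "Specified user set", user_set=frozenset({"bob"})),
    Rule("Web Access Default Rule", "Deny", INTERNAL, None, "Authenticated Users"),
)
```

Swapping the two rules in SIMPLE_POLICY makes the default allow match first, so the restriction never fires; that is why the wizard keeps the default rule last.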

Copyright © 2009 by Microsoft Corporation. All rights reserved.