Configuring URL filtering in Forefront TMG secure Web gateway

Applies To: Forefront Threat Management Gateway (TMG)

This topic provides the following information on how to configure the URL filtering feature in Forefront TMG secure Web gateway:

  • Prerequisites

  • Configuration overview

  • Configuration steps

Prerequisites

  • URL filtering is subscription based, and is part of the Forefront TMG Web Security Service license. For licensing information, see How to Buy (https://go.microsoft.com/fwlink/?LinkId=179848).

  • URL filtering allows or blocks access to requested sites based on predefined URL categories. When site categorization is not found in the Forefront TMG cache, Forefront TMG queries Microsoft Reputation Services (MRS) for the appropriate category. In order to query the remotely hosted MRS, the Forefront TMG server must be connected to the Internet.

Configuration overview

The URL filtering feature is part of the Forefront TMG Web access policy. The configuration process consists of the following stages:

  1. When you define your organization’s Web access policy, filter out the types of Web destination categories that you do not want users to access, such as malicious or non-productive sites. For information, see Blocking destinations in Web access policy rules.

  2. If relevant, define specific periods or times when access is restricted. For example, define that access to non-productive sites is blocked during business hours only. For information, see Defining a rule’s activity period.

  3. If required, you can override the existing categorization. When a user requests a Web site and the request is blocked, the user receives a denial notification that includes the category of the denied request; the notification text is customizable. If you suspect that a site is miscategorized, look up its current category and, if it is wrong, assign the appropriate category. For information, see Looking up and overriding a site’s URL category.

    You can report classification issues to Microsoft, which increases the likelihood that MRS will address coverage and accuracy gaps specific to your organization. For information, see Microsoft Reputation Services Feedback and Error Reporting (https://go.microsoft.com/fwlink/?LinkId=178581).

  4. You can customize the denial notifications that users receive when access is blocked. For each rule in the Web access policy, you can select one of the following customization options:

    • Customize the default access denial message. For information, see Customizing the default access denial message.

    • Redirect users to a Web page containing your custom message. For information, see Redirecting users to a custom access denial page.

Configuration steps

The following procedures guide you through the configuration of URL filtering.

Blocking destinations in Web access policy rules

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy.

  3. On the Web Access Policy Rules page of the Web Access Policy Wizard, allow Forefront TMG to create a default rule blocking access to Web sites that you do not want users to access.

  4. On the Blocked Web Destinations page, select the URL categories and URL category sets that you want to block.

  5. After completing the wizard, on the Apply Changes bar, click Apply.

Defining a rule’s activity period

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the details pane, right-click the rule you want to modify, click Properties, and then click the Schedule tab.

  3. On the Schedule list, select one of the following:

    • Always, to specify that the rule is always applicable.

    • Weekends, to specify that the rule applies only on Saturday and Sunday.

    • Work hours, to specify that the rule is active Monday through Friday, from 9:00 until 17:00.

    Note

    When you change a rule’s schedule so that it applies only at specific times, the new schedule is applied only to new connections. Traffic on connections that are already established continues to pass, even outside the allowed times.

  4. You can edit the days and times of the default schedules, or create new ones, as follows:

    1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

    2. On the Toolbox tab, click Schedules.

    3. To edit an existing schedule, click to expand Schedules, and then double-click the schedule you want to modify. On the Schedule tab, select a time slot, and then select Active or Inactive.

    4. To create a new schedule, on the toolbar beneath Schedules, click New, and then, in the New Schedule property page, specify settings for the schedule.

Looking up and overriding a site’s URL category

  1. In the Forefront TMG Management console, in the tree, click Web Access Policy.

  2. In the Tasks pane, click Query for URL Category.

  3. On the Category Query tab, type a URL or an IP address, and then click Query. The category is displayed on the tab, together with information about the source of the categorization, such as override, IP address, or URL alias.

  4. To change a site’s categorization, copy the URL or IP address, click the URL Category Override tab, and then click Add.

  5. Under Override the default URL category for this URL pattern, type a URL, using the format: www.contoso.com/*.

    Note

    • Each URL must include a host name and a path, and may include a query string and escaped characters (such as “%20” to represent a space).

    • Do not include a protocol (such as https://) with the URL.

    • Forefront TMG does not support the use of Internationalized Domain Name (IDN) URLs.

  6. Under Move URL pattern to this category, select an appropriate URL category.

  7. Click OK. The URL Categories Override dialog closes. Click OK again and then, on the Apply Changes bar, click Apply.
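The override dialog accepts one pattern at a time and only reports a problem after you click OK, so when you maintain a list of overrides it helps to check the patterns first. The following script is an added example, not part of Forefront TMG or of this documentation: it enforces the three rules from the note above (host name plus path, no protocol prefix, no IDN host) and checks that every “%” begins a well-formed escape. The matching function models how a request URL would fall under a pattern; its wildcard semantics (a leading “*.” host label matches any subdomain, “*” in the path matches any run of characters) and the sample patterns and URLs are assumptions constructed for illustration, not documented Forefront TMG behaviour.

```python
"""Pre-flight checks for URL category override patterns.

Constructed helper, not part of Forefront TMG. The validation rules come
from the override dialog's documented format (www.contoso.com/*); the
wildcard matching semantics in matches() are an assumption.
"""
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# A '%' that is not followed by two hex digits is a malformed escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def validate_override_pattern(pattern: str) -> list[str]:
    """Return the problems found in an override pattern ([] means acceptable)."""
    problems: list[str] = []
    if "://" in pattern:
        problems.append("remove the protocol prefix (http:// or https://)")
        pattern = pattern.split("://", 1)[1]
    host, slash, rest = pattern.partition("/")
    if not host:
        problems.append("pattern must begin with a host name")
    if not slash:
        problems.append("pattern must include a path after the host name, "
                        "for example www.contoso.com/*")
    if host and not host.isascii():
        problems.append("IDN (non-ASCII) host names are not supported")
    elif host:
        labels = host.split(".")
        # Assumption: a leading '*' label is accepted as a subdomain wildcard.
        if labels[0] == "*":
            labels = labels[1:]
        if not labels or any(not _LABEL.match(lab) for lab in labels):
            problems.append(f"host name {host!r} is not a valid DNS name")
    if _BAD_ESCAPE.search(rest):
        problems.append("every '%' must be followed by two hex digits "
                        "(escaped character such as %20)")
    if any(c.isspace() for c in pattern):
        problems.append("spaces must be escaped as %20")
    return problems


def _split_url(url: str) -> tuple[str, str]:
    """Split a requested URL into (lower-cased host, path+query without the leading '/')."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    rest = parts.path.lstrip("/")
    if parts.query:
        rest += "?" + parts.query
    return (parts.hostname or "").lower(), rest


def _glob(pattern_rest: str) -> re.Pattern:
    """Turn the path part of a pattern into a regex; '*' matches any characters."""
    return re.compile(".*".join(re.escape(piece) for piece in pattern_rest.split("*")))


def matches(pattern: str, url: str) -> bool:
    """Would this request URL be re-categorised by the given override pattern?

    Assumption for illustration: hosts compare case-insensitively, a '*.'
    prefix matches any subdomain, and '*' in the path matches any run of
    characters including '/' and the query string.
    """
    p_host, _, p_rest = pattern.partition("/")
    p_host = p_host.lower()
    u_host, u_rest = _split_url(url)
    if p_host.startswith("*."):
        if not (u_host == p_host[2:] or u_host.endswith(p_host[1:])):
            return False
    elif u_host != p_host:
        return False
    return _glob(p_rest).fullmatch(u_rest) is not None


if __name__ == "__main__":
    # Constructed sample patterns, as an administrator might keep them in a list.
    candidates = [
        "www.contoso.com/*",
        "https://www.contoso.com/*",      # protocol prefix not allowed
        "www.contoso.com",                # path missing
        "bücher.example/*",               # IDN host not supported
        "www.contoso.com/a%2g",           # malformed escape
    ]
    for pat in candidates:
        print(f"{pat!r}: {validate_override_pattern(pat) or 'OK'}")
    print(matches("www.contoso.com/docs/*", "http://WWW.CONTOSO.COM/docs/a?x=1"))
```

Run the script before pasting patterns into the override dialog; a pattern that passes these checks still needs its category chosen in the Move URL pattern to this category list, and the override takes effect only after you click Apply.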

Customizing the default access denial message

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the details pane, right-click the rule you want to modify, and then click Properties.

  3. On the Action tab, under Denied URL Request Action, verify that Display denial notification to user is selected. In the box under Add custom text or HTML to notification (optional), type the message you want to show users who attempt to access blocked Web sites.

    Note

    You can use HTML tags, such as:

    <a href="mailto:admin@contoso.com?subject=Access to Web site denied">Contact the system administrator</a>.

  4. You can expose the URL category of the blocked Web site to users by selecting Add denied request category to notification. This option is only available when URL filtering is enabled.

Redirecting users to a custom access denial page

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the details pane, right-click the rule you want to modify, and then click Properties.

  3. On the Action tab, under Denied URL Request Action, select Redirect web client to the following URL, and then type the complete URL using the format: https://URL.

Concepts

Configuring Forefront TMG secure Web gateway