Configuring HTTP filtering

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to configure HTTP filters. You can use an HTTP filter on inbound and outbound access rules to control the types of data and HTTP commands that you want to allow to cross the firewall.

For more detailed information about HTTP filtering, see Planning for HTTP filtering.

The following procedures describe the steps for configuring HTTP filtering on an access rule:

  • Accessing the rule for HTTP filtering—Describes how to access the Configure HTTP policy for rule dialog box, in which you can configure HTTP filtering.

  • Configuring headers and URL blocking—Describes how to set the maximum number of bytes for a header, payload, URL or query, and how to block requests to URLs containing specific characters.

  • Configuring HTTP methods (verbs)—Describes how to allow or block specific HTTP methods (verbs).

  • Configuring HTTP extension blocking—Describes how to block extensions, such as executable (.exe) files.

  • Configuring header blocking—Describes how to block specific HTTP headers.

  • Configuring blocked signatures—Describes how to block specific signatures, which can be any string in the header or body.

  • Determining signatures—Describes how to monitor specific network traffic in order to determine its signature.

Accessing the rule for HTTP filtering

To access the rule on which to configure HTTP filtering

  1. In the Forefront TMG Management console, in the tree, click the Firewall Policy node.

  2. In the details pane, right-click the rule you want to modify, and then click Configure HTTP. The Configure HTTP policy for rule dialog box opens.

  3. Configure HTTP filtering according to the needs of your network, using the instructions in the following procedures.

Configuring headers and URL blocking

Note

For a description of the parameters that you need to configure in this procedure, see “HTTP filtering settings overview” in Planning for HTTP filtering.

To configure headers and URL blocking

  1. Click the General tab in the Configure HTTP policy for rule dialog box.

  2. In Maximum headers length (bytes), specify the maximum number of bytes allowed in the URL and HTTP header for an HTTP request before it is blocked.

    Note

    This setting applies to all rules, so if you change it in one rule, it is changed in all rules.

  3. Clear Allow any payload length to block requests exceeding the number of bytes specified in Maximum payload length (bytes).

  4. In Maximum URL length (bytes), type the maximum URL length allowed. Requests with URLs exceeding this value will be blocked.

  5. In Maximum query length (bytes), type the maximum query length allowed in a request. Requests with queries exceeding this value will be blocked.

  6. Select Verify normalization to block requests whose URL still contains escaped characters after normalization. Normalization decodes percent-encoded characters in the URL. Because the percent sign can itself be encoded (%25), an attacker can double-encode a URL so that one decoding pass leaves a second layer of encoding behind. With this option selected, the HTTP filter normalizes the URL twice and blocks the request if the second pass changes the result.

    Note

    While use of the verify normalization function is recommended, be aware that it may also block legitimate requests that contain a literal % in the URL.

  7. Select Block high bit characters to specify that URLs with high-bit characters will be blocked.

  8. Select Block responses containing Windows executable content to block responses whose body begins with the bytes MZ, the header that starts every Windows executable image. Because this check inspects the content rather than the file name or extension, it also catches executables served under another name or content type.
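The checks on the General tab, as an added example modelled in Python; this is not Forefront TMG code, and the byte limits, field names and sample requests below are constructed for illustration. It shows the double-decode logic behind Verify normalization catching a %255c traversal while a URL with an ordinary %20 passes, the high-bit check, a query-length violation, and the MZ test on a response body served with a harmless-looking content type.

```python
"""Added example, not Forefront TMG code: the General tab limits and URL checks
from the procedure above, modelled in Python and run against constructed requests.
Limits, field names and sample messages are assumptions for illustration."""
from urllib.parse import unquote

# Constructed policy values mirroring the General tab fields (assumed, not TMG defaults).
POLICY = {
    "max_headers_len": 32768,        # Maximum headers length (bytes): request line + headers
    "max_payload_len": 1024 * 1024,  # Maximum payload length (bytes); None = Allow any payload length
    "max_url_len": 2048,             # Maximum URL length (bytes)
    "max_query_len": 256,            # Maximum query length (bytes)
    "verify_normalization": True,    # Verify normalization
    "block_high_bit": True,          # Block high bit characters
    "block_win_executables": True,   # Block responses containing Windows executable content
}


def normalization_differs(url: str) -> bool:
    """Verify normalization: decode twice and flag the URL if the second pass
    still changes it, i.e. the client sent a double-encoded sequence."""
    once = unquote(url)
    twice = unquote(once)
    return once != twice


def check_request(raw: bytes, policy: dict = POLICY) -> list:
    """Return the names of the General-tab checks the raw request violates
    (an empty list means the request is allowed)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    _method, url_bytes, _version = request_line.split(b" ", 2)
    url = url_bytes.decode("latin-1")        # one character per byte, so lengths stay in bytes
    _path, _, query = url.partition("?")

    violations = []
    if len(head) > policy["max_headers_len"]:
        violations.append("headers length")
    if policy["max_payload_len"] is not None and len(body) > policy["max_payload_len"]:
        violations.append("payload length")
    if len(url) > policy["max_url_len"]:
        violations.append("URL length")
    if len(query) > policy["max_query_len"]:
        violations.append("query length")
    if policy["verify_normalization"] and normalization_differs(url):
        violations.append("normalization")
    if policy["block_high_bit"] and any(b > 0x7F for b in url_bytes):
        violations.append("high-bit characters")
    return violations


def check_response(raw: bytes, policy: dict = POLICY) -> list:
    """Block responses containing Windows executable content: the body of a
    Windows executable image starts with the DOS header magic 'MZ'."""
    _head, _, body = raw.partition(b"\r\n\r\n")
    if policy["block_win_executables"] and body[:2] == b"MZ":
        return ["Windows executable content"]
    return []


# Constructed sample messages.
REQ_OK = (b"GET /docs/index.html?q=hello%20world HTTP/1.1\r\n"
          b"Host: www.example.com\r\n\r\n")
# Classic double-encoded traversal: %255c decodes to %5c, which decodes to a backslash.
REQ_DOUBLE_ENCODED = (b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n\r\n")
REQ_HIGH_BIT = b"GET /caf\xe9.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_LONG_QUERY = (b"GET /search?q=" + b"A" * 300 + b" HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")
RESP_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
            b"MZ\x90\x00\x03\x00\x00\x00")   # executable disguised as a GIF
RESP_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, req in [("ok", REQ_OK), ("double-encoded", REQ_DOUBLE_ENCODED),
                      ("high-bit", REQ_HIGH_BIT), ("long-query", REQ_LONG_QUERY)]:
        print(f"{name:15} -> {check_request(req) or 'allowed'}")
    print("exe response    ->", check_response(RESP_EXE) or "allowed")
```

Run as a script it prints the verdict for each constructed message; the double-encoded request is the one that a single decoding pass would let through to the web server.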

Configuring HTTP methods (verbs)

HTTP methods (also known as HTTP verbs) are instructions sent in a request message that tell an HTTP server which action to perform on the specified resource. An example of blocking by method is to block POST, so that internal clients cannot post data to an external web page. This is useful in a secure network scenario where you want to prevent sensitive information from being posted to a web site. It can also be useful in web publishing, to prevent malicious users from posting malicious material to your web site.

To configure HTTP methods (verbs)

  1. Click the Methods tab in the Configure HTTP policy for rule dialog box.

  2. In Specify the action taken for HTTP methods, select the action to be taken for the methods listed. You can allow all methods, block those listed and allow all others, or allow those listed and block all others. It is recommended that you only allow selected methods, because this is the most secure configuration.

  3. To add a method, click Add. In the Method dialog box, type the method that you want to add.

  4. To delete an existing method, select the method in the list, and then click Remove.

  5. To edit an existing method, select the method in the list, and then click Edit.

Configuring HTTP extension blocking

You can allow all extensions or allow only those in the list. You can also select to block those in the list and allow all others. It is recommended that you only allow selected extensions, because this is the most secure configuration. For example, if you are publishing a web site, the web site designer or Web server administrator will be able to define a list of extensions that are required for site functionality.

A typical use of extension blocking is to block executable (.exe) files.

To configure HTTP extension blocking

  1. Click the Extensions tab in the Configure HTTP policy for rule dialog box.

  2. In Specify the action taken for file extensions, select an action.

  3. Enable Block requests containing ambiguous extensions to block requests with extensions that cannot be determined.

  4. To add an extension, click Add. In the Extension dialog box, type the extension you want to add.

  5. To edit an existing extension, select it in the list, and then click Edit.

  6. To delete an existing extension, select it in the list, and then click Remove.

Configuring header blocking

To configure header blocking

  1. Click the Headers tab in the Configure HTTP policy for rule dialog box.

  2. Click Add to add a header that should be blocked. Then, in the Header dialog box, select either Request Headers or Response Headers from Search In, and type the header name. All headers are allowed, except those that appear in the Allow all headers except the following list.

  3. To edit a header, select it in the list, and then click Edit. To allow a header that is currently on the blocked list, select it, and then click Remove.

  4. In Server Header, specify how the server header will be returned in the response. The server header is a response header that identifies the server application and its software version, for example Server: Microsoft-IIS/6.0; left intact, it tells an attacker exactly which product and version to target. The possible settings are:

    • Send original header—The original header will be returned in the response.

    • Strip header from response—No header will be returned in the response.

    • Modify header in response—If you select this option, in Change to, type the value that will appear in the response. It is recommended that you modify the server header. The value can be any string, because the server header is rarely used by clients.

  5. In Via Header, specify how the Via header will be forwarded in the request or returned in the response. The Via header identifies the proxies that a request or response has passed through; by default, the Via header that Forefront TMG sends includes the name of the Forefront TMG computer, so replacing it avoids disclosing that name to external hosts. For a description, see the Via header entry in Planning for HTTP filtering.

    The possible settings are:

    • Send default—The default header will be used.

    • Modify header in request and response—The Via header will be replaced with a modified header. If you select this option, in Change to, type the header that will appear instead of the Via header.
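The Methods, Extensions and Headers tabs together, as an added example modelled in Python; this is not Forefront TMG code. The method and extension lists, the blocked header names, the replacement Server and Via values, and the rule used to decide that an extension is "ambiguous" are all assumptions made for illustration. It shows the three-way allow/block choice, a path-info style URL (/cmd.exe/x) being caught as ambiguous rather than slipping past the extension list, and a constructed IIS response having its Server, X-Powered-By and Via headers rewritten or dropped.

```python
"""Added example, not Forefront TMG code: the three-way allow/block choice of the
Methods and Extensions tabs, plus the header blocking and Server/Via rewriting of
the Headers tab, modelled in Python. Policy values, header names and the
'ambiguous extension' rule below are assumptions made for illustration."""
import posixpath
from urllib.parse import urlsplit

# Methods tab: "Allow only specified methods" with a constructed allow list.
METHOD_POLICY = {"action": "allow_only", "list": {"GET", "HEAD", "POST"}}
# Extensions tab: "Block specified extensions (allow all others)".
EXTENSION_POLICY = {"action": "block_listed", "list": {".exe", ".dll", ".cmd", ".bat"},
                    "block_ambiguous": True}
# Headers tab: "Allow all headers except the following" (constructed names).
BLOCKED_REQUEST_HEADERS = {"x-debug"}
BLOCKED_RESPONSE_HEADERS = {"x-powered-by"}
SERVER_HEADER = ("modify", "WebServer")   # "send_original" | "strip" | "modify"
VIA_HEADER = ("modify", "1.1 proxy")      # "send_default" | "modify"


def decide(action: str, listed: set, value: str) -> bool:
    """The choice offered on the Methods and Extensions tabs:
    allow all, block the listed values, or allow only the listed values."""
    if action == "allow_all":
        return True
    hit = value in listed
    return hit if action == "allow_only" else not hit


def extension_of(path: str):
    """Return (extension, ambiguous). Assumption used here: the extension is
    ambiguous when a non-final path segment carries one (/cmd.exe/x, the
    path-info trick) or the path ends in a dot, so no single extension can
    be relied upon."""
    segments = [s for s in path.split("/") if s]
    exts = [posixpath.splitext(s)[1].lower() for s in segments]
    if not exts:
        return "", False
    ambiguous = any(exts[:-1]) or path.endswith(".")
    return exts[-1], ambiguous


def check_request(method: str, url: str, headers: list) -> list:
    """Apply the Methods tab, the Extensions tab and the request side of the Headers tab."""
    violations = []
    if not decide(METHOD_POLICY["action"], METHOD_POLICY["list"], method.upper()):
        violations.append(f"method {method}")
    ext, ambiguous = extension_of(urlsplit(url).path)
    if ambiguous and EXTENSION_POLICY["block_ambiguous"]:
        violations.append("ambiguous extension")
    elif ext and not decide(EXTENSION_POLICY["action"], EXTENSION_POLICY["list"], ext):
        violations.append(f"extension {ext}")          # requests with no extension pass
    for name, _value in headers:
        if name.lower() in BLOCKED_REQUEST_HEADERS:
            violations.append(f"request header {name}")
    return violations


def rewrite_response_headers(headers: list) -> list:
    """Apply the response side of the Headers tab: drop blocked headers and
    strip or rewrite Server and Via so they no longer disclose the back end."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in BLOCKED_RESPONSE_HEADERS:
            continue
        if lname == "server":
            mode, replacement = SERVER_HEADER
            if mode == "strip":
                continue
            if mode == "modify":
                value = replacement
        elif lname == "via":
            mode, replacement = VIA_HEADER
            if mode == "modify":
                value = replacement
        out.append((name, value))
    return out


# Constructed response headers as a published IIS server and the proxy might send them.
SAMPLE_RESPONSE_HEADERS = [
    ("Server", "Microsoft-IIS/6.0"),
    ("X-Powered-By", "ASP.NET"),
    ("Via", "1.1 TMG01"),           # constructed: a Via header naming the proxy
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for m, u in [("POST", "/upload.aspx"), ("TRACE", "/"),
                 ("GET", "/downloads/setup.exe"), ("GET", "/scripts/cmd.exe/x")]:
        print(f"{m} {u} -> {check_request(m, u, []) or 'allowed'}")
    for name, value in rewrite_response_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"{name}: {value}")
```

Whatever rule a product uses to define an ambiguous extension, the point of the check is the same: when a request can be read as having more than one extension, an extension allow list alone cannot be trusted, so the request is refused outright.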

Configuring blocked signatures

You can specify whether to allow or block requests, based on the specific signatures in the headers or body.

To configure blocked signatures

  1. Click the Signatures tab in the Configure HTTP policy for rule dialog box.

  2. Click Add to add a blocked signature. Then, in the Signature dialog box, specify the following:

    • In Search in, specify where the signature is to be matched: the request URL, the request headers, the request body, the response headers, or the response body.

    • In HTTP Header, type the header name, if you specified a header type signature.

    • In Signature, type the signature string. A signature can be any string in a header or body. It is recommended that you choose strings that are specific enough to block only those requests or responses that you want to block. For example, if you add the letter "a" as a signature, any request or response containing "a" will be blocked. Similarly, including "Mozilla" in a signature would block most Web browsers. A more typical example signature would be User-Agent: adatum-software-abc.

    • In Byte range, specify From and To values, if you have selected Response Body or Request Body as the signature type. By default, Forefront TMG only inspects the first 100 bytes of the request and response body; a signature that appears beyond the configured range is not detected. Increasing this default value may affect system performance.

  3. You can enable or disable signatures using the check boxes next to the signature names. Click Show only enabled search strings to list only enabled signatures.

  4. To modify a blocked signature, select it in the Block content containing these signatures list, and then click Edit.

  5. To allow a blocked signature, select it in the Block content containing these signatures list, and then click Remove.
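The Signatures tab behaviour, as an added example modelled in Python; this is not Forefront TMG code, and the signature list, the corpus of captured requests and the browser User-Agent strings are constructed for illustration. It matches signatures against the Search in areas, applies the Byte range to body signatures so that a payload starting past byte 100 is missed until the range is widened, and measures how selective a candidate string is, which is the warning in step 2 that "Mozilla" would block most browsers while a string such as adatum-software-abc hits only the intended client.

```python
"""Added example, not Forefront TMG code: matching a blocked-signature list
against the five 'Search in' areas, honouring the Byte range on body
signatures, and measuring how selective a candidate signature is against a
small constructed corpus of requests."""

# Constructed signature list in the shape of the Signatures tab.
SIGNATURES = [
    {"search_in": "request_header", "header": "User-Agent",
     "signature": "adatum-software-abc", "enabled": True},
    # Body signature with the default Byte range: only the first 100 bytes are inspected.
    {"search_in": "request_body", "header": None,
     "signature": "<script", "range": (0, 100), "enabled": True},
    {"search_in": "request_url", "header": None,
     "signature": "/cgi-bin/", "enabled": False},   # disabled via its check box
]


def split_message(raw: bytes):
    """Split a raw HTTP message into (start line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def matches(sig: dict, request: bytes, response: bytes = b"") -> bool:
    """True if the enabled signature is found in the area it is configured for."""
    if not sig["enabled"]:
        return False
    area = sig["search_in"]
    raw = request if area.startswith("request") else response
    start_line, headers, body = split_message(raw)
    if area == "request_url":
        url = start_line.split(" ")[1] if " " in start_line else ""
        return sig["signature"] in url
    if area.endswith("_header"):
        return sig["signature"] in headers.get(sig["header"].lower(), "")
    lo, hi = sig["range"]                       # Byte range: From .. To (assumed half-open here)
    return sig["signature"].encode("latin-1") in body[lo:hi]


def hit_rate(candidate: str, corpus: list) -> float:
    """Fraction of captured requests containing the candidate string anywhere;
    a good blocking signature should hit only the traffic you mean to block."""
    needle = candidate.encode("latin-1")
    return sum(needle in raw for raw in corpus) / len(corpus)


def _request(user_agent: str, body: bytes = b"") -> bytes:
    return (b"POST /submit HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: " + user_agent.encode("latin-1") + b"\r\n\r\n" + body)


# Constructed corpus: three mainstream browsers and the custom client from step 2.
CORPUS = [
    _request("Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"),
    _request("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"),
    _request("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 Chrome/14.0 Safari/535.1"),
    _request("adatum-software-abc/1.0"),
]
# A body whose interesting payload starts past the default 100-byte range.
LATE_SCRIPT_REQUEST = _request("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
                               b"comment=" + b"A" * 100 + b"<script>alert(1)</script>")

if __name__ == "__main__":
    print("adatum client blocked:", matches(SIGNATURES[0], CORPUS[3]))
    print("late <script> seen with range 0-100:", matches(SIGNATURES[1], LATE_SCRIPT_REQUEST))
    print("late <script> seen with range 0-1024:",
          matches(dict(SIGNATURES[1], range=(0, 1024)), LATE_SCRIPT_REQUEST))
    for cand in ("Mozilla", "adatum-software-abc"):
        print(f"hit rate of {cand!r}: {hit_rate(cand, CORPUS):.2f}")
```

The hit rate is the test to run against a sample of normal traffic before enabling a new signature: anything that matches a large share of legitimate requests is too broad, whatever application it was derived from.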

Determining signatures

You can determine a signature to block specific traffic by monitoring network traffic.

Important

Because some network traffic monitoring tools may introduce a security risk, it is recommended that you use these tools only in a laboratory environment, and not in a production environment.

To determine signatures

  1. Install the Windows network monitoring tools, which are available in the Management and Monitoring Tools section of Windows optional components.

  2. To open Network Monitor after installation, click Start, point to Administrative Tools, and click Network Monitor. If a message appears reminding you to select a network, close it.

  3. In the Select a Network dialog box, expand Local Computer. If internal clients are located in the Forefront TMG default Internal network, select Internal to trace signatures used by these clients. This allows you to use traced signatures to block client access to specific Internet services.

  4. Network Monitor captures all of the packets from the Internal network. You can filter the results after the capture, or you can create a filter before you start the capture. To create a filter before starting, from the menu, click Capture and select Filter (or press F8). In the Capture Filter dialog box, select the entry INCLUDE *ANY <-> *ANY, and then click Edit.

  5. Click Edit Address, and under Add, click Address. In the Address Expression dialog box, click Edit Addresses.

  6. In the Address Database dialog box, click Add to open the Address Information dialog box.

  7. In the Address Information dialog box, specify the name of the client computer. Provide the IP address of the client computer in Address, and from the Type list, select IP. Then select OK, and click Close to close the Address Database dialog box.

  8. In Address Expression, verify that the option Include is selected. In the Station 2 column, select the client that you just created. Leave Direction as the default (both directions), choose the destination in the Station 1 column to be the Forefront TMG computer, and then click OK.

  9. Click OK to close the Capture Filter dialog box.

  10. If there is a large amount of traffic between the two computers, you may need to increase the capture buffer. You can do this from the menu, by clicking Capture and selecting Buffer Settings. In the Capture Buffer Settings dialog box, increase the Buffer Size. Click OK.

  11. On the client, close all of the applications except for the one for which you want to capture a signature.

  12. From the Network Monitor menu, click Capture and select Start (or press F10).

  13. On the client computer, start the application. For example, sign in to Windows Live™ Messenger or AOL Instant Messenger.

  14. From the Network Monitor menu, click Capture, and select Stop and View (or press SHIFT+F11). Inspect the packets that were captured. Typically, the fourth packet (after the handshake packets SYN, SYN-ACK, and ACK) is an HTTP request packet from the client computer, which contains the information you are looking for, although you may have to look in later packets.

  15. Double-click the packet to view its details. Look for a unique signature related to the application you want to block. If the packet has been parsed properly by Network Monitor, you can view and click all of the headers separately in the details pane (the center pane) and see the full signature in the Hex pane (the bottom pane). Otherwise, you may have to search for the signature in the Hex pane.

Concepts

Configuring protection from web-based threats
Planning for HTTP filtering