Defining exemptions to malware inspection

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to exclude network entities from malware inspection scans.

You can exclude sources and destinations, as follows:

  • Excluding sources—The main reason for excluding sources from malware inspection is to avoid scanning content more than once, which has a performance cost and is problematic in some scenarios. A typical scenario is when content is scanned for malware by a downstream proxy. In such a case, you should configure the upstream proxy to exclude from scanning all requests coming from the downstream proxy.

  • Excluding destinations—The two main reasons for excluding destinations from malware inspection are to improve performance by the exclusion of trusted sites, and to solve compatibility issues.

The following procedure describes how to exempt destinations and sources from malware inspection.

To specify destinations and sources exempt from malware inspection

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. On the Tasks tab, click Configure Malware Inspection.

  3. Click the Destination Exceptions tab or the Source Exceptions tab, and then click Add.

  4. In the Add Network Entities dialog box, click New, and then select the exempted network objects. You can specify an entire network, computers or IP addresses, or domain name sets and URL sets. If you select domain names, ensure they can be resolved by Domain Name System (DNS).

  5. To modify the default domain set (destination exemptions only) or other exempted network objects, select the appropriate entry, and then click Edit.

  6. To remove sites from the exemption list, select the appropriate entry, and then click Remove.

  7. When you have finished, click OK, and then on the Apply Changes bar, click Apply.

Configuring malware inspection with Web proxy chaining

In a Web proxy chaining deployment, enabling malware inspection on both an upstream and a downstream Forefront TMG server is not supported. If you have such a deployment, you must make sure malware inspection is enabled on only one of the two servers, either the upstream server or the downstream server, as follows:

  • Configuration required when malware inspection is enabled on the upstream server:

    Perform the following two steps:

    1. When using Web proxy chaining, the identity of each client is known to the downstream server, but not propagated to the upstream server. As a result, all requests from users behind the downstream server share the same temporary storage limit on the upstream server. To prevent downstream users from consuming all of this relatively small temporary storage limit, add the downstream server to the computer set on the upstream server. To do this, open the Forefront TMG Management console on the upstream server. In the tree, click the Intrusion Prevention System node, and on the Behavioral Intrusion Detection tab, click Configure Flood Mitigation Settings. On the IP Exceptions tab, click Add, and add the downstream server to the list.

    2. Disable malware inspection on the downstream server, or on the Web chaining rule.

  • Configuration required when malware inspection is enabled on the downstream server:

    Do one of the following:

    • Disable malware inspection on the upstream server.

    • Exclude traffic originating behind the downstream server from inspection by the upstream server. To do this, open the Forefront TMG Management console on the upstream server. In the tree, click the Web Access Policy node, and on the Tasks tab, click Configure Malware Inspection. On the Source Exceptions tab, click Add, and exclude the downstream server from malware inspection.
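The exemption logic that the procedure above configures, together with the chaining case in which the upstream server exempts requests relayed by the downstream server, as an added Python model that is not part of this topic or of Forefront TMG; the addresses, domain names and matching rules are assumptions, simplified from the product's network objects, and the resolver hook stands in for the DNS resolution the topic says domain names require:

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch
from urllib.parse import urlparse


@dataclass
class MalwareInspectionExemptions:
    """Constructed model of the Source/Destination Exceptions lists (not the TMG object model)."""
    source_networks: list = field(default_factory=list)  # computers, IP addresses or networks
    dest_networks: list = field(default_factory=list)
    dest_domains: list = field(default_factory=list)     # domain name set, e.g. "*.contoso.example"
    dest_urls: list = field(default_factory=list)        # URL set, e.g. "http://dl.contoso.example/*"

    @staticmethod
    def _in_networks(ip_text, networks):
        ip = ipaddress.ip_address(ip_text)  # raises ValueError for a host name
        return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

    def source_exempt(self, client_ip):
        # Source exceptions: requests arriving from these addresses are not scanned.
        return self._in_networks(client_ip, self.source_networks)

    def destination_exempt(self, url, resolve=None):
        host = (urlparse(url).hostname or "").lower()
        # A domain set entry "*.x" covers x itself and every name under it.
        if any(fnmatch(host, d.lower()) or host == d.lower().lstrip("*.") for d in self.dest_domains):
            return True
        if any(fnmatch(url.lower(), u.lower()) for u in self.dest_urls):
            return True
        try:
            return self._in_networks(host, self.dest_networks)
        except ValueError:
            # A named host only matches a computer/IP exemption if DNS can resolve it.
            return resolve is not None and self._in_networks(resolve(host), self.dest_networks)

    def should_inspect(self, client_ip, url, resolve=None):
        return not (self.source_exempt(client_ip) or self.destination_exempt(url, resolve))


# Constructed chaining scenario: inspection is enabled only on the downstream proxy, so the
# upstream proxy lists the downstream proxy's (hypothetical) address in Source Exceptions
# and exempts a trusted (hypothetical) update site in Destination Exceptions.
DOWNSTREAM_PROXY_IP = "10.0.1.10"
upstream = MalwareInspectionExemptions(
    source_networks=[DOWNSTREAM_PROXY_IP],
    dest_domains=["*.update.contoso.example"],
)
```

With this configuration a request relayed by the downstream proxy is scanned once (downstream), while a request from any other client behind the upstream server is still scanned unless its destination is exempt.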

Concepts

Configuring malware inspection
Planning to protect against malicious web content