Block https://www.facebook.com/ in Forefront TMG

    Question

  • Hi,

    We have Forefront TMG deployed in our office and I'm trying to create an access rule to block certain social networking sites such as facebook. I was able to block facebook using a deny rule on a URL set I created with http://www.facebook.com/* in it. However, users are still able to access facebook through https://www.facebook.com. HTTPS inspection is disabled and enabling it was not an option for me. I have tried creating a set of deny rules using domain name sets and an IP address range, but I was still able to access facebook through https.

    Here's my setup:

    Domain Name Set (FB Domain):

    facebook.com/*;*.facebook.com

    IP Address Range (FB address):

    69.63.181.16
    69.63.181.11
    69.63.189.12
    66.220.153.11 (https ip address used by fb)

    URL Set (Social Net):

    http://www.facebook.com/*; (plus other blocked sites)


    So I created the 3 deny rules separately and I also added a redirection to somewhere for me to see which deny rule matches/applies.

    ---------------------------------------------------------------------------
         Action   Name                     Condition   From       To
    ---------------------------------------------------------------------------
    1    allow    VPN                      all users   -------    -----
    2    deny     deny Domain Name Set     all users   internal   FB Domain
    3    deny     deny Address range       all users   internal   FB Address
    4    deny     deny Social Net Sites    all users   internal   Social Net
    .....other rules
    n    allow    internet access          all users   internal   external
    ---------------------------------------------------------------------------

    We also have a group policy that sets the FTMG as the default proxy for IE browsers. I don't know if I have configured the rules incorrectly, because facebook can still be accessed. Enabling HTTPS inspection must be the best way to address this problem, but still I would like it to be the last resort.

    Can someone please tell me any detail I missed or any setting configured incorrectly? It's just not working. All the rules would mean nothing if users are still able to access facebook.


    -Ron

    Thursday, February 03, 2011 5:03 AM

All replies

  • Hi,

    To block HTTPS websites, follow the instructions in this guide:
    http://technet.microsoft.com/en-us/library/cc302531.aspx
    The URL does not have a path specified.
    HTH


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    • Marked as answer by bertongbadtrip Friday, February 04, 2011 12:15 AM
    Thursday, February 03, 2011 6:21 AM
    Thanks Marc. I'll double check my entries and put in the correct URL set and domain name set for the sites I want to block. Would it be correct to say that to completely block access to facebook.com, all I have to do is deny all internal traffic/requests to the domain *.facebook.com?

    Thanks again.

    Thursday, February 03, 2011 8:02 AM
    Do you have the HTTPS protocol in your deny rule as well?
    There should not be a problem denying HTTP and HTTPS traffic to "Online Communities" and by doing that blocking https://www.facebook.com.
    Thursday, February 03, 2011 3:51 PM
  • Hi,

    Yes, this should be the correct way. Create a firewall rule which denies requests to https://www.facebook.com for your users and place this rule above the allow rule for HTTP/HTTPS.
    You should also have a look into the real-time logging of TMG to see which Firewall Policy rule matches this traffic.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Thursday, February 03, 2011 3:57 PM
  • Hi,

    Yes, it's a deny rule for HTTP/HTTPS. I also placed it above the allow rule for HTTP/HTTPS. I finally got it working. I had to put in the right entries in the domain name set and also in the URL set. Once configured properly, FTMG was able to block even https requests. Thank you so much for all the help. I'll go take a look at the logs and study them.

    Ron

    Friday, February 04, 2011 12:29 AM
  • Hi

    Unfortunately my rule to redirect requests for https://www.facebook.com is still not working. What were the right entries for your "Domain name set" and "URL set" that worked for you? The http requests to facebook are redirected to a custom deny page; the https requests are getting the standard "page cannot be displayed" page.

    Wednesday, February 16, 2011 9:55 AM
  • hi,

    Actually I'm experiencing the same thing myself. I can redirect all http requests, but when it comes to https, I'm just getting the "page cannot be displayed" page. I'm practically blocking domains that are against our IT policy, so I did not include URL sets anymore since I think they are redundant.

    Thursday, February 17, 2011 7:35 AM
  • Hi Marc,

    I'm trying to find a way to optimize my firewall rules so that later on I'd be sure that no rule would be in conflict with any other rule. Also I'd like to make sure that TMG would be able to log user credentials (authenticated users) properly but would not affect anonymous traffic like, for example, Windows Updates etc. So I'm thinking of arranging the web access rules this way:

    allow authenticated users from computer to external --------->(for VIP's)

    deny authenticated users from internal to restricted sites/domains

    allow authenticated users from internal to external---->(allow internet)

    allow all users from internal to external ---------->(anonymous traffic)

    -----------------------------------------------------------------------------------------

    deny all users from all networks to all networks---->(default firewall rule)


    Am I setting these rules correctly? I'm also having problems when using authenticated users. Users are always asked to authenticate with the server. This happens on Windows 7 workstations. I have set default settings for IE. I'm also using a GPO to set the IE proxy settings, and "use HTTP 1.1 over proxy" is enabled. In the firewall settings, I've set authentication to integrated.

    One user, for example, is using Yahoo Messenger. Every time he opens YM, the user is asked for his credentials and it just keeps popping up. So for now, I'm using all users and not all authenticated users for my rules. In the TMG logs, all client usernames are anonymous. I'm not sure what I missed in my configuration. Your help is greatly appreciated.

    ron

    • Proposed as answer by mikerysenbry Friday, July 29, 2011 4:14 AM
    Friday, February 25, 2011 3:12 AM
    Hi Amigo. The explanation for the authentication issues is as follows: when TMG is evaluating the rules and finds one for a specific user or group, it will request the user to send credentials, because it has to know if the connection comes from that particular user. For your four rules above, there is going to be no anonymous navigation, because the first rule will always ask the user for credentials. If the credentials are not sent, TMG will block the connection without evaluating the remaining rules.


    // Raúl - I love this game
    Friday, February 25, 2011 9:00 PM
  • hi,

    So TMG just finds the first rule that matches a specific request and then ignores all other rules below it. So how do I make sure that TMG would be able to capture all the users in my AD without blocking anonymous requests at the same time? If I put the anonymous access rules above the authenticated rules, then there would be no authenticated navigation. Is it best practice to put both all users and all authenticated users together in one rule?

    Ron

    Monday, February 28, 2011 12:15 AM
  • Hi Mark,

    Does it mean that URL categories do not block HTTPS sites? Do I need outbound HTTPS inspection to make this work? With the domain name set *.facebook.com it works great; however, the redirection doesn't work, it just says "Page cannot be displayed".

    Any ideas on this?

    In advance thank you

    Bujar

    Wednesday, December 14, 2011 10:45 AM
  • Try blocking www.www.facebook.com as they have registered that as a domain.

    I'm sure this should resolve.

    Wednesday, December 21, 2011 9:14 AM
  • Hi There

    Can you please help me setup my tmg to block https://www.facebook.com.

    Regards

    chris


    c jefferies

    Tuesday, July 17, 2012 11:04 AM
  • I do the same thing, only I do not block them, I just redirect them to our homepage. What this means, is that on some websites that use Facebook plug-in features, you would see a "Banner ad" style box of my homepage. If you just block the site, your users will see blank space. Just be aware of that.

    Create a custom URL set, and make sure these domains are included:

    *.facebook.com

    facebook.com

    *.facebook.net

    facebook.net

    The "*." covers any URL links that have www.facebook, whereas the ones without it cover http://facebook.com. TMG treats them as 2 different domains, so be sure you add both. Facebook.net is a new part of their domain. I see this a lot on other websites that try to pull your Facebook status in order to let you comment on or share news articles.

    In your rule, make sure you specify HTTP, HTTPS and FTP protocols.

    I saw another person on a different forum have this in their URL set, which might be overkill:

    http://www.facebook.com/*
    http://facebook.com/*
    http://*.facebook.com/*
    https://*.facebook.com/*
    https://facebook.com/*
    http://facebook.com
    http://www.facebook.com
    https://facebook.com
    https://www.facebook.com
    https://www.facebook.com/*
    facebook.com
    *.facebook.com
    http://facebook.net
    http://*.facebook.net
    http://facebook.net/*
    http://*.facebook.net/*
    http://www.facebook.net
    http://www.facebook.net/*

    Try it out though, and see what works best for you. I still think it is absurd that TMG forces you to create duplicate entries for domains because it can't differentiate between http://website.com and http://www.website.com

    Tuesday, July 17, 2012 12:07 PM
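    As an added example (not TMG's code and not from any poster in this thread), the following Python models the first-match evaluation Marc and Raúl describe above and the Domain Name Set versus URL Set behaviour from the last post. Its assumptions are stated in the comments: an uninspected HTTPS request is visible to the proxy only as "https://<host>", wildcard entries match with shell-style globbing, and a rule limited to authenticated users blocks an anonymous request that reaches it.

    ```python
    # Added example, not TMG's own code: a simplified first-match model of the
    # policy discussed in this thread. Assumptions (not TMG internals): without
    # HTTPS inspection the proxy sees an HTTPS request only as "https://<host>"
    # (no path); Domain Name Set entries match the host with shell wildcards, so
    # "*.facebook.com" and "facebook.com" are distinct; a rule limited to
    # authenticated users blocks an anonymous request that reaches it.
    from fnmatch import fnmatchcase
    from urllib.parse import urlsplit

    def visible_url(url, https_inspection=False):
        u = urlsplit(url)
        if u.scheme == "https" and not https_inspection:
            return f"https://{u.hostname}"          # tunnel: host only, no path
        return url

    def dest_matches(rule, url, https_inspection=False):
        if rule["to"] == "external":
            return True
        kind, entries = rule["to"]
        if kind == "domain":                        # Domain Name Set: host only
            host = urlsplit(url).hostname
            return any(fnmatchcase(host, e) for e in entries)
        seen = visible_url(url, https_inspection)   # URL Set: what the proxy sees
        return any(fnmatchcase(seen, e) for e in entries)

    def evaluate(rules, url, user=None, https_inspection=False):
        """Return (action, rule name) from the first rule that applies."""
        proto = urlsplit(url).scheme.upper()
        for r in rules:
            if proto not in r["protocols"]:
                continue
            if not dest_matches(r, url, https_inspection):
                continue
            if r["users"] == "authenticated" and user is None:
                return ("deny", r["name"])          # credentials requested, none sent
            return (r["action"], r["name"])
        return ("deny", "default rule")

    WEB = {"HTTP", "HTTPS"}
    # Ron's first attempt: URL Set holding only an http:// entry.
    ORIGINAL = [
        {"name": "deny Social Net Sites", "action": "deny", "users": "all",
         "protocols": WEB, "to": ("url", ["http://www.facebook.com/*"])},
        {"name": "internet access", "action": "allow", "users": "all",
         "protocols": WEB, "to": "external"},
    ]
    # Working version: Domain Name Set with both forms, HTTPS in the rule.
    FIXED = [
        {"name": "deny FB Domain", "action": "deny", "users": "all",
         "protocols": WEB, "to": ("domain", ["*.facebook.com", "facebook.com"])},
        ORIGINAL[1],
    ]
    ```

    Running `evaluate` with the ORIGINAL list shows the https request slipping through to the allow rule, while FIXED denies both www.facebook.com and the bare facebook.com.
    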
    Please,

    how can I allow https://www.facebook.com/ in Forefront TMG?

    I need a URL set to allow facebook only and deny any other traffic.

    Please help me.


    Saturday, September 28, 2013 10:16 AM
  • I'm confused.

    Why are you not using the Content Filtering tools built into TMG?

    All I did was include Online Communities to Blocked Web Destinations.

    Monday, September 30, 2013 2:06 PM
  • hi all, 

    I am having very similar issue at the moment. 

    I have configured the FTMG 2010 correctly with one NIC, serving as URL filtering and web proxy.

    Under Web Access Policy I created Access Rule (1) for a domain_set to block *.facebook.com and facebook.com, and rule (2) for URL_sets http://facebook.com and https://*.facebook.com.

    Both rules are at no. 1 and no. 2 respectively within WEB ACCESS POLICY; I have no policy on the firewall except RDP for remote access within the LAN only.

    I've read carefully the rules available at - http://technet.microsoft.com/en-us/library/cc302531.aspx 

    Results:

    1. Clients accessing http://facebook.com are blocked, including many other URL and domain_sets that I have provided.

    2. However, if clients use https:// they will bypass the URL filtering.

    Please help. 

    Thanks

    Rico 

    Friday, February 14, 2014 10:59 AM
  • In this case you should enable Outbound SSL Inspection, check the following article.

    http://www.isaserver.org/articles-tutorials/configuration-general/Outbound-SSL-Inspection-TMG-Firewalls-Part1.html

    b.


    Sunday, February 16, 2014 10:06 PM