TMG 2010 how to enforce URL filtering in browsers other than IE, e.g. Chrome, Firefox, Opera...

    Question

  • I have seen how the client automatically configures IE and I was wondering how I will be enforcing the use and automating the configuration on other browsers.
    Sunday, September 05, 2010 10:13 AM

Answers

  • Hi,

    enforcing URL filtering is independent from the Browser you use. Every browser I know supports configuring the browser to use Forefront TMG as a Web Proxy and when you create a Firewall rule which allows or denies specific URL categories from the TMG URL filtering, it should work.
    Is this your question or do you have specific problems?


    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Tuesday, September 07, 2010 8:17 AM

All replies

  • Hi,

    use WPAD with DHCP or DNS:
    http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol


    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Sunday, September 05, 2010 3:33 PM
  • Dear Marc, thanks for the reply, but that is for discovery; I needed a way of enforcing these configurations.
    Tuesday, September 07, 2010 7:53 AM
  • As per Marc's great comments above regarding automating the assignment of the web proxy settings, you can use additional FTMG rules for enforcing the web proxy use. Normally this is done by ensuring that users have to connect to the proxy service on whatever port you have specified in the FTMG configuration as opposed to being allowed out over the native TCP port 80.

    For example, in your web policy - after the deny rule used for categories...

    You could create a new protocol for TCP outbound on port 80 - port 80. Call it something like non-proxy-port-80.

    Add a new deny rule from internal to external and select the new protocol from the user-defined list of protocols.

    You will find that users who try to get to the internet through your FTMG server without using the proxy service will be blocked whereas users who try and access the web via the proxy settings will succeed (assuming they meet any additional rule criteria you may have set of course).

     


    Keith Alabaster - MVP/Forum Moderator
    Wednesday, September 08, 2010 12:56 PM
  • Keith, Secure-NAT users will also be intercepted and subject to all the rules too.  So I don't follow why you are trying to block "native TCP port 80"?

    Unless what you mean to do is reject non-authenticated users, but that can be more elegantly done by removing the "all users" item from the access rule and replacing with "authenticated users".

    Unless of course you have unhooked the Web Proxy Filter from the HTTP protocol.  In that case, your SNAT traffic will be un-intercepted and uninspected.  But this configuration is usually a mistake or the result of bad advice, so it's not really a valid state to run in.

    Or have I missed your point?

    Saturday, October 02, 2010 12:35 AM
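
The WPAD reply above points browsers at a proxy auto-config script, which IE, Chrome, Firefox and Opera all evaluate the same way. The following is an added example, not part of the original thread: a `wpad.dat` sketch that sends all Internet-bound requests to the TMG web proxy with no `DIRECT` fallback. The proxy name `tmg.corp.example`, port 8080 and the internal suffix `corp.example` are assumptions made for illustration.

```javascript
// wpad.dat / proxy.pac sketch (added example; all names below are constructed).
// Written in plain ES3-style JavaScript so older PAC engines can parse it.
var PROXY = "PROXY tmg.corp.example:8080"; // assumed TMG web proxy listener
var INTERNAL_DOMAIN = "corp.example";      // assumed internal DNS suffix

// True for dotted-quad literals in the RFC 1918 or loopback ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  if (a > 255 || b > 255 || +m[3] > 255 || +m[4] > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host is the internal domain itself or a name beneath it.
// Matching on ".corp.example" (with the dot) avoids treating
// "evilcorp.example" as internal.
function isInternalName(host) {
  var suffix = "." + INTERNAL_DOMAIN;
  if (host === INTERNAL_DOMAIN) return true;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Entry point that a PAC-aware browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT"; // single-label intranet names
  if (isInternalName(host)) return "DIRECT";
  if (isPrivateIPv4(host)) return "DIRECT";
  // No "; DIRECT" fallback here: Internet traffic is offered only the proxy,
  // so a browser never silently retries around the URL filtering rules.
  return PROXY;
}
```

A PAC file only tells a cooperating browser where to go; a user can still change the setting, so the enforcement itself comes from the TMG access rules discussed in the replies above.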