User Access Rule blocking all traffic

  • Question

  • Hello. Our issue is we set up a rule for specific users (also defined in a group) from the Domain to get full access to the internet, unfiltered except for Malware inspection. Basically, it is the first rule to allow specific users or a group access to the internet without any Content filtering, which is our second rule. We have an associated third rule, then the 4th rule is the 'default' rule to deny everything.

    Once we create the rule to allow traffic through by the specific users (or group), all internet access for all users stops. In the logs, it states the users are denied access by this rule. I saw that in the log, but did not note the field for 'user' to see if it was an anonymous or domain user that was blocked.

    If a domain user is logged in, I would expect him/her to be identified, applied to this rule, and then allowed through. If it is not one of the users I have specified or the users in the group specified, it should drop through to the second rule for all users to be content filtered. But all we get is all users are denied access by this rule.

    Our environment is: Windows 2003 Active Directory Domain Controller (Root), Windows 2008 Forefront TMG 64-bit server, that is it.

    I am wondering if the windows 2003 Active Directory Domain controller is not handshaking well with the 2008 Forefront TMG server and identifying the users in the domain for this policy? Or that all the HTTP and HTTPS requests are showing up as anonymous?

    Our desktop environment is Windows 7 Pro/Business.

    Let me know if anyone can help me identify why the first policy is blocking everyone?



    Sunday, August 29, 2010 5:29 PM

All replies

  • Hi,

    if you want to use user authentication in your Firewall rules on TMG, the clients must be Webproxy clients or have the TMG client installed. If the clients are configured as SecureNAT clients, user authentication will not work. Which type of client do you use?

    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Sunday, August 29, 2010 6:05 PM
  • Great, I wasn't sure if that was needed, but good to know. I have purchased the client Licenses (Forefront Client Security), but have not received them yet.

    The issue then becomes why no one gains access based on that rule. In the logs, they show up as 'anonymous'. The rule is for Domain Users to get open access, and it is the first rule of 4 rules. Why would the 'anonymous' not go by the first rule, and then get to the second rule, filtering the users for content types we specified in the 'To' tab of that rule? It simply says everyone is blocked using HTTP and HTTPS because of the first rule, in the logs.

    Let me know why the first rule is blocking everyone else?



    Monday, August 30, 2010 11:45 AM
  • Hi,

    1) BTW, to clarify this: You don't need Forefront Client Security for TMG. FCS is the Antivirus/Antimalware product from Microsoft. The TMG client is part of Forefront TMG to enhance the functionality of TMG.
    2) The first user (web browser) request is always anonymous; the browser will then switch to sending a request with authentication. If you create an allow rule for the Domain Users group, every member of the Domain Users group will flow through your first TMG rule. You have to put the rule with restricted access to specific content types or anything else above the global allow rule for your domain users.

    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Monday, August 30, 2010 4:42 PM
  • Can you use NTLM authentication to do this, without having the TMG client? Or is the client absolutely needed for the Domain users to be filtered or unfiltered appropriately?

    Also, does the Forefront Client Security have this ability, if you cannot do NTLM or don't want to use the TMG Client?

    Let me know. Thanks.


    Also, to clarify the situation for the rules:

    1. Currently, we want the teachers (Domain Group called Teachers or certain domain users) to get open access.

    2. We then want the rest of the Domain Users (the students) to be content filtered for various types of content.

    3. Then the Global Allow rule is defined to allow anybody to go anywhere.

    4. The last (4th) rule is deny access to everything from anywhere. (lock down the system when the prior rules are not accepted).


    It is the first rule where we specify the authentication of certain domain users (teachers) that we don't want filtering of anything on. They can go straight out. They will have the basic Malware Packet inspection, but that's about it. But we really care that if the Domain user is not a teacher, then we assume they are students, so we want all other traffic filtered appropriately for specific content types.

    Let me know.


    FYI- I installed the TMG Client on one PC, and all HTTP requests in the log still show as 'anonymous'. The web proxy client is by default turned on when you install TMG, so not sure why I can never see the domain\user show up in the logs, which would help to apply to the policy I am having issues with.


    Tuesday, August 31, 2010 2:28 PM
  • The easiest way I can think of to get this to work (and I have setup the TMG server in my test lab to confirm this works) is to use the proxy features of the TMG server to perform the Integrated Domain Authentication with an IE browser.

    1. Ensure you have a Web Access Policy established.
    2. In the outbound filter rule under the 'Web Access Policy Group' you will need to select the Users tab and make a few changes:
         - Remove 'All Users'
         - Add a user
               - Create a new group. I called mine 'Authenticated DOMAIN Users'
                    - within the edit window, click 'Add', select Windows users and groups..., change the location to your domain, type the group or list of users, save the changes
               - Select the newly created group
    3. Save the rule
    4. Apply the changes
    5. Right click on the Web Access Policy and select 'Configure (related) -> Web Proxy...
           - write down the HTTP port number used for the TMG proxy
    6. In the web browser (I used IE 8) go to Tools->Internet Options->Connections->Lan Settings
           - Check "Use a proxy server for your..."
           - Update the Address: with the IP address of your TMG server
           - Update the Port: with the port you wrote down in step #5
           - Check Bypass proxy server for local addresses
                - if you wish to specify your local subnets or internal websites to not use the proxy, click on advanced and update the large text box at the bottom with your proxy exclusions
    7. Apply the changes
    8. Verify that under Tools->Internet Options->Advanced that under the Security option group that "Enable Integrated Windows Authentication" is checked.
    9. Apply the changes if necessary
    10. Browse the DOMAIN authenticated rules from a browser with the proxy specified.

    If this works for you and you wish to make this more widespread, I would recommend updating your GPO policies to include these proxy settings, or else you will have to manually update each workstation with the values. At the very least I would suggest creating a registry file and merging it into the registry on each of these machines.

    Hope this helps.


    Wednesday, September 1, 2010 5:49 AM
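The walkthrough above ends with "create a registry file and merge it on each machine". The script below is an added example, not code from the thread or from Microsoft: it builds the per-user registry values that the IE "LAN settings" and "Advanced" dialogs write (steps 6 and 8), and either applies them with `winreg` on Windows or renders them as a `.reg` file for merging. The TMG address `192.0.2.1`, the port `8080` (TMG's default web proxy port; use the one you wrote down in step 5) and the bypass entry `*.school.local` are assumptions.

```python
"""Write the Internet Explorer proxy settings from the walkthrough as per-user
registry values, or render them as a .reg file to merge on each PC.
Added example, not from the thread; host, port and bypass list are assumed."""
import sys
from typing import Dict, Tuple

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def proxy_settings(tmg_host: str, tmg_port: int, bypass=()) -> Dict[str, Tuple[str, object]]:
    """Return {value name: (type, data)} for what the IE dialogs write.

    ProxyEnable=1     ticks "Use a proxy server for your LAN" (step 6)
    ProxyServer       is address:port from steps 5 and 6
    ProxyOverride     is the bypass list; "<local>" is the "Bypass proxy server
                      for local addresses" checkbox, the rest is the Advanced box
    EnableNegotiate=1 is "Enable Integrated Windows Authentication" (step 8);
                      without it IE does not answer TMG's 407 with Kerberos/NTLM
    """
    if not 1 <= tmg_port <= 65535:
        raise ValueError(f"bad port {tmg_port}")
    if ";" in tmg_host or ":" in tmg_host:
        raise ValueError("host must be a single address without a port")
    override = ";".join(("<local>",) + tuple(bypass))
    return {
        "ProxyEnable": ("DWORD", 1),
        "ProxyServer": ("SZ", f"{tmg_host}:{tmg_port}"),
        "ProxyOverride": ("SZ", override),
        "EnableNegotiate": ("DWORD", 1),
    }


def as_reg_file(values: Dict[str, Tuple[str, object]]) -> str:
    """Render the values as a regedit-importable .reg file (CRLF line endings)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[HKEY_CURRENT_USER\\{INTERNET_SETTINGS}]"]
    for name, (kind, data) in values.items():
        if kind == "DWORD":
            lines.append(f'"{name}"=dword:{data:08x}')
        else:
            escaped = str(data).replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'"{name}"="{escaped}"')
    return "\r\n".join(lines) + "\r\n"


def apply_to_current_user(values: Dict[str, Tuple[str, object]]) -> None:
    """Write the values directly into HKCU (Windows only); WinINet-based
    applications such as IE read them when they next start."""
    import winreg  # only present on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name, (kind, data) in values.items():
            reg_type = winreg.REG_DWORD if kind == "DWORD" else winreg.REG_SZ
            winreg.SetValueEx(key, name, 0, reg_type, data)


if __name__ == "__main__":
    # Assumed values: TMG internal address, default web proxy port, one internal DNS suffix.
    settings = proxy_settings("192.0.2.1", 8080, bypass=("*.school.local",))
    if sys.platform == "win32":
        apply_to_current_user(settings)
    else:
        sys.stdout.write(as_reg_file(settings))
```

One caveat worth keeping in mind when filling the bypass list: anything matched by `ProxyOverride` goes out without passing the TMG web proxy listener, so it is neither authenticated nor inspected by the rules discussed in this thread. Keep the list to internal subnets and hosts, and for a whole site prefer pushing these values through Group Policy rather than hand-merging the file.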
  • Hi,


    Thank you for the post.


    Is the TMG server in a single-homed environment?



    Nick Gu - MSFT
    Wednesday, September 1, 2010 8:34 AM
  • Thanks. Very detailed. I think I tried everything you had except #8. And agree, GPO settings would be the best way if this works.

    Super. Thanks. I'll try it today and get back to you on this.



    Wednesday, September 1, 2010 11:14 AM
  • This TMG Server is a single Edge-Firewall server. So, it sits at the end of the network and attaches to the cable modem. I joined it to the domain, so it is part of the domain. I added the 'Internal' network to know about our domain by selecting the domain from the domain controller.

    Let me know.



    Wednesday, September 1, 2010 11:16 AM
  • Hi,


    Thanks for the update.


    “I installed the TMG Client on one PC, and all HTTP requests in the log still show as anonymous” - Firewall client and SecureNAT client are not supported in a single network adapter configuration. By default, IE always sends the first request as anonymous, and since ISA requires authentication, ISA denies it. Then the next request with user credentials is allowed.


    Nick Gu - MSFT
    Thursday, September 2, 2010 8:35 AM
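Two points in this thread are easy to confuse when reading the TMG log: the anonymous first request that Nick Gu describes (denied with a 407 challenge by the first rule that carries a user set, then retried with credentials), and Marc Grote's warning that a broad allow rule for Domain Users placed above the content restriction lets every student through it. The model below is an added example, not code from the thread or from Microsoft: it reproduces TMG's first-match evaluation and the browser's two-step exchange in a few dozen lines. Rule names, accounts, group names and the MIME types standing in for the "To"-tab content types are constructed; the log tuples are a simplification of the real log columns. It assumes a web proxy client (or TMG client) on the workstation, since a SecureNAT client cannot answer the challenge and stays anonymous.

```python
"""Model of Forefront TMG first-match rule evaluation plus the two-step browser
exchange (anonymous request, HTTP 407 challenge, retry with credentials).
Added example, not from the thread; names, groups and content types are made up."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANONYMOUS = "anonymous"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    users: Optional[FrozenSet[str]] = None       # None means "All Users": no authentication needed
    content_types: FrozenSet[str] = frozenset()  # empty means any content; else only these


def evaluate(policy: List[Rule], account: str, groups: FrozenSet[str],
             content: str) -> Tuple[str, str]:
    """Walk the policy top to bottom and return (result, rule name).

    result is "allow", "deny" or "auth_required". The last one is what the
    thread is about: the first rule whose other elements match carries a user
    set, the request is anonymous, so TMG challenges (407) and logs that
    anonymous request as denied by this rule."""
    for rule in policy:
        if rule.content_types and content not in rule.content_types:
            continue
        if rule.users is not None:
            if account == ANONYMOUS:
                return "auth_required", rule.name
            if account not in rule.users and not (groups & rule.users):
                continue  # authenticated, but not one of this rule's users: fall through
        return rule.action, rule.name
    return "deny", "<default rule>"


def browse(policy: List[Rule], account: str, groups: FrozenSet[str],
           content: str) -> List[Tuple[str, str, str]]:
    """Simulate a web proxy client fetching one object; return the log lines
    (user, rule, result) TMG would write. The first line is always anonymous."""
    log = []
    result, rule = evaluate(policy, ANONYMOUS, frozenset(), content)
    if result != "auth_required":
        log.append((ANONYMOUS, rule, result))
        return log
    log.append((ANONYMOUS, rule, "denied (407 challenge)"))
    result, rule = evaluate(policy, account, groups, content)   # retry with credentials
    log.append((account, rule, result))
    return log


# Constructed stand-ins for the thread's Teachers / Domain Users groups and content types.
TEACHERS = frozenset({"DOMAIN\\Teachers"})
DOMAIN_USERS = frozenset({"DOMAIN\\Domain Users"})
BLOCKED_CONTENT = frozenset({"video/x-flv", "application/x-shockwave-flash"})

# The ordering the thread ends up with: specific allow, restricted deny, global allow, deny all.
SCHOOL_POLICY = [
    Rule("Teachers: full access", "allow", TEACHERS),
    Rule("Students: blocked content types", "deny", DOMAIN_USERS, BLOCKED_CONTENT),
    Rule("Global allow", "allow"),
    Rule("Deny all", "deny"),
]

# Marc's warning: a broad "Domain Users allow" above the restriction swallows every student.
WRONG_ORDER_POLICY = [
    Rule("Domain Users: full access", "allow", DOMAIN_USERS),
    Rule("Students: blocked content types", "deny", DOMAIN_USERS, BLOCKED_CONTENT),
    Rule("Global allow", "allow"),
    Rule("Deny all", "deny"),
]

if __name__ == "__main__":
    teacher = ("DOMAIN\\tjones", frozenset({"DOMAIN\\Domain Users", "DOMAIN\\Teachers"}))
    student = ("DOMAIN\\student1", frozenset({"DOMAIN\\Domain Users"}))
    for label, (account, groups), policy in (
            ("teacher, correct order", teacher, SCHOOL_POLICY),
            ("student, correct order", student, SCHOOL_POLICY),
            ("student, wrong order", student, WRONG_ORDER_POLICY)):
        print(label)
        for user, rule, result in browse(policy, account, groups, "video/x-flv"):
            print(f"  user={user:<18} rule={rule!r:<38} result={result}")
```

Read the output the way you would read the real log: the "anonymous ... denied" line from the first rule is expected and is not the verdict; the line that follows, with the domain account filled in, is. If that second line never appears, the client is not answering the challenge (SecureNAT, or Integrated Windows Authentication off in the browser), which is the situation the original poster described.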
  • No, this is not a single network adapter configuration. It is an edge firewall with 2 NIC cards.

    1 external, 1 internal.


    Friday, September 3, 2010 4:57 AM