Block in Forefront TMG

  • Hi,

    We have Forefront TMG deployed in our office and I'm trying to create an access rule to block certain social networking sites such as facebook. I was able to block facebook using a deny rule on a URL set I created with * within it. However, users are still able to access facebook through https. Inspection is disabled and enabling it was not an option for me. I have tried creating a set of deny rules using domain name sets and an ip address range, but still I was able to access facebook thru https.

    Here's my setup:

    Domain Name Set (FB Domain):*;*

    IP Address Range (FB address): (https ip address used by fb)

    URL Set (Social Net):*; (plus other blocked sites)

    So I created the 3 deny rules separately and I also added redirection to somewhere for me to see which deny rule matches/applies.

         Action   Name                    Condition   From       To
    1    allow    VPN                     all users   -------    -----
    2    deny     deny Domain Name Set    all users   internal   FB Domain
    3    deny     deny Address range      all users   internal   FB Address
    4    deny     deny Social Net Sites   all users   internal   Social Net
    .....other rules
    n    allow    internet access         all users   internal   external

    We also have a group policy that sets the FTMG as the default proxy for IE browsers. I don't know if I have configured the rules incorrectly because facebook can still be accessed. Enabling HTTPS inspection must be the best way to address this problem, but still I would like it to be the last resort.

    Can someone please tell me any detail I missed out or any setting configured incorrectly? It's just not working. All the rules would mean nothing if users are still able to access facebook.

    Thursday, February 03, 2011 5:03 AM

All replies

  • Hi,

    to block HTTPS websites follow the instructions in this guide:

    regards Marc Grote aka Jens Baier - - -
    • Marked as answer by bertongbadtrip Friday, February 04, 2011 12:15 AM
    Thursday, February 03, 2011 6:21 AM
  • Thanks Marc. I'll double check my entries and put in the correct URL set and domain name for the sites I want to block. Would it be correct to say that to completely block access to, all I have to do is to deny all internal traffic/requests to the domain *

    Thanks again.

    Thursday, February 03, 2011 8:02 AM
  • Do you have the HTTPS protocol in your deny rule as well?
    There should not be a problem to deny HTTP and HTTPS traffic to "Online Communities" and by doing that block
    Thursday, February 03, 2011 3:51 PM
  • Hi,

    Yes, this should be the correct way. Create a Firewall rule which denies requests to for your users and place this rule above the allow rule for HTTP/HTTPS.
    You should also have a look into the realtime logging of TMG to see which Firewall Policy rule matches this traffic

    regards Marc Grote aka Jens Baier - - -
    Thursday, February 03, 2011 3:57 PM
  • Hi,

    Yes, it's a deny rule for http/https. I also placed it above the allow rule for http/https. I finally got it working. I had to put in the right entries in the domain name set and also in the URL set. Once configured properly, FTMG was able to block even https requests. Thank you so much for all the help. I'll go take a look at the logs and study it.

    Friday, February 04, 2011 12:29 AM
  • Hi,

    Unfortunately my rule to redirect requests for is still not working. What were the right entries for your "Domain name set" and "url set" that worked for you? The http requests to facebook are redirected to a custom deny page; the https requests are getting the standard "page cannot be displayed" page.

    Wednesday, February 16, 2011 9:55 AM
  • Hi,

    Actually I'm experiencing the same thing myself. I could redirect all http requests, but when it comes to https, I'm just getting the "page cannot be displayed" page. I'm practically blocking domains that are against our IT policy, so I did not include url sets anymore since I think it's redundant.

    Thursday, February 17, 2011 7:35 AM
  • Hi Marc,

    I'm trying to find a way to optimize my firewall rules so that later on I'd be sure that no rules would be in conflict with any other rules. Also I'd like to make sure that TMG would be able to log user credentials (authenticated users) properly but will not affect anonymous traffic like, for example, windows updates etc. So I'm thinking of arranging the web access rules this way:


    allow authenticated users from computer to external --------->(for VIP's)

    deny authenticated users from internal to restricted sites/domains

    allow authenticated users from internal to external---->(allow internet)

    allow all users from internal to external ---------->(anonymous traffic)


    deny all users from all networks to all networks---->(default firewall rule)


    Am I setting these rules correctly? I'm also having problems when using authenticated users. Users are always asked to authenticate with the server. This happens to windows 7 workstations. I have set default settings for IE. I'm also using GPO to set IE proxy settings and the "use HTTP 1.1 over proxy" is enabled. On the firewall settings, I've set authentication to integrated.

    One user, for example, is using yahoo messenger. Every time he opens ym, the user is being asked for his credentials and it just keeps popping up. So for now, I'm using all users and not the all authenticated users for my rules. In the TMG logs, all client usernames are anonymous. I'm not sure what I missed in my configurations. Your help is greatly appreciated.

    • Proposed as answer by mikerysenbry Friday, July 29, 2011 4:14 AM
    Friday, February 25, 2011 3:12 AM
  • Hi Amigo. The explanation for the authentication issues is as follows: when TMG is evaluating the rules and finds one for a specific user or group, then it will request the user to send credentials because it has to know if the connection comes from that particular user. For your four rules above, there is going to be no anonymous navigation because the first rule will always ask the user for credentials. If the credentials are not sent, TMG will block the connection without evaluating the remaining rules.

    // Raúl - I love this game
    Friday, February 25, 2011 9:00 PM
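The first-match evaluation described in the reply above, run against the rule order proposed two posts earlier, as an added illustration that is not part of the thread and not TMG's own code. It is a toy model: rule names, the `vip-pc` machine and the sample requests are constructed, and it assumes that a rule's network and destination conditions are checked first and that a rule scoped to authenticated users then demands credentials, refusing a client that sent none without consulting any rule below. The second policy is the alternative the follow-up question raises (anonymous allow placed first).

```python
"""Toy first-match policy evaluator (added example, not TMG code)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    src_net: str                    # network the client sits in, e.g. "internal"
    dest: str                       # destination already resolved to a set name, or "external"
    user: Optional[str] = None      # None means the client sent no credentials
    src_host: Optional[str] = None  # client machine name, for computer-scoped rules


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    users: str    # "all" or "authenticated"
    src: str      # "all", a network name, or "computer:<host>"
    dst: str      # "all", "external", or a destination set name


def conditions_match(rule: Rule, req: Request) -> bool:
    """Source/destination conditions; checked before the user condition (model assumption)."""
    src_ok = rule.src in ("all", req.src_net, f"computer:{req.src_host}")
    dst_ok = rule.dst in ("all", req.dest)
    return src_ok and dst_ok


def evaluate(policy: Sequence[Rule], req: Request) -> Tuple[str, str]:
    """Walk the ordered policy; the first rule whose conditions match decides.

    Returns (rule name, outcome) with outcome 'allow', 'deny' or 'auth_required'.
    'auth_required' means a rule for authenticated users was reached by a client
    that sent no credentials: the request is refused there and nothing further
    down is consulted, which is the behaviour the reply above describes.
    """
    for rule in policy:
        if not conditions_match(rule, req):
            continue
        if rule.users == "authenticated" and req.user is None:
            return rule.name, "auth_required"
        return rule.name, rule.action
    return "implicit default", "deny"


# Ordering proposed earlier in the thread (rule names constructed).
PROPOSED_POLICY = [
    Rule("VIP", "allow", "authenticated", "computer:vip-pc", "external"),
    Rule("restricted sites", "deny", "authenticated", "internal", "restricted"),
    Rule("internet access", "allow", "authenticated", "internal", "external"),
    Rule("anonymous traffic", "allow", "all", "internal", "external"),
    Rule("default", "deny", "all", "all", "all"),
]

# The alternative raised in the follow-up: the anonymous allow placed first.
ANONYMOUS_FIRST_POLICY = [
    PROPOSED_POLICY[3], PROPOSED_POLICY[1], PROPOSED_POLICY[2], PROPOSED_POLICY[4],
]

# Constructed sample requests.
SAMPLE_REQUESTS = [
    ("Windows Update, no credentials", Request("internal", "external")),
    ("alice browsing", Request("internal", "external", user="alice")),
    ("alice to a restricted site", Request("internal", "restricted", user="alice")),
    ("VIP machine, no credentials", Request("internal", "external", src_host="vip-pc")),
]

if __name__ == "__main__":
    for title, policy in (("proposed order", PROPOSED_POLICY),
                          ("anonymous allow first", ANONYMOUS_FIRST_POLICY)):
        print(f"== {title} ==")
        for label, req in SAMPLE_REQUESTS:
            rule, outcome = evaluate(policy, req)
            print(f"  {label:32} -> {outcome:13} (matched: {rule})")
```

With the proposed order, a credential-less client such as Windows Update reaches "internet access", is challenged there and is refused; with the anonymous allow first, every internal-to-external request matches that rule, so the proxy never challenges anyone and the log records every user as anonymous. Which rule matched is exactly the field to read in TMG's real-time logging, as suggested earlier in the thread.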
  • Hi,

    So TMG just finds the first rule that matches a specific request, then ignores all other rules below it. So how do I make sure that TMG would be able to capture all the users in my AD without blocking anonymous requests at the same time? If I put the anonymous access rules above authenticated rules, then there would be no authenticated navigation. Is it best practice to put both all users and all authenticated users together on one rule?

    Monday, February 28, 2011 12:15 AM
  • Hi Mark,

    Does it mean that URL categories do not block HTTPS sites? Do I need outbound HTTPS inspection to make this work? With domain name sets * it works great; however, the redirection doesn't work, it just says "Page cannot be displayed".

    Any ideas on this?

    In advance thank you


    Wednesday, December 14, 2011 10:45 AM
  • Try blocking as they have registered that as a domain.

    I'm sure this should resolve.

    Wednesday, December 21, 2011 9:14 AM
  • Hi There

    Can you please help me set up my TMG to block

    c jefferies

    Tuesday, July 17, 2012 11:04 AM
  • I do the same thing, only I do not block them, I just redirect them to our homepage. What this means is that on some websites that use Facebook plug-in features, you would see a "Banner ad" style box of my homepage. If you just block the site, your users will see blank space. Just be aware of that.

    Create a custom URL set, and make sure these domains are included:


    The "*." covers any URL links that have www.facebook, whereas the ones without it cover http:/ TMG treats them as 2 different domains, so be sure you add both. is a new part of their domain. I see this a lot on other websites that try to pull your Facebook status in order to let you comment or share news articles.

    In your rule, make sure you specify HTTP, HTTPS and FTP protocols.

    I saw another person on a different forum have this in their URL set, which might be overkill:**

    Try it out though, and see what works best for you. I still think it is absurd that TMG forces you to create duplicate entries for domains because it can't differentiate between and

    Tuesday, July 17, 2012 12:07 PM
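The two points that keep coming up in this thread, why a "*." entry and a bare-domain entry are separate (the post above) and why URL-set rules that catch plain HTTP let HTTPS through and cannot show a redirect page (the earlier redirect and "page cannot be displayed" posts), as an added model that is not part of the thread and not TMG's own code. It assumes a generic forward proxy with HTTPS inspection off: a plain HTTP request carries the full URL, while an HTTPS request arrives as `CONNECT host:443`, so the proxy sees only the hostname and can at most form `https://host/`; the path stays inside the encrypted tunnel. `example.com`, the sets and the redirect page are constructed stand-ins for the entries the posts lost.

```python
"""Proxy-view model: domain name sets vs URL sets, HTTP vs HTTPS CONNECT (added example)."""
from fnmatch import fnmatchcase
from typing import Dict, Sequence, Tuple


def host_matches(pattern: str, host: str) -> bool:
    """Domain name set entry semantics as the post above describes them:
    '*.example.com' covers any subdomain (www., m., static.) but not the bare
    apex; a bare 'example.com' entry covers only itself. Both are needed."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # suffix ".example.com"
    return host == pattern


def domain_set_hit(entries: Sequence[str], host: str) -> bool:
    return any(host_matches(p, host) for p in entries)


def url_set_hit(entries: Sequence[str], seen_url: str) -> bool:
    """URL set entries are scheme+host+path wildcards, compared against the
    URL the proxy could actually see."""
    return any(fnmatchcase(seen_url.lower(), p.lower()) for p in entries)


def proxy_view(request_line: str) -> Tuple[str, str]:
    """Return (host, url as the proxy sees it) for a request line.
    CONNECT carries only host:port, so the best the proxy can reconstruct is
    'https://host/' with no real path (model assumption, inspection off)."""
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0]
        return host, f"https://{host}/"
    host = target.split("//", 1)[1].split("/", 1)[0].split(":")[0]
    return host, target


def decide(request_line: str, domain_set: Sequence[str], url_set: Sequence[str],
           redirect_to: str = "http://intranet.example/blocked") -> Dict[str, object]:
    """Apply a deny-with-redirect rule built from the two sets and report what
    the client ends up seeing. A refused CONNECT has no HTTP page to render,
    so the browser shows its own error page instead of the redirect target."""
    host, seen_url = proxy_view(request_line)
    blocked = domain_set_hit(domain_set, host) or url_set_hit(url_set, seen_url)
    if not blocked:
        client_sees = "page loads"
    elif request_line.upper().startswith("CONNECT"):
        client_sees = "tunnel refused; browser shows its own error page"
    else:
        client_sees = f"redirected to {redirect_to}"
    return {"host": host, "seen_url": seen_url, "blocked": blocked, "client_sees": client_sees}


# Constructed sets and requests.
DOMAIN_SET_BOTH = ["*.example.com", "example.com"]
URL_SET_HTTP_ONLY = ["http://*.example.com/*"]
URL_SET_HTTP_AND_HTTPS = ["http://*.example.com/*", "https://*.example.com/*"]
REQUESTS = [
    "GET http://www.example.com/feed HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT example.com:443 HTTP/1.1",
]

if __name__ == "__main__":
    for label, dset, uset in (("URL set, http only", [], URL_SET_HTTP_ONLY),
                              ("URL set, http + https", [], URL_SET_HTTP_AND_HTTPS),
                              ("domain set, '*.' entry only", ["*.example.com"], []),
                              ("domain set, both entries", DOMAIN_SET_BOTH, [])):
        print(f"== {label} ==")
        for line in REQUESTS:
            r = decide(line, dset, uset)
            print(f"  {line:42} seen={r['seen_url']:28} blocked={r['blocked']!s:5} {r['client_sees']}")
```

A URL set written only with `http://` entries never matches the `https://host/` the proxy sees for a tunnel, which is the bypass described in the thread; adding an `https://*.example.com/*` entry, or using a domain name set, blocks the tunnel, but an entry with a path such as `https://www.example.com/games/*` can never match without inspection because the path is never visible. Either way a blocked HTTPS request ends as a refused tunnel, so the custom deny page only ever appears for plain HTTP.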
  • Please,

    how can I allow in Forefront TMG?

    I need a url set to allow facebook only and deny any traffic.

    Please help me.

    Saturday, September 28, 2013 10:16 AM
  • I'm confused.

    Why are you not using the Content Filtering tools built into TMG?

    All I did was include Online Communities to Blocked Web Destinations.

    Monday, September 30, 2013 2:06 PM
  • Hi all,

    I am having a very similar issue at the moment.

    I have configured correctly the FTMG 2010 with one NIC serving as URL filtering and web proxy.

    Under Web Access Policy I created 'Access Rule' for (1) for domain_set to block *, and rule (2) for URL_sets, https://* 

    Both rules are on no#1 and no#2 respectively within WEB ACCESS POLICY, I have no policy on firewall except RDP for remote access within LAN only.

    I've read carefully the rules available at - 


    1. Clients accessing are blocked, including many other URL and domain_sets that I have provided.

    2. However, if clients use https:// they will bypass the URL filtering.

    Please help.

    Friday, February 14, 2014 10:59 AM
  • In this case you should enable Outbound SSL Inspection, check the following article.
    Sunday, February 16, 2014 10:06 PM