TMG edge firewall

  • Question

  • I have successfully installed and configured TMG 2010 as an edge firewall. Now the problem is that without the proxy settings all the client PCs and laptops get internet access, and they get full internet access, even though I have created a web access policy to block some websites. Please help me...
    Thursday, October 30, 2014 10:55 AM

Answers

  • Ok, I think I know the answer :)

    TMG can only apply URL filtering for certain web destinations (e.g. Domain Name Sets or URL Sets) when the web request is made to the TMG. So, if you use a Proxy Server, the TMG will make the request on behalf of the client, also resolving the hostname and doing URL filtering. If a client does not use a Proxy Server, it does the DNS query itself, it will just route to that website and TMG will only see a source and destination IP address. The following applies:

    • If you use a Proxy Server you are connected as a Web Proxy Client. URL filtering is applied properly.
    • If you do not use a Proxy Server and pass through the Proxy Server within a hop, you are connected as a SecureNAT Client. URL filtering cannot be applied to a SecureNAT Client.

    The only way to force URL filtering is by using a Proxy Server and requiring authentication. Only a Web Proxy Client can authenticate; a SecureNAT Client cannot authenticate and will be blocked.

    I hope this makes more sense.


    Boudewijn Plomp | BPMi Infrastructure & Security

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".


    Thursday, October 30, 2014 4:03 PM
  • Hi,

    so you are not using URL filtering.

    The reason for this is that half of what Boudewijn says applies to your situation.

    When using proxy on client:

    Client sends a request to the proxy for www.microsoft.com (e.g. GET www.microsoft.com) and TMG resolves the name to an IP and requests the content on behalf of the client and returns said content. If the site is in the blocked list, then the request from the client is denied.

    When NOT using proxy on client:

    Client resolves the name www.microsoft.com itself and makes a request for the IP address (e.g. GET 1.2.3.4) through its default gateway. As you most likely list names in the destination set, the names in that list do not match the request, as the request is for an IP address.

    See the difference?

    Try for yourself and add an IP address instead of a name to the list of denied sites - a site that only resolves to one address - and try to browse it from a client that has no proxy.

    Now this is not a workable way to deny traffic, as sites tend to move IP address, and if you are attempting to deny big sites (google, ms, fb, insta, whatever) then there's a good chance that IP addresses will change. Your options are the following in this case:

    - Ensure that clients cannot resolve external names by stopping your internal DNS from resolving external names. Do this by installing DNS on TMG and configuring it with a forwarder to an external DNS and a conditional forwarder for your internal namespace pointing to your current internal DNS. Clients will then have to configure a proxy in order to be able to browse.

    - Use a blacklist/whitelist software (URL filtering or any other equivalent 3rd party software) on TMG or a cloud solution (like OpenDNS) that will allow or deny requests. This will require the same DNS configuration as in the above suggestion, but it will have a higher chance of actually denying what you want to deny. This will bring a cost, since these services are not free.


    Hth, Anders Janson Enfo Zipper

    Monday, November 3, 2014 9:29 AM

All replies

  • Hard to tell without additional information.

    What rules do you have in place that allow HTTP/HTTPS? Do note that a rule that has "all outbound traffic" does include HTTP/HTTPS.

    For the users without proxy settings, is TMG their default gateway? Or is there another way to reach the internet?


    Hth, Anders Janson Enfo Zipper

    Thursday, October 30, 2014 11:04 AM
  • hi,

    I have created one allow rule for the HTTP/HTTPS protocols from internal to external. After that I have a deny rule to block some websites. TMG is my default gateway and I don't have any other way to reach the internet.

    Thursday, October 30, 2014 11:13 AM
  • If the rule order is:

    1. Allow HTTP/HTTPS anonymous

    2. Deny HTTP/HTTPS Site1, Site2 anonymous

    then all requests will be allowed; you need to have the deny rule first if you want to deny the traffic to certain sites.

    Or you create a destination set/URL set/etc. and add those entities to your first rule as exceptions on the To tab.

    A good help to troubleshoot this is to use live logging and reproduce the issue and see what rule allows or denies the request.


    Hth, Anders Janson Enfo Zipper

    Thursday, October 30, 2014 12:50 PM
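To make the two explanations in this thread concrete (the first-match rule ordering in the reply above, Anders' later point that a name-based deny rule never sees the hostname of a client that bypasses the proxy, and Boudewijn's note that a SecureNAT client cannot satisfy a rule requiring authentication), here is an added Python model of TMG-style policy evaluation. It is not TMG code and not from any poster; the `Rule`/`Request` classes, the `blocked.example` hostname and the documentation-range IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example (not from the thread).
BLOCKED_NAMES = frozenset({"blocked.example"})
BLOCKED_IP = "203.0.113.10"   # what blocked.example resolves to in this model
OTHER_IP = "198.51.100.20"
WEB = frozenset({"http", "https"})


@dataclass
class Request:
    """What the firewall actually sees for one client request."""
    client: str                 # "webproxy" or "securenat"
    proto: str                  # "http" or "https"
    dst_ip: str
    host: Optional[str] = None  # only a Web Proxy client hands TMG the hostname


@dataclass
class Rule:
    """A simplified access rule: action, protocols, destination, users."""
    name: str
    action: str                           # "allow" or "deny"
    protocols: frozenset
    to_names: frozenset = frozenset()     # domain name set / URL set (name based)
    to_ips: frozenset = frozenset()       # computer set (IP based)
    exceptions: frozenset = frozenset()   # names excluded on the "To" tab
    users: str = "all"                    # "all" or "authenticated"

    @staticmethod
    def _name_in(host, names):
        # Exact name or any subdomain of it; an unknown host (None) never matches.
        return host is not None and any(
            host == n or host.endswith("." + n) for n in names)

    def matches(self, req):
        if req.proto not in self.protocols:
            return False
        # Only a Web Proxy client can authenticate; a SecureNAT client cannot.
        if self.users == "authenticated" and req.client != "webproxy":
            return False
        if self._name_in(req.host, self.exceptions):
            return False
        if not self.to_names and not self.to_ips:
            return True                   # destination "External": anything
        return self._name_in(req.host, self.to_names) or req.dst_ip in self.to_ips


def evaluate(rules, req):
    """First matching rule wins; the implicit last rule denies everything."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "Default rule"


ALLOW_WEB = Rule("Allow HTTP/HTTPS", "allow", WEB)
ALLOW_WEB_AUTH = Rule("Allow HTTP/HTTPS (authenticated)", "allow", WEB, users="authenticated")
ALLOW_WEB_EXC = Rule("Allow HTTP/HTTPS except sites", "allow", WEB, exceptions=BLOCKED_NAMES)
DENY_SITES = Rule("Deny sites", "deny", WEB, to_names=BLOCKED_NAMES)
DENY_SITE_IP = Rule("Deny site IP", "deny", WEB, to_ips=frozenset({BLOCKED_IP}))

# A proxy client sends "GET http://blocked.example/" to TMG; a SecureNAT client
# resolves the name itself, so TMG only sees a packet to 203.0.113.10.
PROXY_BLOCKED = Request("webproxy", "http", BLOCKED_IP, host="blocked.example")
PROXY_OTHER = Request("webproxy", "http", OTHER_IP, host="www.example.com")
NAT_BLOCKED = Request("securenat", "http", BLOCKED_IP)


def scenarios():
    """Each entry is (action, deciding rule) for one policy/request combination."""
    return {
        "allow_before_deny": evaluate([ALLOW_WEB, DENY_SITES], PROXY_BLOCKED),
        "deny_before_allow": evaluate([DENY_SITES, ALLOW_WEB], PROXY_BLOCKED),
        "deny_before_allow_other_site": evaluate([DENY_SITES, ALLOW_WEB], PROXY_OTHER),
        "exception_on_allow_rule": evaluate([ALLOW_WEB_EXC], PROXY_BLOCKED),
        "securenat_vs_name_deny": evaluate([DENY_SITES, ALLOW_WEB], NAT_BLOCKED),
        "securenat_vs_ip_deny": evaluate([DENY_SITE_IP, ALLOW_WEB], NAT_BLOCKED),
        "securenat_vs_auth_allow": evaluate([DENY_SITES, ALLOW_WEB_AUTH], NAT_BLOCKED),
    }


if __name__ == "__main__":
    for name, (action, rule) in scenarios().items():
        print(f"{name:32} {action:5} by {rule}")
```

Run it and compare the `securenat_*` lines: with the deny rule correctly ordered first, the proxy client is still blocked, but the SecureNAT client sails through the name-based deny and is caught only by an IP-based deny or by an allow rule that requires authentication, which is exactly what the two answers in this thread describe.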
  • Hi,

    In my TMG, the LAN (internal) gateway is blank and the WAN (external) DNS is blank. We are using an internal DNS server.

    After completing the network setting I have installed the TMG successfully. After that

    1) We have created one allow rule from internal to internal. now my TMG is communicating with DNS server.

    2) We have created one allow all outbound traffic from DNS server to external

    3) Under this rule we have created Deny HTTP/HTTPS for blocking some websites

    4) Under this rule we have created Allow HTTP/HTTPS from internal to external

    Now all my PCs and laptops get an internet connection without mentioning the TMG address in the proxy settings.

    If I mention the proxy settings in the user PCs it is blocking the websites, but if I remove the proxy settings they are able to access all the websites...

    Friday, October 31, 2014 4:26 AM