Web Filtering/Blocking Using ForeFront TMG
  • Web Filtering/Blocking Using ForeFront TMG

    Hi all,

    I'm sure this has been asked and answered a thousand times before. And I have read a great deal of posts here as well as resources all over the web.

    But I must be doing some things wrong because I cannot get this working.

    We are a school using ForeFront TMG as our proxy server. This was implemented over the summer by contractors. I have a very basic knowledge of how it works, but I'm no expert... Bottom line is that I need to block a great deal of websites that we notice the kids using...

    Here's what I have under Firewall Policy:

    Rule #1:
    Name - Allow Web Access for All Users
    Action - Allow
    Protocols - HTTP and HTTPS
    From - Internal
    To - Internal and External
    Users - All Users



    Rule #2:
    Name - Blocked Web Destinations
    Action - Deny
    Protocols - HTTP and HTTPS
    From - Internal
    To - From URL Categories: Alcohol, Anonymizers, Botnet, Chat, Criminal Activities, Gambling, Games, Hate/Discrimination, Humor/Comics, Illegal Drugs, Malicious, Mature Content, Nudity, Obscene/Tasteless, Online Communities, Phishing, Pornography, Shareware/Freeware, Social Opinion, Spyware/Adware, Violence
    Users - All Users EXCEPTION: Chris (that's me for test purposes)


    Nine additional rules unrelated to internet access...

    The last "Default Rule" which denies everything... It's the FF default and was never edited.

    So here's the problem... All of the students here log on to the domain as grade-level users. What I mean is that I have AD users called "grade1, grade2, grade3, etc"... So all 60 kids in the eighth grade login as "grade8". Make sense? Well, when I login to the domain as grade8, I can go anywhere I want. Playboy.com, facebook.com, you name it, I can go there...

    Shouldn't Rule #2 be denying that stuff? What am I doing wrong?? Very, very bad...

    I need to be CIPA-compliant here, and as of right now, the kids have free rein to go wherever they want. I have to get this buttoned down and fast.

    Please tell me what I'm doing wrong and how to fix it. Like I said, I'm no expert in such things, but I have a reasonable grasp of this stuff. I've read a zillion articles on ForeFront and it's just not helping. Plain English help would be greatly appreciated because I'm obviously not understanding something...

    THANKS!

    Chris

  • #2
    Re: Web Filtering/Blocking Using ForeFront TMG

    Are your client PCs SecureNAT or Web Proxy clients? They MUST be Web Proxy for the URL blocking to work.

    To explain that simply, your browsers should be set to use the TMG server as a proxy, e.g. in IE you would set this in Tools->Internet Options->Connections->LAN Settings. If this has not been configured it is a simple matter to create a GPO enforcing the proxy, and you should also deny access to the Connections tab in IE to prevent anyone changing it.

    If the proxy is not enforced then your clients are SecureNAT and TMG is not proxying the web traffic, so the URL filtering will fail.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

    • #3
      Re: Web Filtering/Blocking Using ForeFront TMG

      They are Web Proxy clients. But let me clarify what I have so I can make sure I'm not inadvertently lying due to ignorance.

      In Tools->Internet Options->Connections->LAN Settings of every PC, the following is set:

      Proxy Server Address - 10.34.0.42 (my FF TMG box)
      Port 8080
      Bypass for local address is checked, as is "Use the same proxy server for all protocols".

      This is already set via GPO from my DC. I have the following set in the GP Management Editor:

      User Configuration --> Policies --> Windows Settings --> Internet Explorer Maintenance --> Connection --> All the settings handed out as outlined above.


      So the proxy IS being applied to all domain users when they login.

      What I DON'T have, though, is a GPO that would deny a user the ability to change the proxy settings in Tools->Internet Options->Connections->LAN Settings of their PCs. So I suppose it's possible that they went in and turned it off, therefore allowing them unrestricted web access.

      So first of all, how can I do that? I can't seem to find it in Group Policy...

      BUT secondly, bear in mind that I am testing this on my own laptop, just logged in as grade8. The proxy settings are on in Tools->Internet Options->Connections->LAN Settings, but I can still go anywhere on the web. If, in fact, the kids circumvented the proxy, I have not in my test, yet I am still getting out.

      In looking at my Firewall Rules, it all looks OK to you?

      THANKS!

      Chris

      • #4
        Re: Web Filtering/Blocking Using ForeFront TMG

        What's the rule ordering? Is the standard web access rule higher in the list (i.e. a lower number) than the blocking rule? If so, that's the issue, as rules are evaluated top down and when one matches, evaluation stops.

        In ISA/TMG rules should be ordered from most to least restrictive to ensure expected operation.

        To disable access to the connections tab user configuration > administrative templates > internet control panel > disable connection page.
        Last edited by cruachan; 21st October 2010, 20:35. Reason: Added more info
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog

        • #5
          Re: Web Filtering/Blocking Using ForeFront TMG

          Hi again!

          Thanks for the info. Sorry, I have to duck out for a quick while and am under a time gun... Quickly, I attached a screenshot of my Web Access rules list...

          Do I have this right or wrong?

          Will post back in a few hours... Thanks!

          Chris
          Attached Files

          • #6
            Re: Web Filtering/Blocking Using ForeFront TMG

            That's the wrong order, move the Deny rule up one to above the allow rule and that should fix it.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog

            • #7
              Re: Web Filtering/Blocking Using ForeFront TMG

              OK, order changed. Will test first thing tomorrow morning and let you know. Good advice about the rule ordering. Being new to this, I did not know that. Thank you.

              I'll also look at denying access to change the proxy settings. On that note, is there a way to set that option ONLY for certain AD users? Or a group? If so, how?

              Thanks!

              Chris

              • #8
                Re: Web Filtering/Blocking Using ForeFront TMG

                Originally posted by WorldBuilder View Post
                OK, order changed. Will test first thing tomorrow morning and let you know. Good advice about the rule ordering. Being new to this, I did not know that. Thank you.

                I'll also look at denying access to change the proxy settings. On that note, is there a way to set that option ONLY for certain AD users? Or a group? If so, how?

                Thanks!

                Chris
                As far as I remember it's a User GPO, so you can link it to an OU if all of the student accounts are in one OU. Or you can use GPO security settings so that only a certain AD group (if that's what the students are in) is allowed to apply the GPO.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog

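Editor's added example (not from the thread, not a script either poster supplied): the user-side GPO cruachan describes, created and security-filtered from PowerShell rather than clicked through GPMC. It hides the IE Connections page (the "Disable the Connections page" setting named in #4) and grants Apply only to one AD group, which is the "GPO security settings" route from #8 for a domain with no custom OUs. Every name is an assumption: GPO "Students - Lock IE Proxy", group "Students" holding the grade1..grade8 accounts, and domain DN "DC=school,DC=local". It needs the GroupPolicy module (a DC or RSAT) and an account that can create and link GPOs.

```powershell
# Added example, not from the thread: build a user GPO that hides the IE
# Connections page and apply it to one AD group only via security filtering.
# Assumed names: GPO "Students - Lock IE Proxy", group "Students",
# domain DN "DC=school,DC=local". Needs the GroupPolicy module and rights
# to create and link GPOs.
Import-Module GroupPolicy

$GpoName   = 'Students - Lock IE Proxy'   # assumed
$GroupName = 'Students'                   # assumed: group containing grade1..grade8
$DomainDN  = 'DC=school,DC=local'         # assumed; the OP has no custom OUs, so link at the domain

# 1. Create the GPO only if it does not exist yet (Get-GPO throws when it is missing).
try   { Get-GPO -Name $GpoName -ErrorAction Stop | Out-Null }
catch { New-GPO -Name $GpoName -Comment 'Stops students from changing the TMG proxy settings' | Out-Null }

# 2. "Disable the Connections page" sits under User Configuration >
#    Administrative Templates > Windows Components > Internet Explorer >
#    Internet Control Panel. The ADMX writes exactly this registry value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'ConnectionsTab' -Type DWord -Value 1 | Out-Null

# 3. Security filtering: Authenticated Users keeps Read (clients need it to
#    process the GPO at all) but loses Apply; only the student group applies it.
#    -Replace is required, otherwise Set-GPPermission adds to the existing level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link it at the domain root unless it is already linked there.
$linked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
}

# 5. Show which trustees will actually apply the policy.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { '{0} -> {1}' -f $_.Trustee.Name, $_.Permission }
```

Students pick the setting up at their next logon (or after gpupdate /force); staff, who are not in the group, never do, so the Connections page stays available to them. Two things worth keeping in mind: hiding the page is a UI control, not a network control, since a user can still change the proxy through another browser or the registry, and TMG's per-user rules only apply to requests that arrive authenticated through the web proxy. So the TMG side still has to be right on its own, which is what the rule-ordering part of this thread is about.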
                • #9
                  Re: Web Filtering/Blocking Using ForeFront TMG

                  We're a pretty small school so I don't have any self-made OUs. Everything is in AD Users and Computers. I could add the student users to a group and do the "Or you can use GPO security settings so that only a certain AD group (if that's what the students are in) is allowed to apply the GPO" suggestion.

                  How do I do that? Sorry if that's a silly question, but I'm not sure about the "GPO security settings" part...

                  THANK YOU.

                  Chris

                  • #10
                    Re: Web Filtering/Blocking Using ForeFront TMG

                    Hi Cruachan,

                    The reversing of the rule order worked perfectly. Thanks so much! I'll play with the GPO now. Man, this is a great forum resource. You guys are all fantastic.

                    Chris

                    • #11
                      Re: Web Filtering/Blocking Using ForeFront TMG

                      Oooooooh, one last question on the denial of access...

                      As you know, the goal of this rule is to prevent students from visiting undesirable websites. This means everything in the gamut from something truly grotesque to something rather mundane like social media.

                      But we really have no desire to block, say, facebook, linkedin, or web-based e-mail for teachers and staff. It's not a problem if they have access so they can do it on breaks, etc.

                      Currently, the deny rule applies to "All Users". I (my AD user) am the lone Exception. Could I simply replace "All Users" with the AD grade users and remove any Exceptions?

                      It seems to me that that would accomplish limiting the students while allowing FULL web access to everyone else... BUT that means that even truly awful things like pornography could get in when users other than students are surfing...

                      So then, I would create another rule for all remaining users (staff, faculty, etc) that limits only the truly awful (porn, crime, hate, etc).

                      Is what I am proposing sensible? Will it work?

                      Thanks!

                      Chris

                      • #12
                        Re: Web Filtering/Blocking Using ForeFront TMG

                        Glad you got it sorted.

                        You can indeed replace All Users with a different AD group to only fully restrict the Students group. Then add a second rule to deny a subset of what you deny students for the staff, in between the existing deny rule and the Allow Internet Access rule. As I said, rules are evaluated top down, so always place the most restrictive rules higher in the list, as evaluation will continue until a rule is found that matches or the last Deny All rule is reached.
                        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                        Cruachan's Blog

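Editor's added example (not TMG's own code and not something either poster wrote): a toy first-match evaluator that models how TMG walks the firewall policy top-down and stops at the first rule whose users and destination match, run against the three policy layouts this thread goes through: the OP's original order from #1, the reordered version from #6, and the per-group split from #12. The site categories, the user accounts msmith and chris's group memberships, and the AD groups "Students" and "Staff" are constructed sample data; real TMG category lookups come from its URL filtering service and are not modelled, and neither are the Protocols and From fields, which are identical on every web rule here.

```powershell
# Added example, not TMG's own code and not from the thread: a toy model of
# TMG's top-down, first-match rule evaluation. Site categories and group
# memberships are constructed sample data (assumed AD groups "Students" and
# "Staff"); real URL category lookups are not modelled.
$SiteCategory = @{
    'www.facebook.com' = 'Online Communities'
    'www.playboy.com'  = 'Pornography'
    'www.bbc.co.uk'    = 'News'
}
$UserGroups = @{
    'grade8' = @('Students')              # assumed: shared grade accounts sit in "Students"
    'msmith' = @('Staff')                 # assumed staff account
    'chris'  = @('Staff', 'Domain Admins')
}
# Subset of the categories in the thread's deny rule, plus the narrower staff set from #11.
$StudentDenied = @('Pornography', 'Online Communities', 'Chat', 'Games', 'Anonymizers', 'Malicious')
$StaffDenied   = @('Pornography', 'Criminal Activities', 'Hate/Discrimination', 'Malicious')

function New-Rule {
    param([string]$Name, [string]$Action, [string[]]$Categories, [string[]]$Groups, [string[]]$Except)
    # $null Categories means "To: External" (any site); $null Groups means "Users: All Users".
    [pscustomobject]@{
        Name = $Name; Action = $Action; Categories = $Categories
        Groups = $Groups; Except = $Except
    }
}

function Test-RuleMatch {
    param($Rule, [string]$User, [string]$Site)
    if ($Rule.Except -and $Rule.Except -contains $User) { return $false }
    if ($Rule.Groups) {
        $shared = @($UserGroups[$User]) | Where-Object { $Rule.Groups -contains $_ }
        if (-not $shared) { return $false }
    }
    if ($Rule.Categories) {
        $cat = $SiteCategory[$Site]
        if (-not $cat -or $Rule.Categories -notcontains $cat) { return $false }
    }
    return $true
}

function Resolve-WebAccess {
    param([object[]]$Policy, [string]$User, [string]$Site)
    foreach ($rule in $Policy) {
        if (Test-RuleMatch -Rule $rule -User $User -Site $Site) {
            return '{0} ({1})' -f $rule.Action, $rule.Name   # first match ends evaluation
        }
    }
    return 'Deny (Default Rule)'   # TMG's untouched last rule
}

$allow        = New-Rule -Name 'Allow Web Access for All Users' -Action 'Allow'
$denyAll      = New-Rule -Name 'Blocked Web Destinations' -Action 'Deny' -Categories $StudentDenied -Except 'chris'
$denyStudents = New-Rule -Name 'Blocked Web Destinations' -Action 'Deny' -Categories $StudentDenied -Groups 'Students'
$denyStaff    = New-Rule -Name 'Blocked for Staff'         -Action 'Deny' -Categories $StaffDenied   -Groups 'Staff'

$policies = [ordered]@{
    'original (#1)'   = @($allow, $denyAll)                   # allow first: deny is never reached
    'reordered (#6)'  = @($denyAll, $allow)                   # most restrictive first
    'per-group (#12)' = @($denyStudents, $denyStaff, $allow)  # students, then staff, then allow
}
$cases = @(
    @('grade8', 'www.playboy.com'),  @('grade8', 'www.facebook.com'),
    @('msmith', 'www.facebook.com'), @('msmith', 'www.playboy.com'),
    @('chris',  'www.playboy.com'),  @('grade8', 'www.bbc.co.uk')
)

foreach ($case in $cases) {
    $user, $site = $case
    "`n$user -> $site"
    foreach ($name in $policies.Keys) {
        '  {0,-16} {1}' -f $name, (Resolve-WebAccess -Policy $policies[$name] -User $user -Site $site)
    }
}
```

Under "original" every row comes back Allow, which is exactly the OP's symptom: the broad allow rule matches every request before the deny rule is consulted. "reordered" blocks grade8 on both sites and lets chris through only because of the personal exception; "per-group" drops that exception, lets msmith reach facebook while still denying playboy, and gives the students the full deny list. One caveat for the real box: for HTTPS the proxy only sees the hostname from the CONNECT request unless HTTPS inspection is turned on, so category blocking of HTTPS sites is by host name, not by full URL.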
                        • #13
                          Re: Web Filtering/Blocking Using ForeFront TMG

                          Thanks, man. I'm gonna give it a go on Monday. Will post back. In the meantime, it's weekend kids/soccer/gymnastics time!



                          Chris

                          • #14
                            Re: Web Filtering/Blocking Using ForeFront TMG

                            Workin' to perfection. ForeFront = Pretty Sweet

                            Hell, if I can work with this with some help, anyone can.



                            Thanks!

                            Chris

                            • #15
                              Re: Web Filtering/Blocking Using ForeFront TMG

                              Don't say it too hard. Otherwise I might lose my job.
                              I mainly work with ISA, implementing and configuring where others fail.

                              At the moment I'm implementing an ISA 2006 cluster where 5 other engineers failed. Right now, there are 2 Citrix servers fully operational behind the ISA cluster.
                              It's a multicast-with-IGMP NLB cluster, currently with just 2 nodes and 2 remote SQL servers.
                              Marcel
                              Technical Consultant
                              Netherlands
                              http://www.phetios.com
                              http://blog.nessus.nl

                              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                              "No matter how secure, there is always the human factor."

                              "Enjoy life today, tomorrow may never come."
                              "If you're going through hell, keep going. ~Winston Churchill"
