61.3 Creating a Forefront TMG Policy and Rules

After you install Forefront TMG 2010, other computers cannot ping the computer hosting Forefront because the default firewall policy denies all the traffic from and to the host.

This section provides the information you need for:

  • Creating a Custom Policy for Forefront TMG

  • Creating a Forefront TMG Firewall Policy Rule

  • Verifying Forefront TMG Proxy Configuration

61.3.1 Creating a Custom Policy for Forefront TMG

You can create a custom Forefront firewall policy.

Prerequisites:

Install Forefront TMG 2010 using documentation from your vendor.

To create a custom policy to override the default firewall policy

  1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.
  2. From the left pane, click Firewall Policy.
  3. From the right pane, click Create Access Rule to create a custom policy.
  4. Create a rule with the following attributes and values assigned:
    • Name = Name for the custom policy

    • Action = Allow

    • Protocol = All Outbound

    • Malware Inspection = Do not enable Malware Inspection for this rule

    • From = External, Internal, Local Host

    • To = External, Internal, Local Host

    • Condition = All Users

  5. Click Next to create the Access Rule, then click Apply.
  6. Restart Forefront TMG to have the changes take effect:
    • Stop the Firewall Service using the command net stop fwsrv

    • Start the Firewall Service using the command net start fwsrv

  7. Proceed to "Creating a Forefront TMG Firewall Policy Rule"

61.3.2 Creating a Forefront TMG Firewall Policy Rule

To protect the resource, you must create a firewall policy rule using the Forefront TMG console.

When you create a listener for Authentication Preferences, be sure to check Allow client authentication over HTTP and Require All users to authenticate. Otherwise, you will not be able to access the published Web site using the TMG proxy.

Authentication Delegation is used by the TMG server to authenticate to the published Web server.

Note:

You can have IIS and Forefront TMG installed on the same (or a different) computer. Here, both reside on the same host.

To create a Forefront TMG firewall policy rule that protects the resource

  1. Open the Forefront TMG console: Start, Programs, Microsoft Forefront TMG, Forefront TMG Management.
  2. From the left pane, click Firewall Policy.
  3. From the Tasks tab, click Publish Web Sites.
  4. In the Web publishing rule name field, type a descriptive name for the rule, and then click Next.
  5. On the Select Rule Action page, confirm that the Allow option is selected, and then click Next.
  6. In the Publishing type, confirm that the Publish a single Web site or load balancer option is selected, and then click Next.

    Step 7 describes configuration with an open (non-secured) connection to the Web server. If you are using a secured connection, see your Forefront TMG Server documentation.

  7. On the Server Connection Security page, click Use non-secured connections to connect the published Web server or server farm, and then click Next.
  8. Perform the following steps to set internal publishing details:
    • In the Internal site name field, type the internally-accessible name of the IIS/Apache Web server host (for example: iis_host.us.example.com).

    • Check the box beside Use a computer name or IP address to connect to the published server (or enter the IP address of the IIS Web server host).

    • Click Next.

  9. Protecting Resources: Perform the following steps to protect resources within a particular folder in the Web site (or a single resource):

    Note:

    The folder must reside within htdocs/wwwroot of the corresponding Web server.

    • Folder Containing Resources: In the Path field, type the folder name to display the full path of the published Web site in the Web site field (Res/* for example).

    • Single Resource: Type the resource name (test.html for example).

    • Click Next.

  10. In the Accept requests for list:
    • Click your domain name (for example: myhost.example.com).

    • In the Public name field, type the publicly-accessible fully-qualified Web site domain name of the host where Forefront TMG will be installed (for example: myhost.example.com).

    • Click Next.

  11. In the Web listener list, either click the Web listener to use for this Web publishing rule, or create a new Web listener as follows:

    Note:

    Listener can also be configured in SSL mode if required; see your Forefront TMG documentation.

    • Click New, type a descriptive name for the new Web listener, and then click Next.

    • Click Do not require SSL secured connections with clients, and then click Next.

    • In the Listen for requests from these networks list, click the required networks (External, Internal, and Localhost), and then click Next.

    • Click No on the message that appears.

    • In the Select how clients will provide credentials to Forefront TMG Server list, click No Authentication, and then click Next.

    • On the Single Sign On Settings page, click Next, and then click Finish.

  12. On the Select Web Listener page:
    • Click Edit.

    • Click connections tab.

    • Provide any unused port for the Enable HTTP connections on port attribute (this port will act as the Forefront TMG port).

    • Click Apply, and then click OK.

    • Click Next.

    • On the Single Sign On Settings page, click Next, and then click Finish.

  13. Authentication Delegation: Perform the following steps to choose the method Forefront TMG uses to authenticate to the published Web server:
    • Click No Delegation, and Client Cannot Authenticate Directly.

    • Click Next.

  14. On the User Sets page:
    • Choose All Users (the default user set) so that the rule applies to requests from the listed user sets.

    • Click Next, and then click Finish.

  15. Click Apply to update the firewall policy, and then click OK.
  16. Double-click the recently created Firewall Policy.
  17. Bridging:
    • Open the Bridging tab.

    • Provide a suitable unused port for the Redirect request to HTTP port attribute (this port will act as the IIS or Apache Web server port).

  18. Click Apply to update the firewall policy, and then click OK.
  19. IIS or Apache Web server.
  20. Restart Forefront TMG to have the changes take effect:
    • Stop the Firewall Service using the command net stop fwsrv

    • Start the Firewall Service using the command net start fwsrv

  21. Double-click the rule just created:
    • Open the Link Translation tab.

    • Confirm that Apply Link Translation to this rule is checked.

    • Click the Mapping button to see the mapping created between Forefront TMG and IIS or Apache.

  22. Proceed to "Verifying Forefront TMG Proxy Configuration"

61.3.3 Verifying Forefront TMG Proxy Configuration

To validate the Forefront TMG proxy configuration, simply access the protected resource using the TMG port.

To verify Forefront TMG proxy configuration:

  1. Protected Single Resource: Enter the URL to the TMG host and port where the protected resource resides. For example:
      http://TMG_hostname:TMG_port/resource_name

  2. Protected Folder: Enter the URL to the TMG host and port where the folder containing the resource resides. For example:
      http://TMG_hostname:TMG_port/folder-name/resource_name

  3. Confirm there are no issues accessing the protected resource.
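The verification above can be scripted. The following PowerShell script is an added example, not part of the original documentation or of Forefront TMG itself: it requests each published resource through the TMG port (step 12) and also checks that Link Translation (step 21) has removed any reference to the internal Web server host and bridged port (steps 8 and 17) from the response body. The host names, ports and resource names are placeholders taken from the examples in the procedure and must be replaced with your own values.

```powershell
# Added verification script (not from the original documentation).
# Placeholder values: replace with the host, ports and resources configured above.
param(
    [string]  $TmgHost      = 'TMG_hostname',            # host running Forefront TMG
    [int]     $TmgPort      = 8080,                      # port chosen in step 12 (placeholder)
    [string]  $InternalHost = 'iis_host.us.example.com', # internal site name from step 8
    [int]     $InternalPort = 8081,                      # bridged Web server port from step 17 (placeholder)
    [string[]]$Resources    = @('test.html', 'Res/test.html')  # single resource and folder resource from step 9
)

function Test-TmgPublishedResource {
    param([string]$Path)
    $url = "http://${TmgHost}:${TmgPort}/$Path"
    try {
        # -UseBasicParsing avoids the Internet Explorer rendering engine dependency.
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    } catch {
        # Any HTTP error (401/403/502 ...) or connection failure lands here.
        return [pscustomobject]@{
            Url               = $url
            Status            = 'ERROR'
            LinkTranslationOk = $false
            Detail            = $_.Exception.Message
        }
    }

    # Link Translation should rewrite references to the internal host:port into the
    # public name; an untranslated reference exposes the backend address to clients.
    $leak = "${InternalHost}:${InternalPort}"
    $translated = ($resp.Content -notmatch [regex]::Escape($leak))
    $detail = if ($translated) { 'no internal host:port in body' } else { "body references $leak" }

    [pscustomobject]@{
        Url               = $url
        Status            = $resp.StatusCode
        LinkTranslationOk = $translated
        Detail            = $detail
    }
}

# Check every published resource and show the results in one table.
$Resources | ForEach-Object { Test-TmgPublishedResource -Path $_ } | Format-Table -AutoSize
```

Run the script from a client on one of the networks the Web listener accepts requests from (step 11); a Status of 200 with LinkTranslationOk set to True for every row confirms the publishing rule and bridging are working.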