Log on to Forefront TMG server as an administrator. Start menu>All Program>Click Forefront TMG management console>Expand Forefront Server>Click on Web Access Policy>in the right hand side Click on Task Pan >Scroll Down to Web Protection Tasks. In Web Protection Tasks, You will find Configure Malware Inspection, Configure HTTPS Inspection, Configure URL Filtering, Configure URL Category. Now follow these steps to define/create these policies.
1. Click Configure HTTPS Inspection.
2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection
3. Click the Generate button and the Generate Certificate dialog box will appear
4. Select the Trusted Certificate Authority (CA) name text field and replace the existing text with Edge Firewall
5. Leave the Issuer Statement field blank and click Generate Certificate Now. You will see a certificate. Click OK to close the Certificate display and click Close to close the Generate Certificate window.
6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options. You will see the Certificate Deployment Options dialog box,
7. Click Automatic Deployment. You will see an authentication dialog box
8. In the authentication dialog box, enter the credentials for an account that has write access to the domain Enterprise Trusted Root certificate store. Click OK. A command window will appear briefly and if the procedure succeeds, the dialog box
9. Click OK to close this dialog box.
10. Click OK to close the Certificate Deployment options dialog box.
11. In the HTTPS Outbound Inspection dialog box, click the Destination Exceptions tab to display the HTTPS inspection exceptions list
12. Click Add to open the Add Network Entities dialog box
13. In the Add Network Entities dialog box, click New and then click Domain Name Set. You will see the New Domain Name Set Policy Element dialog box
14. In the Name field, type Excluded Sites. Click Add. When New Domain appears in the Domain names included in this list, change it to display http://www.wolverine.com.au. Click Add again and change New Domain to display http://www.wordpress.com. In the Description field, type Sites approved by NetSec for HTTPS inspection exclusion. The page should now appear
15. Click OK to close the window. In the Add Network Entities window expand Domain Name Sets, highlight Excluded Sites, click Add, and then click Close. The HTTPS Outbound Inspection dialog box will appear
16. In the HTTPS Outbound Inspection dialog box, click the Certificate Validation tab.
17. In the Block Expired Certificate After (Days) text box, type 7
18. In the HTTPS Outbound Inspection dialog box, click the Client notification tab.
19. Select Notify Users That Their HTTPS Traffic Is Being Inspected
20. Click the Source Exceptions tab to add the computers that you want to exempt from HTTPS inspection. By default this list is empty. For the purpose of this example we will leave this option empty.
21. Click OK to close the HTTPS Outbound Inspection dialog box.
22. Click Apply in the TMG management centre pane, type the appropriate notes in the Configuration Change Description window and click Apply to save your changes. The centre pane feature display will change
23. Click the Monitoring tab in the left pane, and then click the Alerts tab in the centre pane. You should find an informational alert indicating successful CA certificate import,
Configuring the HTTP Filter
1. On the TMG Server computer (or using remote management console), open the TMG Management Console.
2. Click TMG (Array Name) in the left pane.
3. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP
4. When you choose Configure HTTP, the Configure HTTP Policy For Rule dialog box will appear. In this dialog box you have four options to choose- HTTP methods, Extensions, Headers and Signature. Follow the steps to do accomplish these methods. You can do all these at once or do later by repeating these steps.
General
In general option, you can mention Header length, Allow any payload, Block high bit characters and block windows executable content. Accept default and go next steps or modify as your desired config.
HTTP Methods
1. Open the drop-down list in the option Specify The Action Taken For HTTP Methods and select Block Specified Methods (Allow All Others).
2. The Add button will became available. Click Add and type PUT
3. Click OK and your Methods tab will appear
4. Type the appropriate notes in the Configuration Change Description window and click Apply to commit this change.
Extensions
1. Open the drop-down list in the option Specify The Action Taken For File Extensions and select Block Specified Methods (Allow All Others)
2. The Add button will become available. Click Add and type MP3
3. Click OK. The Methods tab will appear.
4. Click OK and then, in the main TMG console, click Apply to commit this change.
Headers
1. Click Firewall Policy, right-click the http://www.wolverine.com.auWeb Publishing rule and choose Configure HTTP.
2. Click the Headers tab and the window will appear
3. In the Server Header drop-down list, choose Modify Header In Response
4. Type the name with which you want to substitute the Server’s name
5. Click OK and then click Apply in the main TMG console to commit the changes.
Blocking Signature
1. Click Web Access Policy, right-click your main Internet Access policy, and choose Configure HTTP
2. When you click Configure HTTP the Configure HTTP Policy For Rule dialog box will appear. Click the Signatures tab and the window will appear
3. Click Add and the do the following in the Signature window:
· Type Block MSN Messenger in the Name field.
· Select Request Headers from the Search In drop-down list.
· Type Description as Block MSN Messenger signature
· In Signature Type, type MSN Messenger
4. Click OK and your Signature tab will appear
5. Click OK to close this window and then click Apply in the main TMG console to apply the changes.
6. Repeat step 1 to 6 if you want block more signature
Important! blocking signature using Request URL my block entire web sites containing that specific signature.
Relevant Articles:
Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010
0 comments:
Post a Comment