If you are using ISA 2006 as a proxy solution, you will have a very powerful URL Filtering product when you upgrade to ISA 2010. Or, if you are looking for a new URL Filtering solution, you should definitely try TMG.
TMG integrates fully with Active Directory on its administration screen, where it offers the familiar set of rules and authorizations found in traditional firewalls alongside URL Filtering configuration.
Cost and ease of use are important criteria in choosing a URL Filtering product, as is the number of addresses in the product's database. TMG is quite ambitious in this regard.
Thanks to its HTTPS Inspection function, TMG renders useless many SSL tunnel programs and tools that provide internet access while bypassing security products that enforce filtering policies.
Let's start our review with a sample configuration, both to convey some basic adjustments you need to make and to show the flexibility of URL Filtering.
First of all, go to the registry settings on your TMG server and make the following adjustment: the DWORD value must be created and set to 10 (http://support.microsoft.com/kb/326040).
Next, open the properties of the Internal network, switch to the Web Proxy tab, open the Authentication settings and select the Require all users to authenticate option.
When you perform an installation suitable for your structure with the default settings, you encounter a well-categorized Deny rule created by TMG. Thanks to this rule, access to many harmful sites is prohibited. Let's rename it 1_Access_Forbidden and select All Users in the Users tab of this rule. A second rule should then be created that grants full access, with only authorized personnel (Administrators, IT staff) selected in its Users tab.
The third rule will be named 3_Access_Forbidden. Before defining it, let's create a new Category Set to be used in the rule and name it Category_Block_Set.
In addition to the categories prohibited by the first rule, let's add categories such as Games and Streaming Media to Category_Block_Set. Now define the third rule, 3_Access_Forbidden: in the Users tab choose All Users, and in the To tab choose Category_Block_Set. The fourth rule is 4_Access_Forbidden. Here we define a rule for sites that TMG would allow, but which you think should not be accessed.
We will create a new URL Set for this. Let's name it URL_Block_Set and list in it the sites that are to be inaccessible. (Who knows, maybe you want to ban access to www.destekyeri.com.)
By the way, the To part of any deny or permit rule you define should not contain both Category Sets and URL Sets. Create one rule for Category Sets and a separate rule for URL Sets. This is the recommended practice.
Let's create a fifth rule and call it 5_Access_allowed. Any desired access can be defined in this rule. For applications or pages that have no authentication support and want to reach the internet with an anonymous account, you can define a special rule; add All Users in the Users tab of this rule and you will not have any problems.
Until recently, the goal was to make internet access secure and high-performance by using applications that managed internet access authorizations. Now, however, a third task is waiting to be embraced: recording all internet access.
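The five-rule sequence built above, modeled as a first-match evaluation so the effect of rule order can be checked before touching the console. This is an added example, not TMG's own code: the admin user list, the sample sites, the name 2_Access_Allowed for the unnamed second rule, and fnmatch wildcards standing in for TMG's URL Set matching are all assumptions.

```python
# Added example: a simplified first-match model of the five web access rules
# built above. Not TMG code; fnmatch wildcards stand in for TMG's own URL Set
# matching, and the user/site data are constructed samples.
from fnmatch import fnmatch

ADMINS = {"alice"}                                     # constructed: "authorized personnel" of rule 2
DEFAULT_DENY = {"Malicious", "Botnet", "Anonymizers"}  # categories of TMG's default Deny rule
CATEGORY_BLOCK_SET = DEFAULT_DENY | {"Games", "Streaming Media"}
URL_BLOCK_SET = ["*.destekyeri.com/*"]                 # the article's own URL_Block_Set example


def by_category(cats):
    return lambda req: req["category"] in cats


def by_url(patterns):
    return lambda req: any(fnmatch(req["url"], p) for p in patterns)


def everything(req):
    return True


# (rule name, action, who it applies to, destination matcher), top to bottom.
# "2_Access_Allowed" is an assumed name; the article leaves rule 2 unnamed.
RULES = [
    ("1_Access_Forbidden", "deny", "all", by_category(DEFAULT_DENY)),
    ("2_Access_Allowed", "allow", "admins", everything),
    ("3_Access_Forbidden", "deny", "all", by_category(CATEGORY_BLOCK_SET)),
    ("4_Access_Forbidden", "deny", "all", by_url(URL_BLOCK_SET)),
    ("5_Access_allowed", "allow", "all", everything),
]


def evaluate(user, url, category):
    """Return (rule name, action) of the first rule matching the request.
    The list is walked in order and the first match decides; if nothing
    matches, TMG's implicit default rule denies."""
    req = {"url": url, "category": category}
    for name, action, who, matches in RULES:
        if who == "admins" and user not in ADMINS:
            continue
        if matches(req):
            return name, action
    return "Default rule", "deny"


if __name__ == "__main__":
    # Rule order matters: the admin is still stopped by rule 1, which sits
    # above the admin allow rule, but passes the Games block of rule 3.
    print(evaluate("alice", "http://bad.example/x", "Malicious"))  # rule 1 deny
    print(evaluate("alice", "http://games.example/", "Games"))     # rule 2 allow
    print(evaluate("bob", "http://games.example/", "Games"))       # rule 3 deny
    print(evaluate("bob", "http://www.destekyeri.com/", "News"))  # rule 4 deny
    print(evaluate("bob", "http://news.example/", "News"))         # rule 5 allow
```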
We all know how important logging is while managing the traffic of the machines that access the internet, both for meeting the requests we receive and for verifying that the policies we implement are working. Having managed this process many times, we see that what we need is to get a grip on live traffic and define fast filters, rather than to keep a long access list.
TMG offers a pretty good solution in this regard.
You can choose which pieces of information flowing in internet traffic are logged, and you can see that information on the live traffic monitoring screen.
You must enable the information you want to be logged.
The screen under the Logs & Reports heading of the management console monitors live traffic and helps you with many filtering criteria.
You can apply many more types of filters. Below is the list of filter options that can be applied.
The results of the filters you have written are presented in a very readable way.
Microsoft's recommended solution for recording all this traffic is SQL Server. Since the traffic information to be recorded contains a great deal of detail, the storage where the records are kept must also be large. This may bother you at first, but the easiest way to avoid excessive space use is to schedule queries on SQL Server that delete old records.
On this subject you can also review my article, Problems and Solutions in Using TMG.
Let’s take a look at TMG protection against viruses.
TMG's protection against viruses infecting our machines through visited sites or downloaded files is quite successful.
TMG creates a barrier between virus-hosting sites and our machines thanks to a well-chosen Deny rule that it creates by default during installation. If you look at the names of the categories that make up the To part of this deny rule, you will see Malicious, Botnet and Anonymizers. Since TMG, with its strong URL database, categorizes virus-containing sites accurately, when you try to reach such a site without realizing it, this rule blocks the access and protects your systems from viruses.
TMG's virus protection for downloaded files is also very successful. TMG downloads the file you requested, scans it for viruses and then delivers it to you if the content is clean.
For example, let's download Wireshark and look at the screen TMG shows:
As you can see, TMG has taken control of the download. The file is downloaded to the area shown on the screen above, and if no virus is found after scanning, we are expected to press the Download button to receive it.
To keep internet access under control, every web access rule, whether its function is to block (deny) or allow (permit), needs source, destination, user and of course protocol definitions. None of these definitions can be considered more important than the others, but the one that causes the most trouble when a rule does not do what you intended is the stage where the destination information is created. If you follow the methods I describe for destination definitions, you will not have any problems.
Keep in mind: in any deny or permit rule, Category Sets and URL Sets must not appear together in the To section. Create one rule for Category Sets and a separate rule for URL Sets. This is also the recommended practice.
Let's continue our journey with examples of URL Sets you will create.
Suppose we want to prepare a white list of addresses that we do not mind our users accessing. Let's start the configuration by creating a new URL Set for this.
One of the addresses that will make up our list is www.destekyeri.com.
We must define it as *.destekyeri.com/* so that access to this address is not restricted in any way.
A definition made this way will work 99% of the time. I say 99% because, to continue with our example, after a while you may receive a complaint that there is a problem accessing the address http://www.destekyeri.com/guvenlik.gbt.
When this happens, don't panic; interpret it as TMG needing another address definition from you. Create that definition as http://www.destekyeri.com/*
As I said, for 99% of the addresses you define, a definition like *.destekyeri.com/* will suffice. In the cases where you have problems, adding another definition such as http://www.destekyeri.com/* solves them. No more complaints about access.
Let's continue with a second example: adding a site that has a certificate installed and is published over https to our list. Let our address be https://webmail.Semerkand.com.tr. When you write *.webmail.Semerkand.com.tr/* in White_List, you will not reach your goal. This situation is specific to sites with certificates, and you have two addressing alternatives for the solution: webmail.Semerkand.com.tr:443 or https://webmail.Semerkand.com.tr.
Sites with certificates published over https can also be blocked by the HTTPS Inspection feature that comes with TMG. In that case, the addresses you want to allow out of those blocked should be added to the Destination Exceptions field in the HTTPS Inspection window. In addition, these addresses have to be added to White_List.
For example, take https://www.Mostar.com.tr, where the desired accesses to this address are caught by HTTPS Inspection; the certificate of the address is as shown below.
The address to be defined in the Exceptions field of the HTTPS Inspection window is *.mostar.com.tr. There should be no '/' or '*' at the end of the line.
To make this definition, create a Domain Name Set and write the relevant entries in this set.
After this, the address is no longer blocked. White_List must also contain a definition for https://www.Mostar.com.tr; this definition should be either https://www.Mostar.com.tr/* or www.Mostar.com.tr:443.
Now let's define what to do when authorizations do not work consistently even though you have defined category-based filters. Let's examine this through examples.
Let the Streaming Media category be among the blocked destinations of the rule at the top of the rule sequence. In another rule below it, let the News category be defined among the allowed destinations. While access to streaming media sites is blocked, access to news sites must be allowed by the rule below. The problem is that almost all news sites contain thousands of videos, and your expectation from TMG is to open the news sites but not play the videos on them. For the solution, add another deny rule above the permit rule and edit its Content Types tab as shown in the figure below. This will bring you closer to the goal, but you still need manual definitions to block the videos of some news sites. For example, for www.haberturk.com you must add http://video.haberturk.com/* to the blocked address list, and for www.sabah.com.tr you should add http://www.sabah.com.tr/multimedia/video/* to the same banned URL list. You can use TMG's powerful logging function to detect these addresses.
We have examined the HTTPS Inspection function that comes with TMG, which is not available in ISA 2004 and ISA 2006, and we discussed what to do when some HTTPS traffic is blocked by it. We explained how to write the relevant HTTPS address both in the Destination Exceptions field of the HTTPS Inspection screen and in the URL Set of allowed addresses on the Web Access Policy screen. Now we will examine what should be done when an HTTPS site serves from a non-default port.
Let's continue with sample addresses. There is no difference whether you type http://www.destekyeri.com or http://www.destekyeri.com:80 in the browser's address bar.
In the first, the request is to access the address using the http protocol on its default port, port 80. Since the browser knows that the default port of the http protocol is 80, it does not need to specify a port separately.
In the second, by typing the port into the browser, we are saying: whether you know it or not, I am specifying the port used by the http protocol; use it. But there is no need for this, because browsers already know what they need about the http protocol.
Let's move on to the HTTPS protocol. Sites serving over this protocol mostly use the default port, 443. In some cases, however, site administrators configure their sites to serve from different ports. That is, instead of https://mail.destekyeri.com, which implies the default port 443, service can be provided from an address such as https://mail.destekyeri.com:4344. This means the address is reached over the HTTPS protocol using port 4344.
The definitions that must be made on TMG to reach sites serving from non-default ports are as follows:
1- A custom port must be defined.
2- This port must be defined in the Protocols field of the rule that provides access to the relevant address.
3- After these definitions, access to the address should be possible, but TMG needs one more definition. The easiest way is to run a 1.6 MB setup file named ISAtrpe, open the tool and introduce the relevant https port in it. The setup can be found on the Internet by searching for its name.
The address we will access is https://mail.destekyeri.com:4344. Let's start by introducing port 4344 to TMG, with the name Port-4344, as shown in the custom port definition screenshots below. Give a name in the window that opens and continue with Next.
See the port we created on the page below, and continue with Next.
Continue by entering the port number on the page that opens.
The first step is completed; we can see the port we created under User Defined. Now double-click the relevant rule to reach its configuration screen and open the Protocols tab. Activate Port-4344 in the rule as shown in the screenshots below.
The second step is completed and the rule will appear as follows.
It's time for the third step. Download the tool called ISAtrpe from the internet and install it with the default settings. After the installation, running the tool shows a screen like the following. Fill in the required fields as shown below and click the Add Tunnel Range button; the process will then complete.
https://mail.destekyeri.com:4344 can now be accessed.
The remaining thing to do is to enable, in the relevant rule on the Web Access Policy page, every custom port other than 443 created under User Defined, and define it as described here.