This topic is designed to help you plan to control access to and from your internal network. Forefront TMG controls and protects internal network access by inspecting and filtering traffic between the internal network and the Internet, between networks, and between the Forefront TMG server and services with which it communicates.
The following sections describe:
Policies and rule sets
Forefront TMG controls internal network access by enforcing policies that determine whether or not connections between networks are allowed. These policies may be of the following types:
- Firewall policy—Inspects and filters connections between the internal network and the Internet. The firewall policy is made up of the following rule sets:
  - Access rules—Control outbound Web access, that is, access from internal computers to the Internet.
  - Web publishing rules—Control inbound access to published Web servers.
  - Server publishing rules—Control inbound access to published non-Web servers.
- System policy—Controls traffic to and from the Local Host network (the Forefront TMG server) to allow traffic and protocols necessary for Forefront TMG to perform authentication, domain membership, network diagnostics, logging, and remote management. Forefront TMG provides a predefined rule set, which is created during system installation. You can enable or disable individual rules, and modify rule destinations; you cannot delete existing rules or create new rules. For more information, see About system
Note: In the Forefront TMG Management console, you can view and edit system policy rules in the Firewall Policy node.
- Network rules—Specify that resources in one network are allowed to communicate with resources in other networks, and what type of relationship (either routing or NAT) exists between the source and destination. For more information,
Before you edit and create policy rules, read the following information about how Forefront TMG processes requests:
- About access
- About publishing
- Processing names and
- Handling rules that
For information about how Forefront TMG enforces policies, see About policy enforcement.
Request process flow
Forefront TMG processes requests as follows:
- Checks the request against the network rules to verify that the required network relationship exists between the request’s source
Note: Traffic that is handled by the Web proxy filter is not checked against the network rules.
- Checks the request against the system policy to determine whether one of the system rules allows or denies the request.
- Checks the request against the firewall policy in the order in which the rules appear in the list.
- After matching the request with a rule, Forefront TMG checks the network rules again (except for traffic handled by the Web proxy filter) to determine whether to route or apply NAT to the
About access rules
Usually, requests from internal clients are handled by access rules. Access rules can only be configured with outbound protocol definitions. When a request is received, Forefront TMG matches an access rule with the request by checking the rule elements in this order:
- Protocol—Rule defines one or more protocols with an outbound direction.
- From—Source address is defined in the rule. The source can be an entire network, a set of networks, a computer or set of computers, an IP address range, or a subnet.
- Schedule—Rule schedule controls when the rule
- To—Destination is defined in the rule. The destination can be an entire network, a set of networks, a computer or set of computers, an IP address range, a subnet, a domain name set, or a URL set. In some cases, a DNS lookup may be required to check that the request matches. For more information, see Processing domain name sets and URL sets
- Users—Rule applies to all users (for anonymous access), to all authenticated users (applied to any user who can authenticate successfully), or to a specific user
- Content groups—Rule applies to specific
If the request matches an allow rule, the request is allowed. After finding a matching rule, Forefront TMG does not evaluate further rules. Access rules that deny traffic are processed before publishing rules, so if a request matches a deny access rule, the request is denied even if a publishing rule would allow it.
About publishing rules
Forefront TMG uses the following publishing rule sets to enable access from the external network to published servers on the internal network:
- Web publishing rules—Enable access to published Web servers. For HTTP or HTTPS requests to a Web listener, Forefront TMG checks publishing rules and then Web chaining rules to determine whether the request is allowed and how it should be handled.
- Server publishing rules—Enable access to published non-Web servers. For non-HTTP requests, Forefront TMG checks network rules, and then checks publishing rules to determine if requests are allowed.
Processing names and addresses
HTTP requests may contain a name, a fully qualified domain name (FQDN), or an IP address. Forefront TMG handles the name or address as follows:
- If an HTTP request uses a site name, such as http://www.fabrikam.com, Forefront TMG performs a forward name resolution to a DNS server to obtain the associated FQDN, aliases, and the IP addresses. Then Forefront TMG attempts to match these elements to a rule.
- If an HTTP request uses an IP address, Forefront TMG first checks whether a rule matches that address. During this process, if Forefront TMG encounters a rule that requires a name, it performs reverse name resolution to obtain the FQDN for that IP address. Forefront TMG can then compare the FQDN to the access rule definitions.
- If the reverse name resolution fails, only the original IP address in the request is used in comparison to the
Note: When a SecureNAT client requests a site by name, Forefront TMG first verifies that the host header content is not masking an unrelated IP address requested by the client. If this verification succeeds, the process continues as it would for a Web Proxy client.
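The following example models the name and address handling described above: forward resolution for requests made by name, reverse resolution for requests made by IP address when a rule needs a name, and the fall-back to the bare IP address when reverse resolution fails. It also includes the SecureNAT host-header consistency check from the note. This is an added illustration written for this page, not Forefront TMG code; the zone data, the `DomainNameSet`/`AddressSet` classes and the behaviour for names that do not resolve (compare the literal name only) are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed forward zone: name -> (canonical FQDN, aliases, IP addresses).
FORWARD_ZONE = {
    "www.fabrikam.com": ("web1.fabrikam.com", {"www.fabrikam.com"}, {"203.0.113.10"}),
    "portal": ("portal.corp.fabrikam.com", {"portal"}, {"10.0.0.30"}),
}
# Constructed reverse zone: IP address -> FQDN. 203.0.113.99 has no PTR record.
REVERSE_ZONE = {"203.0.113.10": "web1.fabrikam.com", "10.0.0.30": "portal.corp.fabrikam.com"}


class DomainNameSet:
    """Rule destination given as names; '*.fabrikam.com' also matches fabrikam.com."""

    def __init__(self, patterns):
        self.patterns = {p.lower().rstrip(".") for p in patterns}

    def matches(self, name):
        name = name.lower().rstrip(".")
        for p in self.patterns:
            if p.startswith("*."):
                if name == p[2:] or name.endswith(p[1:]):
                    return True
            elif name == p:
                return True
        return False


class AddressSet:
    """Rule destination given as IP address ranges or subnets."""

    def __init__(self, cidrs):
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.networks)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def destination_matches(url, destination):
    """Return (matched, how) for the host in url against one rule destination."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    if not is_ip(host):
        # Request by name: forward resolution yields FQDN, aliases and addresses,
        # and each of those is compared with the rule. Assumption: a name that
        # does not resolve is compared as the literal name only.
        fqdn, aliases, addrs = FORWARD_ZONE.get(host, (host, set(), set()))
        if isinstance(destination, DomainNameSet):
            if any(destination.matches(n) for n in {host, fqdn} | aliases):
                return True, "name matched after forward resolution"
            return False, "no name matched"
        if any(destination.matches(a) for a in addrs):
            return True, "resolved address matched"
        return False, "no resolved address matched"
    # Request by IP address: address rules are compared directly. A rule that
    # needs a name triggers reverse resolution; if that fails, only the original
    # IP address is available, and it cannot match a name-based destination.
    if isinstance(destination, AddressSet):
        return destination.matches(host), "address compared directly"
    fqdn = REVERSE_ZONE.get(host)
    if fqdn is None:
        return False, "reverse resolution failed; IP address cannot match a name"
    return destination.matches(fqdn), "reverse-resolved to %s" % fqdn


def host_header_consistent(host_header, connected_ip):
    """SecureNAT check: the Host header must resolve to the address the client
    actually connected to; otherwise the name must not be used for rule matching."""
    _, _, addrs = FORWARD_ZONE.get(host_header.lower(), (host_header, set(), set()))
    return connected_ip in addrs
```

Note that a request for `http://203.0.113.99/` can never satisfy a domain name set, because nothing in the reverse zone names that address; the same request does match an `AddressSet` covering 203.0.113.0/24. That asymmetry is why destinations that must hold for IP-literal requests are better expressed as address ranges than as names.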
Handling rules that require authentication
When a rule specifies that authentication is required, Forefront TMG requests the client to present credentials. If the client cannot provide credentials, the request is dropped before the rule is evaluated. SecureNAT clients cannot provide credentials, and if a request from a SecureNAT client matches a rule that requires authentication, the request is dropped.
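The following example brings together the request process flow (network rules, then system policy, then firewall policy in list order with the first match deciding), the access-rule element order (protocol, from, schedule, to, users, content groups), the precedence of deny access rules over publishing rules, and the handling of rules that require authentication when the client cannot present credentials. It is an added illustration written for this page, not Forefront TMG code; the networks, addresses, rule sets and the `Request`/`Rule` types are constructed, and the "Local Host Access" route rule is included as constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed networks; an address matching no entry is treated as External.
# Local Host is listed first so the firewall's own addresses are classified first.
NETWORKS = {
    "Local Host": ["10.0.0.1/32", "203.0.113.1/32"],
    "Internal": ["10.0.0.0/8"],
}


def network_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, cidrs in NETWORKS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "External"


# Network rules (source, destination, relationship): a route relationship is
# bidirectional, a NAT relationship holds only in the stated direction.
NETWORK_RULES = [("Local Host", "All Networks", "route"), ("Internal", "External", "nat")]


def network_relationship(src, dst):
    for a, b, rel in NETWORK_RULES:
        forward = a in (src, "All Networks") and b in (dst, "All Networks")
        reverse = a in (dst, "All Networks") and b in (src, "All Networks")
        if forward or (rel == "route" and reverse):
            return rel
    return None


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    protocol: str
    hour: int                          # local hour, for the schedule check
    client: str                        # "WebProxy", "Firewall" or "SecureNAT"
    groups: frozenset = frozenset()    # empty: the client presented no credentials
    content_group: Optional[str] = None


@dataclass
class Rule:
    name: str
    kind: str                          # "access", "publishing" or "system"
    action: str                        # "allow" or "deny"
    protocols: frozenset
    src: frozenset                     # network names (From)
    dst: frozenset                     # network names (To)
    hours: range = range(24)           # schedule
    users: str = "All Users"           # or "All Authenticated Users" or a group name
    content_groups: Optional[frozenset] = None

    def evaluate(self, req, src_net, dst_net):
        """Element order from the text: protocol, from, schedule, to, users, content."""
        if req.protocol not in self.protocols:
            return "no match"
        if not self.src & {src_net, "All Networks"}:
            return "no match"
        if req.hour not in self.hours:
            return "no match"
        if not self.dst & {dst_net, "All Networks"}:
            return "no match"
        if self.users != "All Users":
            # SecureNAT clients cannot present credentials, so the request is dropped.
            if req.client == "SecureNAT" or not req.groups:
                return "needs credentials"
            if self.users != "All Authenticated Users" and self.users not in req.groups:
                return "no match"
        if self.content_groups is not None and req.content_group not in self.content_groups:
            return "no match"
        return "match"


SYSTEM_POLICY = [
    Rule("Allow DNS from Local Host", "system", "allow", frozenset({"DNS"}),
         frozenset({"Local Host"}), frozenset({"Internal"})),
]

FIREWALL_POLICY = [  # list order as an administrator would see it
    Rule("Publish intranet", "publishing", "allow", frozenset({"HTTP"}),
         frozenset({"External"}), frozenset({"Local Host"})),
    Rule("Allow Web for staff", "access", "allow", frozenset({"HTTP", "HTTPS"}),
         frozenset({"Internal"}), frozenset({"External"}), range(8, 18), "Staff"),
    Rule("Block partner range", "access", "deny", frozenset({"HTTP"}),
         frozenset({"External"}), frozenset({"All Networks"})),
]


def firewall_order(rules):
    """Deny access rules are considered before publishing rules."""
    denies = [r for r in rules if r.kind == "access" and r.action == "deny"]
    return denies + [r for r in rules if r not in denies]


def process(req, policy=FIREWALL_POLICY):
    src_net, dst_net = network_of(req.src_ip), network_of(req.dst_ip)
    web_proxy = req.client == "WebProxy" and req.protocol in ("HTTP", "HTTPS")
    # 1. Network rules (not checked for traffic handled by the Web proxy filter).
    if not web_proxy and network_relationship(src_net, dst_net) is None:
        return "deny", "no network rule between %s and %s" % (src_net, dst_net)
    # 2. System policy, for traffic to or from the Local Host network.
    if "Local Host" in (src_net, dst_net):
        for rule in SYSTEM_POLICY:
            if rule.evaluate(req, src_net, dst_net) == "match":
                return rule.action, rule.name
    # 3. Firewall policy: the first matching rule decides; no match means default deny.
    for rule in firewall_order(policy):
        verdict = rule.evaluate(req, src_net, dst_net)
        if verdict == "needs credentials":
            return "dropped", "%s requires authentication" % rule.name
        if verdict == "match":
            return rule.action, rule.name
    return "deny", "default rule"
```

The "Block partner range" rule sits last in the list but is evaluated first because it is a deny access rule, so an external request to the intranet listener is denied even though "Publish intranet" would allow it; the same request from a SecureNAT client to an authenticated rule is dropped rather than denied, which is worth remembering when reading logs.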
Network rules specify how traffic is sent between source and destination networks. One of the following relationships can be used in each network rule:
Route relationships are bidirectional. For example, if a network rule defines a route relationship from network A to network B, then a relationship also exists from network B to network A. Client requests from the source or destination network are forwarded directly to the other network, with the source and destination IP addresses unchanged. Use a route relationship where IP addresses do not need to be hidden between networks. This is a common configuration between two networks with public IP addresses or between two networks with private addresses. In either case, hosts in each network must define the Forefront TMG IP address in their local network as the route to the other network. In many cases, defining the Forefront TMG IP address as the default gateway is sufficient. When you create access rules or server publishing rules, a route relationship affects traffic as follows:
- When using access rules, Forefront TMG forwards the traffic with the source and destination IP addresses
- When using server publishing rules, Forefront TMG forwards the traffic as it does for access rules, but it uses application filters directly. For example, the Simple Mail Transfer Protocol (SMTP) filter is not used for SMTP traffic handled by an access rule, but it is used with traffic handled by a server
Network Address Translation (NAT) relationships between networks are unidirectional. The traffic is handled according to the source or destination of the traffic. Forefront TMG performs NAT as follows:
- In access rules, Forefront TMG replaces the client IP address on the source network with the Forefront TMG default IP address for the destination network. For example, if you create a NAT relationship in a network rule between the internal network and the external network, the source IP address of a request from the internal network is replaced with the default IP address of the Forefront TMG network adapter connected to the external network. Access rules that handle traffic between networks defined with a NAT relationship can only use the source network specified on the From tab, and the destination network specified on the To tab of the rule.
- In server publishing rules, the client in the destination network makes a connection to the Forefront TMG IP address on which the publishing rule is listening for requests. When Forefront TMG forwards the traffic to the published server, it replaces the Forefront TMG IP address with the IP address of the internal server that it is publishing, but it does not modify the source IP address. Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when forwarding traffic to the published server, the published server must use the Forefront TMG computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules to use the setting Requests appear to come from the Forefront TMG computer. This causes Forefront TMG to perform full NAT on the traffic handled by
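The following example shows what the forwarded packet looks like under a route relationship and under a NAT relationship, for an access rule and for a server publishing rule, and includes the return-path check that motivates the Requests appear to come from the Forefront TMG computer setting. It is an added illustration written for this page, not Forefront TMG code; the firewall addresses, the published server, and the `Packet` type and route table format are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the firewall's default IP address on each of its networks.
TMG_ADDRESS = {"Internal": "10.0.0.1", "External": "203.0.113.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def forward_access(pkt, relationship, dst_network):
    """Access rule. Route: both addresses pass through unchanged. NAT: the client
    source address becomes the firewall's default address on the destination network."""
    if relationship == "route":
        return pkt
    return Packet(TMG_ADDRESS[dst_network], pkt.dst)


def forward_publishing(pkt, relationship, published_server, server_network,
                       requests_appear_from_tmg=False):
    """Server publishing. Route: forwarded as for an access rule. NAT: the client
    connected to the listener address, which is rewritten to the published server;
    the source stays intact unless 'Requests appear to come from the Forefront TMG
    computer' is set, in which case the source is replaced as well (full NAT)."""
    if relationship == "route":
        return pkt
    src = TMG_ADDRESS[server_network] if requests_appear_from_tmg else pkt.src
    return Packet(src, published_server)


def reply_returns_through_firewall(forwarded, server_routes):
    """Does the published server's reply to forwarded.src travel back via the firewall?
    server_routes maps CIDR -> next hop ('on-link' for a directly attached subnet),
    most specific first, plus a 'default' entry. False means the reply would bypass
    the firewall, which is the case the full-NAT setting exists to fix."""
    addr = ipaddress.ip_address(forwarded.src)
    hop = server_routes["default"]
    for cidr, next_hop in server_routes.items():
        if cidr != "default" and addr in ipaddress.ip_network(cidr):
            hop = next_hop
            break
    if hop == "on-link":
        # Delivered directly: only reaches the firewall if the firewall is the source.
        return forwarded.src in TMG_ADDRESS.values()
    return hop in TMG_ADDRESS.values()
```

With a published server whose default gateway is not the firewall, the NAT publishing case leaves the external client address as the source, the reply goes out through the other gateway, and the connection breaks; turning on the full-NAT option makes the firewall's internal address the source, so the reply is delivered on-link to the firewall regardless of the server's routing table.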