In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

In the details pane, right-click the rule you want to modify, and then click Properties.

Complete the relevant procedures as follows to modify required values.

Click the General tab, and do one of the following:

• To enable a rule, select the Enable check box.
  
  
• To disable a rule, clear the check box.
  
  

Click the Action tab, and do one of the following:

• To allow traffic matching the rule, select Allow.
  
  
• To deny traffic matching the rule, select Deny.
  
  

On the Action tab of a deny access rule, under Denied URL Request Action, verify that Display denial notification to user is selected. In the box under Add custom text or HTML to notification (optional), type the message you want to show users who attempt to access blocked Web sites.

Note:
You can use HTML tags, such as: <a href="mailto:admin@contoso.com?subject=Access to Web site denied">Contact the system administrator</a >.

If the rule blocks access to a URL category, you can expose the URL category of the blocked Web site to users by selecting Add denied request category to notification. This option is only available when URL filtering is enabled.

Alternatively, you can direct Web clients to a custom Web page hosted on a Web server. To do so, select Redirect web client to the following URL, and type the complete URL, using the following format: http://URL.

Click the Action tab, and do one of the following:

• To enable logging on this rule, select the Log requests matching this rule check box.
  
  
• To disable logging on this rule, clear the check box.
  
  

Click the Protocols tab, and for This rule applies to, select one of the following:

• To specify that the rule applies to Web-related protocols only, select Selected protocols, and then click Add. In the Add Protocols dialog box, click to expand Web, select FTP, HTTP, and HTTPS, clicking Add after each, and then click Close.
  
  

  Note:
  Do not select the protocols ending in "Server". These are used for Web publishing and not for outbound access.

  To remove a protocol from the rule, on the Protocols tab, select it from the Protocols list, and then click Remove.
  
  
• To specify that the rule applies to all protocols, select All outbound traffic.
  
  
• To specify that this rule applies to all traffic except those protocols that you select, select All outbound traffic except selected, and then click Add. In the Add Protocols dialog box, select the required protocol, click Add, and then click Close. To remove a protocol from the rule, on the Protocols tab, select it from the Protocols list, and then click Remove.
  
  

  Note:
  For information about creating and editing custom protocol definitions, see Configuring protocols.

To allow traffic from a specific range of ports only, click Ports, and then select Limit access to traffic from this range of source ports. Type the range of source ports allowed in the From and To boxes.

To allow traffic with specific HTTP characteristics only, click Filtering and select Configure HTTP. For information about creating HTTP filter, see Configuring HTTP filtering.

Click the From tab, and do one of the following:

• To add a traffic source to the rule, click Add on the list This rule applies to traffic from these sources. In the Add Network Entities dialog box, select the traffic sources to which you want this rule to apply, click Add, and then click Close.
  
  
• To remove a traffic source from the rule, select it from the list, and then click Remove.
  
  

To specify exceptions to the rule, click Add on the Exceptions list, and then specify network entities to which this rule does not apply.

Click the To tab, and do one of the following:

• To add a traffic destination to the rule, click Add on the list This rule applies to traffic from these destinations. In the Add Network Entities dialog box, select the traffic sources to which you want this rule to apply, click Add, and then click Close.
  
  
• To remove a traffic destination from the rule, select it from the list, and then click Remove.
  
  

To specify exceptions to the rule, click Add on the Exceptions list, and then specify network entities to which this rule does not apply.

Click the Users tab.

Note:
To specify that the rule is anonymous and that users are not required to authenticate for the rule, ensure that All Users appears in the user sets list.

To add a user set to the rule, click Add, and then select the following on the Add Users dialog box:

• To specify that access should only be granted to users that can authenticate successfully, select All Authenticated Users.
  
  
• To specify anonymous access, select All Users.
  
  
• You can also select a custom user group if one has been created. For more information, see Configuring user sets.
  
  

To specify exceptions to the rule, click Add on the Exceptions list, and then specify users that are exempt from the user authentication requirements for the rule.

Note:

When you set a rule to require authentication, users are authenticated according to the Web proxy authentication method for the source network specified on the From tab of the rule. If the Web proxy properties of the source network are set to require authentication, this setting will take precedence over authentication settings on a specific rule. For more information, see Planning Web access authentication. If authentication is required on a rule, users who cannot present authentication credentials will be denied access, as well as users who present credentials that fail the authentication process.

Click the Schedule tab.

On the Schedule list, select one of the following:

• Always, to specify that the rule is always applicable.
  
  
• Weekends, to specify that the rule applies only on Saturday and Sunday.
  
  
• Work hours, to specify that the rule is active from Monday to Friday, from 9.00 until 17.00.
  
  

Note:

You can edit the days and times of these default schedules, or create new ones. For more information about creating and editing schedules, see Configuring schedules. When you modify a rule so that it will be applied only at specific times (by configuring the schedule), the modified rule is applied only to new connections. Traffic from existing connections will continue to pass, even if it is not at an allowed time.

Click the Content Types tab.

Click Selected content types and select the appropriate content type sets from the Content types list.

To view the MIME and file types included in a particular content type set, do the following:

1. Select the content type set, and then click Details.
   
   
2. Click the Content Types tab of the Application Properties window, and review the Selected types list.
   
   
3. To add a MIME or file type to the Selected types list, select it from the Available types list.
   
   
4. When finished, click OK.
   
   

To define a new content type, click New and then specify settings for the content type.

Click the Malware Inspection tab.

To enable malware inspection for traffic allowed by this rule, select Inspect content downloaded from Web servers to clients.

While we recommend that you keep the default settings, you can set malware inspection options for this rule that are different than those set globally. To do so, click Use rule specific settings for malware inspection. Then click Rule Settings to fine-tune malware inspection block thresholds and other options for this rule. Note the following:

• When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. An HTML page is issued to notify the user that the file has been blocked.
  
  
• The setting Block suspicious files is designed to block files that appear to be infected with unknown malware.
  
  
• The setting Block corrupted files is turned off by default. Turning on this setting may cause a false positive and block files that are not actually harmful.
  
  
• The setting Block files if archive depth level exceeds is designed to block malware that arrives in archives with deep nesting to avoid detection.
  
  
• The setting Block archive files if unpacked content is larger than (MB) is designed to avoid having small archive files decompress to a large size when unpacked.