This topic describes how to modify Web access rules. After you have created a Web access rule by using the Web Access Policy wizard or the New Access Rule wizard, you can configure the rule with even more granularity by editing its properties. You can edit an access rule’s properties by using the following procedure:

Modifying an access rule

To modify the properties of an access rule

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the details pane, right-click the rule you want to modify, and then click Properties.

  3. Complete the relevant procedures below to modify the required values.

Configuring access rule properties

You can perform any of the following actions on an access rule:

Enable or disable a rule

If a rule is disabled, it is not evaluated by the rules engine.

To enable or disable a rule

  1. Click the General tab, and do one of the following:

    • To enable a rule, select the Enable check box.

    • To disable a rule, clear the check box.

Modify the rule action

Set the action that will be taken if all the conditions specified in the rule are met.

To modify the rule action

  1. Click the Action tab, and do one of the following:

    • To allow traffic matching the rule, select Allow.

    • To deny traffic matching the rule, select Deny.

Modify denial notification

When a Web access policy rule denies access to some Web site or set of Web sites, you can create a custom message alerting clients that they have been denied access. You can create a different denied access message for each rule in the Web access policy.

To create a custom denied access message

  1. On the Action tab of a deny access rule, under Denied URL Request Action, verify that Display denial notification to user is selected. In the box under Add custom text or HTML to notification (optional), type the message you want to show users who attempt to access blocked Web sites.

    Note:
    You can use HTML tags, such as: <a href="mailto:admin@contoso.com?subject=Access to Web site denied">Contact the system administrator</a>.
  2. If the rule blocks access to a URL category, you can expose the URL category of the blocked Web site to users by selecting Add denied request category to notification. This option is only available when URL filtering is enabled.

To redirect clients to a custom Web page

  1. Alternatively, you can direct Web clients to a custom Web page hosted on a Web server. To do so, select Redirect web client to the following URL, and type the complete URL, using the following format: http://URL.

Enable or disable logging of a rule

With logging enabled, client requests that are allowed or denied by this rule will be saved in the applicable log.

To enable or disable logging

  1. Click the Action tab, and do one of the following:

    • To enable logging on this rule, select the Log requests matching this rule check box.

    • To disable logging on this rule, clear the check box.

Modify protocols for a rule

The access rule applies to IP traffic using the protocols selected here. A rule intended to allow Web traffic will allow HTTP, and depending on your requirements, HTTPS and FTP.

To specify the protocols that apply to a rule

  1. Click the Protocols tab, and for This rule applies to, select one of the following:

    • To specify that the rule applies to Web-related protocols only, select Selected protocols, and then click Add. In the Add Protocols dialog box, click to expand Web, select FTP, HTTP, and HTTPS, clicking Add after each, and then click Close.

      Note:
      Do not select the protocols ending in "Server". These are used for Web publishing and not for outbound access.
      To remove a protocol from the rule, on the Protocols tab, select it from the Protocols list, and then click Remove.

    • To specify that the rule applies to all protocols, select All outbound traffic.

    • To specify that this rule applies to all traffic except those protocols that you select, select All outbound traffic except selected, and then click Add. In the Add Protocols dialog box, select the required protocol, click Add, and then click Close. To remove a protocol from the rule, on the Protocols tab, select it from the Protocols list, and then click Remove.

      Note:
      For information about creating and editing custom protocol definitions, see Configuring protocols.
  2. To allow traffic from a specific range of ports only, click Ports, and then select Limit access to traffic from this range of source ports. Type the range of source ports allowed in the From and To boxes.

  3. To allow traffic with specific HTTP characteristics only, click Filtering and select Configure HTTP. For information about creating an HTTP filter, see Configuring HTTP filtering.

Modify rule sources

The access rule applies to requests from the network entities listed in the From tab.

To modify rule sources

  1. Click the From tab, and do one of the following:

    • To add a traffic source to the rule, click Add on the list This rule applies to traffic from these sources. In the Add Network Entities dialog box, select the traffic sources to which you want this rule to apply, click Add, and then click Close.

    • To remove a traffic source from the rule, select it from the list, and then click Remove.

  2. To specify exceptions to the rule, click Add on the Exceptions list, and then specify network entities to which this rule does not apply.

Modify rule destinations

The access rule applies to requests to the network entities listed in the To tab.

To modify rule destinations

  1. Click the To tab, and do one of the following:

    • To add a traffic destination to the rule, click Add on the list This rule applies to traffic sent to these destinations. In the Add Network Entities dialog box, select the traffic destinations to which you want this rule to apply, click Add, and then click Close.

    • To remove a traffic destination from the rule, select it from the list, and then click Remove.

  2. To specify exceptions to the rule, click Add on the Exceptions list, and then specify network entities to which this rule does not apply.

Modify authentication requirements for a rule

The access rule applies to the user sets listed in the Users tab.

To modify authentication requirements for a rule

  1. Click the Users tab.

    Note:
    To specify that the rule is anonymous and that users are not required to authenticate for the rule, ensure that All Users appears in the user sets list.
  2. To add a user set to the rule, click Add, and then in the Add Users dialog box select one of the following:

    • To specify that access should only be granted to users that can authenticate successfully, select All Authenticated Users.

    • To specify anonymous access, select All Users.

    • You can also select a custom user group if one has been created. For more information, see Configuring user sets.

  3. To specify exceptions to the rule, click Add on the Exceptions list, and then specify users that are exempt from the user authentication requirements for the rule.

    Note:
    • When you set a rule to require authentication, users are authenticated according to the Web proxy authentication method for the source network specified on the From tab of the rule.

    • If the Web proxy properties of the source network are set to require authentication, this setting will take precedence over authentication settings on a specific rule. For more information, see Planning Web access authentication.

    • If authentication is required on a rule, users who cannot present authentication credentials will be denied access, as well as users who present credentials that fail the authentication process.
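The action, logging, protocol and user-set settings described in the preceding sections can be audited across all access rules from a script rather than one Properties dialog at a time. The following PowerShell script is an added example, not part of this topic: it assumes it runs on a Forefront TMG server where the FPC.Root COM administration class is registered, and that the enumeration values it hard-codes match the Forefront TMG SDK (FpcPolicyRuleTypes, FpcPolicyRuleActions, FpcProtocolSelectionType) for your build.

```powershell
# Added example (not from this topic): flag access rules whose settings weaken policy.
# Assumes a Forefront TMG array member with the FPC.Root COM class registered.
# Enumeration constants are assumed to match the TMG SDK; confirm against the SDK for your build.
$fpcPolicyRuleAccess      = 0   # FpcPolicyRuleTypes: access rule (not a publishing rule)
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions: Allow
$fpcAllProtocols          = 0   # FpcProtocolSelectionType: "All outbound traffic"

$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

$findings = foreach ($rule in $rules) {
    # Only access rules have the tabs this topic describes; skip publishing and system rules.
    if ($rule.Type -ne $fpcPolicyRuleAccess) { continue }

    $ap       = $rule.AccessProperties
    $userSets = @($ap.UserSets | ForEach-Object { $_.Name })
    $isAllow  = ($rule.Action -eq $fpcPolicyRuleActionAllow)
    $issues   = @()

    # General tab: a disabled rule is never evaluated by the rules engine.
    if (-not $rule.Enabled) { $issues += 'disabled (not evaluated)' }

    # Action tab: requests matching this rule leave no trace in the Web proxy or firewall log.
    if (-not $ap.EnableLog) { $issues += 'logging off for matching requests' }

    # Protocols tab: an Allow rule for "All outbound traffic" is far broader than HTTP/HTTPS/FTP.
    if ($isAllow -and $ap.ProtocolSelectionMethod -eq $fpcAllProtocols) {
        $issues += 'allows all outbound protocols'
    }

    # Users tab: "All Users" means anonymous access; no authentication is required by the rule.
    if ($isAllow -and $userSets -contains 'All Users') {
        $issues += 'anonymous allow (All Users)'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Rule = $rule.Name; Issues = ($issues -join '; ') }
    }
}

$findings | Format-Table -AutoSize
```

A rule reported as anonymous may still require authentication when the source network's Web proxy properties require it, because that network setting takes precedence over the rule, as the note above explains.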

Modify the schedule for a rule

To modify the rule schedule

  1. Click the Schedule tab.

  2. On the Schedule list, select one of the following:

    • Always, to specify that the rule is always applicable.

    • Weekends, to specify that the rule applies only on Saturday and Sunday.

    • Work hours, to specify that the rule is active from Monday to Friday, from 9:00 until 17:00.

    Note:
    • You can edit the days and times of these default schedules, or create new ones. For more information about creating and editing schedules, see Configuring schedules.

    • When you modify a rule so that it will be applied only at specific times (by configuring the schedule), the modified rule is applied only to new connections. Traffic from existing connections will continue to pass, even if it is not at an allowed time.

Modifying content types for a rule

To specify the content types that apply to a rule

  1. Click the Content Types tab.

  2. Click Selected content types and select the appropriate content type sets from the Content types list.

  3. To view the MIME and file types included in a particular content type set, do the following:

    1. Select the content type set, and then click Details.

    2. Click the Content Types tab of the Application Properties window, and review the Selected types list.

    3. To add a MIME or file type to the Selected types list, select it from the Available types list.

    4. When finished, click OK.

  4. To define a new content type, click New and then specify settings for the content type.

Note:
For more information about content types, see Configuring content types.

Modify malware inspection settings for a rule

To modify malware inspection settings for a rule

  1. Click the Malware Inspection tab.

  2. To enable malware inspection for traffic allowed by this rule, select Inspect content downloaded from Web servers to clients.

  3. While we recommend that you keep the default settings, you can set malware inspection options for this rule that are different from those set globally. To do so, click Use rule specific settings for malware inspection. Then click Rule Settings to fine-tune malware inspection block thresholds and other options for this rule. Note the following:

    • When Attempt to clean infected files is enabled, files that cannot be cleaned are purged. An HTML page is issued to notify the user that the file has been blocked.

    • The setting Block suspicious files is designed to block files that appear to be infected with unknown malware.

    • The setting Block corrupted files is turned off by default. Turning on this setting may cause a false positive and block files that are not actually harmful.

    • The setting Block files if archive depth level exceeds is designed to block malware that arrives in archives with deep nesting to avoid detection.

    • The setting Block archive files if unpacked content is larger than (MB) is designed to avoid having small archive files decompress to a large size when unpacked.

Note:
Malware inspection can only be configured on the rule if it is enabled globally. For more information, see Enabling malware inspection.

Note:
To scan HTTPS traffic for malware, you must enable HTTPS inspection. For more information, see Configuring HTTPS inspection.

Copyright © 2009 by Microsoft Corporation. All rights reserved.