This topic describes how to exclude network entities from malware inspection scans.
You can exclude sources and destinations, as follows:
- Excluding sources—The main reason for excluding sources from malware inspection is to avoid scanning content more than once, which has a performance cost and is problematic in some scenarios. A typical scenario is when content is scanned for malware by a downstream proxy. In such a case, you should configure the upstream proxy to exclude from scanning all requests coming from the downstream proxy.
- Excluding destinations—The two main reasons for excluding destinations from malware inspection are to improve performance by excluding trusted sites, and to solve compatibility issues.
The following procedure describes how to exempt destinations and sources from malware inspection.
To specify destinations and sources exempt from malware inspection
- In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
- On the Tasks tab, click Configure Malware Inspection.
- Click the Destination Exceptions tab or the Source Exemptions tab, and then click Add.
- In the Add Network Entities dialog box, click New, and then select the exempted network objects. You can specify an entire network, computers or IP addresses, or domain name sets and URL sets. If you select domain names, ensure they can be resolved by Domain Name System (DNS).
- To modify the default domain set (destination exemptions only) or other exempted network objects, select the appropriate entry, and then click Edit.
- To remove sites from the exemption list, select the appropriate entry, and then click Remove.
- When you have finished, click OK, and then on the Apply Changes bar, click Apply.
Configuring malware inspection with Web proxy chaining
In a Web proxy chaining deployment, enabling malware inspection on both an upstream and a downstream Forefront TMG server is not supported. If you have such a deployment, you must make sure malware inspection is enabled only on the upstream or downstream server, as follows:
- Configuration required when malware inspection is enabled on the upstream server. Perform the following two steps:
  - When using Web proxy chaining, the identity of each client is known to the downstream server, but not propagated to the upstream server. As a result, all requests from users behind the downstream server share the same temporary storage limit on the upstream server. To prevent downstream users from consuming all of this relatively small temporary storage limit, add the downstream server to the computer set on the upstream server. To do this, open the Forefront TMG Management console on the upstream server. In the tree, click the Intrusion Prevention System node, and on the Behavioral Intrusion Detection tab, click Configure Flood Mitigation Settings. On the IP Exceptions tab, click Add, and add the downstream server to the list.
  - Disable malware inspection on the downstream server, or on the Web chaining rule.
- Configuration required when malware inspection is enabled on the downstream server. Do one of the following:
  - Disable malware inspection on the upstream server.
  - Exclude traffic originating behind the downstream server from inspection by the upstream server. To do this, open the Forefront TMG Management console on the upstream server. In the tree, click the Web Access Policy node, and on the Tasks tab, click Configure Malware Inspection. On the Source Exceptions tab, click Add, and exclude the downstream server from malware inspection.
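The chaining rules above can be turned into a quick audit of a two-server deployment. The following is an added example, not part of this topic and not the Forefront TMG object model: it models only the few settings the topic touches (inspection state, Source Exceptions, Flood Mitigation IP Exceptions) as a constructed data class and reports which of the documented configuration steps are missing.

```python
from dataclasses import dataclass, field

# Constructed model of the settings this topic touches; it is not the TMG COM object model.
@dataclass
class TmgServer:
    name: str
    # Web Access Policy > Configure Malware Inspection. Treat as False on a downstream
    # server when inspection is disabled either globally or on the Web chaining rule.
    malware_inspection_enabled: bool
    source_exceptions: set = field(default_factory=set)    # Source Exceptions tab (server names)
    flood_ip_exceptions: set = field(default_factory=set)  # Flood Mitigation Settings > IP Exceptions tab

FINDINGS = {
    "both-inspect": "unsupported: upstream and downstream both inspect the chained traffic; "
                    "disable malware inspection on one of them, or add the downstream server "
                    "to Source Exceptions on the upstream server",
    "flood-exception-missing": "downstream server is missing from Flood Mitigation IP Exceptions "
                               "on the upstream server; all chained users share one temporary "
                               "storage limit there",
}

def upstream_inspects_chain(upstream: TmgServer, downstream: TmgServer) -> bool:
    """True when the upstream server actually scans requests forwarded by the downstream server."""
    return upstream.malware_inspection_enabled and downstream.name not in upstream.source_exceptions

def check_chain(upstream: TmgServer, downstream: TmgServer) -> list:
    """Return finding codes (keys of FINDINGS) for a two-server Web proxy chain."""
    findings = []
    if upstream_inspects_chain(upstream, downstream):
        # Rule 1: malware inspection on both servers is not supported.
        if downstream.malware_inspection_enabled:
            findings.append("both-inspect")
        # Rule 2: an inspecting upstream server must exempt the downstream server from
        # flood mitigation, because client identity is not propagated across the chain.
        if downstream.name not in upstream.flood_ip_exceptions:
            findings.append("flood-exception-missing")
    return findings

if __name__ == "__main__":
    # Constructed sample: both servers inspect, and the upstream has no exceptions configured.
    upstream = TmgServer("TMG-UPSTREAM", malware_inspection_enabled=True)
    downstream = TmgServer("TMG-DOWNSTREAM", malware_inspection_enabled=True)
    for code in check_chain(upstream, downstream):
        print(f"{code}: {FINDINGS[code]}")
```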
Copyright © 2009 by Microsoft Corporation. All rights reserved.