When you apply changes to the firewall policy or to network rules, Forefront TMG ensures that all existing client connections comply with the new policy or rules, and terminates connections that are not allowed.
In the Forefront TMG Management console, configuration changes are only applied when you click the Apply button on the Apply Changes bar; the Apply Changes bar appears automatically whenever you make configuration changes.
Policy enforcement takes place when a connection is established, and when the following rule elements change:
- From (source) address and port.
- To (destination) addresses, names, and
- Schedule—When a firewall policy rule or a network rule includes a schedule, Forefront TMG continuously ensures that requests matching that rule do not expire. When a request expires, Forefront TMG terminates the connection. Note that this could be caused by a change in policy, or by a change in the time on the Forefront TMG server.
- User Sets and Content Types that are used to evaluate policy when the connection is first established are also used for reevaluation.
If you modify rule elements that are not going to be reevaluated, such as User Sets or Content Types that were not originally used for evaluation, and you want to ensure that no existing connections violate the new policy, then you should end client sessions manually in the Forefront TMG Management console (as described in Monitoring client sessions), or restart the firewall service.
Note the following:
- Reevaluation of existing HTTP sessions takes place the first time there is a traffic exchange along the corresponding connection. Thus, it is possible that some HTTP sessions may exist in the Session Monitoring view, even if they are not allowed by the new policy, as long as they do not pass any
- Custom policy elements associated with application filters are not considered in policy reevaluation. For example, if you add an interface to an RPC definition used in a deny rule, existing connections to that interface will not be terminated. Similarly, if you disable an SMTP command in the SMTP Filter, existing connections that use that command will not be
- Modifications in protocol definitions (changes in protocol properties or the addition of new protocols) do not affect existing connections. A connection is associated with a specific protocol (such as HTTP or FTP) only during connection establishment, and this association remains unchanged throughout the lifetime of the connection. For example, if a connection was associated with the FTP protocol (port 21) and later another protocol element with the same port 21 was added, the connection will still match policy rules containing the FTP protocol, and will not match policy rules that do not contain the FTP protocol, even if they contain the newly defined protocol.
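As an added illustration (a constructed model, not code from Forefront TMG or Microsoft), the following Python simulation shows two of the behaviours described above: a schedule that the server clock has passed terminates a connection on the next reevaluation, and a connection keeps the protocol it was bound to at establishment, so a new protocol element on the same port does not change which rules it matches. Rule and connection fields, and the explicit `reevaluate` call standing in for the rule-element triggers, are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple
# Constructed model of the reevaluation behaviour described above; not Forefront TMG code.
@dataclass(frozen=True)
class Protocol:
    name: str
    port: int

@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    protocols: frozenset                          # protocol names the rule covers
    sources: frozenset                            # From (source) networks/addresses
    schedule: Optional[Tuple[time, time]] = None  # active window; None means always
    def matches(self, conn, now) -> bool:
        if conn.protocol.name not in self.protocols or conn.source not in self.sources:
            return False
        return self.schedule is None or self.schedule[0] <= now < self.schedule[1]

@dataclass
class Connection:
    source: str
    protocol: Protocol  # bound once at establishment; never re-derived from the port
    alive: bool = True

def reevaluate(connections, rules, now) -> int:
    """Apply the current policy to live connections; return how many were terminated."""
    killed = 0
    for conn in connections:
        action = next((r.action for r in rules if r.matches(conn, now)), "deny")  # default deny
        if conn.alive and action != "allow":
            conn.alive = False
            killed += 1
    return killed

def demo_schedule_expiry() -> int:
    rules = [Rule("allow", frozenset({"FTP"}), frozenset({"Internal"}), (time(9), time(17)))]
    conn = Connection("Internal", Protocol("FTP", 21))
    reevaluate([conn], rules, time(10))         # inside the window: still allowed
    return reevaluate([conn], rules, time(18))  # server clock now past the window: terminated

def demo_new_protocol_same_port() -> Tuple[int, int]:
    # Both connections were established as FTP; "MyFTP" on port 21 was defined afterwards.
    old, new = Protocol("FTP", 21), Protocol("MyFTP", 21)
    a, b = Connection("Internal", old), Connection("Internal", old)
    only_new = [Rule("allow", frozenset({new.name}), frozenset({"Internal"}))]
    both = [Rule("allow", frozenset({old.name, new.name}), frozenset({"Internal"}))]
    return (reevaluate([a], only_new, time(10)),  # 1: rule lacks FTP, connection stays FTP
            reevaluate([b], both, time(10)))      # 0: rule still contains FTP
```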