About Web Proxy Clients

A Web proxy client is a client application or computer that sends requests to the TCP port on which Forefront TMG listens for outgoing Web requests from the network in which the client computer resides. By default, Forefront TMG listens for outgoing Web requests from clients in the Internal network on port 8080. Web proxy clients are typically Web browser applications that comply with HTTP 1.1 and are configured to send Web requests to a Forefront TMG computer. Each Web browser is configured through its own user interface or obtains its configuration settings from another server.

When a user specifies the HTTP protocol or does not specify any protocol in a URL in a a CERN-compliant Web browser, the Web browser sends an HTTP GET request containing the URL to the host and port specified in its configuration settings.

When an HTTP GET request reaches a Forefront TMG computer on the listening port, the Microsoft Firewall service checks the access rules that apply to the predefined HTTP protocol definition (port 80), which is associated with the Web Proxy Filter (the Forefront TMG Web proxy), to determine whether a request may be sent from the source to the destination host (the Web server). During this check, the Firewall service performs any required forward DNS name resolution to determine whether a rule applies to the request. If the request passes this check, the Firewall service passes the request to the Web proxy, which forwards the request to the port specified in the URL or to port 80 (the default port) on the Web server. Note that the Forefront TMG policy does not limit the ports to which the Web proxy may forward requests.

Forefront TMG can perform application-layer filtering and cache responses for HTTP requests from Web proxy clients.

When a user specifies the HTTPS protocol (HTTP over SSL) in a URL in a CERN-compliant Web browser, the Web browser sends the following HTTP CONNECT request.

CONNECT host_name:port HTTP/1.1

When the CONNECT request reaches the Forefront TMG computer on the listening port, the Firewall service checks the rules to determine whether a request may be sent from the source to the destination using the HTTP protocol. If the request passes the rules check, the Firewall service forwards the request to the Web proxy, and the Web proxy determines whether the port specified in the CONNECT request is included in a tunnel port range defined in the Forefront TMG configuration. If the port number passes this test, the Web proxy allows the request to be sent to the TCP port specified on the destination host to open a connection. When this operation succeeds, the Forefront TMG computer informs the client that the connection has been established. From that point on, the client sends encrypted packets directly to the destination on the port specified in the CONNECT request without any mediation by the Web proxy.

Note that Web proxy clients can run on Firewall client computers and on SecureNAT client computers.

Settings Defined for Web Proxy Clients

If the default Internal network or a user-defined network is configured to support Web proxy clients (the EnableWebProxyClients property of its FPCNetwork object is set to True), Forefront TMG will listen for connection requests from Web proxy clients in that network. The FPCWebListenerProperties object, which can be accessed through the WebListenerProperties of the network object, contains the Web listener properties for outgoing requests from the applicable network.

Web proxy clients can download an automatic configuration script (Wpad.dat for Web browsers running on computers without Firewall Client installed and Wspad.dat for Web browsers running on Firewall client computers) from a Forefront TMG computer. The contents of the default automatic configuration script are defined by properties of the FPCClientAutoScript object, which can be accessed through the AutoScript property of the FPCWebBrowserClientConfig object for the network. For example, properties of this object specify whether Web browsers configured to use the default automatic configuration script will bypass the Web proxy for requests sent to non-dotted names, specified domain names, and destinations in specified ranges of IP addresses.

Web Proxy Clients Running on Firewall Client Computers

On Firewall client computers, the Firewall Client software can configure some settings of the Web browsers running on them using information provided by a Forefront TMG computer. These settings can be obtained using Web Proxy Automatic Discovery (WPAD) to automatically discover the location of the server from which the automatic configuration script Wspad.dat can be downloaded, or automatic configuration can be disabled altogether. You can configure the following properties for Web browsers running on Firewall client computers:

If the automatic configuration of Web browsers running on Firewall client computers is enabled, Web browsers are configured with these settings when the Firewall Client software is installed, and they are updated each time that Firewall Client is restarted, each time that Detect Now or Test Server is clicked on the Settings tab or Configure Now is clicked on the Web Browser tab in the Microsoft Firewall Client for Forefront TMG dialog box, and every six hours after the previous refresh.

If Firewall Client is not installed, the Web browser can be configured manually.


Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.