Filter Types

You can develop a wide range of application filters by using the Forefront TMG Software Development Kit (SDK). Examples of filter types are:

• Protocol-enabling filters. These application filters enable the usage of complicated protocols that require more than a single TCP connection to traverse the Microsoft Firewall service. These filters dynamically configure the Firewall service computer to allow future secondary connections, and edit secure network address translation (SecureNAT) addresses. The FTP access filter and the H.323 filter, which are provided with Forefront TMG, are examples of protocol-enabling filters. The FTP access filter handles all aspects of configuring the Forefront TMG computer to automatically allow an FTP secondary data channel.
• Protocol-scanning filters. These filters scan data from specific protocols for items such as an intrusion or virus. Examples of protocol-scanning filters are the POP intrusion detection filter and the DNS intrusion detection filter that are based on technology from Internet Security Systems (ISS), and are provided with Forefront TMG.
• Redirection filters. A redirection filter may cause specific connections to be redirected into its control. The filter can then act as a server.
• NAT-supporting filters. Many protocols pass IP addresses of internal servers as part of their data. In a network address translation (NAT) environment, these internal IP addresses are hidden, and need to be translated to externally visible addresses. An application filter can monitor the traffic and modify the relevant fields within a message to include the correct external addresses according to existing publishing rules, or according to some other criteria. Using the FTP access filter, an FTP client behind the Forefront TMG computer may direct an FTP server to connect to it, passing its address and port information as part of the protocol. The FTP access filter translates this information to an externally visible listening socket, enabling the file transfer to take place without disclosing the internal address.
• Intrusion-detection filters. Application filters can examine traffic going through the Forefront TMG computer and look for known attack signatures. Firewall service provides two such filters, which detect known intrusion signatures for DNS and POP3.
• Content-filtering filters. Application filters can parse high-level application protocols, look for actual data (the payload), and apply rules and processing based on the content. Examples include applying protocol-level syntax validation, antivirus scanning on file transfers, SOAP or XML filtering, and content categorization. The Firewall service HTTP and SMTP filters demonstrate this capability. In these scenarios, the overall structure of the application filter is the same. It typically attaches itself to each connection, and implements the specifications and RFCs relevant to the protocols it represents to handle the traffic and apply rules to it. The filter should keep a session state and use it to control the data transfer through the Forefront TMG computer. It may modify the data flow, change the session payload, stop sessions that seem to violate the policy, or call Forefront TMG APIs to automatically configure allow/deny rules for expected future traffic. Content filtering for HTTP traffic is accomplished by developing an ISAPI filter, called a Web filter in the context of Forefront TMG and the Firewall service.
• Other filters. The Forefront TMG architecture allows you to create a wide range of other filters.

Send comments about this topic to Microsoft

Build date: 11/30/2009