Controlling Web Access with URL Filtering in TMG 2010
Overview of URL Filtering
URL filtering is the new features of the Forefront TMG 2010. It allows you to control end-user access to Web sites based on pre-defined URL categories. URL categories save you time figuring out what to block and what not to block. It’s because new websites spring into operation every minute or second. So its very difficult traditional protection based on domain name sets or URL sets and key words aren’t effective. It’s a big bad Internet. So we should consider cloud computing. The security world calls it a bad idea, while industry is rushing it. Forefront TMG uses Microsoft Reputation Service (MRS), is a cloud-based new service, hosted by Microsoft to categorize URLs that is helping to provide better level of web security to an end users.
The MRS team wanted to confront an inherent problem with traditional URL filtering solutions: the problem domain is simply too large for any single vendor to provide a complete solution in all categories. As a result, MRS aggregates reputation data from multiple vendors who each specialize in a specific area of the solution and uses telemetry to improve data accuracy.
Benefits of URL Filtering:
- Prevents users access to malicious and phishing sites
- Reduce liability risks by blocking access to sites that distribute illegal content such as hate, criminal activities, or pornography sites.
- Reduce the risk of sensitive information leaking by restricting access to Web e-mail or blogging sites.
- Improve the productivity of the organization by restricting time spent on social networking sites such as Facebook.
Implementing URL Filtering:
From TMG 2010, we can create access rule to allow or block access to Web sites based on URL categorization in the URL filtering database. When a request to access a Web site is received, TMG queries MRS to determine the categorization of the Web sites. If the Web site has been categorized as a blocked URL category set, TMG blocks the request and user gets a denial notification that includes the denied request category.
URL Filtering requires that you make choices for TMG globally and on a per-rule basis.
Use the following steps to configure global URL Filtering in TMG:
1. In the Forefront TMG Management console, in the tree, click Web Access Policy.
2. In the right pane, click Configure URL Filtering.
4. In the URL Filtering Settings dialog box, click the URL Category Override tab, make sure this list should empty.
5. Click OK to close the URL Filtering Settings dialog box.
Here, we will configure TMG to use URL Filtering to block access to certain categories of URLs, such as Facebook site.
Forefront TMG uses Microsoft Reputation Service (MRS), a cloud-based new service to find the categorization of a particular URL. So we have to query for URL Category first before we check URL Categories. For example Facebook web site.
1. In the TMG console, in the left pane, expand Forefront TMG(KTM-TMGSRV), and then select Web Access Policy.
2. In the right pane, on the Toolbox tab, in the Network Objects section, In the Toolbox , click New and then click URL Category Set.
3. On the Welcome to the New URL Category Set Wizard page, type Block Facebook Category and click Next.
4. On the URL Category Selection page, accept the default option Includes all selected URL categories, in the URL Category list select Blogs/Wiki and Online Communities, then click Next.
5. On the Completing the New URL Category Set Wizard page, click Finish
6. Click Apply To save changes and update the configuration, Apply and then click OK to Saving Configuration Changes.
Now Configure the Blocked Web Site Destination Access Rule:
1. In the TMG console, in the left pane, expand Forefront TMG(KTM-TMGSRV), and then select Web Access Policy. In the right pane, on the Tasks tab, click Create Access Rule.
2. 2. On Welcome to the New Access Rule Wizard page, in the Access rule name box, type Blocked Facebook Sites and click Next.
3. On the Rule Action page, select Deny radio button and click Next.
4. On the Protocols page, select HTTP,HTTPS under Protocols and click Next.
5. On the Access Rule Sources page, Add Internal Networks and click Next.
6. On the Access Rule Destinations page, click Add, then expand URL Category Sets and select Block Facebook Category, click Add and click Close.
7. On the Access Rule Destinations, click Next.
8. On the User Sets page, click Next.
9. On the Completing the New Access Rule Wizard page, click Finish.
10. Click Apply ,Click Apply and then click OK to save changes and update the configuration.
11. Double-click the Blocked Facebook Sites Properties deny rule, click Action Tab, Click Advanced Tab.
12. In the Action Advanced Properties dialog box, select Display denial notification to user, type Access to Facebook Site is blocked by Msserverpro IT Security Policy in the Add custom text or HTML to notification (optional) text field. Then select Add denied request category to notification. This option is only available when URL filtering is enabled. Click OK to close the Action Advanced Properties dialog box.
13. In the Blocked Facebook Sites Properties dialog box, click Apply and then click OK to save the configuration.
Now Testing URL Filtering (Facebook Site):
1. Log On to the Client Computer, Open the Internet Explorer and type http://www.facebook.com in the address bar and press Enter.
Internet Explore displays an Access Denied page, in addition to the customized text, and the category “Online Communities”
After TMG 2010 SP2 installed,Internet Explore displays new improved an Access Denied page.
In the current network, manully adding the URL sets and domain names are very difficult to block the web sites and domains. We have to use Cloud-based service to block web sites and domains. Microsoft Forefront TMG 2010 is the perfect solution for URL filtering . URL filtering is the new feature of the Forefront TMG 2010, which uses Microsoft Reputation Service(MRS) is a cloud-based new service. I hope this helps.