URL Categories, HTTPS inspection and Web Access Policy in TMG

by Shijaz Abdulla on 22.12.2009 at 06:57

I recently had a chance to look at the Web Access Policy capability that has been added to Threat Management Gateway (TMG), which is the latest version of ISA Server.

In this post, I will explain:

  • The Web Access Policy Wizard
  • The URL Categories feature
  • The HTTPS inspection feature

The Web Access Policy wizard lets you create all the rules you need to enable, block and cache web access with just one wizard. Here’s how you can use this feature in a web access policy in TMG.

A great new addition is URL Categories, which provide a dynamically updated list of websites based on content. This lets the administrator block websites featuring specific categories of content like pornography, violence, politics, etc.

This has been a much-awaited feature, and one that is already available in products like Websense, and I’m happy to see it included in the new release.


  1. In the Forefront TMG console, click on Web Access Policy in the left pane.
  2. Click on Configure Web Access Policy in the Tasks tab (right pane).

    Web Access Policy Wizard

  3. In the wizard, hit Next.
  4. Click Yes, create a rule blocking the minimum recommended URL categories. This will automatically block access to a list of potentially malicious websites.


  5. In the next screen, you can choose which URL categories you want to block. Note that some categories, like Anonymizers, gambling, porn, etc., are already selected to make things easier. However, you can add more URL categories to block or remove some.

  6. To add another URL category, click Add. You can select more URL categories here. Hit Next.


  7. In the next step, you can create exceptions to this rule, by choosing to allow unrestricted access to some users/groups. Hit Next.


  8. You can choose whether you want to perform malware inspection on the website content. The block encrypted archives option blocks all compressed files that have a password set on them. Hit Next.


  9. Another cool new feature in TMG is the ability to inspect HTTPS traffic for malware. Yes, you can now look inside HTTPS. This is done by using a certificate that lets TMG pose as the client machine to the website, to see what happens. This is similar to a man-in-the-middle attack, but it’s a “good man” in the middle. :) You can also choose not to inspect HTTPS, but block the traffic if the certificate of the web server is not valid. This avoids having to let the user make that choice in his browser.


    If you enable this option, you need to specify what kind of certificate you need TMG to use. You also have the option of informing users that HTTPS content is being inspected, which might be required for legal disclosure. However, only users with a TMG Client installed on their computers will see this notification.


  10. Depending on what certificate option you selected, you need to provide additional information. I chose to use the certificate automatically generated by Forefront TMG.


  11. In the next step, you can choose to enable caching and configure it. Hit Next.
  12. That completes the Web Access Policy Wizard!
  13. Click Apply to save your changes to the configuration.


When you return to the TMG console, you will see that a set of Web Access rules has been created automatically based on your selections in the wizard. It couldn’t get easier than this!


Check out HTTPS inspection in the logs:

  • While trying to access an HTTPS website that has an untrusted/expired certificate:


  • HTTPS inspection allowing a legitimate website
  • User notification when a file being downloaded contains a virus.
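
The two HTTPS choices from step 9 and the log cases above can be reproduced with a throwaway OpenSSL lab. This is an added example, not part of the original post and not TMG's own code. It assumes the usual TLS-inspection model, in which the proxy validates the site's certificate and presents clients with one signed by its own inspection CA; the CA names, the hostname and the `make_ca`, `issue` and `verdict` helpers are constructed placeholders.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; every name is a placeholder and nothing here comes from TMG.
lab=$(mktemp -d); trap 'rm -rf "$lab"' EXIT
cat > "$lab/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA certificate and key, valid for 30 days.
make_ca() {
  openssl req -x509 -config "$lab/lab.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$lab/$1.key" -out "$lab/$1.pem" 2>/dev/null
}

# issue CA HOST OUT: server certificate for HOST signed by CA, valid for 1 day.
issue() {
  openssl req -new -config "$lab/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$lab/$3.key" -out "$lab/$3.csr" 2>/dev/null
  openssl x509 -req -in "$lab/$3.csr" -CA "$lab/$1.pem" -CAkey "$lab/$1.key" \
    -CAcreateserial -days 1 -out "$lab/$3.pem" 2>/dev/null
}

# verdict TRUSTED_CA CERT [EPOCH]: ALLOW if CERT chains to TRUSTED_CA at the
# given time (default: now), otherwise BLOCK:<OpenSSL verify error number>.
verdict() {
  out=$(openssl verify -CAfile "$lab/$1.pem" ${3:+-attime "$3"} "$lab/$2.pem" 2>&1) \
    && { echo ALLOW; return; }
  echo "BLOCK:$(printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at.*/\1/p' | head -n 1)"
}

make_ca public-root      # stands in for a CA the proxy and browsers already trust
make_ca unknown-ca       # a CA nobody trusts
make_ca inspection-ca    # stands in for the proxy's own HTTPS inspection CA
issue public-root   www.example.test origin     # what the real site presents
issue unknown-ca    www.example.test untrusted  # site with an untrusted issuer
issue inspection-ca www.example.test reissued   # what the proxy presents to clients
later=$(( $(date +%s) + 5 * 86400 ))            # a moment after origin.pem expires

echo "proxy sees valid site:        $(verdict public-root origin)"
echo "proxy sees untrusted issuer:  $(verdict public-root untrusted)"
echo "proxy sees expired cert:      $(verdict public-root origin "$later")"
echo "client without inspection CA: $(verdict public-root reissued)"
echo "client with inspection CA:    $(verdict inspection-ca reissued)"
```

The last two lines are the deployment consequence: a client that does not have the inspection CA certificate in its trusted root store rejects the re-signed certificate for every inspected site.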


This technology is SO exciting! Sometimes I miss being ISA Server MVP. 🙂
