Blocking YouTube videos and Flash content using Forefront TMG

by Shijaz Abdulla on 13.06.2010 at 23:21

In this post, I show you how to block users from playing YouTube videos on your network. I also show you how to block Flash content embedded in web pages (although nowadays blocking all Flash content may not be such a good idea).

Yes, you could always block the URL youtube.com, but this may not be effective, as YouTube videos can be embedded in other websites and there are plenty of sites *like* YouTube out there. A more effective approach is to block by MIME type, thanks to the enhanced content filtering capabilities built into TMG.

Before I get started, two important notes:

  • I mention YouTube because it is everyone’s favorite, but the steps below will work for Vimeo, and any other video sharing sites that rely on Adobe Flash technology.
  • The steps below can be used to block YouTube and Flash content on ISA Server 2004/2006 too.

Blocking YouTube videos using TMG

1. On the TMG Console, right-click Firewall Policy, choose New Access Rule and create a new “Deny” rule named “Block Youtube” as follows:

  • Action: Deny
  • Applies to: All Outbound traffic
  • From: Internal
  • To: External
  • Users: All Users

Click Finish to close the wizard.

2. Do not apply the changes yet! Right-click the new rule you just created and choose Properties.

3. Open the Content Types tab. Click New.

4. Create a new Content Type Set as follows:

Name: YouTube

Available types: (type each of the below and click the Add button)

  • video/mp4
  • video/x-flv
  • video/x-ms-asf

5. Click OK. Ensure the check box next to your new content type set is enabled.

6. Click OK and apply your changes. Wait for the configuration synchronization to complete.

Test your changes by trying to play some videos on YouTube or other video sharing websites.


Blocking Adobe Flash Player content using TMG

1. Follow steps 1 to 3 above.

2. While creating the new Content Type Set, use the following parameters:

Name: Flash

In the available types box, type:

application/x-shockwave-flash

3. Proceed with step 5 above.


Blocking additional MIME types

If you need to block something else, it is easy to find which content type to block. Simply monitor the Logging view (Logs & Reports > Logging) in the TMG console. Once you find the log entry that allowed the content you want to block, expand “Additional Information” and you will see the MIME type that you need to add to your content type set.
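To make the matching behind these two content type sets concrete, here is an added example (my own code, not part of the original post or a TMG component). It models a deny rule that matches the response's Content-Type header against the YouTube and Flash sets defined above, then tallies the MIME types seen in constructed proxy log lines per host, which is the same information you read from the “Additional Information” pane when looking for the next type to block. The log layout (five whitespace-separated fields) is a simplified, constructed format rather than a verbatim TMG export, and the matching rules (case-insensitive media type, parameters such as `; codecs=` ignored) are this example's own interpretation, not a statement about TMG internals.

```python
"""Added example (not from the original post): model TMG-style content type
set matching and mine constructed web-proxy log lines for the MIME types
that a content type set does not yet cover.

Assumptions: the log format below is a simplified, constructed layout (only
the fields needed here), not a verbatim TMG export, and the normalize_mime()
rules (case-insensitive media type, header parameters ignored) are this
example's own interpretation of matching on the Content-Type header.
"""
from collections import Counter, defaultdict

# The two content type sets configured in the procedures above.
CONTENT_TYPE_SETS = {
    "YouTube": {"video/mp4", "video/x-flv", "video/x-ms-asf"},
    "Flash": {"application/x-shockwave-flash"},
}


def normalize_mime(content_type: str) -> str:
    """Reduce e.g. 'Video/MP4; codecs="avc1"' to 'video/mp4' for comparison."""
    return content_type.split(";", 1)[0].strip().lower()


def matching_sets(content_type: str, sets=CONTENT_TYPE_SETS) -> list:
    """Names of every content type set whose members include this type."""
    mime = normalize_mime(content_type)
    return sorted(name for name, types in sets.items() if mime in types)


def rule_action(content_type: str, sets=CONTENT_TYPE_SETS) -> str:
    """'Deny' if any configured set matches the response type, else 'Allow'."""
    return "Deny" if matching_sets(content_type, sets) else "Allow"


# Constructed sample log lines (not real TMG output). Fields:
# client-ip  r-host  cs-uri  cs-mime-type  action
SAMPLE_LOG = """\
10.0.0.12 www.youtube.com /watch?v=placeholder text/html Allowed
10.0.0.12 video-cdn.example /videoplayback video/mp4 Allowed
10.0.0.15 vimeo.example /player.swf application/x-shockwave-flash Allowed
10.0.0.15 cdn.example /clip.flv video/x-flv Allowed
10.0.0.20 news.example /index.html text/html Allowed
10.0.0.20 news.example /stream.webm video/webm Allowed
"""


def parse_log(text: str) -> list:
    """Parse the constructed five-field log format into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        client, host, uri, mime, action = line.split()
        records.append({"client": client, "host": host, "uri": uri,
                        "mime": mime, "action": action})
    return records


def mime_types_by_host(records: list) -> dict:
    """Tally the MIME type of each logged response per destination host."""
    tally = defaultdict(Counter)
    for rec in records:
        tally[rec["host"]][normalize_mime(rec["mime"])] += 1
    return {host: dict(counts) for host, counts in tally.items()}


def unblocked_video_types(records: list, sets=CONTENT_TYPE_SETS) -> list:
    """video/* types seen in allowed traffic that no configured set covers."""
    seen = {normalize_mime(r["mime"]) for r in records if r["action"] == "Allowed"}
    return sorted(m for m in seen
                  if m.startswith("video/") and not matching_sets(m, sets))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["host"]:20} {r["mime"]:32} -> {rule_action(r["mime"])}')
    print("video types not yet covered:", unblocked_video_types(recs))
```

Running the script shows the MP4, FLV and SWF responses denied while `video/webm` from `news.example` still passes, which is exactly the kind of gap the log review in this section is meant to surface: the rule only sees the types you listed, so each new container format or player technology needs its own entry.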

Blocking Skype and other IM protocols in Forefront TMG

by Shijaz Abdulla on 13.06.2010 at 18:19

It has never been easier to block instant messaging (IM) with Forefront Threat Management Gateway (TMG). If you have read the article I wrote a couple of years ago on how to block IM protocols on ISA Server, you will definitely appreciate the ease with which you can do the same thing more effectively with TMG.

In this post, I show you how you can block Skype, Google Talk, Yahoo Messenger, Live Messenger, etc. using Forefront TMG 2010.

Before I go into the step-by-step procedure, I want to highlight what is happening in the background.

  • Microsoft Forefront TMG 2010 now comes with URL Filtering. URL filtering enables you to block web content belonging to a particular category, such as Chat, Social Networking, or Pornography.
  • Another new feature in TMG 2010 is Outbound HTTPS inspection. This allows all HTTPS user traffic to be inspected by TMG.

These are the two new features that we will leverage to block chat. Here is a summary of what we will do:

  • Make sure the only allowed traffic on your TMG server is regular web traffic (HTTP and HTTPS). I am against creating “generic” rules like “allow all” from internal to external when you have SecureNAT clients in your network, as this defeats the purpose of filtering.
  • Turn on HTTPS inspection. Read my earlier post if you need help enabling HTTPS inspection.
  • In a “Deny” rule on your Web Access Policy, add the “Chat” URL category.

Why do you need HTTPS inspection?

Many IM clients and other software, Skype included, first try to connect using dynamic UDP ports and eventually fall back to HTTPS. With HTTPS inspection turned on, TMG is able to look inside the HTTPS traffic and see whether the software is trying to reach a blocked URL.

1. In the Forefront TMG console, locate your Web Access Policy rule that denies traffic. If you do not have one, right-click Web Access Policy in the left pane and choose Configure Web Access Policy.

2. Click on the “To” tab. Click the Add button.


3. Expand URL Categories. Add the “Chat” URL category to the list.


4. Click OK and Apply your changes. Wait for the changes to synchronize (tip: you can verify this under Monitoring > Configuration).

Now for the best part: try connecting to Skype, or any of your favorite instant messaging software. Note that the web versions of these messengers are also blocked!

On a closing note – you can use the same technique to block P2P (peer-to-peer) and file sharing applications like eMule, Kazaa, eDonkey, BitTorrent, etc. using TMG. In step 3, choose the “P2P/File sharing” URL category instead.

Enjoy.