I recently had a chance to look at the Web Access Policy capability that has been added to Threat Management Gateway (TMG), which is the latest version of ISA Server.

In this post, I will explain:

• The Web Access Policy Wizard
• The URL Categories feature
• The HTTPS inspection feature

The Web Access Policy wizard lets you create all the rules you need to enable, block and cache web access with just one wizard. Here’s how you can use this feature in a web access policy in TMG.

A great new addition is URL Categories, which provide a dynamically updated list of websites based on content. This lets the administrator block websites featuring specific categories content like pornography, violence, politics, etc.

This has been a much-awaited feature, and one that is already available in products like Websense and I’m happy to see this included in the new release.

1. In the Forefront TMG console, click on Web Access Policy in the left pane.
2. Click on Configure Web Access Policy in the Tasks tab (right pane).

   

3. In the wizard, hit Next
4. Click Yes, create a rule blocking the minimum recommended URL categories. This will automatically block access to a list potentially malicious websites.

   

5. In the next screen, you can choose which URL categories you  want to block. Note that some categories like Anonymizers, gambling, porn etc, are already selected to make things easier. However, you can add more URL categories to block or remove some.

   

6. To add another URL category, click Add. You can select more URL categories here. Hit Next.

   

7. In the next step, you can create exceptions to this rule, by choosing to allow unrestricted access to some users/groups. Hit Next.

   

8. You can choose whether you want to perform malware inspection on the website content. The block encrypted archives option blocks all compressed files that have a password set on them. Hit Next.

   

9. Another cool new feature in TMG is the ability to inspect HTTPS traffic for malware. Yes, you can now look inside HTTPS – this is done by using a certificate that lets TMG pose as the client machine to the website, to see what happens – this is similar to a man-in-the-middle attack, but it’s a “good man” in the middle. . You can also choose not to inspect HTTPS, but block the traffic if the certificate of the web server is not valid. This avoids having to let the user make that choice on his browser.

    

   If you enable this option, you need to specify what kind of certificate you need TMG to use. You also have the option of informing users that HTTPS content is being inspected, which might be required for legal disclosure. However, only users with a TMG Client installed on their computers will see this notification.

   

10. Depending on what certificate option you selected, you need to provide additional information. I chose to use the certificate automatically generated by Forefront TMG.

    

11. In the next step, you can choose to enable caching and configure it. Hit Next.
12. That completes the Web Access Policy Wizard!
    
13. Click Apply to save your changes to the configuration.

    

When you return to the TMG console you will see that a set of Web Access rules have been created automatically based on your selections in the wizard. It couldn’t get easier than this!

Check out HTTPS inspection in the logs:

• While trying to access an HTTPS website that has an untrusted/expired certificate:

  

• HTTPS inspection allowing a legitimate website
  
• User notification when file being downloaded contains a virus.

  

This technology is SO exciting! Sometimes I miss being ISA Server MVP.

Microsoft Forefront Threat Management Gateway has been released to market on November 16, 2009 after completing three beta releases and receiving extensive customer feedback.

You can download the trial version of Threat Management Gateway here.

From the Forefront TMG team’s blog:

“Forefront TMG is a Secure Web Gateway (SWG) that improves security enforcement by integrating multiple detection technologies such as URL filtering, Anti Malware, and intrusion prevention into a single, easy-to-manage solution. We have seen a lot of interest in the features that comprise this solution, so here is some information on what they do and how:

• URL Filtering: URL Filtering allows controlling end-user access to Web sites, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or nonproductive materials, based on URL categories. TMG features over 80 URL categories including security-oriented categories, productivity-oriented and liability-oriented categories. Forefront TMG uses Microsoft Reputation Services (MRS), a cloud-based categorization system hosted in Microsoft data center. To ensure the best bandwidth utilization and low latency, Forefront TMG has implemented a local URL cache. There is a lot more on URL Filtering available in an earlier URL Filtering post (on the TMG blog).
• Anti Malware: Stopping malware on the edge significantly decreases the possibility that a virus will hit a computer with anti-virus signatures that are not up-to-date or a test computer without an anti-virus to protect it. TMG has integrated the Microsoft Anti Malware engine to provide world class scanning and blocking capability on the edge.
• Network Inspection System (NIS): NIS is a generic application protocol decode-based traffic inspection system that uses signatures of known vulnerabilities, to detect and potentially block attacks on network resources. NIS provides comprehensive protection for Microsoft network vulnerabilities, researched and developed by the Microsoft Malware Protection Center – NIS Response Team, as well as an operational signature distribution channel which enables dynamic signature snapshot distribution. NIS closes the vulnerability window between vulnerability disclosures and patch deployment from weeks to few hours.
• In addition, HTTPS scanning has been introduced to enable inspection of encrypted sessions, eased the deployment and management with a set of easy to use wizards and significantly improved logging and reporting to provide full visibility into how your organization is accessing the web and whether it’s compliant with your organization’s policy.
• VPN, Firewall, Email Protection and Infrastructure.
  Significant investments have been made to ensure that we keep delivering top notch VPN and Firewall functionality. We made quality improvements in Web Caching and made sure it works well with the new Windows 7 BranchCache feature. We have added several new features, among them: Email Protection, ISP redundancy, NAP integration with VPN role, SSTP, VoIP traversal (SIP support), Enhanced NAT, SQL logging and Updated TMG Client (previously known as the Firewall Client). In addition TMG was built as a native 64bit product that supports Windows Server 2008 R2, and Windows Server 2008 SP2, allowing better scalability and increased reliability.”

Some file extensions are blocked by Microsoft Outlook for the potential damage that they may cause. File types blocked include EXE, COM, MDB and many others.

Outlook displays a message that it has blocked the attachment:

Sometimes it becomes necessary to “unblock” a particular file extension. One of the most common requests is to unblock Access database files (*.mdb). Let’s see how this can be done:

1. On the desktop running Outlook, open Registry Editor.
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\xx.x \Outlook\Security where xx.x is your Outlook version number (9.0, 10.0, or 11.0)
3. Add a new string named Level1Remove
4. Add value to this string with all the extensions that you want to unblock, separated by a semicolon. (For example: .mdb;.url ) Remember to put the dot before the extension.

It should, however, be kept in mind that unblocking a particular file type introduces new risk, as the user can also receive a malicious file of the same type from another user or the internet and he/she might inadvertently open it.

For Outlook 2007, you need to insert the string in the following key HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security. If the key path doesn’t exist, you can create it.

I’ve just realized that Orkut is blocked inside the UAE. I don’t know why, but there’s probably a good reason as to why they blocked Orkut and Hi5, while they still allow Facebook!

I’m gonna miss scrapping my buddies!

See also: Why Facebook is not blocked by Etisalat