
I just installed Forefront TMG 2010 and set up firewall rules. My company's policy requires blocking access to webmail sites, like Gmail, Yahoo Mail, etc. So I added these webmail domain names to a domain name set and put that domain name set in the Exception box of the web access rule (on the To tab). Now, when a user types http://gmail.com, an error page shows up saying that the site is blocked by TMG. However, if the user types https://gmail.com, the Gmail login page loads, and after entering a username/password, he can log in! I was trying to use URL sets to define the exception, but unfortunately the URL set only works on HTTP, not HTTPS.

I can look up the IPs of the Gmail servers and block traffic to those IPs. But most webmail sites have a range of IPs, and it is tedious, at the least, to enumerate all of them; plus, the IPs could change at any time. Is there a better solution?

Tong Wang

2 Answers


Look at enabling HTTPS inspection and pushing out the Forefront TMG client to set up your workstations so the browser's proxy values are configured correctly. A great many of Forefront's more advanced features require the web browser to be correctly configured to use the Forefront server as a proxy.

Also, there is an existing webmail category you can block without having to create your own. You should have gone through a setup process that involved setting blocked URL categories. You can add webmail as one of those categories.

Tim Brigham

There is a URL Category in the TMG toolbox, but I think we don't want to create our own or add the site to a URL category. Just configure HTTPS inspection, or create an access rule, add the URL set, and then add the HTTPS site, e.g. https://www.facebook.com, and create the rule with a Deny action. Or you can also create a web access policy. Then HTTPS websites are blocked.
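Both answers come down to the same change in the TMG console: put the webmail hosts in a rule element, apply it to HTTPS as well as HTTP in a Deny rule that sits above the web access (Allow) rule, and turn on HTTPS inspection only if you also need URL-level (path) filtering. As an added example, not code from either answer or from Microsoft, the script below does the rule-element and rule part through the FPC COM object model that the TMG SDK exposes, run from an elevated PowerShell on the TMG server. The set name, rule name and host list are hypothetical; the enumeration constants and property names follow the ISA/TMG SDK and are an assumption to check against the SDK documentation for your build before relying on them.

```powershell
# Added example (not from the original thread): create a Domain Name Set and a
# Deny access rule for HTTP *and* HTTPS with the Forefront TMG COM object model
# (FPC.Root, documented in the TMG SDK). Run in an elevated PowerShell on the
# TMG server. Constant values and property names are assumed from the ISA/TMG
# SDK; verify them against the SDK for your build.

# SDK enumeration values (assumed from the TMG SDK)
$fpcInclude              = 0   # FpcIncludeStatus: include the item in the set
$fpcPolicyRuleActionDeny = 1   # FpcPolicyRuleActions: Deny
$fpcSpecifiedProtocols   = 1   # FpcProtocolSelectionType: only the listed protocols

$setName  = 'Blocked webmail'                  # hypothetical names for this example
$ruleName = 'Block webmail (HTTP and HTTPS)'

$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()

# 1. Domain name set. A domain name set is matched on the host name the client
#    sends, which the proxy sees for HTTPS too (it is in the CONNECT request),
#    unlike a URL set, which needs the full URL and therefore only matches plain
#    HTTP unless HTTPS inspection is on. Host list is an example only.
$set = $array.RuleElements.DomainNameSets.Add($setName)
foreach ($host in @('gmail.com', '*.gmail.com', 'mail.google.com', 'mail.yahoo.com')) {
    $set.Domains.Add($host) | Out-Null
}
$set.Save()

# 2. Deny rule that names HTTP and HTTPS explicitly and uses the set as the
#    rule's *destination*, instead of as an exception on the Allow rule.
$rules = $array.ArrayPolicy.PolicyRules
$rule  = $rules.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionDeny
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add('HTTP',  $fpcInclude) | Out-Null
$rule.AccessProperties.SpecifiedProtocols.Add('HTTPS', $fpcInclude) | Out-Null
$rule.SourceSelectionIPs.Networks.Add('Internal', $fpcInclude) | Out-Null
$rule.AccessProperties.DestinationDomainNameSets.Add($setName, $fpcInclude) | Out-Null
$rule.Save()

Write-Host "Created domain name set '$setName' and Deny rule '$ruleName'."
Write-Host "Move the rule above the web access (Allow) rule in the TMG console."
```

After running it, move the new Deny rule above the web access rule in the console; rule order decides which one fires. The name-based match only works when TMG actually sees the host name, i.e. for web proxy or TMG client traffic, which is the reason the first answer insists on correct browser proxy settings; for SecureNAT clients TMG has to map the destination IP back to a name by reverse lookup, which brings back the IP-enumeration problem the question describes. A quick check from a workstation is `Invoke-WebRequest -Uri https://gmail.com -Proxy http://<tmg-server>:8080` (replace the placeholder with your TMG server; 8080 is TMG's default web proxy port): it should now be refused by the proxy instead of returning the login page.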