FTMG Standard: Access Rules are not enforced

Posted on 2010-03-29
Medium Priority
Last Modified: 2012-06-22
FTMG Standard installation, first rule Allow All Internal to Local Host network, several other access rules have been created with time schedules, allowed protocols, and URL Category Sets exceptions. Clients are manually connected to the FTMG server.

But still, users are able to access the internet even outside their time schedules, any suggestions?

In addition, how can I block a list of executables from accessing the internet?
Question by:solowz
LVL 51

Expert Comment

by:Keith Alabaster
ID: 29019611
You REALLY need to go on a course for FTMG or read the manual a little. If nothing else, it will guide you to the information you need to provide if you want immediate help as opposed to me asking you twenty questions to try and ascertain it.

What FTMG installation? Is this a proxy-only or a full firewall proxy installation?
You should NEVER have an allow all From anything TO anything. If you want to do this, you could have saved your company thousands of pounds and gone and bought a toy product such as the SOHO products etc. No offence intended. You have instead bought one of the top products in the world in this field and to get the best out of it, you need to understand how it works, why it works and especially how you want it to work.

FTMG, like ISA Server, operates from the top most rule downwards and will execute the very first access rule that matches traffic that it sees passing through its interfaces. It does not evaluate every rule and decide upon the best fit or the closest match. It ONLY executes the first rule that matches the traffic.

FTMG also operates differently based upon the protocol being used. For example, http traffic is created every time a new request is made from an internal client to an external web site. Because of this behaviour, if you set a time schedule, FTMG will allow/deny that traffic immediately depending on whether the schedule allows or denies at any given time.

An https request that is made whilst the schedule says to allow https traffic will continue to operate even after the schedule blocks that access. Why? Because https uses SSL and encrypts the traffic between the client and the external web server. Once the connection is established, FTMG cannot (unless you have enabled HTTPS Inspection) see inside the SSL tunnel and realise that traffic is passing through it. Once the web browser gets closed, the user would not be able to get to the site again as the new request would now be blocked due to the schedule saying deny.

Go back to basics for a moment and write down in a spreadsheet exactly what you want the firewall to achieve, for whom and when. One line in the spreadsheet per rule.

You can then walk through each visualising what would happen when traffic arrives at the FTMG from a client etc.
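The two behaviours described in the comment above (top-down first-match evaluation, and an established SSL tunnel outliving its schedule when HTTPS Inspection is off) can be walked through in a small model. This is an added illustration written for this page, not TMG code or anything from Microsoft; the rule names, network names, schedule and the "Allow All" misconfiguration are constructed for the example.

```python
"""Model of first-match access-rule evaluation with time schedules.

Added illustration, not TMG code. Rule/network names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

ANY = "any"


@dataclass(frozen=True)
class Schedule:
    name: str
    start: time   # inclusive
    end: time     # exclusive

    def active_at(self, now: datetime) -> bool:
        return self.start <= now.time() < self.end


@dataclass(frozen=True)
class Request:
    protocol: str      # "http", "https", ...
    source: str        # network name, e.g. "internal"
    destination: str   # network name, e.g. "external" or "localhost"


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: FrozenSet[str]    # frozenset({ANY}) matches every protocol
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    schedule: Optional[Schedule] = None

    def matches(self, req: Request, now: datetime) -> bool:
        def hit(allowed, value):
            return ANY in allowed or value in allowed
        if not (hit(self.protocols, req.protocol) and hit(self.sources, req.source)
                and hit(self.destinations, req.destination)):
            return False
        # The schedule is part of the match condition: outside it the rule is
        # skipped and evaluation moves on to the next rule down.
        return self.schedule is None or self.schedule.active_at(now)


def first_matching_rule(rules, req, now):
    """Return the first rule (top to bottom) that matches, never the 'best fit'."""
    for rule in rules:
        if rule.matches(req, now):
            return rule
    return None   # a real policy always ends in a default deny rule


def _rule(name, action, protocols, src, dst, schedule=None):
    return AccessRule(name, action, frozenset(protocols), frozenset(src), frozenset(dst), schedule)


BUSINESS_HOURS = Schedule("Work hours", time(9, 0), time(17, 0))

# Constructed policy: the first rule only reaches the firewall itself ("localhost"),
# so web traffic to the external network falls through to the scheduled rule.
POLICY = [
    _rule("Allow Internal to Local Host", "allow", {ANY}, {"internal"}, {"localhost"}),
    _rule("Web during work hours", "allow", {"http", "https"}, {"internal"}, {"external"}, BUSINESS_HOURS),
    _rule("Default rule", "deny", {ANY}, {ANY}, {ANY}),
]

# Same policy with a blanket allow on top: it matches first, so the schedule on
# the rule below is never consulted. This is what to look for when users are
# online outside their schedule.
BROKEN_POLICY = [_rule("Allow All", "allow", {ANY}, {ANY}, {ANY})] + POLICY


@dataclass
class Connection:
    req: Request
    opened_at: datetime
    rule: AccessRule   # the rule that admitted the initial request


def open_connection(rules, req, now):
    rule = first_matching_rule(rules, req, now)
    if rule is None or rule.action != "allow":
        return None
    return Connection(req, now, rule)


def still_permitted(rules, conn, now, https_inspection=False):
    """Is traffic on an existing connection still let through at 'now'?

    Every HTTP request is a new request and is evaluated afresh. Without
    HTTPS Inspection the firewall cannot see inside an established SSL
    tunnel, so that tunnel keeps working until the client closes it.
    """
    if conn.req.protocol == "https" and not https_inspection:
        return True
    rule = first_matching_rule(rules, conn.req, now)
    return rule is not None and rule.action == "allow"


def at(hour, minute=0):
    return datetime(2010, 3, 29, hour, minute)   # constructed date


if __name__ == "__main__":
    web = Request("http", "internal", "external")
    for now in (at(10), at(18)):
        r = first_matching_rule(POLICY, web, now)
        print(f"{now:%H:%M} http -> {r.name}: {r.action}")
    r = first_matching_rule(BROKEN_POLICY, web, at(18))
    print(f"18:00 http with 'Allow All' on top -> {r.name}: {r.action}")
    tunnel = open_connection(POLICY, Request("https", "internal", "external"), at(16, 55))
    print("17:05 https tunnel opened at 16:55, no inspection:", still_permitted(POLICY, tunnel, at(17, 5)))
    print("17:05 same tunnel, HTTPS Inspection on:", still_permitted(POLICY, tunnel, at(17, 5), True))
```

Running it shows the 18:00 HTTP request falling through to the default deny under the constructed policy, the same request being admitted by "Allow All" when that rule sits on top, and an HTTPS tunnel opened at 16:55 surviving past 17:00 unless HTTPS Inspection is enabled.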



Accepted Solution

ot earned 1500 total points
ID: 29423187
Find out which rule is allowing the traffic by monitoring the log for a client that should be blocked at a specific time
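A worked version of the accepted answer's advice, added here and not part of the original thread: given log records for a client that should be blocked at a given time, list the rule names that admitted its traffic outside the schedule. The log lines below are constructed in a simplified tab-separated layout (date, time, client IP, destination, protocol, action, rule name); they are not real TMG log output, whose field set is configured per installation, so the parser would need adjusting to a real export.

```python
"""Added illustration: which rule admitted a client's traffic off-schedule?

The sample log is constructed and simplified; it is not real TMG output.
"""
from collections import Counter
from datetime import datetime, time

# Constructed sample: client 10.0.0.25 is supposed to have web access 09:00-17:00 only.
SAMPLE_LOG = """\
2010-03-29\t16:58:12\t10.0.0.25\twww.example.com\thttp\tAllowed\tWeb during work hours
2010-03-29\t17:03:40\t10.0.0.25\twww.example.com\thttp\tAllowed\tAllow All
2010-03-29\t17:04:02\t10.0.0.25\tmail.example.org\thttps\tAllowed\tAllow All
2010-03-29\t17:04:30\t10.0.0.31\tupdate.example.net\thttp\tDenied\tDefault rule
2010-03-29\t09:15:07\t10.0.0.25\tintranet.example.com\thttp\tAllowed\tAllow Internal to Local Host
"""


def parse_log(text):
    """Parse the constructed tab-separated layout into dicts, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, clock, client, dest, proto, action, rule = line.split("\t")
        records.append({
            "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "client": client, "dest": dest, "proto": proto,
            "action": action, "rule": rule,
        })
    return records


def allowed_outside(records, client, start: time, end: time):
    """Records where 'client' was allowed outside the [start, end) schedule."""
    return [r for r in records
            if r["client"] == client and r["action"] == "Allowed"
            and not (start <= r["when"].time() < end)]


def rules_to_investigate(records, client, start: time, end: time):
    """Rule names that admitted the client off-schedule, most frequent first."""
    counts = Counter(r["rule"] for r in allowed_outside(records, client, start, end))
    return [name for name, _ in counts.most_common()]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in allowed_outside(recs, "10.0.0.25", time(9), time(17)):
        print(f"{r['when']:%H:%M:%S} {r['proto']} {r['dest']} admitted by rule: {r['rule']}")
    print("Rules to look at first:", rules_to_investigate(recs, "10.0.0.25", time(9), time(17)))
```

On the sample the off-schedule hits for 10.0.0.25 are both attributed to "Allow All", which is the rule to open in the policy and move, tighten or remove; the 09:15 entry is inside the schedule and is correctly left out.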


Author Closing Comment

ID: 31708619
Pointed out where to look.

Question has a verified solution.