FTMG Standard: Access Rules are not enforced

FTMG Standard installation, first rule Allow All Internal to Local Host network, several other access rules has been created with time schedules, allowed protocols, and URL Category Sets exceptions. Clients are manually connected to the FTMG server.

But still, users are able to access the internet even outside their time schedules, any suggestions?

In addition, how can I block a list of executables from accessing the internet?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Keith AlabasterEnterprise ArchitectCommented:
You REALLY need to go on a course for FTMG or read the manual a little. If nothing else, it will guide you to the information you need to provide if you want immediate help as opposed to me asking you twenty questions to try and ascertain it.

What FTMG installation? is this a proxuy only or a full firewall proxy installation?
you should NEVER have an allow all From anything TO anything. If you want to do this, you could have saved your company thousands of pounds and gone and bought a toy product such as the SOHO products etc.    No offence intended.    You have instead bought one of the top products in the world in this field and to get the best out of it, you need to understand how it works, why it works and especially how you want it to work.

FTMG, like ISA Server, operates from the top most rule downwards and will execute the very first access rule that matches traffic that it sees passing through its interfaces. It does not evaluate evry rule and decide upon the best fit or the closest match. It ONLY executes the first rule that matches the traffic.

FTMG also operates differently based upon the protocol being used. For example, http traffic is created every time a new request is made from an internal client to an external web site. Because of this behaviour, if you set a time schedule, FTMG will allow/deny that traffic immediately depending on whether the schedule allows or denies at any given time.

An https request that is made whilst the schedule says to allow https traffic  will continue to operate even after the schedule blocks that access. Why? Because https uses SSL and encrypts the traffic between the client and the external web server. once the connection is established, FTMG cannot (unless you have enabled HTTPS Inspection) see inside the SSL tunnel and realise that traffic is passing through it. Once the web browser gets closed, the user would not be able to get to the site again as the new request would now be blocked due to the schedule saying deny.

Go back to basics for a moment and write down in a spreadsheet exactly what you want the firewall to achieve, for whom and when. one line in the spreadsheet per rule.

You can then walk through each visulaising what would happen when traffic arrives at the FTMG from a client etc.


Find out which rule is allowing the traffic by monitoring the log for a client that should be blocked at a specific time


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
solowzAuthor Commented:
Pointed out where to look.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server Apps

From novice to tech pro — start learning today.