solowz

asked on

FTMG Standard: Access Rules are not enforced

Hello,
FTMG Standard installation, first rule Allow All Internal to Local Host network, several other access rules have been created with time schedules, allowed protocols, and URL Category Sets exceptions. Clients are manually connected to the FTMG server.

But still, users are able to access the internet even outside their time schedules, any suggestions?

In addition, how can I block a list of executables from accessing the internet?
Keith Alabaster

You REALLY need to go on a course for FTMG or read the manual a little. If nothing else, it will guide you to the information you need to provide if you want immediate help as opposed to me asking you twenty questions to try and ascertain it.

What FTMG installation? Is this a proxy-only or a full firewall/proxy installation?
You should NEVER have an allow all From anything TO anything. If you want to do this, you could have saved your company thousands of pounds and gone and bought a toy product such as the SOHO products etc. No offence intended. You have instead bought one of the top products in the world in this field and to get the best out of it, you need to understand how it works, why it works and especially how you want it to work.

FTMG, like ISA Server, operates from the top-most rule downwards and will execute the very first access rule that matches traffic that it sees passing through its interfaces. It does not evaluate every rule and decide upon the best fit or the closest match. It ONLY executes the first rule that matches the traffic.

FTMG also operates differently based upon the protocol being used. For example, http traffic is created every time a new request is made from an internal client to an external web site. Because of this behaviour, if you set a time schedule, FTMG will allow/deny that traffic immediately depending on whether the schedule allows or denies at any given time.

An https request that is made whilst the schedule says to allow https traffic will continue to operate even after the schedule blocks that access. Why? Because https uses SSL and encrypts the traffic between the client and the external web server. Once the connection is established, FTMG cannot (unless you have enabled HTTPS Inspection) see inside the SSL tunnel and realise that traffic is passing through it. Once the web browser gets closed, the user would not be able to get to the site again as the new request would now be blocked due to the schedule saying deny.

Go back to basics for a moment and write down in a spreadsheet exactly what you want the firewall to achieve, for whom and when. One line in the spreadsheet per rule.

You can then walk through each, visualising what would happen when traffic arrives at the FTMG from a client etc.
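The two behaviours described in the answer above, first-match rule evaluation and the persistence of an already-established HTTPS tunnel past the end of its schedule, as an added illustration that is not part of the original thread and is not TMG code. It is a small Python model: the `Rule`, `Schedule`, `Request` and `Session` types, the policy names and the office-hours schedule are all constructed for this example. It also goes one step beyond the text with a `shadowed_rules` check that flags rules an earlier, broader, unscheduled rule will never let traffic reach, which is exactly what a top-of-list "allow all" does to every scheduled rule beneath it.

```python
"""Model of first-match access-rule evaluation with schedules (example only)."""
from dataclasses import dataclass
from datetime import time

INTERNAL, EXTERNAL, LOCAL_HOST, ANY = "Internal", "External", "Local Host", "*"


@dataclass(frozen=True)
class Schedule:
    start: time
    end: time  # exclusive

    def allows(self, t):
        return self.start <= t < self.end

    def covers(self, other):
        return self.start <= other.start and self.end >= other.end


ALWAYS = Schedule(time.min, time.max)
WORK_HOURS = Schedule(time(8, 0), time(17, 0))  # assumed office hours


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str
    dst: str
    protocols: frozenset   # protocol names, or {ANY}
    schedule: Schedule = ALWAYS

    def matches(self, req, t):
        # A schedule is a match condition: outside its window the rule is
        # simply skipped and evaluation continues with the next rule.
        return (self.src in (ANY, req.src) and self.dst in (ANY, req.dst)
                and (ANY in self.protocols or req.protocol in self.protocols)
                and self.schedule.allows(t))

    def broader_than(self, other):
        return (self.src in (ANY, other.src) and self.dst in (ANY, other.dst)
                and (ANY in self.protocols or other.protocols <= self.protocols)
                and self.schedule.covers(other.schedule))


@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    protocol: str


def decision(rules, req, t):
    """Return (action, rule name) of the FIRST matching rule, or the default deny."""
    for r in rules:
        if r.matches(req, t):
            return r.action, r.name
    return "deny", "Default rule"


def shadowed_rules(rules):
    """Rules that can never be reached because an earlier rule is at least as broad."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i]
            if earlier.broader_than(later)]


class Session:
    """Per-request re-evaluation for HTTP; an allowed HTTPS tunnel persists until closed."""

    def __init__(self, rules):
        self.rules = rules
        self.tunnels = set()

    def handle(self, req, t):
        key = (req.src, req.dst, req.protocol)
        if req.protocol == "HTTPS" and key in self.tunnels:
            return "allow", "existing tunnel"   # not re-evaluated without HTTPS inspection
        act, name = decision(self.rules, req, t)
        if act == "allow" and req.protocol == "HTTPS":
            self.tunnels.add(key)
        return act, name

    def close(self, req):
        self.tunnels.discard((req.src, req.dst, req.protocol))


WEB = frozenset({"HTTP", "HTTPS"})
GOOD_POLICY = [
    Rule("Allow all Internal to Local Host", "allow", INTERNAL, LOCAL_HOST, frozenset({ANY})),
    Rule("Web access in office hours", "allow", INTERNAL, EXTERNAL, WEB, WORK_HOURS),
]
# The kind of rule the answer warns against, placed first in the list.
BAD_POLICY = [Rule("Allow all", "allow", ANY, ANY, frozenset({ANY}))] + GOOD_POLICY

if __name__ == "__main__":
    web = Request(INTERNAL, EXTERNAL, "HTTP")
    print(decision(GOOD_POLICY, web, time(19, 0)))  # denied after hours
    print(decision(BAD_POLICY, web, time(19, 0)))   # allowed: "Allow all" matched first
    print(shadowed_rules(BAD_POLICY))
```

Running the `BAD_POLICY` case shows the schedule is never consulted: the unscheduled allow rule at the top matches first, so both rules below it are reported as shadowed. The `Session` class reproduces the HTTPS point: a tunnel opened at 16:59 under `GOOD_POLICY` is still served at 17:30, and only a fresh connection after the browser closes hits the default deny.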


ASKER CERTIFIED SOLUTION
ot

solowz

ASKER

Pointed out where to look.