Thread: TMG Rules (Block MSN, Allow Skype)

  1. #1
    Join Date
    Sep 2010
    Posts
    16

    TMG Rules (Block MSN, Allow Skype)

    I have two problems with an implementation of TMG 2010 Standard; let me explain a little more. First, I need to allow the use of Skype for a particular group of users. The problem I have is that when I enable HTTPS Inspection, Skype hangs and does not connect, so as far as I could investigate, the problem comes from this inspection. You can also add a specific group of machines for which HTTPS inspection is not performed; however, I do not like doing it this way, since I would be disabling the scan for all HTTPS (obviously, it does let me get to Skype). Second (exploring some options), I have found that in the menu "Configure Https Inspection" > "Destination Exception" > "HTTPS Sites Exempt from Inspection" I can add addresses that I do not want to pass through the inspection. What has occurred to me is: is there some way to add IPs or to not validate the inspection ... I have no clear explanation of whether these are addresses or IPs. Also, I need to create a rule to block MSN but allow it for a particular group, and I have no idea where to start. So I thought I would get some ideas over here.

  2. #2
    Join Date
    Feb 2010
    Posts
    129

    Re: TMG Rules (Block MSN, Allow Skype)

    I have encountered the same problem as you. When you enable HTTPS inspection, the less intrusive option is to NOT inspect the traffic, but to validate the certificates used in the HTTP communication. When Skype attempts to establish secure connections with other "peers" (P2P), I guess it will be using self-signed SSL certificates (it is not so much interested in validating the identity of the remote computer as in ensuring secure private communication). Any self-signed certificate (not signed by a recognized top-level certification authority) will be blocked by TMG 2010 HTTPS inspection. The only way I've found for my users to use Skype is to completely disable HTTPS inspection. Although you can set destination exceptions so that the certificates are not validated, the problem is that Skype uses P2P, and it is not possible to know in advance which network or computer it is going to try to connect to; it varies with time. You can try more or less broad ranges in the same subnet as your ISP, region or country, and expand them gradually for all the machines to reach a compromise, but that is not a definitive solution, and it is neither safe nor elegant.

    If anyone has any ideas about this, they would be helpful; I'd like to check them.

  3. #3
    Join Date
    Feb 2010
    Posts
    207

    Re: TMG Rules (Block MSN, Allow Skype)

    You have to create (in the event that you have not already) a 'Content Type', which we will call 'Messenger', that includes the type 'application/x-msn-messenger'. Then add a rule, which we will call 'MSN Messenger HTTP', of type 'deny', where you set the protocol to 'HTTP' and, on the 'Content Types' tab, select the type we just created, 'Messenger'. In addition, create another 'deny' rule called 'MSN Messenger' for the protocol 'MSN Messenger'; if you have not created that protocol, create it with that name and an outbound TCP connection on port 1863.
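
The rule set described above, combined with the group exception asked for in the first post, as an added example that is not part of any post in this thread and is not TMG code: a simplified first-match model of an ordered firewall policy, showing that the allow rule for the group only takes effect when it sits above the two deny rules. The group name `IM-Allowed`, the `Web access` rule and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Values from the post: the MSN content type and the outbound TCP port 1863.
MSN_CONTENT_TYPE = "application/x-msn-messenger"
PROTOCOL_PORTS = {"HTTP": 80, "MSN Messenger": 1863}
ALLOWED_GROUP = "IM-Allowed"  # hypothetical group name, not from the thread

@dataclass(frozen=True)
class Request:
    groups: frozenset
    dst_port: int
    content_type: str = ""

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "allow" or "deny"
    protocols: tuple
    content_types: frozenset = frozenset()  # empty means any content type
    groups: frozenset = frozenset()         # empty means all users

    def matches(self, req):
        if req.dst_port not in {PROTOCOL_PORTS[p] for p in self.protocols}:
            return False
        if self.content_types and req.content_type.lower() not in self.content_types:
            return False
        return not self.groups or bool(self.groups & req.groups)

def build_policy(exception_first):
    """Build the policy with the group exception above or below the deny rules."""
    exception = Rule("Allow MSN for group", "allow", ("HTTP", "MSN Messenger"),
                     groups=frozenset({ALLOWED_GROUP}))
    denies = [Rule("MSN Messenger HTTP", "deny", ("HTTP",),
                   content_types=frozenset({MSN_CONTENT_TYPE})),
              Rule("MSN Messenger", "deny", ("MSN Messenger",))]
    web = Rule("Web access", "allow", ("HTTP",))  # constructed general rule
    ordered = [exception] + denies if exception_first else denies + [exception]
    return ordered + [web]

def evaluate(rules, req):
    """Return (action, rule name) of the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "deny", "Default rule"

# Constructed sample requests.
MEMBER_MSN = Request(frozenset({ALLOWED_GROUP}), 1863)
OTHER_MSN = Request(frozenset({"Staff"}), 1863)
OTHER_HTTP_MSN = Request(frozenset({"Staff"}), 80, MSN_CONTENT_TYPE)
OTHER_WEB = Request(frozenset({"Staff"}), 80, "text/html")
```

On TMG itself, a rule scoped to a user set only matches authenticated traffic, so for the non-web protocol on port 1863 the clients need the Forefront TMG Client; a computer set is the alternative for SecureNAT clients.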

  4. #4
    Join Date
    Feb 2010
    Posts
    184

    Re: TMG Rules (Block MSN, Allow Skype)

    After the installation (the problem is evident especially on systems with Exchange and Forefront Edge Protection built in), you may experience problems in the configuration (even if on the same server; in fact TMG is structured to be put in a firewall array even in the Standard version). Specifically:
    Monitoring Alerts:
    Description: Configuration changes saved to the configuration storage server could not be applied to Forefront TMG services. After 5 attempts to apply the changes, Forefront TMG postpones any new attempts to apply these changes, and will only renew attempts when a new configuration is saved to the configuration storage server. Recent alerts may indicate the reason for this failure.
    The configuration is displayed correctly, but not applied (the rules do not work). The problem can derive from something rather comical. The system rules (system policy) of TMG include default rules for loading the configuration from the "Configuration Storage" server (which, in the case of a single server, is always the server itself). But both the IP and the DNS names point to the internal network adapter. HOWEVER, the server, to point to itself, uses its own IP (not 127.0.0.1), namely that of the first network card configured in the Advanced tab in "Network Connections".

  5. #5
    Join Date
    Feb 2010
    Posts
    155

    Re: TMG Rules (Block MSN, Allow Skype)

    If I have two network cards, Internet and LAN, and Internet is first in the order (in the window "Network Connections" -> "Advanced Settings"), under certain conditions the server will attempt to load the configuration from the IP of the external network, outside on the IP network .... This obviously does not work, because the system policy provides for the internal IP. Changing the order of the network cards and restarting the server should solve it.

  6. #6
    Join Date
    Feb 2010
    Posts
    616

    Re: TMG Rules (Block MSN, Allow Skype)

    Another possibility is that the configuration we are trying to apply (perhaps an import after a backup) has problems, such as a publishing rule for the mail server in the firewall policy while the focus is on "email protection". You should not forget that if you change the system policy rules incorrectly or disable them, you will not be able to reconfigure TMG!!! It is simply recommended that private operators to develop a safe side to be the, is still an imprint on their website lead. In the ninth Broadcasting Treaty Amendment of the countries (in parallel with the new TMG will enter into force), the legal obligations of web pages designed in terms. Provider of tele-media, the personal and family purposes are not, have the following information is easily recognizable, immediately accessible while being continuously available to:
    1. Name and address and
    2. for legal persons name and address of the authorized representative.
