Configuring The Forefront TMG HTTP Filter
http://www.isaserver.org/tutorials/Configuring-Forefront-TMG-HTTP-Fil...
Published: May 17, 2011 Updated: May 17, 2011 Section: Tutorials :: Configuration - General Author: Marc Grote
5/31/2011 1:44 PM
Let's begin
A simple firewall only allows or denies access for the HTTP protocol based on source and destination IP addresses and does not look deeper into the HTTP protocol to filter HTTP traffic. The HTTP protocol is often called the Universal Firewall Bypass protocol because many firewall admins allow users from the internal network to access the outside over HTTP. Applications can use HTTP to encapsulate their specific protocols in HTTP or HTTPS. Some examples of those applications are Outlook Anywhere, the Remote Desktop Gateway service, and applications like Skype, Windows Live Messenger and many more, which encapsulate their native protocols in HTTP/HTTPS, which allows the traffic to bypass the firewall.

With Forefront TMG it is possible to filter HTTP traffic with the HTTP filter for incoming and outgoing access, and when you use the new HTTPS inspection feature of Forefront TMG you can also filter outgoing HTTPS traffic. Incoming HTTPS traffic can be filtered by Forefront TMG in Web server publishing scenarios where the HTTPS bridging feature of Forefront TMG is used. Let's start with some basics about the Web filters in Forefront TMG.
The Web filter in Forefront TMG is responsible for the following tasks:
- Scanning and modifying HTTP requests
- Analyzing and logging network traffic
- Scanning and modifying HTTP responses
- Blocking of specific HTTP responses
- Data encryption and compression
- And many more.

Important: The HTTP Filter in Forefront TMG is rule specific, except for the Maximum Header length setting. The Maximum Header length in Forefront TMG is the same for all Firewall rules with HTTP protocol definitions.

Attention: The HTTP Filter in Forefront TMG can also filter HTTPS traffic in reverse Web server publishing scenarios where HTTPS Bridging is used, and outgoing HTTPS requests when the HTTPS inspection feature of Forefront TMG is activated.
Figure 2: Forefront TMG HTTP filter general settings

On the General tab of the HTTP filter it is possible to configure the following settings:

Request Header
- Maximum Headers length (bytes): Specifies the maximum number of bytes in the URL and HTTP header of an HTTP request before Forefront TMG blocks the request.

Request Payload
- Maximum payload length (bytes): Restricts the maximum length in bytes a user can send via an HTTP POST in a Web server publishing scenario.

URL Protection
- Maximum URL Length (Bytes): The maximum length of an allowed URL.
- Maximum Query length (Bytes): The maximum length of a URL in the HTTP request.
- Verify normalization: Select this checkbox to specify that requests with URLs containing escaped characters after normalization will be blocked. Normalization is the process in which URL-encoded requests are decoded. After decoding, the URL is normalized again to be sure that no process is using the % character to encode a URL. If the HTTP Filter finds a difference in the URL after the second normalization, the request is rejected.
- Block high bit characters: URLs that contain double-byte character set (DBCS) or Latin1 characters will be blocked if this setting is active. An active setting regularly blocks languages that require more than eight bits to display all language-specific characters.

Executables
- Block responses containing Windows executable content: This option blocks the download and execution of executable content like EXE files.

As a next step we should configure the allowed or blocked HTTP methods.
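The URL Protection checks described above, modeled in Python as an added example (it is not Forefront TMG's code and not part of the original article). The function name, the verdict strings, the default limits, the sample URLs, and the reading of "query" as the part after `?` are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes


def url_protection_verdict(raw_url, max_url_len=10240, max_query_len=10240,
                           verify_normalization=True, block_high_bit=False):
    """Return "allow" or the name of the first URL Protection check that fails.

    The limits are illustrative defaults; use the values set on your rule.
    """
    url = raw_url.encode("utf-8")
    if len(url) > max_url_len:
        return "max-url-length"
    # Assumption: the query is the part of the URL after the first "?".
    query = url.partition(b"?")[2]
    if len(query) > max_query_len:
        return "max-query-length"
    once = unquote_to_bytes(url)    # first normalization: decode %XX escapes
    twice = unquote_to_bytes(once)  # second normalization of the result
    if verify_normalization and twice != once:
        # Decoding again changed the URL, so an escape was hidden in an escape.
        return "verify-normalization"
    # Any byte above 0x7F after decoding counts as a high-bit character here.
    if block_high_bit and any(b > 0x7F for b in once):
        return "block-high-bit"
    return "allow"


# Constructed sample URLs, not taken from the article.
SAMPLES = [
    "/docs/a%20b.html",    # one level of encoding
    "/docs/a%2520b.html",  # %25 decodes to %, leaving %20 to decode again
    "/sale/50%25ab.html",  # literal "50%ab" in a name also decodes twice
    "/caf%E9/menu.html",   # Latin1 e-acute as a single high-bit byte
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", url_protection_verdict(sample, block_high_bit=True))
```

The third sample is the case to test before enabling Verify normalization on a published site: a legitimate name containing an encoded percent sign followed by two hex digits is rejected by the same rule that catches double encoding.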
Figure 3: HTTP Methods

In this example we are blocking the HTTP POST command so that nobody can upload content to external websites.
Figure 4: Block the HTTP POST method

Block executables

With this option it is possible to block or allow specific file extensions in the specific firewall rule.
Figure 5: Using Forefront TMG to block downloading files with the EXE extension

Block requests containing ambiguous extensions

This option instructs the HTTP filter to block all file extensions which Forefront TMG cannot determine. In this example we are blocking access to the .EXE file extension.
The settings in the Server Header field give administrators the control to remove the HTTP header from the response or to modify the HTTP header in the response, along with some more settings. In the following example we are using the HTTP Header feature in Forefront TMG to block Kazaa, whose identifying information resides in the request header.
Figure 9: Blocking HTTP signatures

In the following example we are blocking access for the Windows Live Messenger protocol.
Figure 10: Windows Live Messenger Block

If you want to know more about application signatures click here.
Important: Forefront TMG inspects only the first 100 bytes of the request and response body. It is possible to expand the maximum number of bytes, but this could result in some server performance degradation.
Figure 12: Netmon HTTP trace

This example shows the User-Agent (Mozilla/5.0) and the signature (MSIE 9.0).
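One way to check a signature rule against a captured request before deploying it, as an added Python example (not code from the article or the Forefront TMG SDK). The request bytes, the `EXAMPLE-APP` body signature, the function names and the case-sensitive substring matching are constructed assumptions; only the 100-byte body window and the `MSIE 9.0` User-Agent signature come from the text above.

```python
BODY_INSPECT_BYTES = 100  # per the article: only the first 100 body bytes are inspected

# Constructed request for illustration; the User-Agent mirrors the trace's
# "Mozilla/5.0" and "MSIE 9.0" values, everything else is made up.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"note=" + b"A" * 120 + b"&client=EXAMPLE-APP"
)


def parse_request(raw):
    """Split a raw HTTP request into (headers dict with lowercase names, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def signature_matches(raw, search_in, signature, header_name=None,
                      body_limit=BODY_INSPECT_BYTES):
    """Return True if a signature rule would see `signature` in the request.

    search_in is "request-headers" (needs header_name) or "request-body".
    Matching is an exact, case-sensitive substring test (an assumption).
    """
    headers, body = parse_request(raw)
    if search_in == "request-headers":
        return signature in headers.get(header_name.lower().encode(), b"")
    if search_in == "request-body":
        return signature in body[:body_limit]  # bytes past the limit are never seen
    raise ValueError("unsupported search_in: " + search_in)


if __name__ == "__main__":
    print(signature_matches(SAMPLE_REQUEST, "request-headers", b"MSIE 9.0", "User-Agent"))
    print(signature_matches(SAMPLE_REQUEST, "request-body", b"EXAMPLE-APP"))
    print(signature_matches(SAMPLE_REQUEST, "request-body", b"EXAMPLE-APP", body_limit=200))
```

Run a body signature against real captures this way: if the string sits past the inspected window, the rule only matches after the byte limit is raised, which is the performance trade-off noted above.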
HTTPFILTERCONFIG.VBS
You can use HTTPFILTERCONFIG.VBS from the directory C:\Program Files (x86)\Microsoft Forefront TMG Tools\SDK\Samples\Admin from the Forefront TMG SDK to import and export HTTP filter configurations.
Conclusion
In this article I tried to show you how the Forefront TMG HTTP filter works. The HTTP filter in Forefront TMG is a great tool to block some dangerous content to protect against malicious code, Trojans and worms. You can also use the HTTP filter to block specific HTTP signatures. Blocking these signatures helps administrators to block some types of applications, like Windows Live Messenger, that can be tunnelled through HTTP if the associated standard protocol for the application is blocked through firewall restrictions.

Related Links
- ISA Server 2006 HTTP filter
- Forefront TMG SDK
- Common Application signatures
- More about the HTTP protocol
Marc Grote is an MCSA/MCSE Messaging & Security, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance IT Trainer and Consultant in the north of Germany near Hanover. He works with Invenate GmbH on special projects. You can find more information about Invenate at http://www.invenate.de. He specializes in ISA Server, Exchange, Security for Windows 2000/2003 and Windows Server 2008 designs, migrations and implementations, and Citrix Metaframe implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server since 2004. You can visit his homepage at http://www.it-training-grote.de.
ISAserver.org is in no way affiliated with Microsoft Corp. Copyright 2011 TechGenix Ltd. All rights reserved.