Share via

Network Firewall Configuration

  • Article

This section provides informations about the default configuration of Forefront TMG in Windows EBS.

For additional details about configuring firewall settings, see Forefront TMG Help: On the Security Server, in the Threat Management Gateway console, press F1.

For a list of ports and protocols that are used by several Microsoft server technologies, see article 832017 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=127873).

System policy rules

The system policy rules in Forefront TMG are documented at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=127992).

The following table shows if the system policy rules are enabled or disabled by default in Windows EBS:

Name Policy Group Status

Allow access to directory services for authentication purposes

Authentication Services

Enabled

Allow remote management from selected computers using MMC

Remote Management

Enabled

Note

In Windows EBS, the Management Server and the Security Server are members of the Remote Management Computers set by default.

Allow remote management from selected computers using Terminal Server

Remote Management

Enabled

Allow remote management from selected computers using a Web application

Remote Management

Enabled

Allow remote logging to trusted servers using NetBIOS

Remote Logging

Disabled

Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers

Authentication Services

Disabled

Allow Kerberos authentication from Forefront TMG to trusted servers

Authentication Services

Enabled

Allow DNS from Forefront TMG to selected servers

Network Services

Enabled

Note

This rule must be enabled before Forefront TMG can perform DNS queries.

Allow DHCP requests from Forefront TMG to all networks

Network Services

Enabled

Allow DHCP replies from DHCP servers to Forefront TMG

Network Services

Enabled

Allow ICMP (PING) requests from selected computers to Forefront TMG

Diagnostic Services

Enabled

Allow ICMP (PING) requests from Forefront TMG to selected servers

Diagnostic Services

Enabled

Allow VPN client traffic to Forefront TMG

This system policy rule is not modified through the system policy editor.

This rule is enabled automatically by Forefront TMG when you enable VPN traffic.

Allow VPN site-to-site traffic to Forefront TMG

This system policy rule is not modified through the system policy editor.

This rule is enabled automatically by Forefront TMG when you create a site-to-site network.

Allow VPN site-to-site traffic from Forefront TMG

This system policy rule is not modified through the system policy editor.

This rule is enabled automatically by Forefront TMG when you create a site-to-site network.

Allow Microsoft CIFS from Forefront TMG to trusted servers

Authentication Services

Enabled

Allow remote SQL Server® logging from Forefront TMG to selected servers

Remote Logging

Disabled

Note

Enable this rule if you configure Forefront TMG to write log data to a remote SQL Server.

Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)

Authentication Services

Enabled

Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers

Diagnostic Services

Disabled

Allow remote performance monitoring of Forefront TMG from trusted servers

Remote Monitoring

Enabled

Allow NetBIOS from Forefront TMG to trusted servers

Diagnostic Services

Disabled

Allow RPC from Forefront TMG to trusted servers

Authentication Services

Enabled

Allow HTTP/HTTPS from Forefront TMG to specified Microsoft error reporting sites

Diagnostic Services

Enabled

Allow SecurID authentication from Forefront TMG to trusted servers

Authentication Services

Disabled

Allow remote monitoring from Forefront TMG to trusted servers, using Microsoft Operations Manager (MOM) agent

Remote Monitoring

Enabled

Allow HTTP/HTTPS requests from Forefront TMG to specified sites

Various

Enabled

Note

This rule allows Forefront TMG to communicate with sites in the System Policy Allowed Sites domain name set.

Allow HTTP/HTTPS requests from Forefront TMG to specified Microsoft Update sites

Various

Enabled

Note

This rule allows Forefront TMG to communicate with sites in the Microsoft Update domain name set.

Allow NTP from Forefront TMG to trusted NTP servers

Network Services

Enabled

Allow SMTP from Forefront TMG to trusted servers

Remote Monitoring

Disabled

Allow HTTP from Forefront TMG to selected computers for Content Download Jobs

Various

Disabled

Allow MS Firewall Control communication to selected computers

Remote Management

Enabled

Allow remote access to Configuration Storage server

Configuration Storage Servers

Enabled

Allow access from trusted servers to the local Configuration Storage server

Configuration Storage Servers

Enabled

Allow replication between Configuration Storage servers

Configuration Storage Servers

Enabled

Allow intra-array communication

Intra-array Communication

Enabled

Allow Remote Access to Forefront TMG Reporting

Network Services

Enabled

Firewall policy rules

The following table lists the firewall policy rules that are configured by default in Forefront TMG in Windows EBS. These rules apply to all users in your network. The rules are processed in the order that they are listed in the table.

Name Type Action Protocol Listening Port, Protocol Type, and Direction

Allow incoming e-mail by publishing SMTP mail server

Server publishing rule

Allow traffic from anywhere to Security Server

SMTP server

25, TCP, inbound

Microsoft Exchange Server publishing: Outlook Web Access

Web publishing rule

Allow traffic from the external Web listener to the remote Web site on Messaging Server

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Microsoft Exchange Outlook Anywhere and Terminal Services Gateway publishing rule (RPC over HTTPS)

Web publishing rule

Allow traffic from the external Web listener to the remote Web site on Messaging Server

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Microsoft Exchange Active Sync Web publishing rule

Web publishing rule

Allow traffic from the external Web listener to the remote Web site on Messaging Server

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Server publishing rule to redirect to Remote Web Workplace

Web publishing rule

Redirect HTTP requests to https://<RemoteName>/remote

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Remote Web Workplace Robots.txt Publishing Rule

Web publishing rule

Allow traffic from the external Web listener to the robots.txt file on the remote Web site on Messaging Server

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Remote Web Workplace Publishing Rule

Web publishing rule

Allow traffic from the external Web listener to the remote Web site on Messaging Server

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Allow DNS traffic from internal DNS Servers to external Forwarders or Root Hints

Access rule

Allow traffic from Management Server and Messaging Server to external networks

DNS

53, TCP, outbound

53, UDP, send receive

Allow SMTP Mail Traffic from Security Server

Access rule

Allow traffic from Security Server to Messaging Server and to external networks

SMTP

25, TCP, outbound

Allow Outbound SMTP Mail Traffic to Security Server

Access rule

Allow traffic from Messaging Server to Security Server

SMTP

25, TCP, outbound

Allow Internet Access to All Users

Access rule

Allow traffic from all protected networks to external networks

HTTP

HTTPS

80, TCP, outbound

443, TCP, outbound

Allow Microsoft Exchange EdgeSync traffic from Messaging Server

Access rule

Allow traffic from Messaging Server to Security Server

Microsoft Exchange EdgeSync

50636, TCP, outbound

Allow SCE Management Traffic from SCE Agent to Management Server

Access rule

Allow traffic from Security Server to Management Server

HTTPS

SCE AEM Agent

SCE Agent

SCE Health

443, TCP, outbound

51906, TCP, outbound

5723, TCP, outbound

8530-8531, TCP, outbound

Allow Time Synchronization of Internal Time Servers with Internet

Access rule

Allow traffic from Management Server and Messaging Server to external networks

NTP (UDP)

123, UDP, send receive

Allow RDP (Terminal Services) from Messaging Server

Access rule

Allow traffic from the Messaging Server to the Security Server

RDP (Terminal Services)

3389, TCP, outbound

Allow Windows Communication Foundation-based remote execution traffic between servers

Access rule

Allow traffic from Management Server and Messaging Server to the Security Server

Windows Communication Foundation Net.TCP

808, TCP, outbound

Default rule

Access rule

Deny requests from all networks to all networks

All traffic
noteNote
This predefined access rule helps protect your networks by blocking all traffic that is not explicitly allowed by other, user-defined, access rules. This rule is always processed last.

External Web listener settings

The following table lists properties of the default external Web listener that are associated with the Web publishing rules in Forefront TMG in Windows EBS.

Setting Value

Selected networks

External

Client connections
  • HTTP connections on port 80

  • HTTPS connections on port 443

  • Redirect all traffic from HTTP to HTTPS

Certificate

Single certificate, issued by the certification authority in Windows EBS

Note

For most organizations, it is recommended that you configure a public certificate instead of the private certificate that is issued by Windows EBS. This allows users to connect to Web services such as Remote Web Workplace with a Secure Sockets Layer (SSL) connection that is verified with a publically trusted certificate. For more information, see Certificates in Windows Essential Business Server.

Authentication
  • Clients authenticate by using HTML Form Authentication

  • Credentials validated by using Windows (Active Directory®)

Web filtering rules

The following table lists the Web filtering rules that are configured in Forefront TMG in Windows EBS:

Rule Status

DiffServ Filter

Disabled

Web Publishing Load Balancing Filter

Enabled

Compression Filter

Enabled

Authentication Delegation Filter

Enabled

Forms-Based Authentication Filter

Enabled

RADIUS Authentication Filter

Enabled

LDAP Authentication Filter

Enabled

Link Translation Filter

Enabled

Malware Inspection Filter

Enabled

HTTP Filter

Enabled

Note

For more information about the default HTTP filter settings, see the following section.

Caching Compressed Content Filter

Enabled

HTTP filter settings

The following table shows several settings for the default HTTP filter for Web publishing rules that are configured in Forefront TMG, such as rules that are configured for Outlook Web Access and Remote Web Workplace. This filter blocks HTTP requests that might be considered attacks because they are large or contain specific characters.

Setting Value

Maximum headers length (bytes)

32768

Allow any payload length

Enabled

Maximum URL length (bytes)

10240

Maximum query length (bytes)

10240

Verify normalization

Enabled

Block high-bit characters

Enabled

For detailed information about the settings for HTTP filtering in Forefront TMG, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=127993).

Note

When Verify normalization is enabled, Forefront TMG decodes URL-encoded HTTP requests to determine that the decoded request is valid. (URL-encoded requests contain a percent sign (%) followed by a particular number in place of certain characters. For example, %20 corresponds to a space.) Normalization helps prevent attacks that rely on double-encoded requests. Web services such as Outlook Web Access may use double encoding for particular requests, but these requests are filtered by Forefront TMG by default. To allow these requests, you need to disable Verify normalization for the Web publishing rule. To modify an HTTP filter setting, see Modify HTTP Filtering for Web Traffic.

Web proxy settings

The following table lists several of the default Web proxy configuration and cache settings.

Setting Value

Web Proxy client connections

Enabled on HTTP port 8080

Concurrent client connections

Unlimited

Connection timeout

1800 seconds

Firewall client support

Enabled

Bypass settings
  • Bypass proxy for Web servers in the network

  • Directly access computers in the domain

Publish autodiscovery information for this network

Enabled

Cache size

Maximum of 20 GB or 10 GB

Note

The cache size is initially configured to allow at least 30% free space on the data storage volume for Security Server.

Intrusion detection settings

In Windows EBS, Forefront TMG is configured by default to detect the following attacks:

  • Windows out-of-band (WinNuke)

  • Land

  • Ping of death

  • IP half scan

  • UDP bomb

  • DNS host name overflow

  • DNS length overflow