Modifying network objects
The following types of network objects are used in defining rules in Microsoft Forefront Threat Management Gateway:
- Network
- Network set
- Computer
- Address range
- Subnet
- Computer set
- URL set
- Domain name set
- Web listener
- Server farm
After you create a network object in Forefront TMG, you can modify its properties for use in defining a rule. If the network object is already used to define a rule, the new policy with the changes will apply only to new connections.
For instructions for modifying networks, see Modifying internal and perimeter networks. This topic includes procedures for modifying the other network objects.
To modify a network set
In the Forefront TMG Management console tree, click Networking.
In the details pane, select the Networks tab.
Select the network set that you want to modify.
On the Tasks tab, click Edit Selected Network Set.
On the Networks tab, select or clear the networks that you want to include in the network set or exclude from the network set.
Note
Predefined network sets cannot be modified.
Click OK to close the dialog box.
To modify a computer object
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Computers and select the applicable computer object.
On the toolbar beneath Network Objects, click Edit.
In Name, you can type a new name for the computer.
In Computer IP Address, you can type a new IP address for the computer. You can also click Browse to locate the IP address based on the name of the computer.
Click OK to close the dialog box.
To modify an address range
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Address Ranges and select the applicable address range.
On the toolbar beneath Network Objects, click Edit.
In Name, you can type a new name for the address range.
In Start Address, you can type a new IP address for the first address in the range.
In End Address, you can type a new IP address for the last address in the range.
Click OK to close the dialog box.
To modify a subnet
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Subnets and select the applicable subnet.
On the toolbar beneath Network Objects, click Edit.
In Name, you can type a new name for the subnet.
In Network address, you can type a new IP address for the first address in the address range comprising the subnet.
You can do one of the following:
- In the spin box, type or select a new number from 0 through 32 that specifies the number of successive ones in the binary value of the network mask.
- In Network mask, type a new network mask. The network mask is ANDed with the first address in the subnet (specified in Network address) to determine the range of IP addresses included in the subnet.
The subnet mask typically consists of zero, one, two, or three octets of all ones, each represented in dotted-decimal format by the decimal number 255, followed by one octet that contains a series of ones (which may be empty) followed by a series of zeros. That octet is represented by one of the following decimal numbers:
- 254
- 252
- 248
- 240
- 224
- 192
- 128
- 0
Click OK to close the dialog box.
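The arithmetic behind the Network address, Network mask and spin-box fields, as an added example (not code from the Forefront TMG documentation): it converts between the prefix length and the dotted-decimal mask, rejects a mask whose ones are not contiguous (which is why each octet can only be 255, 254, 252, 248, 240, 224, 192, 128 or 0), and ANDs the network address with the mask to show the range of addresses the subnet object will cover. The sample addresses are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix_len: int) -> str:
    """Spin-box value (0 through 32 successive ones) to a dotted-decimal mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0 through 32")
    mask_int = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask_int))


def is_contiguous_mask(mask: str) -> bool:
    """True only if the mask is a run of ones followed by a run of zeros."""
    mask_int = int(ipaddress.IPv4Address(mask))
    ones = bin(mask_int).count("1")
    return mask_int == (ALL_ONES << (32 - ones)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask to prefix length; rejects e.g. 255.0.255.0."""
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not a contiguous network mask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def subnet_range(network_address: str, mask: str):
    """AND the address typed in Network address with the mask and return the
    first and last addresses of the resulting subnet."""
    prefix_len = mask_to_prefix(mask)  # validates the mask as a side effect
    net = ipaddress.IPv4Network(f"{network_address}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    # Constructed sample: a /21 subnet object typed with a host address.
    print(prefix_to_mask(21))                         # 255.255.248.0
    print(subnet_range("192.168.9.0", "255.255.248.0"))  # ('192.168.8.0', '192.168.15.255')
```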
To modify a computer set
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Computer Sets and select the applicable computer set.
On the toolbar beneath Network Objects, click Edit.
To add a new computer, address range, or subnet to this computer set, click Add, and select Computer, Address Range, or Subnet, depending on the object that you are adding to the computer set. Provide the required information for the object that you selected.
To modify or delete a computer, address range, or subnet in the computer set, select the applicable name, and then click Edit or Delete, accordingly.
Click OK to close the dialog box.
To modify a URL set
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand URL Sets and select the applicable URL set.
On the toolbar beneath Network Objects, click Edit.
In Name, you can type a new name for the URL set.
To add a new URL, click Add, and then type the URL to include in the URL set.
Each URL may include a host name and a path. Wildcard characters are allowed. However, URLs containing a query string that are included in a URL set are ignored. A protocol (HTTP, HTTPS, or FTP) and a port number may be included, but these are ignored.
Hosts may be specified in any of the following formats:
- FQDN (for example, www.northwindtraders.com).
- DNS suffix (for example, *.net).
- IP Address.
- Wildcard character (*).
Paths may be specified in any of the following formats:
- Full path (for example, default.htm).
- Prefix (for example, /pictures/travel/* or /*).
Forefront TMG does not support the use of International Domain Name (IDN) URLs.
To modify or delete a URL, select the applicable URL, and then click Rename or Delete, accordingly.
Click OK to close the dialog box.
To modify a domain name set
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Domain Name Sets and select the applicable domain name set.
On the toolbar beneath Network Objects, click Edit.
To add a domain name, click Add, and then type a domain name to include in the domain name set.
When specifying a domain name, you can use an asterisk (*) to specify a set of computers. For example, to specify all computers in the fabrikam.com domain, type the domain name as *.fabrikam.com. Note that the asterisk can appear only at the start of the domain name and can be specified only once in the name.
When you specify a single computer, specify the computer name using the fully qualified domain name (FQDN). For example, type computer_name.fabrikam.com, and not //computer_name.
To modify or delete a domain name, select the applicable domain name, and then click Rename or Delete, accordingly.
Click OK to close the dialog box.
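A small matcher for the URL set and domain name set formats described in the two procedures above, as an added example (not Forefront TMG code): it drops the protocol and port, skips set entries that carry a query string, applies the host formats (FQDN, DNS suffix such as *.net, IP address, or *) and path formats (full path or prefix ending in *), and validates the domain name set rule that an asterisk may appear only once and only at the start. It assumes that a suffix entry such as *.fabrikam.com covers names below the suffix but not the bare suffix itself, and that an entry with no path is treated as the path /; the sample entries and URLs are constructed.

```python
from urllib.parse import urlsplit


def is_valid_domain_name_entry(name: str) -> bool:
    """Domain name set rule: '*' at most once, and only at the start (e.g. *.fabrikam.com)."""
    if not name or "/" in name or "\\" in name:
        return False          # e.g. //computer_name is not a valid entry
    if name.count("*") > 1:
        return False
    return "*" not in name or name.startswith("*.")


def host_matches(pattern: str, host: str) -> bool:
    """Host formats: FQDN or IP (exact), DNS suffix (*.net), or '*' (any host)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: *.net covers a.net and b.c.net, but not the bare name "net".
        return host.endswith(pattern[1:])
    return host == pattern


def path_matches(pattern: str, path: str) -> bool:
    """Path formats: full path (exact match) or prefix ending in '*' (e.g. /pictures/travel/*)."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def split_url(url: str):
    """Return (host, path, has_query); the scheme and port are dropped because TMG ignores them."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # Assumption: an entry or request with no path is treated as "/".
    return (parts.hostname or "").lower(), parts.path or "/", bool(parts.query)


def url_set_matches(url_set, request_url: str) -> bool:
    """True if any usable entry in the URL set covers the requested host and path."""
    req_host, req_path, _ = split_url(request_url)   # a query on the request is simply not compared
    for entry in url_set:
        host, path, has_query = split_url(entry)
        if has_query:                                # entries with a query string are ignored
            continue
        if host_matches(host, req_host) and path_matches(path, req_path):
            return True
    return False
```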
To modify a Web listener
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Web Listeners and select the applicable Web listener.
On the toolbar beneath Network Objects, click Edit.
To configure the Web listener to listen for HTTP or SSL requests, do the following:
- On the Connections tab, select Enable HTTP connections on port if Forefront TMG should listen for HTTP requests. Type the port number on which Forefront TMG listens for HTTP requests.
- Select Enable SSL (HTTPS) connections on port if Forefront TMG should listen for Secure Sockets Layer (SSL) requests. Type the port number on which Forefront TMG listens for SSL requests.
- If you select Enable SSL (HTTPS) connections on port, click Select to select a certificate to use for SSL requests.
Most Web browsers can only use port 443 for SSL requests.
The Connections tab enables you to control the redirection of users who try to connect to your published SSL sites using HTTP. Typically, in a secure Web publishing scenario, you would choose the option Redirect all traffic from HTTP to HTTPS. This automatically redirects all HTTP requests to HTTPS.
If you are publishing both HTTP and SSL sites using a single Web listener, you may want to select Do not redirect traffic from HTTP to HTTPS, and then configure HTTP-to-HTTPS redirection on each publishing rule for your HTTP and SSL sites as appropriate. Note that this option does not result in automatic redirection but requires the user to retype the URL with the HTTPS protocol. For per-rule configuration, select Notify HTTP users to use HTTPS instead on the Traffic tab of each Web publishing rule.
The third option on the Connections tab of the Web listener is Redirect all authenticated traffic from HTTP to HTTPS, which redirects requests only when the user is required to authenticate. If you select this option, the per-rule redirection option is only available if the rule applies to the All Users user set, because all authenticated users are already automatically redirected by the Web listener.
To configure the maximum number of concurrent connections allowed, do the following:
- On the Connections tab, select Advanced.
- In Advanced Settings, select Unlimited to allow an unlimited number of clients to connect to the server at any one time, or select Maximum per server to limit the maximum number of clients that can connect to the server at any one time and type the maximum number of connections.
- In Advanced Settings, in Connection timeout, type the number of seconds before the server disconnects an inactive user.
To configure settings for forms-based authentication for a Web listener that is configured for HTML form authentication, do the following:
- On the Forms tab, click Advanced.
- Under Cookie Settings, you can provide a name for the cookie that Forefront TMG provides to the client after forms-based authentication has succeeded. From the drop-down list, you can select whether the cookies are persistent (continue to exist on the client after the session ends) on all computers, only on private computers, or never.
- Leave Ignore browser IP address for cookie validation selected if you want to allow clients to use the same cookie from different IP addresses. For example, requests from a single client may appear to come from different IP addresses, such as when there is a load balancer between a client and the Forefront TMG computer.
- Under Client Security Settings, select Treat as maximum idle time to set a time-out period based on the amount of time that the client is idle, or select Treat as maximum session duration to set a time-out period based on the session length. Then provide time-outs for public and private computers, which will be used to establish the maximum idle time or maximum session length. Leave Apply session timeout to non-browser clients selected to apply the session time-out period to clients that are not browser-based (such as Outlook RPC/HTTP and ActiveSync).
When the time-out period elapses for a session, clients are required to log on to the session using their user credentials.
When you configure a time-out period for forms-based authentication, we recommend that the time-out period be shorter than the one imposed by the published server. If the published server times out before Forefront TMG does, the user may mistakenly think that the session has ended. This could allow attackers to use the session, which remains open until actively closed by the user or timed out by Forefront TMG as configured in the form settings.
Use persistent cookies to allow opening documents from SharePoint sites without the need to reauthenticate.
Note the following security issues related to persistent cookies:
- A malicious attacker who obtains a persistent cookie may be able to perform a brute force attack to obtain user credentials from the cookie.
- On a public computer, if the user does not log off, the session cookie can be used by the next user to access published sites. This threat can be mitigated by not enabling persistent cookies for public computers.
- Spyware may be able to access the cookie.
Click OK to close the dialog box.
To modify a server farm
In the Forefront TMG Management console tree, click Firewall Policy.
On the Toolbox tab, click Network Objects.
Expand Server Farms and select the applicable server farm.
On the toolbar beneath Network Objects, click Edit.
In Name, you can type a new name for the server farm.
To add a server, on the Servers tab, click Add, and then type the name or IP address of the server to include in the server farm.
On the Servers tab, you can select a server and do one or more of the following:
- Click Drain to cause the server to stop accepting new connections. Note that the server will stop accepting new connections only after this configuration change is applied.
- Click Resume to cause the server to start accepting new connections. Note that the server will start accepting new connections only after this configuration change is applied.
- Click Edit to change the name or IP address of the server.
- Click Remove to delete the server from the server farm. We recommend draining the server before removing it from the farm.
On the Connectivity Verification tab, you can modify the method used to monitor connectivity to the server farm and the associated time-out period.
Click OK to close the dialog box.
Important
After you finish creating your network objects, in the details pane, click the Apply button to save and update the configuration, and then click OK.