

Bypassing Forefront TMG for Web proxy client requests

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Applications that make requests as Web proxy clients can bypass the Web proxy filter in order to directly access resources located in their local network, or to access external Web sites, without going through Forefront TMG.

You can configure Web proxy clients for direct access as follows:

  • Client browsers that do not use automatic detection by means of an automatic configuration script or a Web Proxy Automatic Discovery (WPAD) entry must be configured manually for direct access. For more information about automatic detection, see Configuring automatic detection.

  • Client browsers configured to use a Forefront TMG automatic configuration script can obtain direct access information.

If a request that bypasses the Web proxy filter is for resources that are not in the client network, you can configure the client either as a SecureNAT client or as a Forefront TMG Client. This allows Forefront TMG to handle the request and to apply traffic inspection and filtering.

Configuring direct access for Web proxy clients not using automatic detection

This procedure assumes Windows Internet Explorer is the Web browser.

To configure Web browsers to use the automatic configuration script

  1. In Internet Explorer, click the Tools menu, and then click Internet Options.

  2. Click the Connections tab, and then click LAN Settings.

  3. Select the Bypass proxy server for local addresses check box to configure the browser not to forward requests for host names (for example, https://contoso.com) to the Web proxy filter. This option is only available for single label names. Names or addresses with a period (.), such as IP addresses or a fully qualified domain name (FQDN), are forwarded to the Web proxy filter. These types of entries should be specified in the Exceptions box, as follows:

    • Click Advanced, and then in the Exceptions box, type in the domain name or IP address you do not want to be handled by the Web proxy filter.

Configuring direct access for Web proxy clients using automatic detection

Direct access settings configured in Forefront TMG are delivered to clients in an automatic configuration script every six hours. Internet Explorer can specify the static location of the script, or use the WPAD protocol to discover a server on which the configuration script is located. For instructions on configuring clients, see Configuring Web browsers for automatic detection. You can configure direct access settings in the Forefront TMG Management console, as follows.

To configure direct access settings

  1. In the Forefront TMG Management console, click Networking.

  2. On the details pane, click the Networks tab.

  3. Right-click the required internal or perimeter network, and then click Properties.

  4. On the Web Browser tab, do one of the following:

    • Select Bypass proxy for Web servers in this network to specify that Web proxy clients should bypass the Web proxy filter for Web servers located in the client network.

    • Select Directly access computers specified in the Domains tab to allow Web proxy clients to bypass the Web proxy filter for destinations specified on the Domains tab.

    • Select Directly access computers specified in the Addresses tab to allow Web proxy clients to bypass the Web proxy filter for destinations on the Addresses tab. By default, the Addresses tab contains the IP address range of the network.

    • Select Add to specify an IP address range, domain, or computer, to access directly. To remove an entry from the Directly access these servers or domains list, select it, and then click Remove. To modify an entry on the list, select it, and then click Edit.

    • Select Direct Access to specify that Web proxy clients should bypass the Web proxy filter if Forefront TMG is unavailable.

Configuring domains for direct access

To configure a domain for direct access

  1. In the Forefront TMG Management console, click Networking.

  2. On the details pane, click the Networks tab.

  3. Right-click the required internal or perimeter network, and then click Properties.

  4. On the Domains tab, do the following:

    • To add an entry, click Add, and then type in a domain for direct access. Repeat for each domain you want to add.

    • To remove an entry, in the Domain names list, click the entry you want to remove, and then click Remove.

    • To modify an entry, in the Domain names list, click the entry you want to modify, and then click Edit.
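The direct access settings above reach clients as an automatic configuration script, so the bypass list decides which requests Forefront TMG never inspects. The following simplified PAC-style script is an added example, not the script Forefront TMG generates and not code from this page; it shows how such settings become routing decisions and how to audit a host list against them. The proxy name, domain, address range, the `auditBypass` helper, the stand-ins for the browser's PAC helpers, and the mapping of the network bypass option to single-label names are assumptions.

```javascript
// Constructed sample settings (assumptions, not values from the page).
const PROXY = "PROXY tmg.example.internal:8080";
const DIRECT_DOMAINS = ["*.corp.example"];               // Domains tab entries
const DIRECT_RANGES = [["10.0.0.0", "255.255.255.0"]];   // Addresses tab entries
const BYPASS_LOCAL = true;          // bypass for Web servers in the client network
const DIRECT_IF_PROXY_DOWN = true;  // "Direct Access" fallback option

// Minimal stand-ins for the PAC helpers a browser normally provides.
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}
function ipToInt(ip) {
  const parts = ip.split(".");
  const valid = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && +p <= 255);
  return valid ? parts.reduce((acc, p) => ((acc << 8) | +p) >>> 0, 0) : null;
}
// Unlike the browser helper, this stand-in does no DNS lookup: IP literals only.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Routing decision: "DIRECT" means the request is not sent to the Web proxy filter.
function FindProxyForURL(url, host) {
  if (BYPASS_LOCAL && isPlainHostName(host)) return "DIRECT";
  if (DIRECT_DOMAINS.some(d => shExpMatch(host, d))) return "DIRECT";
  if (DIRECT_RANGES.some(([net, mask]) => isInNet(host, net, mask))) return "DIRECT";
  // With the fallback enabled, the client goes direct only if the proxy is unreachable.
  return DIRECT_IF_PROXY_DOWN ? PROXY + "; DIRECT" : PROXY;
}

// Audit helper: which of these hosts always bypass the proxy?
function auditBypass(hosts) {
  return hosts.filter(h => FindProxyForURL("http://" + h + "/", h) === "DIRECT");
}
```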

Concepts

Configuring Web proxy clients
Configuring automatic detection