About system policy
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
Forefront TMG includes a system policy, which is a set of predefined firewall policy rules that control access to and from the Local Host network (the Forefront TMG computer). These rules control how the Forefront TMG firewall enables the infrastructure necessary to manage network security and connectivity. Forefront TMG is installed with a default system policy, designed to balance security against connectivity.
This topic describes:
About system policy rules
Services enabled by system policy
About system policy rules
Some system policy rules are enabled upon installation. These are considered the most basic and necessary rules for effectively managing the Forefront TMG environment. You can subsequently enable the system policy rules for the additional services and tasks that you require to manage your network.
You use the System Policy Editor to configure the system policy rules. Within the System Policy Editor, the system policy is categorized into a set of configuration groups. The system policy rules are processed first, before any other rule. You cannot modify the order of these rules. Upon installation, the rules apply to specific networks, as listed in the table provided in System policy rules.
After you install Forefront TMG, you can configure the system policy. You cannot delete these rules, but from a security perspective, it is recommended that you do the following:
After installation, carefully review the system policy rules configured. After you perform major administrative tasks, review the system policy configuration again.
Identify those services and tasks that are not critical to how you manage your network, and then disable the associated system policy rules.
In addition to disabling unnecessary system policy rules, limit the applicability of the rules to required network entities only. For example, the Active Directory group is enabled by default, and applies to all computers on the internal network. You could limit this to apply only to a specific Active Directory Domain Services (AD DS) group on the internal network.
Services enabled by system policy
By default, the system policy allows the Forefront TMG firewall to access network resources that are critical to the proper functioning of the firewall. Depending on your specific deployment, you may want to lock down access to some of those services.
Depending on your specific deployment and the services that you require, you can determine which system policy configuration groups should be enabled. This section describes some of these deployment considerations.
When you disable a system policy configuration group, you are not necessarily preventing use of a particular protocol. This is because the same protocol may be specified in a different rule, which is enabled by a different configuration group.
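The review recommended above (disable configuration groups you do not need, narrow the ones you keep to specific network entities) and the caveat that disabling a group does not necessarily block a protocol can both be checked mechanically. The following Python script is an added example, not part of this topic and not Forefront TMG code: it works on a hand-built summary of configuration groups, and the data model and protocol lists are constructed for illustration only (they are not the TMG export format or the TMG administration object model). The default states in the sample follow the descriptions in this topic, for instance Active Directory enabled for the whole Internal network and RSA SecurID and CRL Download disabled.

```python
# Added example: audit a hand-built summary of Forefront TMG system policy
# configuration groups against the review guidance in this topic.
# The data model below is constructed for illustration; it is not the TMG
# export format or the TMG administration COM object model.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ConfigGroup:
    name: str
    enabled: bool
    protocols: frozenset      # protocols the group's rules allow (illustrative)
    applies_to: str           # network or computer-set name (From/To tab)
    scope_is_network: bool    # True = a whole network, False = a computer/URL set


# Constructed sample. Enabled/disabled states follow this topic's descriptions;
# the protocol sets are illustrative, not TMG's actual rule definitions.
SAMPLE_GROUPS: List[ConfigGroup] = [
    ConfigGroup("DNS", True, frozenset({"DNS"}), "All Networks", True),
    ConfigGroup("NTP", True, frozenset({"NTP"}), "Internal", True),
    ConfigGroup("Active Directory", True, frozenset({"LDAP", "LDAPS", "Kerberos"}), "Internal", True),
    ConfigGroup("RADIUS", True, frozenset({"RADIUS"}), "Internal", True),
    ConfigGroup("RSA SecurID", False, frozenset({"SecurID"}), "Internal", True),
    ConfigGroup("CRL Download", False, frozenset({"HTTP"}), "CRL Servers", False),
    ConfigGroup("Microsoft Management Console (MMC)", True, frozenset({"RPC"}), "Remote Management Computers", False),
    ConfigGroup("Microsoft Error Reporting", True, frozenset({"HTTP"}), "Microsoft Error Reporting sites", False),
    ConfigGroup("Allowed Sites", True, frozenset({"HTTP", "HTTPS"}), "System Policy Allowed Sites", False),
]


def review_groups(groups: Iterable[ConfigGroup], required: Set[str]) -> Dict[str, List[str]]:
    """Apply the topic's two recommendations to every enabled group:
    - not needed for managing the network   -> candidate to disable
    - needed, but scoped to a whole network -> candidate to narrow to a computer set
    Returns {"disable": [...], "narrow": [...]} with names sorted."""
    findings: Dict[str, List[str]] = {"disable": [], "narrow": []}
    for g in sorted(groups, key=lambda x: x.name):
        if not g.enabled:
            continue
        if g.name not in required:
            findings["disable"].append(g.name)
        elif g.scope_is_network:
            findings["narrow"].append(g.name)
    return findings


def protocols_still_allowed(groups: Iterable[ConfigGroup], disable: Set[str]) -> Dict[str, Set[str]]:
    """For each group being disabled, list its protocols that some other group
    that stays enabled still allows. This is the caveat in the text: disabling a
    configuration group does not necessarily block a protocol (the comparison is
    protocol-level only; destinations of the remaining rules may differ)."""
    groups = list(groups)
    remaining: Set[str] = set()
    for g in groups:
        if g.enabled and g.name not in disable:
            remaining |= g.protocols
    return {g.name: set(g.protocols & remaining) for g in groups if g.name in disable}


if __name__ == "__main__":
    needed = {"DNS", "NTP", "Active Directory", "Microsoft Management Console (MMC)", "Allowed Sites"}
    print(review_groups(SAMPLE_GROUPS, needed))
    print(protocols_still_allowed(SAMPLE_GROUPS, {"Microsoft Error Reporting", "RADIUS"}))
```

With the sample data, the review flags Microsoft Error Reporting and RADIUS as candidates to disable and Active Directory, DNS and NTP as candidates to narrow, and it shows that disabling Microsoft Error Reporting leaves HTTP allowed through the still-enabled Allowed Sites group, whereas disabling RADIUS leaves no other path for that protocol.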
The following services are enabled by system policy rules:
Network services
DHCP services
Authentication services
Enabling DCOM traffic
Windows and RADIUS authentication services
RSA SecurID authentication services
CRL authentication services
Remote management
Remote monitoring and logging
Diagnostic services
SMTP
Scheduled download jobs
Accessing the Microsoft Web site
For a full list of all the system policy rules, see System policy rules.
Network services
When you install Forefront TMG, basic network services are enabled. After installation, Forefront TMG can access name resolution servers on all networks and time synchronization services on the Internal network.
If the network services are available on a different network, you should modify the applicable configuration group sources (DHCP, DNS, or NTP) to apply to the specific network. For example, if the DHCP server is not located on the internal network but on a perimeter network, modify the source for the DHCP configuration group (on the From tab) to apply to the perimeter network.
You can modify the system policy, so that only specific computers on the internal network can be accessed. Alternatively, you can add additional networks if the services are found elsewhere.
Modify these configuration groups, depending on which network services you require:
DHCP
DNS
NTP
DHCP services
If your DHCP server is not located on the internal network, modify the system policy rule so that it applies to the network where the DHCP server is located.
Authentication services
One of the fundamental capabilities of Forefront TMG is the ability to apply a firewall policy to specific users. In order to authenticate users, Forefront TMG must be able to communicate with the authentication servers.
Modify these configuration groups, depending on which authentication services you require:
Active Directory
RADIUS
RSA SecurID
CRL Download
Enabling DCOM traffic
When the Microsoft Management Console (MMC) rules are enabled, remote procedure call (RPC) traffic is allowed to the Local Host network. However, by default, DCOM traffic is blocked. If you want to allow DCOM traffic, disable the “Allow remote management from selected computers using MMC” system policy rule. Then, create a rule allowing RPC traffic. After creating the rule, in the rule properties, configure the RPC protocol and clear the Enforce strict RPC compliance setting.
Windows and RADIUS authentication services
By default, Forefront TMG can communicate with AD DS servers (for Windows authentication) and with RADIUS servers located on the internal network. If you do not require Windows authentication or RADIUS authentication, disable the applicable system policy configuration groups.
Note
- When you disable the Active Directory system policy configuration group, access to all LDAP protocols is effectively disabled. If you require the LDAP protocols, create an access rule allowing use of these protocols.
- If you require only Windows authentication, make sure you configure the system policy, disabling use of all other authentication mechanisms.
RSA SecurID authentication services
Communication with RSA SecurID authentication servers is not enabled by default. If your firewall policy requires RSA SecurID authentication, make sure you enable this configuration group.
CRL authentication services
Certificate revocation lists (CRLs) cannot be downloaded by default, because the CRL Download configuration group is disabled by default. To enable CRL download, enable the CRL Download configuration group, and then apply it to the network entities on which the certificate revocation lists are located.
All HTTP traffic will be allowed from the Forefront TMG firewall to network entities listed on the To tab.
Remote management
Usually, you will manage Forefront TMG from a remote computer. Carefully determine which remote computers are allowed to manage and monitor Forefront TMG.
Modify these configuration groups, depending on how you perform remote management:
Microsoft Management Console (MMC)
Terminal Server
Web Management
ICMP (Ping)
By default, the system policy rules allowing remote management of Forefront TMG are enabled. Forefront TMG can be managed by running a remote Microsoft Management Console (MMC) snap-in, or by using Terminal Services.
By default, these rules apply to the built-in Remote Management Computers computer set. When you install Forefront TMG, this empty computer set is created. Add to this empty computer set all computers that will remotely manage Forefront TMG. Until you do this, remote management is not available from any computer.
Note
Limit remote management to specific computers by configuring the system policy rules to apply only to specific IP addresses.
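To make the computer-set behaviour concrete, here is an added Python example (not Forefront TMG code, and not its administration API): it models a system policy rule that applies to a computer set, with the set expressed as single addresses, subnets and address ranges, and shows that an empty Remote Management Computers set admits no source at all, while a populated set admits only the listed addresses. All IP addresses and set names other than Remote Management Computers are constructed for the example.

```python
# Added example (not TMG code): evaluate whether a source address is admitted by
# a system policy rule scoped to a computer set. Set semantics are modelled with
# the standard ipaddress module; entries may be a single address, a CIDR subnet
# or a first-last address range. All sample addresses are constructed.
import ipaddress
from typing import Dict, List


def parse_entry(text: str):
    """Accept 'a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d-w.x.y.z' (inclusive range)."""
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError(f"invalid address range: {text}")
        return (first, last)
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    return ipaddress.ip_address(text)


def in_computer_set(entries: List[str], source: str) -> bool:
    """True if the source address matches any entry of the computer set.
    An empty set never matches, which is why a freshly installed TMG accepts
    remote management from nobody until the set is populated."""
    addr = ipaddress.ip_address(source)
    for raw in entries:
        entry = parse_entry(raw)
        if isinstance(entry, tuple):
            if addr.version == entry[0].version and entry[0] <= addr <= entry[1]:
                return True
        elif isinstance(entry, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if addr in entry:
                return True
        elif addr == entry:
            return True
    return False


def remote_management_allowed(rule_enabled: bool, computer_sets: Dict[str, List[str]],
                              rule_scope: str, source: str) -> bool:
    """Mirror a rule such as 'Allow remote management from selected computers
    using MMC': the rule must be enabled and the source must belong to the
    computer set the rule applies to."""
    return rule_enabled and in_computer_set(computer_sets.get(rule_scope, []), source)


# Constructed sample: the set is empty right after installation, then narrowed to
# one management workstation, one management subnet and one address range.
EMPTY_SETS = {"Remote Management Computers": []}
POPULATED_SETS = {"Remote Management Computers": ["10.0.0.5", "10.0.1.0/24", "192.168.5.10-192.168.5.20"]}

if __name__ == "__main__":
    scope = "Remote Management Computers"
    for src in ("10.0.0.5", "10.0.1.77", "192.168.5.15", "10.0.2.1"):
        print(src, remote_management_allowed(True, EMPTY_SETS, scope, src),
              remote_management_allowed(True, POPULATED_SETS, scope, src))
```

The evaluation order matters in the same way the topic describes for the real rule: the rule being enabled is necessary but not sufficient, and the source must also match an entry in the set the rule applies to.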
Remote monitoring and logging
By default, remote logging, remote performance monitoring, and remote monitoring of Microsoft Operations Manager are disabled. The following configuration groups are disabled by default:
Remote Logging (NetBIOS)
Remote Logging (SQL)
Remote Performance Monitoring
Microsoft Operations Manager
Diagnostic services
By default, the system policy rules allowing access to diagnostics services are enabled, with the following permissions:
ICMP—This service, allowed to all networks, is important for determining connectivity to other computers.
Windows networking—Allows NetBIOS communication, by default, to computers on the Internal network.
Microsoft error reporting—Allows HTTP access to the Microsoft Error Reporting sites URL set, to allow reporting of error information. By default, this URL set includes specific Microsoft sites.
HTTP connectivity verifiers—Allows the Forefront TMG firewall to use HTTP and HTTPS protocols to check whether a specific computer is responsive.
SMTP
By default, the SMTP configuration group is enabled, allowing SMTP communication from Forefront TMG to computers on the Internal network. This is required, for example, when you want to send alert information in an e-mail message.
Important
It is recommended that you do not enable the SMTP configuration group if you do not send alert information in an e-mail message.
Scheduled download jobs
By default, the scheduled download jobs feature is disabled. The Scheduled Download Jobs configuration group is disabled as long as this feature is disabled.
When you create a content download job, you will be prompted to enable this system policy rule. Forefront TMG will be able to access the sites specified in the content download job.
Accessing the Microsoft Web site
The default system policy allows HTTP and HTTPS access from the Local Host network (that is, the Forefront TMG firewall) to the Microsoft.com Web site. Access to the Microsoft.com Web site is required for a few reasons, such as downloading antivirus and Network Inspection System signature updates, error reporting, or accessing the product documentation on the Forefront TMG Web site.
By default, the Allowed Sites configuration group is enabled, allowing Forefront TMG to access content on specific sites that belong to the System Policy Allowed Sites domain name set.
This URL set includes various Microsoft Web sites, by default. You can modify the domain name set to include additional Web sites, which Forefront TMG will be allowed to access.
HTTP and HTTPS access will be allowed to the specified Web sites.