Creating a firewall policy

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Using Forefront TMG, you can create a firewall policy, which includes a set of access rules and publishing rules. These rules, together with network rules, determine how clients access resources across networks. For an overview of access rules, see Planning to control network access. For an overview of publishing rules, see Planning for publishing.

Working with access rules

Access rules control access from one network to another. One of the primary functions of Forefront TMG is to connect source and destination networks while protecting against malicious access. To facilitate this connectivity, you use Forefront TMG to create an access policy that permits clients on the source network to access specific computers on the destination network. The access policy determines how clients access other networks.

For information about creating access rules, see Creating an access rule.

For information about creating outbound Web access rules, that is, access from a client computer to the Internet, see Configuring web access.

Working with publishing rules

Publishing rules control inbound access to published servers. Forefront TMG can make servers securely accessible to clients on another network. You use Forefront TMG to create a publishing policy to securely publish servers. The publishing policy (which consists of Web publishing rules, server publishing rules, secure Web publishing rules, and mail server publishing rules) and the Web chaining rules determine how published servers are accessed.

You can use one of the following Forefront TMG rules to publish servers:

  • Web publishing rules—To publish Web server content.

  • Server publishing rules—To publish any other content.

  • Secure Web publishing rules—To publish Secure Sockets Layer (SSL) content.

  • Exchange mail publishing rules—To publish Web client mail access on an Exchange server or server farm.

When Forefront TMG processes an HTTP or HTTPS request from a client, it checks publishing rules and Web chaining rules to determine whether the request is allowed, and which server will service the request.

For non-HTTP requests, Forefront TMG checks the network rules and then checks the publishing rules to determine if the request is allowed.
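The evaluation order described in the two preceding paragraphs, as an added example written for this page; it is a simplified Python model, not Forefront TMG code, and the rule fields, the sample policy and the treatment of Web chaining as a "next hop" lookup are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model of the order in which Forefront TMG consults its rules.
# Constructed for illustration; real TMG rule matching has many more fields.

@dataclass(frozen=True)
class NetworkRule:
    source: str          # source network name
    destination: str     # destination network name

@dataclass(frozen=True)
class PublishingRule:
    name: str
    protocol: str        # "HTTP", "HTTPS" or another protocol such as "SMTP"
    from_network: str    # network the request arrives from
    server: str          # published server that services the request
    allow: bool

def evaluate(request, network_rules, publishing_rules, web_chaining):
    """Return (allowed, server) for a request dict with protocol/source/destination."""
    proto = request["protocol"].upper()
    if proto in ("HTTP", "HTTPS"):
        # Web requests: publishing rules decide whether the request is allowed ...
        for rule in publishing_rules:
            if rule.protocol == proto and rule.from_network == request["source"]:
                if not rule.allow:
                    return (False, None)
                # ... and Web chaining rules decide which server services it
                # (modelled here as an optional next-hop lookup, an assumption).
                return (True, web_chaining.get(rule.server, rule.server))
        return (False, None)  # no matching rule: denied by default
    # Non-Web requests: a network rule must connect the two networks first.
    if not any(r.source == request["source"] and r.destination == request["destination"]
               for r in network_rules):
        return (False, None)
    for rule in publishing_rules:
        if rule.protocol == proto and rule.from_network == request["source"]:
            return (True, rule.server) if rule.allow else (False, None)
    return (False, None)

def sample_policy():
    """Constructed sample policy: one network rule, two publishing rules, one chaining entry."""
    network_rules = [NetworkRule("External", "Internal")]
    publishing_rules = [
        PublishingRule("Publish intranet site", "HTTPS", "External", "web01", True),
        PublishingRule("Publish mail relay", "SMTP", "External", "mail01", True),
    ]
    web_chaining = {"web01": "web01"}  # direct; no upstream proxy
    return network_rules, publishing_rules, web_chaining
```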

For information about creating Web publishing rules, see Configuring Web Publishing.

For information about creating server publishing rules, see Configuring publishing of other protocols.

Concepts

Configuring firewall policy
Planning to control network access