Planning for web access

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG provides web access control and protection for internal users accessing the Internet, by providing authentication, packet filtering, stateful inspection, and application layer filtering.

This topic is designed to help you plan for access from your organization’s internal network to the Internet. It provides information on the following:

  • Authenticating internal users

  • Controlling Web access

  • Inspecting and filtering Web traffic

  • Accelerating Web access

Authenticating internal users

Forefront TMG can require internal users to authenticate before they are allowed to access the Internet. For information, see Planning for web access authentication.

Controlling web access

Access to the web through Forefront TMG is controlled by a web access policy. A web access policy determines who can access which resources on the Internet, and which protection and other technologies are enabled to help provide a fast and secure browsing experience.

To control web access, a web access policy enables you to define:

  • Web destinations to which access is allowed or blocked. You can control access to URL categories, category sets, and specific web sites. For example, you can block access to a specific site for everyone. Alternatively, you may want to allow managers to access a set of URL categories and deny access to other employees.

    Note

    In Forefront TMG SP1, you can notify users that they have accessed a web site that is blocked by policy, and allow them to override the access restriction and proceed to the site, on a per session basis. For more information, see Planning for deny rule user override (SP1).

  • Which computers or users can access the web. For example, you can specify that a set of computers has no access to the Internet, or you can allow one set of users to access the Internet, and block others.

  • Which content types are allowed, based on the MIME type and file name extension. For example, you can block access to content containing audio files, such as MP3 and WAV files.

For information about Forefront TMG policies, see Planning to control network access.

Inspecting and filtering web traffic

A web access policy also enables you to configure various protections from malicious web content. Forefront TMG uses several protection technologies to scan web traffic, to help protect your network from malicious web content:

  • Malware inspection—Inspects downloaded web pages and files for malware. For information, see Planning to protect against malicious web content.

  • URL filtering—Allows or blocks access to web sites based on their categorization in the URL filtering database. For information, see Planning for URL filtering.

  • HTTP filtering—Application-layer HTTP filtering that examines HTTP commands and data. For information, see Planning for HTTP filtering.

  • HTTPS inspection—Scans traffic to secure web sites for viruses and other malicious content that could utilize Secure Sockets Layer (SSL) tunnels, in order to infiltrate the organization undetected. For information, see Planning for HTTPS inspection.

Accelerating web access

You can use Forefront TMG to cache frequently requested web content to improve web access speed and network performance. For information, see Planning to cache Web content.

Concepts

Configuring web access
Access design guide for Forefront TMG