Dec 16 2011

Creating Access Rules with TMG 2010

OK, you have just installed your TMG server, but now none of your internal clients can access the internet or any other external resource. To fix this you need to create a so-called Access Rule on your TMG server. For this demonstration I will create access rules that let internal clients connect to the internet. For that we need to allow HTTP, HTTPS and DNS, so two rules will be created: one to allow HTTP/HTTPS traffic and one for DNS.

Open your TMG console and go to Firewall Policy. Here on the Tasks pane click Create Access Rule.

The New Access Rule Wizard opens. Give the rule a name, like Allow HTTP/HTTPS. Click Next.

What action do you want this rule to apply? Of course, since we are creating an allow rule, click Allow, then hit Next.

On the Protocols screen click Add, and in the new window expand Common Protocols. Add the HTTP and HTTPS protocols, then click Close and Next.

On the Malware Inspection screen choose Enable malware inspection for this rule if you want TMG to scan the content of outgoing HTTP requests for malware (HTTPS traffic is only scanned if HTTPS inspection is also enabled on the server). For this example I am going to choose not to.

On the Access Rule Sources screen we tell TMG the source of the traffic, which is the internal network, so click the Add button, expand Networks and add the Internal network. Click Close and Next.

On the Access Rule Destinations screen we tell TMG where the internal traffic is going. In this case it is going to External, which means the internet (every address that is not part of another defined network). Click Add, expand Networks and add the External network, then click Close and Next.

On the User Sets screen we permit all users to access the internet. Just leave the default (All Users) and click Next. Keep in mind that TMG can only match a more specific user set when the clients reach it as Web Proxy or Firewall Client clients; plain NAT (SecureNAT) clients, which is what this article uses, cannot be authenticated, so All Users is the only set that works for them.

Click Finish on the Summary page.

We are done with the HTTP/HTTPS rule. Now we need to create the DNS rule so clients can resolve website names. Go through the same steps again until you reach the Protocols screen. Here click the Add button, expand Infrastructure and add the DNS protocol. Finish the wizard using the same settings as the previous rule. If your clients resolve names through an internal DNS server, use that server (as a computer set) rather than the whole Internal network as the source of the DNS rule, so that only the resolver can send DNS to the outside.

For the rules to take effect you need to click the Apply button at the top of the Firewall Policy pane.

After a few seconds you should have something like this.

As proof that it works I attached the TMG log activity. As you can see, the traffic is allowed for the Microsoft website, which I accessed from one of the internal clients.
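Everything above is done by clicking through the wizard. The same two rules can also be created from a script against the TMG administration COM object model (the FPC.Root object), which is useful for reproducing the policy on a second server and for checking what was actually applied. The PowerShell below is an added example and is not part of the original article nor a Microsoft sample: it assumes it runs on the TMG server itself, elevated, as a TMG administrator; the numeric enumeration values are the ones documented in the ISA/TMG SDK; and the rule names, the "Internal DNS servers" computer set and the host dns1 at 192.168.1.10 are constructed for the example. It goes slightly beyond the wizard walkthrough by limiting the DNS rule to the internal resolvers and by showing how the Exceptions box of a rule's From tab is expressed (fpcExclude).

```powershell
# Added example (not the article's own procedure): create the two access rules
# through the TMG 2010 COM administration object model instead of the wizard.
# Enumeration values below are the ISA/TMG SDK constants.
$fpcPolicyRuleActionAllow = 0   # FpcPolicyRuleActions
$fpcSpecifiedProtocols    = 1   # FpcProtocolSelectionType: only the listed protocols
$fpcInclude               = 0   # FpcIncludeStatus: element is part of the selection
$fpcExclude               = 1   # FpcIncludeStatus: element is an exception
$fpcPolicyRuleAccess      = 0   # FpcPolicyRuleTypes: access rule (not publishing)

function Get-TmgPolicyRules {
    # GetContainingArray only works on a TMG server that is a member of the array
    $root = New-Object -ComObject 'FPC.Root'
    return $root.GetContainingArray().ArrayPolicy.PolicyRules
}

function New-TmgAccessRule {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Protocols,           # predefined names: HTTP, HTTPS, DNS ...
        [string]   $SourceNetwork       = 'Internal',
        [string]   $DestinationNetwork  = 'External',
        [string[]] $SourceComputerSets  = @(),   # narrower source than a whole network (e.g. the resolvers)
        [string[]] $SourceExceptionSets = @()    # computer sets the rule must NOT apply to (From tab > Exceptions)
    )
    $rule = (Get-TmgPolicyRules).AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionAllow

    # Protocols screen of the wizard
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    foreach ($p in $Protocols) { $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude) }

    # Access Rule Sources screen (the rule's From tab)
    if ($SourceComputerSets.Count -gt 0) {
        foreach ($cs in $SourceComputerSets) { $rule.SourceSelectionIPs.ComputerSets.Add($cs, $fpcInclude) }
    } else {
        $rule.SourceSelectionIPs.Networks.Add($SourceNetwork, $fpcInclude)
    }
    foreach ($cs in $SourceExceptionSets) { $rule.SourceSelectionIPs.ComputerSets.Add($cs, $fpcExclude) }

    # Access Rule Destinations screen (the rule's To tab)
    $rule.AccessProperties.DestinationSelectionIPs.Networks.Add($DestinationNetwork, $fpcInclude)

    # User Sets screen: the wizard's default, and the only set NAT clients can match
    $rule.AccessProperties.UserSets.Add('All Users', $fpcInclude)

    $rule.Save()   # writes the rule to storage, the scripted equivalent of clicking Apply
    return $rule
}

function New-TmgComputerSet {
    # $Computers maps a display name to an IPv4 address
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [hashtable] $Computers)
    $root = New-Object -ComObject 'FPC.Root'
    $set  = $root.GetContainingArray().RuleElements.ComputerSets.Add($Name)
    foreach ($entry in $Computers.GetEnumerator()) { $set.Computers.Add($entry.Key, $entry.Value) }
    $set.Save()
    return $set
}

function Get-TmgAccessRuleSummary {
    # One line per access rule: confirm the rules exist, are enabled and carry
    # the expected protocols. The built-in deny rule ("Default rule") is always last.
    foreach ($r in Get-TmgPolicyRules) {
        if ($r.Type -ne $fpcPolicyRuleAccess) { continue }
        [pscustomobject]@{
            Order     = $r.Order
            Name      = $r.Name
            Action    = if ($r.Action -eq $fpcPolicyRuleActionAllow) { 'Allow' } else { 'Deny' }
            Enabled   = $r.Enabled
            Protocols = (@($r.AccessProperties.SpecifiedProtocols) | ForEach-Object { $_.Name }) -join ','
        }
    }
}

# Usage: the article's two rules, with the DNS rule limited to the internal resolver.
# 'Internal DNS servers', 'dns1' and 192.168.1.10 are constructed values for this example.
New-TmgAccessRule -Name 'Allow HTTP/HTTPS' -Protocols 'HTTP','HTTPS' | Out-Null
New-TmgComputerSet -Name 'Internal DNS servers' -Computers @{ 'dns1' = '192.168.1.10' } | Out-Null
New-TmgAccessRule -Name 'Allow DNS' -Protocols 'DNS' -SourceComputerSets 'Internal DNS servers' | Out-Null
Get-TmgAccessRuleSummary | Format-Table -AutoSize
```

Rules are evaluated top down, so after running this check the Order column in the summary: a newly added rule that lands below a broader deny rule will never match. If your clients do not use an internal resolver, drop the computer set and call New-TmgAccessRule for DNS without -SourceComputerSets, which reproduces the article's rule exactly.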




  1. Joseph michael

    Hello Sir, please, how do I make exceptions for some particular IP addresses which I do not want to be filtered with the default firewall rules (by default Facebook, Twitter and most social sites are blocked)? How do I add an IP address to the do-not-filter list?

    1. Adrian Costea

      Hi Joseph,
      To add an exception in a TMG firewall rule all you need to do is open the Properties of that rule and go to the From tab. Here you will see a section named Exceptions. Hit the Add button and add your IP if it is in the list; if not, you will have to create the address, subnet or computer name.

      Let me know if this helps.

  2. ephraim

    Sir, my problem is about granting internet access to my domain users, which are using DHCP. Is it allowed in Forefront TMG? Do the DHCP computers need a gateway and DNS? Thanks

    1. Adrian Costea

      Yes, you can allow internal clients to connect to the internet using TMG, just create the appropriate firewall rules. If you need help, let me know.

  3. Wafi

    Can I add DNS, HTTP and HTTPS in one access rule, or should I create another access rule for DNS?

    1. Adrian Costea

      You can put them all in one access rule, but if you have your own internal DNS server I would create the DNS access rule separately and filter it to allow DNS only for the DNS servers. As you can see, it all depends on your network. Let me know if you need any more help.

      1. Wafi

        I tried a lot but I couldn't install TMG server, please, I really need your help.
        First of all, my network is a workgroup; I don't have any domain controller, Active Directory or DNS.
        I have one server on which I installed DHCP and, temporarily, I installed Routing or NAT on it because I couldn't install TMG.
        I have one other computer on which I installed Windows Server 2008 R2 for the TMG server.
        Whenever I'm installing TMG server on that computer all the internet goes down and it doesn't give internet to the clients; even its own internet is not working. I created rules as per your instructions but it didn't work.
        Note: what should I put in the DNS IP address of my LAN in TMG? Should I use the public DNS IP address, because I don't have a DNS server in my network?

        LAN IP address

        dns ip?

        1. Adrian Costea

          Put the same IP, mask, DNS on the TMG computer as you have set up on the DHCP/Routing computer. Make sure you shut it down first so you don’t get IP conflicts. After this, follow my article on how to install TMG 2010 on server 2008R2. Let me know how it goes.

          1. Wafi

            I really appreciate it, thanks a lot, it's working now. But the problem is that I can't block any websites, especially YouTube. I was just able to block Facebook from Domain Sets, but I can't block any other websites like YouTube and some other bad sites (porn sites). Any solution for that?

          2. Adrian Costea

            You put as the destination one of the URL Categories or URL Category Sets already predefined. You can also create your own category and include the sites you want to block there.
            Hope this helps.

  4. Laraib

    Sir, great work, I appreciate it. I just want to know one thing: do you use proxy settings in IE to access the internet?

    1. Adrian Costea

      No, I did not use a proxy server to access the internet, just plain simple NAT.

      1. Muhammad Laraib

        Okay, sir, one more last thing. I'm accessing the internet without proxy settings in IE and everything seems fine, but the question is: how do I block all the websites except email, Skype and our company's main website? I'm using an Active Directory domain server which is installed on another machine; all the users are joined to the domain. I can block websites using proxy settings, but I want to use TMG as a transparent proxy. Is there any way to block some websites in transparent proxy? Thanks in advance!

        1. Adrian Costea

          Yes you can. On your Web Access Policy rule make sure you put the websites that you DON’T want to block in the exceptions list. I recommend you make a URL set and put that in the list. Let me know if you need further explanation about this.

          1. Laraib

            Thanks a lot sir, you saved my time. Now I can block websites without proxy settings in IE. Thank you very much!
