TMG: Block internet access outside web proxy(force web proxy)

[Graimer]

Hey. I'm trying to setup a Forefront TMG server that will be the firewall and gateway for 2 networks(one through vpn and one locally connected). At this time I'm ignoring the vpn network, and just focusing on setting up web proxy with the rules I want(block flash video, youtube). Now I'm stuck and I could really need some help on the following questions:

- What does web proxy block? I know what it does, but if it is disabled, will it just ignore some of the web access rules or? Because the default web rules from the wizard that uses Web proxy filter still works even if the proxy is disabled or you have not specified proxy settings on the client.

- How do you force all clients to use the web proxy? I've disabled the "If Forefront TMG is unavailable, use this backup route to connect to the internet:" under Web Browser in Internal Properties. I've tried to disable the web proxy, and have it enabled while clients are not configured to use it. They are still being allowed.

I just have the default web access rules atm:

-deny all users internal -> external botnet++ sites

-allow all uesrs internal -> external web (how do I make these rules web proxy only?)

-deny all users all networks -> all networks everything

Thanks :)

[Graimer]

At a high level only the TMG server(s) must be able to access the internet. for that you will need 2 ethernet adapters per TMG server. specifically, TMG connects to the internet via adapter A and to the rest of the network with adapter B. You can obviously force the proxy in IE/Outlook using GPO to all clients. The proxy will scan for threads such as infected files and bad web sites. How many users is this for? Have you considered clustering it? I had a single TMG deployment myself and when it was down we had to go through hell to allow remote users back in the network (mostly moaning really).

Thanks. I actually think I found a way. Seems it's not possible to force a rule to only work for proxy connections, and you have to use 2 firewalls as you say. The solution I think I'm going for is a single adapter TMG as proxy for the clients. then on the firewall that connects to the internet we block all access for the whole network, and allow all access for the tmg-server only. Found out we had to do this because of the rest of the setup(including internal dns that needs external dns access). It's only 20 users anyways: 14 local and 6 users connected through site-2-site vpn on the firewall(the firewall that blocks all internet access). :)