Best practices for configuring ISA/TMG to allow SQM data

Consider a scenario where you have an Access Rule in ISA/TMG that uses a Domain Name Set as the destination for non-web traffic (protocols other than HTTP and HTTPS), for example by selecting "All Outbound Traffic". In that case ISA/TMG has to perform a reverse DNS lookup on the destination IP address to check whether it matches a name in the Domain Name Set. Depending on how busy the ISA/TMG server is, this can lead to the problem described in the article ISA Server 2006 stops answering requests.

Note:

I'm covering Domain Name Sets here because URL Sets apply to HTTP/HTTPS only; for more information see Tips and Tricks: Using URL and Domain Name Sets.

In this type of scenario, the best practice is to use Domain Name Set based access rules only for HTTP and HTTPS traffic. To send SQM data through the proxy, you can use the following approach:

· The SQM clients send their data using WinHTTP.

· Configure a proxy for these WinHTTP clients with the following command: netsh winhttp import proxy source=ie

Note:

1. The manual WinHTTP proxy setting is needed only if customers don't have an automatic proxy detection mechanism in their infrastructure. Automatic proxy detection involves setting up a WPAD entry in DNS or option 252 in the DHCP scope and enabling automatic proxy detection in TMG/ISA (to set up automatic proxy detection, refer to this TechNet article). If customers already have a mechanism to detect the proxy automatically for their client browsers, WinHTTP automatic proxy detection will work in the same way.

2. The netsh command to set proxy settings for WinHTTP clients works on Windows Vista, Windows Server 2008 and Windows 7. On Windows XP and Windows Server 2003, use the proxycfg -u command to import the browser proxy settings for WinHTTP clients.

This imports the current user's IE proxy settings and applies them to WinHTTP clients. When the SQM client then sends its data, the host name is present in the request to the proxy, so if the Domain Name Set (SQM.microsoft.com) is in an allow rule limited to HTTP and HTTPS, the request is allowed.

If the client is not configured to use a proxy server and automatic proxy detection also fails, the client first resolves the name to an IP address and then sends the HTTP request, which reaches ISA/TMG as ordinary outbound traffic. At that point ISA/TMG sees only the destination IP address, so it has to perform a reverse lookup to determine whether the destination is in the allowed URL/Domain Name Set before it allows the request. In this case the recommendations are:

· Use Domain Name Set based access rules only for HTTP and HTTPS traffic

· Make sure the SQM client uses a WinHTTP proxy setting

· Make sure SQM.microsoft.com is in the allowed destination set
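As an added example that is not from the original article, the following PowerShell script checks whether the machine-wide WinHTTP proxy matches the current user's IE settings (which is what the netsh import above establishes) and reports when SQM traffic would go direct, leaving ISA/TMG with only an IP address to reverse-lookup. It assumes English-language netsh output (the text is localized) and the standard per-user Internet Settings registry values.

```powershell
# Added example, not part of the original article: check whether WinHTTP clients (such as
# the SQM client) on this machine will send their requests via the proxy, so that ISA/TMG
# receives the host name instead of just an IP address it must reverse-lookup.
# Assumptions: English-language netsh output (its text is localized) and the standard
# per-user IE proxy values under the Internet Settings registry key.

$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie    = Get-ItemProperty -Path $ieKey

$ieProxy      = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { $null }
$ieAutoConfig = $ie.AutoConfigURL    # WPAD/PAC script URL, if the browser uses one

# 'netsh winhttp show proxy' prints either "Direct access (no proxy server)." or a
# "Proxy Server(s) : host:port" line for the machine-wide WinHTTP setting.
$winhttpOut    = (& netsh winhttp show proxy 2>&1) | Out-String
$winhttpDirect = $winhttpOut -match 'Direct access'
$winhttpProxy  = if ($winhttpOut -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }

"IE proxy (current user): {0}" -f $(if ($ieProxy)       { $ieProxy }           else { 'none' })
"IE auto-config URL     : {0}" -f $(if ($ieAutoConfig)  { $ieAutoConfig }      else { 'none' })
"WinHTTP proxy (machine): {0}" -f $(if ($winhttpDirect) { 'direct (no proxy)' } else { $winhttpProxy })

if ($winhttpDirect -and $ieProxy) {
    # The browser has a static proxy but WinHTTP does not: SQM traffic would go direct and
    # ISA/TMG would see only the destination IP of SQM.microsoft.com.
    Write-Warning "WinHTTP is set to direct access; import the browser settings with:"
    Write-Warning "  netsh winhttp import proxy source=ie   (proxycfg -u on XP / Server 2003)"
}
elseif ($winhttpDirect -and -not $ieProxy -and -not $ieAutoConfig) {
    Write-Warning "Neither IE nor WinHTTP has a proxy and no auto-config URL is set; configure a proxy or WPAD first."
}
elseif ($winhttpProxy -and $ieProxy -and ($winhttpProxy -ne $ieProxy)) {
    Write-Warning "WinHTTP proxy ($winhttpProxy) differs from IE proxy ($ieProxy); re-run the import."
}
else {
    "WinHTTP requests will carry the host name (e.g. SQM.microsoft.com) to the proxy."
}
```

Run it in the context of the user whose IE settings were imported, since the IE values are per-user while the WinHTTP setting is machine-wide.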

Author

Bala Natarajan

Security Support Engineer – Microsoft CSS Forefront Edge TMG Beta Team

Technical Reviewers

Mohit Saxena

Technical Lead - Microsoft CSS Forefront Edge Team

Yuri Diogenes

Security Support Engineer – Microsoft CSS Forefront Edge Team