TMG post deployment checklist

Today, more and more people deploying Forefront TMG for various business needs are approaching us asking for a methodical post-deployment sanity test checklist. Forefront TMG is packed with new and existing features that need to be verified once deployment is completed.

In this post I’ll list Forefront TMG SWG (Secure Web Gateway) features, and how to check and validate functionality for each feature after you deploy Forefront TMG and before you put it in full production. 

 

SWG - Secure Web Gateway

Forward Web proxy

Figure 1 - IE proxy settings

Assumptions:

 

Test steps:

  1. Point a client browser to your proxy server (See Figure 1, for one of the methods to do this).
  2. Browse to http://www.whatismyip.com and confirm your proxy and external IP settings.
  3. Browse to http://YourIntranetWebsite.com. You should go through your proxy when the ‘bypass’ flag is turned off on the client browser.
  4. Browse to https://YourOWAwebsite.com and conduct a short OWA session.
  5. Browse to well-known websites, such as http://www.cnn.com, http://www.nba.com, http://www.bing.com and http://www.google.com. Make sure they are all responsive and render without distortions.
  6. Download a large file from two different computers. The second computer should download the file much faster, as the file should be served from the cache. Check in the log-viewer that this is true.
  7. Open an FTP connection to ftp://ftp.hp.com. You should be able to log in and list/download files.
  8. If you don’t create a web-proxy session, or fail on any of the above steps, go to “Logs&Reports\Logging” and initiate a query to detect and analyze the traffic from your client machine.
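The forward-proxy steps above are manual browser checks. As an added example (not part of the original post or of Forefront TMG), the script below runs the same checks from a client: each URL is fetched through the proxy listener, the Via header is checked for the proxy's server name (assumed here to be what TMG appends, so adjust PROXY_NAME to your server), and a large file is fetched twice so the second fetch can be compared with the first. The proxy address, server name and file URL are placeholders, and the second fetch here comes from the same client rather than a second computer, so it only shows that the object was served from the TMG cache rather than re-fetched.

```python
"""Automated pass over the forward web proxy checks: every URL is fetched
through the TMG web proxy listener, the Via header is checked for the
proxy's name, and a large file is fetched twice so the second (cached)
fetch can be compared with the first.  Hosts, proxy address and server
name below are constructed placeholders, not values from the checklist."""
import time
import urllib.request

PROXY = "http://tmg.contoso.local:8080"   # assumed: your TMG internal web listener
PROXY_NAME = "TMG01"                       # assumed: server name TMG puts in Via
SITES = ["http://www.whatismyip.com/", "http://www.bing.com/"]   # from the checklist
LARGE_FILE = "http://downloads.example.invalid/large.iso"         # placeholder


def fetch_via_proxy(url, proxy=PROXY, timeout=30):
    """Fetch url through the proxy; return (status, headers, elapsed, size)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    start = time.monotonic()
    with opener.open(url, timeout=timeout) as resp:
        body = resp.read()
        return resp.status, dict(resp.headers), time.monotonic() - start, len(body)


def went_through_proxy(headers, proxy_name=PROXY_NAME):
    """A web proxy appends itself to the Via header; look for our server name."""
    via = next((v for k, v in headers.items() if k.lower() == "via"), "")
    return proxy_name.lower() in via.lower()


def cache_speedup(first_elapsed, second_elapsed, factor=2.0):
    """The second download should be markedly faster if served from the cache."""
    return second_elapsed > 0 and first_elapsed / second_elapsed >= factor


def run_checks(fetch=fetch_via_proxy, sites=SITES, large_file=LARGE_FILE):
    """Return a dict of check name -> bool.  `fetch` is injectable so the
    decision logic can be exercised without a live proxy."""
    results = {}
    for url in sites:
        try:
            status, headers, _, _ = fetch(url)
            results[url] = status == 200 and went_through_proxy(headers)
        except OSError:          # URLError, timeouts and socket errors
            results[url] = False
    try:
        _, _, t1, n1 = fetch(large_file)
        _, _, t2, n2 = fetch(large_file)
        results["cache"] = n1 == n2 and cache_speedup(t1, t2)
    except OSError:
        results["cache"] = False
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

A failed check is the cue for step 8: run the Logs&Reports\Logging query for the client's IP and look at which rule handled the request.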
 
EMP – Enterprise Malware Protection

Figure 2 - Client browser side

Assumption:

  • You have EMP configured

 

Test steps:

  1. Browse to http://www.eicar.org/anti_virus_test_file.htm
  2. Download one of the test virus files over plain HTTP.
  3. EMP should identify the virus and send the client a blocking message, as shown in Figure 2.
  4. Validate this by running a query in the Forefront TMG Log-viewer, filtered by “Malware Inspection result = Infected File” (see Figure 3).

          Figure 3 – TMG Log-viewer side

Figure 4 – Forefront TMG Update Center view

  • Make sure that the EMP signature definitions are up to date, as shown in Figure 4. Install any updates listed.
 
HTTPSi – HTTPS Inspection

Figure 5 – Forefront TMG certificate

Assumptions:

  • You have HTTPSi and EMP configured
  • You have destination or source exemptions configured.
  • You have the latest TMGC (Forefront TMG client, which supports HTTPSi notifications) deployed.

 

Test steps:

  • Eicar provides SSL test files, so you can test HTTPSi and EMP together.
  1. Browse to http://www.eicar.org/anti_virus_test_file.htm to check that EMP is working and scanning the traffic over the SSL channel.
  2. Download one of the test virus files over HTTPS (the SSL-enabled protocol).
  3. EMP should identify the virus and send the client browser a notification.
  4. Browse to an SSL website and check that the certificate is from TMG (as shown in Figure 5).

Figure 6 – Website security warning for a non-trusted certificate

  • Check that the client workstation does trust the certificate that TMG is using when trying to get a secured website. This ensures that clients don’t see the Certificate Error page shown in Figure 6. If the Certificate Error page appears, the certificate is not properly deployed to the client machine.
  • Validate exceptions for HTTPS Inspection, either for the source or for the destination. Do this by browsing to a Web site that is excluded or by browsing from a computer that is excluded and verify that the certificate is not from TMG.
  • Run a query on the Forefront TMG Log-viewer filtered by “Malware Inspection result = Infected File” and the time of the request. Check that the Destination Port and Protocol are 443 & https-inspect respectively (see Figure 7).

           Figure 7 – Forefront TMG Log-viewer

Figure 8 – Forefront TMGC HTTPSi notification

  • Check that the HTTPS Inspection client notification is being sent to the client machine (you need to have TMG client installed), as shown in Figure 8, upon requesting a non-excluded SSL website.
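Steps 4 and the two exemption bullets above boil down to one question per destination: is the certificate the client sees issued by the TMG HTTPS Inspection CA, or is it the site's own? The following added example (not code from the post or from Forefront TMG) answers that from a client without a browser. It tunnels to the site through the proxy with CONNECT and verifies the chain against only the TMG CA certificate exported from the console: a successful handshake means the destination was inspected, a verification failure means the real site certificate came through, which is what you expect for a source or destination exemption. The proxy address, the CA file path and the CA common name are assumed placeholders; put your own values in.

```python
"""Checks the certificate a client sees for an SSL site when going through
the TMG web proxy: with HTTPS inspection on, the server certificate is
issued by the TMG HTTPS Inspection CA; for an excluded destination it is
the site's real certificate.  Proxy address, CA file path and CA name are
constructed placeholders."""
import http.client
import ssl

PROXY_HOST, PROXY_PORT = "tmg.contoso.local", 8080   # assumed proxy listener
TMG_CA_PEM = "tmg-httpsi-ca.pem"   # assumed path: CA cert exported from the TMG console
TMG_CA_CN = "Contoso TMG HTTPS Inspection CA"        # assumed issuer CN


def issuer_cn(cert):
    """Pull commonName out of the 'issuer' structure ssl.getpeercert()
    returns (a tuple of RDNs, each a tuple of (type, value) pairs)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, tmg_cn=TMG_CA_CN):
    """'inspected' if TMG minted the certificate, else 'passthrough'."""
    return "inspected" if issuer_cn(cert) == tmg_cn else "passthrough"


def peer_cert_via_proxy(host, cafile=TMG_CA_PEM, timeout=15):
    """CONNECT to host:443 through the proxy and return the peer certificate
    dict, or None if it does not chain to the CA in cafile.  Loading only
    the TMG CA means an uninspected (real) site certificate fails
    verification, which is itself the signal that the destination was
    excluded from inspection."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(PROXY_HOST, PROXY_PORT,
                                       timeout=timeout, context=ctx)
    conn.set_tunnel(host, 443)
    try:
        conn.connect()
        return conn.sock.getpeercert()
    except ssl.SSLCertVerificationError:
        return None
    finally:
        conn.close()


def check_inspection(host, expect_inspected, get_cert=peer_cert_via_proxy):
    """True when what the client sees matches the exemption policy for host.
    get_cert is injectable so the decision logic runs without a proxy."""
    cert = get_cert(host)
    state = "passthrough" if cert is None else classify(cert)
    return state == ("inspected" if expect_inspected else "passthrough")


if __name__ == "__main__":
    # Replace with a non-excluded site and one on your destination exemptions.
    for host, inspected in [("www.bing.com", True), ("excluded.example.invalid", False)]:
        print(host, "OK" if check_inspection(host, inspected) else "MISMATCH")
```

A MISMATCH for a site that should be inspected usually means the request matched an exemption you did not intend; a MISMATCH for an excluded site means the exemption is not being applied. Browser trust of the TMG CA (Figure 6) is a separate check: this script deliberately trusts only the exported CA file, so it tells you who issued the certificate, not whether the workstation's certificate store trusts it.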
 
URLF - URL Filtering

Figure 9 – URLF blocking page

Assumptions:

  • URLF is configured
  • You have overridden a URLF Category for a specific website.

 

Test steps:

  1. Browse to sites that should be blocked by URLF depending on your configuration. Confirm that the user is getting the correct custom message (an example is shown in Figure 9) or being redirected according to the policy (or check the default message).
  2. Browse to a site that has a category override and make sure that it is allowed or blocked depending on the configuration.
  3. Check that you can run a query from the URLF UI.
  4. Check that you can query and report classification issues to Microsoft from MRS (Microsoft Reputation Service) website.
  5. TMG Log-viewer: run a query filtered using the “Blocked Web Destinations” rule and make sure the URL Category detected is correct (see Figure 10).

          Figure 10 – TMG Log-viewer URLF query

 
NIS – Network Inspection System

Figure 11 – NIS blocking page

Assumption:

  • You have NIS configured

 

Test steps:

  1. Enter the following test signature URL in your client web browser to test NIS. If NIS is working, the attempt to open the website should be blocked by TMG with a TMG generated message, as illustrated in Figure 11.
  2. Confirm that you get an alert on signature detection or block (see Figure 12).

          Figure 12 - TMG alert upon blocking signature

  3. Run a query in the TMG Log-viewer, filtered by “NIS scan result = Blocked” and confirm detection.

         Figure 13 – TMG Log-viewer query result for blocked signatures
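Four of the checks in this post end in the Log-viewer: EMP step 4 (Malware Inspection result = Infected File), the HTTPSi bullet that adds Destination Port 443 and Protocol https-inspect, URLF step 5 (the Blocked Web Destinations rule with the right URL Category) and NIS step 3 (NIS scan result = Blocked). As an added example, not part of the post and not Forefront TMG code, the script below runs all four over a log export in one pass. The export is a constructed tab-separated sample; its column headers are assumptions based on the filter names used in this post, and the values in the NIS and URL Category columns are made up, so rename the columns to match your own Log-viewer export before relying on it.

```python
"""Runs the four Log-viewer checks from this post over an exported log.
SAMPLE_EXPORT is constructed, not real TMG output, and the column headers
are assumptions: a tab-separated export named after the filters the
checklist uses.  Adjust the header names to match your own export."""
import csv
import io

SAMPLE_EXPORT = """\
Client IP\tDestination Port\tProtocol\tRule\tMalware Inspection result\tURL Category\tNIS scan result\tURL
10.0.0.15\t80\thttp\tAllow Web Access\tInfected File\tGeneral\tInspected\thttp://www.eicar.org/anti_virus_test_file.htm
10.0.0.15\t443\thttps-inspect\tAllow Web Access\tInfected File\tGeneral\tInspected\thttps://www.eicar.org/anti_virus_test_file.htm
10.0.0.15\t80\thttp\tBlocked Web Destinations\tNot Inspected\tGambling\tInspected\thttp://blocked-category.example.invalid/
10.0.0.15\t80\thttp\tAllow Web Access\tNot Inspected\tGeneral\tBlocked\thttp://nis-test.example.invalid/
10.0.0.15\t80\thttp\tAllow Web Access\tClean\tSearch Engines\tInspected\thttp://www.bing.com/
"""


def parse_export(text):
    """Rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def emp_detected(rows):
    """EMP step 4: requests flagged 'Infected File'."""
    return [r for r in rows if r["Malware Inspection result"] == "Infected File"]


def httpsi_detected(rows):
    """HTTPSi: the infected download arrived on port 443 via https-inspect,
    which shows the scan happened inside the SSL channel."""
    return [r for r in emp_detected(rows)
            if r["Destination Port"] == "443" and r["Protocol"] == "https-inspect"]


def urlf_blocked(rows, expected_category):
    """URLF step 5: 'Blocked Web Destinations' fired with the right category."""
    return [r for r in rows if r["Rule"] == "Blocked Web Destinations"
            and r["URL Category"] == expected_category]


def nis_blocked(rows):
    """NIS step 3: a request stopped with 'NIS scan result = Blocked'."""
    return [r for r in rows if r["NIS scan result"] == "Blocked"]


def sanity_report(text, expected_category):
    """Feature -> whether its Log-viewer evidence is present in the export."""
    rows = parse_export(text)
    return {
        "EMP": bool(emp_detected(rows)),
        "HTTPSi": bool(httpsi_detected(rows)),
        "URLF": bool(urlf_blocked(rows, expected_category)),
        "NIS": bool(nis_blocked(rows)),
    }


if __name__ == "__main__":
    for feature, ok in sanity_report(SAMPLE_EXPORT, "Gambling").items():
        print(f"{'PASS' if ok else 'FAIL'}  {feature}")
```

Restrict the export to the test client's IP and the time window of the test, as the HTTPSi bullet says, so an unrelated hit on a production client is not mistaken for your test.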

Figure 14 – TMG IPS\NIS UI

  • Check that you get signature updates in TMG IPS (Intrusion Prevention System)\NIS UI, as shown in Figure 14.

 

Wrap-up

This blog post describes the post-deployment checklist for SWG (Secure Web Gateway) features; it is not a deployment or troubleshooting guide.

Features covered here for sanity testing are Forward Proxy, EMP (Enterprise Malware Protection), URLF (URL Filtering), HTTPSi (HTTPS Inspection) and NIS (Network Inspection System).

In the next post on the same subject, we’ll cover other Forefront TMG features for the sanity test checklist, such as Reverse proxy (web publishing), VPN (both SSTP and PPTP), Setup, Upgrade, ISPR (ISP Redundancy), Reporting, ENAT (Enhanced NAT), EMS (Enterprise Management Server) and Stirling connectivity.

 

Author

Gabriel Koren

Microsoft Forefront TMG test team

 

Reviewers

Gershon Levitz, James Kilner