Deny Page Customization on Forefront TMG 2010


1. Introduction


With the addition of the Denied URL Request Action on Forefront TMG (see Figure 1), many people ask whether this page can be customized to change colors, add a company logo, and so on. It can, in the same way as the regular error pages on ISA Server.


Figure 1


On ISA Server 2006 you could use the article How to Customize HTML Error Messages in ISA Server 2006 to customize the vast majority of the errors that users could receive when browsing the Internet through ISA Server. Those pages are still present (now located at %programfiles%\Microsoft Forefront Threat Management Gateway\ErrorHtmls), with the following new additions:

File Name     Description
12222r.htm    The client certificate used to establish the SSL connection with the Forefront TMG Server computer is not acceptable. The client certificate restrictions were not met.
12224.htm     The SSL server certificate supplied by a destination server is not yet valid.
12225.htm     The SSL server certificate supplied by a destination server has expired.
12226.htm     The certification authority that issued the SSL server certificate supplied by a destination server is not trusted by the local computer.
12227.htm     The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
12228.htm     The SSL certificate supplied by a destination server cannot be used to validate the server because it is not a server certificate.
12229.htm     The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request.
12230.htm     The SSL server certificate supplied by a destination server has been revoked by the certification authority that issued it.
12231.htm     Forefront TMG denied the specified Uniform Resource Locator (URL). (Used when the deny rule is set to display the URL category but no custom message; [URLCATEGORY] is replaced with the category name.)
12232.htm     Forefront TMG denied the specified Uniform Resource Locator (URL). (Used when the deny rule is set to display a custom message but not the URL category; [ADMINMESSAGE] is replaced with the custom message.)
12233.htm     Forefront TMG denied the specified Uniform Resource Locator (URL). (Used when the deny rule is set to display both the custom message and the URL category; [URLCATEGORY] is replaced with the category name and [ADMINMESSAGE] with the custom message.)

Table 1


The page used by the option shown in Figure 1 is called 12232.htm, and this article will show you how to customize it.


2. Customizing the 12232 Error Page


The first step in customizing this page is to make a backup of the original in case you need to roll back. Then copy the 12232.htm file to another location and use the HTML editor of your preference to customize it. For this example I’m going to use Microsoft FrontPage. Here is the original page:


Figure 2


The fields between brackets [] are variables that will be replaced with information related to the access attempt. For more information on the meaning of the fields, see Table 1. Figure 3 shows how this page looks after the customization used in this example:


Figure 3


Notice that in this page we customized the following items:


·         Fonts (format and size)


·         Background Color and Table background


·         Company logo


·         Text description


·         Hyperlink to Helpdesk’s email


Note: When the 12232.htm page is used, the [ADMINMESSAGE] field is replaced on a per-rule basis: it is substituted with the text that you enter in the window shown in Figure 1.


The only caveat when customizing this page concerns inserting pictures. If you insert the picture reference using the approach below, it will not work:

    <TD class=titleBorderx width=130 style="border-style: none; border-width: medium; background-color: #FFFFFF">
      <img border="0" src="Fabrikam-logo.gif" width="105" height="87"></TD>
    <TD class=titleBorder id=L_12232_2 style="border-style: none; border-width: medium; background-color: #FF0000">

The reason it will not work is that the client browser resolves the picture’s name against the web site you were trying to access, and that site is blocked. For example, if you blocked access to www.contoso.com, the location for Fabrikam’s logo will show a red X, and if you open the properties of the picture the reference will be www.contoso.com/fabrikam-logo.gif. One way to overcome this is to use a full reference that points to an internal web server, as shown below:

    <TD class=titleBorderx width=130 style="border-style: none; border-width: medium; background-color: #FFFFFF">
      <img border="0" src="http://websrv/Fabrikam-logo.gif" width="105" height="87"></TD>
    <TD class=titleBorder id=L_12232_2 style="border-style: none; border-width: medium; background-color: #FF0000">

This way the picture is loaded from the internal web server, as long as the client has access to the web server referenced in the link. Depending on how your network is set up, that traffic might also pass through TMG, which means that TMG also needs to allow it to reach the destination web server.
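As an added check (written for this article, not part of the original post or of TMG), the following Python script parses a customized error page, flags every picture, stylesheet or script reference that the browser would resolve against the denied URL instead of your server, and confirms that the [ADMINMESSAGE] placeholder survived the edit. The function names are my own, the sample HTML is constructed from the fragments above, and www.contoso.com is the denied site from the article's example.

```python
"""Added check for a customized Forefront TMG deny page such as 12232.htm:
TMG serves the page in place of the blocked site, so the browser resolves
relative src/href values against the denied URL; flag those and make sure
the [ADMINMESSAGE] placeholder survived the edit."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch another resource.
_FETCH_ATTRS = {"img": "src", "script": "src", "link": "href"}

class _RefCollector(HTMLParser):
    """Collect resource references from <img>, <script> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = _FETCH_ATTRS.get(tag)  # HTMLParser lowercases tag names
        for name, value in attrs:
            if attr and name == attr and value:
                self.refs.append((tag, value))

def find_relative_refs(html, denied_url):
    """Return (tag, ref, resolved) for each reference that has no host part;
    resolved is the URL the browser would actually request."""
    collector = _RefCollector()
    collector.feed(html)
    problems = []
    for tag, ref in collector.refs:
        parts = urlsplit(ref)
        if parts.scheme == "data":  # inline data URIs need no fetch
            continue
        if not parts.netloc:        # "logo.gif", "/img/logo.gif", ...
            problems.append((tag, ref, urljoin(denied_url, ref)))
    return problems

def check_deny_page(html, denied_url, required=("[ADMINMESSAGE]",)):
    """Return human-readable findings; an empty list means the page is OK."""
    findings = [f"{tag} '{ref}' is relative; browser would request {resolved}"
                for tag, ref, resolved in find_relative_refs(html, denied_url)]
    findings += [f"placeholder {ph} missing; TMG has nothing to substitute"
                 for ph in required if ph not in html]
    return findings

# Constructed samples: the broken and the fixed <img> from the fragments above.
BROKEN = '<TD><img border="0" src="Fabrikam-logo.gif" width="105"></TD><p>[ADMINMESSAGE]</p>'
FIXED = BROKEN.replace('src="Fabrikam-logo.gif"', 'src="http://websrv/Fabrikam-logo.gif"')
```

Run check_deny_page(page_html, "http://www.contoso.com/") on your edited 12232.htm before copying it into ErrorHtmls; an empty result means every external reference is absolute and the placeholder is intact.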


Note: Another approach, instead of customizing this page, is to use the option Redirect Web Client to the Following URL (as shown in Figure 1). However, you need to be aware of potential issues with IE7 and higher, as described in the article Behavioral Change on IE7 can affect Outbound access through ISA Server 2006 that is using Redirect on a Deny Rule.


The new page should be placed (with its original name) in %programfiles%\Microsoft Forefront Threat Management Gateway\ErrorHtmls.


3. Conclusion


This post explained the additional HTML error pages on Forefront TMG 2010 and how to customize the 12232 error page. Although this post focuses on customizing the 12232 error page, the techniques used here can be applied to any of the other pages described in Table 1.


Author


Yuri Diogenes


Sr. Security Support Escalation Engineer


Microsoft CSS Forefront Edge Team


Technical Reviewers


Yury Berezansky


Sr. Software Developer Engineer


Forefront TMG Product Team


Avihai Dgany


Software Developer Engineer


Forefront TMG Product Team


Eric Detoc


Escalation Engineer


Microsoft CSS Forefront TMG Beta Team


Comments (8)

  1. Anonymous says:

    Thanks for your comments.

    The steps provided above successfully worked in our deployment. Please check if this is not a cache problem on the client side, try from multiple clients, double check if the page that was changed has the correct name (12232.htm).

    If the issue persists you can open an incident with Microsoft CSS to assist you troubleshooting that.

  2. Anonymous says:

    I was successful in creating my custom page thanks to your article. I do have a question though. I have figured out the [urlcategory] and a few others but I would also like to see the username. I have tried [user], and [username] and neither works. Can you point me in the right direction for more of these informational default fields?

  3. Anonymous says:

    Thanks for the tutorial, but I’ve made the changes but the changes aren’t being reflected when you hit the live deny page. They are just small text based changes to verify that is successful.

    I’ve tried restarting the services on that server but still no cigar.

    Cheers

  4. Anonymous says:

    Bubikaj, Frank – modify the 12233 file. After that modify the 12232 file. Restart the services and you should notice the changes. I had the same challenges myself and this resolved it…I hope this helps.

  5. Bubikaj says:

    one question, we saw the problem about deny page customization for HTTPS requests… there is no effect on IE 7 or 8… we always receive blank page or default IE page with "diagnostic connection"… what is the reason? we try to turn off friendly message in IE but without success 🙁

  6. TMG Newbie says:

    Is there any solution to the username parameter posted by walter thompson?

  7. Frank Buc says:

    Same Issue as Bubikaj: IE7 and IE8 show always Default friendly error messages, even if disabled in advanced options. IE6 is ok. Any hints?

  8. Mike says:

    Is it possible to customize the block override website in TMG?