One of the features introduced in Forefront TMG SP1 (available here) is User Override for Blocked URL Categories. This feature warns the user about attempts to browse to a Web site that is blocked by the firewall policy, but still allow this user to explicitly override the restriction and access the site.
This allows administrators to evaluate a URL filtering policy before actually enforcing it as well as use the override pages to educate the organization about what is the acceptable Web usage policy without forcefully preventing access.
Forefront TMG administrators should keep in mind that User Override restriction is controlled by the end-users and shouldn't be considered a security feature.
Administering User Override
User Override option is enabled per deny rule.
Assume the following firewall policy:
To enable user override option in the first deny rule, the administrator needs to open its properties on the General page and select Allow user override.
The secondary checkbox allows applying time constraints to the User Override. It defines how long the user may browse the overridden site until he's requested to override the block again.
Note that the feature is based on a deny rule, which blocks the request unless overridden and is ignored otherwise. So by no means does this rule grant access to the Web. In order for the request to be allowed through there must be an additional access rule allowing it after the overridden rule.
When the user browses to a site that is blocked by a rule with User Override option enabled (e.g. hotmail.com in our case), the user sees the following webpage:
Override is done per domain and category, so if there are sites with different blocked categories under the same domain, the user will have to override access restriction for each category separately.
Consider the following example, where the firewall blocks sites categorized Sport and News. The blocking rule has the User Override option enabled. Let's assume that sites contoso.com and contoso.com/news are categorized as News; and contoso.com/sport is categorized as Sport. When user first accesses contoso.com/news, he'll override access restriction. After that when he accesses contoso.com – he won't be required to override, since he already has access to News on contoso.com. However, if he tries to access contoso.com/sport, he'll be required to override again. As a result he'll then have override access for Sport and News categories on contoso.com domain.
Each time a user overrides access restriction, this action is logged and enters the statistics shown in reports.
After a user acquired access by means of User Override, he can re-enter the site and its sub-sites (as long as they have the same category), until one of the following happens:
1. User closes the browser
2. The time period defined in the rule expires
In either of these cases, the next time the user tries to enter this site he'll receive the error page with override option.
User Override feature has following restrictions:
· The protocol must be HTTP – unfortunately, HTTPS is not supported in SP1. This is because of a security feature in many of the browsers which prevents the browser from showing any pages (such as the user override HTML page) before the SSL tunnel was established. This means the administrator needs to create two Deny rules – one for HTTP with User Override option and another for HTTPS with strict deny.
· Destinations must contain only URL categories or categories sets. User Override option doesn't support other types of destinations.
· Content-types must be set to "All content types" (default option)
A rule with User Override option cannot be created if any of these restrictions are violated.
Let's continue to use the policy example that blocks the Web E-mail category.
When user accesses the site and performs User Override, the following entries will appear in the log:
The first line indicates the blocked requested, which triggered the error page.
The second line shows the User Override request that was served without being evaluated by the firewall, so it doesn't have a matching rule.
The third line shows the same request as in the first line, but now it is allowed due to the User Override. Here, the log column Overridden Rule (new column introduced in SP1) shows the rule that initially blocked the request but was overridden.
Among the brand new reports delivered with Forefront TMG SP1, there are two reports dedicated to the User Override feature:
These reports allow the administrator to analyze whether the overridden URLs are miscategorized and who are the users that used the feature the most.
Author: Dima Datsenko
Reviewers: Ori Yosefi, Nathan Bigman