New in Forefront TMG Update 1: SafeSearch Enforcement

Forefront TMG can now automatically block adult text, images, and videos from search results by major web search engines. The same SafeSearch feature that users can activate in their browsers can now be enforced on Forefront TMG, and applied to groups of users or to the entire organization.

When SafeSearch is enabled on Forefront TMG, the following happens:

  • When a user submits a query to a major search engine, Forefront TMG modifies the query string, causing the search engine to treat the request as a SafeSearch request, and return filtered results.

  • End-users cannot receive unfiltered content, even if they try to disable the feature in their browsers.

  • SafeSearch is enforced over secure connections when HTTPS inspection is enabled on Forefront TMG. If a user establishes an HTTPS session with a search engine, Forefront TMG strictly enforces SafeSearch results.

This functionality is especially useful to schools and other organizations that want to block inappropriate web content.

Configuring SafeSearch

To enable SafeSearch, do the following:

1. In the Forefront TMG Management console, click the Web Access Policy node, and in the Tasks pane, click Configure SafeSearch.

2. On the General tab, click Enable SafeSearch.

3. If you want to disable SafeSearch enforcement for certain authenticated users, click on the Users tab and add the users or user groups.

Note: You must enable URL filtering to use the SafeSearch feature on Forefront TMG, because SafeSearch makes use of the Search Engines URL Category.

SafeSearch System Policy Rule

When SafeSearch is enabled for the first time, a system policy rule is created. This rule serves as a container for the user white list and handles authentication when the list is not empty. The rule has the following properties:

  • Protocols: HTTP/HTTPS
  • Source: Internal
  • Destination: Search Engines (URL Category)
  • Users: All Users with exclusion of users from the white list

After the rule is created for the first time, enabling or disabling SafeSearch will affect the rule state (enabled/disabled).

Enforcement is performed only for traffic matching this rule. The rule is identified by its internal ID and can only be created by enabling SafeSearch in the Management console, or by calling ConfigureSafeSearchRule in COM:

    interface IFPCPolicyRules2 : IFPCEEPolicyRules
    {
        // ... other members omitted
        HRESULT ConfigureSafeSearchRule([out,retval] IFPCPolicyRule** ppVal);
    }


This COM function returns a newly created or already existing SafeSearch rule, while resetting all its properties to SafeSearch rule defaults. The default setting for this rule is to enforce SafeSearch for all users, but it can be configured to exclude specific users or user groups.

Static Configuration

The feature has a configuration file “SafeSearchConfiguration.xml”, located in the installation directory:


    <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active" >
        <searchQuery pattern="/search?" />
        <searchQuery pattern="/images?" />
    </provider>

    <provider domainPattern="" safeSearchSuffix="&amp;vm=r" >
        <searchQuery pattern="/search?" />
        <searchQuery pattern="/search;" />
        <searchQuery pattern="/search/images?" />
        <searchQuery pattern="/search/images;" />
        <searchQuery pattern="/search/video?" />
        <searchQuery pattern="/search/video;" />
    </provider>

    <provider domainPattern="" safeSearchSuffix="&amp;adlt=strict" >
        <searchQuery pattern="/search?" />
    </provider>


SafeSearchConfiguration.xml can be altered to support additional search engines (by adding a new provider) or to change the level of enforcement (e.g., from strict to moderate). If altered, the file must be manually distributed to all members of the affected array and the firewall service must be restarted.
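Before distributing an edited file, it helps to check which URLs a provider entry would actually touch. The following is an added example, not Forefront TMG code: it models the query-string rewrite described above using the provider format from the file. The `<providers>` wrapper element, the `search.example` provider, and the matching rules (substring match on the host, prefix match on path plus query) are assumptions, since the page does not document them.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. The Google provider is copied from the page; the
# <providers> wrapper and the "search.example" provider are assumptions.
SAMPLE_CONFIG = """
<providers>
  <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active">
    <searchQuery pattern="/search?" />
    <searchQuery pattern="/images?" />
  </provider>
  <provider domainPattern="search.example" safeSearchSuffix="&amp;filter=strict">
    <searchQuery pattern="/find?" />
  </provider>
</providers>
"""

def load_providers(xml_text):
    """Return a list of (domainPattern, safeSearchSuffix, [query patterns])."""
    providers = []
    for p in ET.fromstring(xml_text).iter("provider"):
        patterns = [q.get("pattern") for q in p.iter("searchQuery")]
        providers.append((p.get("domainPattern"), p.get("safeSearchSuffix"), patterns))
    return providers

def enforce(url, providers):
    """Append the provider's suffix when both host and request target match.

    Assumed semantics: domainPattern is a substring of the host name and each
    searchQuery pattern is a prefix of path + "?" + query.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    target = parts.path + ("?" + parts.query if parts.query else "")
    for domain, suffix, patterns in providers:
        if domain in host and any(target.startswith(p) for p in patterns):
            # The suffix goes after any value the user supplied (e.g. safe=off).
            return parts._replace(query=parts.query + suffix).geturl()
    return url  # not a recognised search request: leave untouched

if __name__ == "__main__":
    rules = load_providers(SAMPLE_CONFIG)
    for u in ("https://www.google.com/search?q=cats&safe=off",
              "https://www.google.com/maps?q=cats"):
        print(u, "->", enforce(u, rules))
```
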

Author: Dima Datsenko

Reviewers: Dotan Elharrar, David Strausberg

Comments (4)

  1. MicleFang says:

    One of my partners found that Google Images can't be applied to the strict safe search. From the design <searchQuery pattern="/images?" />, Google image search should be applied the strict safe search, so is it a TMG design issue or is Google Images not compatible with our product? Thank you for your guidance!

  2. charles says:

    I'm having a hard time adding additional sources. For example, I'm trying to add NetworkA, NetworkB, and Internal to the source, but the Add button is grayed out. Is SafeSearch only limited to just the default Internal network?

    Protocols: HTTP/HTTPS

    Source: Internal, NetworkA, NetworkB

    Destination: Search Engines (URL Category)

    Users: All Users with exclusion of users from the white list

  3. johnredd says:

    Problem is that the new rule opens access to All Users. If you limited access to Authenticated Users, now you have opened up access to anyone plugged into the network, albeit just search engines. I had to go back and disable the function because it opened access to a group that I had limited to only a few external sites. Since I cannot specify users in the SafeSearch rule, I can't use the function.

  4. bayron correa says:

    My problem is that it does not filter enough web content. For example, "golosa" is an old game, but if I search for it on the internet, I get pornographic synonyms. How can I filter by definitions, or how do I manipulate the static configuration?
