TMG New Features - Policy Enforcement

1. Introduction

Throughout the years ISA Server has seen many improvements in the way it handles firewall policy. If you remember, on ISA Server 2000 we had to stop the service for a policy change to take effect immediately, which improved a lot in ISA Server 2004. However, even with ISA Server 2006 there was still a common complaint from customers: "I applied a new ISA Server policy, but I see that my user is still accessing the web site. He has to close it and open a new connection for the policy to take effect." The answer up to now was: well, that’s expected in ISA Server. A connection that is already established will not be affected, only new ones. TMG has a new feature called Policy Enforcement that addresses this need, and this post gives you an overview of it.

2. Compliance Enforcement

The key feature of TMG in this area is that it enforces the new policy for compliance purposes. In other words: if the company security policy changes and those changes need to be reflected rapidly at the edge, you can just make the changes and re-apply them to the TMG Server. In summary, the process works like this:

Figure 1 – Policy Enforcement.

The re-evaluation of an existing HTTP session happens, after the policy takes effect, on the first traffic within that session. Therefore you could potentially still see an open session for the site that you just prohibited, because no traffic has been exchanged within that session since the change.
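
To make the difference concrete, here is an added Python model (not TMG code) of the two enforcement behaviours described above: an ISA-style gateway that checks policy only when a connection is opened, and a TMG-style gateway that re-checks an established session on its first request after the policy changed. The hostname and session ids are constructed for the example.

```python
# Added illustration of the behaviour described above; a model, not TMG code.
# New connections are always checked against the current deny list. Traffic on an
# established session is re-checked only if re-evaluation is on and the policy changed.

class Gateway:
    def __init__(self, reevaluate_existing):
        self.reevaluate_existing = reevaluate_existing  # False: connect-time only (ISA-style)
        self.denied_hosts = set()
        self.policy_version = 0
        self.sessions = {}  # sid -> {"host", "version", "open"}

    def apply_policy(self, denied_hosts):
        """The administrator saves a new rule set; the version bump marks the change."""
        self.denied_hosts = set(denied_hosts)
        self.policy_version += 1

    def connect(self, sid, host):
        """A new connection is always evaluated against the current policy."""
        allowed = host not in self.denied_hosts
        self.sessions[sid] = {"host": host, "version": self.policy_version, "open": allowed}
        return allowed

    def request(self, sid):
        """Traffic inside an established session."""
        s = self.sessions[sid]
        if not s["open"]:
            return False
        if self.reevaluate_existing and s["version"] != self.policy_version:
            # First traffic since the policy changed: re-evaluate this session now.
            s["version"] = self.policy_version
            s["open"] = s["host"] not in self.denied_hosts
        return s["open"]

    def open_sessions(self):
        return sorted(sid for sid, s in self.sessions.items() if s["open"])

def scenario(reevaluate_existing):
    """Two sessions to one site; the site is then prohibited and only 'a' sends traffic."""
    gw = Gateway(reevaluate_existing)
    site = "news.example.test"  # constructed hostname
    gw.connect("a", site)
    gw.connect("b", site)
    gw.apply_policy({site})
    return {
        "open_before_traffic": gw.open_sessions(),  # both still listed as open
        "a_request_allowed": gw.request("a"),
        "open_after_traffic": gw.open_sessions(),  # idle 'b' still looks open
        "new_connection_allowed": gw.connect("c", site),
    }
```

In the TMG-style run the idle session 'b' still appears open after the change, which is exactly the effect the paragraph above describes; it is closed only when it next sends traffic.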

 

In step two, when the administrator applies the change, the Saving Configuration Change window shows the following warning about this new feature:

Figure 2 – New configuration change window.

3. Conclusion

This is just one more improvement that you will see in TMG, and it is one that brings more control and security enforcement to the network administrator. For more information about policy enforcement, review the official TMG documentation at the TMG TechNet Library Page.