What's New in Forefront TMG Software Development Kit
Microsoft Forefront Threat Management Gateway (TMG) 2010 introduces numerous new features and functionalities. Some of the most notable advancements are described on this page.
For links to the new administration COM elements introduced in Forefront TMG to support the features described on this page, see New COM Elements in Forefront TMG.
Web traffic may contain malware (such as viruses, worms, and spyware). Forefront TMG introduces a Web filter named Malware Inspection Filter for scanning, cleaning, and blocking harmful content and files. When malware inspection is enabled, HTTP content (Web content) allowed by access rules is inspected for malware.
Malware inspection applies only to traffic that uses the HTTP protocol and does not involve the Forefront TMG Client or Firewall Client software. The body of all HTTP requests and responses is inspected, regardless of the HTTP verb in the header and the encoding scheme used to compress the body. If the encoding scheme is not recognized, Forefront TMG blocks the content. HTTP content compressed with gzip encoding can be decoded and encoded in both directions.
When a virus is detected in a file or an archive (for example, a .zip, .tar, or .cab file), Forefront TMG attempts to clean the file, rebuild the archive, and send a cleaned file to the client instead of the infected one. In cases where cleaning is not possible, the infected file is replaced with a text file containing a notification.
Because malware inspection may cause some delay in the delivery of content from the server to the client, Forefront TMG can trickle portions of the content as files are inspected to improve the user experience during malware inspection. As an alternative, Forefront TMG can send progress notifications for specified types of files to reassure the user during this delay.
The Network Inspection System (NIS) uses signatures of known vulnerabilities to detect and potentially block attacks based on exploits of such vulnerabilities in network traffic that uses specific application-level protocols, preventing protocol abuse. By providing signature-based protection against vulnerabilities, NIS closes the window between the disclosure of vulnerabilities and the development and deployment of patches from serveral weeks to a few hours.
URL filtering controls the access of users within an organization to Web sites based on URL categories, protecting the organization by denying access to known malicious sites and to sites displaying inappropriate or nonproductive content. Forefront TMG features over 80 URL categories, including security-oriented, productivity-oriented, and liability-oriented categories. Forefront TMG queries the Microsoft Reputation Service (MRS), a cloud-based categorization system, to obtain a URL category for every uncategorized URL to which client requests are directed and caches the results returned. This way, bandwidth is used for new queries only when necessary.
URL categories returned by the MRS can be overriden by mapping specific URLs to different URL categories. Such mappings can be defined in an array policy, and Forefront TMG 2010 SP 1 introduces support for defining them in on the enterprise level.
Forefront TMG 2010 SP 1 introduces user override, which allows users to override an access restriction and proceed to a blocked Web site on a per request basis. When a user attempts to access a Web site with a URL category that is blocked by policy, Forefront TMG presents an HTML access denied notification page. If the rule is configured to allow user override, the HTML page includes a button named Override Access Restriction. When the user clicks this button, this rule is disabled temporarily, and the access request re-evaluated using the remaining policy rules. The request can be accepted by an allow access rule that allows access to the same URL category that was previously blocked. The previously blocked Web page opens in the user’s browser, and the user may continue accessing the site either for the length of the session or for a specified time-out period.
Comprehensive email protection is provided when both the Exchange Edge Transport server role and Forefront Protection for Exchange Server are installed and enabled. These two components work in concert to provide anti-spam and antivirus protection, as well as content filtering that searches for specific words or phrases within email messages and for attachments with a specific name and type. When email protection is enabled, SMTP routes are defined to direct the flow of mail traffic to and from the internal SMTP servers in your organization. The Exchange Edge Transport server installed on your Forefront TMG server forwards mail between the internal SMTP servers and those outside your organization, and applies the email policy to all incoming and outgoing mail.
ISP redundancy provides a way to use two links to Internet service providers (ISPs) with a standalone Forefront TMG server or a Forefront TMG array for failover or load balancing. The failover option uses a primary ISP link and a backup ISP link. If connectivity over the primary ISP link is lost, Forefront TMG switches to the backup ISP link. When connectivity over the primary ISP link is restored, Forefront TMG goes back to using the primary ISP link. The load balancing option uses two ISP links simultaneously and automatically balances connections between the two ISP links based on the load balancing factor assigned to each link. In addition, when load balancing is used, explicit routes can be defined to create a list of destination IP address ranges that are excluded from load balancing and will always use a specific link.
Outbound HTTPS inspection can applly all of the Forefront TMG application-layer inspection features to content hidden inside SSL tunnels, enabling the disclosure of encrypted malware.
SIP support for VoIP provides protection for an Internet Protocol Private Branch Exchange (IP PBX) that uses the SIP protocol. Three primary scenarios are supported.
- External IP PBX.
- Internal IP PBX connected to a PSTN gateway.
- Internal IP PBX connected to an external IP PBX server.
When SIP filtering is enabled, quotas can be configured for flood mitigation.
Forefront TMG 2010 SP 1 introduces support for using BranchCache in Hosted Cache mode on Forefront TMG servers running on the Windows Server 2008 R2 operating system. BranchCache enables content from file and Web servers on a wide area network (WAN) to be cached locally in branch offices, allowing client computers at branch offices to access the content locally rather than over the WAN. BranchCache can improve application response time and reduce WAN traffic.
When BranchCache in Hosted Cache mode is enabled, content arriving in a branch office from the main office is cached locally on a Forefront TMG server in the branch office for local retrieval by clients in the same branch office. After a client computer requests and receives content from the main office and the content is cached at the branch office, other computers at the same branch office can obtain the content locally rather than contacting the main office over the WAN link.
Forefront TMG uses definitions of known viruses, worms, and other malware for malware inspection. These definitions can be downloaded from the Microsoft Update Center over the Internet. Forefront TMG automatically checks for and downloads new and updated definitions for malware inspection and other protection mechanisms according to a user-defined updating schedule.
Forefront TMG now includes support for large files (files larger than 4 gigabytes (GB)). Web filters that can handle large files must declare themselves as large size aware. Filters that do not do this are considered legacy filters that do not support large files. If such a Web filter is registered, a warning alert is issued during configuration reload, and large files are blocked by the Web proxy. All Forefront TMG built-in filters are large size aware.
Forefront TMG adds built-in support for SQL Reporting Services and enables you to use the Report Definition Language (RDL) to define custom reports when logs are recorded to a local Microsoft SQL Server Express 2008 database.
Build date: 7/12/2010