

Enterprise Policies

In a centrally managed Forefront TMG deployment, an enterprise administrator can define an access policy on the enterprise level and apply it to any array in the organization. An enterprise policy is represented by an FPCPolicy object and can be augmented by policy rules that are defined on the array level and are specific to an array to which the enterprise policy is applied. An enterprise policy contains an ordered set of policy rules, which may include access rules and a placeholder that specifies the ordinal position (Order) of the set of array policy rules within the set of enterprise policy rules when the enterprise policy is applied to an array. Note that an enterprise policy cannot contain publishing rules.

The enterprise policy that is applied to an array is specified by the EnterprisePolicyUsed property of the FPCPolicyAssignment object for the array.

When an enterprise policy is applied to an array, each rule in the enterprise policy can be configured so that it applies either before or after the rules defined in the array policy. The enterprise policy rules with values of the Order property smaller than the value of the Order property for the placeholder are applied before the array policy rules, and the enterprise policy rules with values of the Order property larger than the value of the Order property for the placeholder are applied after the array policy rules.

Forefront TMG provides one predefined enterprise policy, called Default Policy, which contains a single access rule that denies all traffic and is assigned to each array when it is created. Default Policy cannot be modified or deleted. In particular, additional policy rules cannot be added to it.

Effective Array Policy

In a centrally managed Forefront TMG deployment, an enterprise policy is applied to each array created in the organization. By default, Default Policy is applied to each array when it is created, but an enterprise administrator can create a custom enterprise policy using the Add method of the FPCPolicies collection, and then apply it to an array using the SetEnterprisePolicy method of the FPCPolicyAssignment object for the array.

After an enterprise policy is applied to an array, an enterprise administrator can configure additional policy settings that restrict the types of policy rules that may be created in the array policy along with the access rules defined in the enterprise policy. These settings can prevent the creation of any policy rules at the array level, or can allow the creation of any combination of the following types of rules at the array level.

  • Access rules that deny access.
  • Access rules that allow access.
  • Server publishing rules and Web publishing rules.

The effective array policy is the combination of array-level and enterprise-level policy rules that are in effect in an array. The rules are applied in the following order:

  • System policy rules.
  • Enterprise policy rules that are applied before the array policy rules.
  • Array policy rules.
  • Enterprise policy rules that are applied after the array policy rules.

System policy rules are configured only at the array level. Because system policy rules are applied first, the array administrator can override even enterprise policy rules that are applied before the array policy rules by configuring the system policy.
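The ordering above, modeled as an added example (not Microsoft code, and not the Forefront TMG COM API): it merges the rule sets around the placeholder and flags enterprise rules that a system policy rule pre-empts. The `Rule` class, the function names, the sample rules, and first-match evaluation are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    protocol: str  # "*" matches any protocol
    order: int     # position within its own rule set

def effective_policy(system, enterprise, placeholder_order, array):
    """Merge the rule sets in the order the page lists."""
    key = lambda r: r.order
    before = sorted((r for r in enterprise if r.order < placeholder_order), key=key)
    after = sorted((r for r in enterprise if r.order > placeholder_order), key=key)
    return sorted(system, key=key) + before + sorted(array, key=key) + after

def decide(rules, protocol):
    # Assumption: the first matching rule wins; no match means deny.
    for r in rules:
        if r.protocol in ("*", protocol):
            return r.action, r.name
    return "deny", "(no match)"

def overridden_by_system(system, enterprise, placeholder_order):
    """Review check: enterprise 'before' rules that a system policy rule
    pre-empts with the opposite action for the same protocol."""
    hits = []
    for e in (r for r in enterprise if r.order < placeholder_order):
        for s in system:
            if s.protocol in ("*", e.protocol) and s.action != e.action:
                hits.append((e.name, s.name))
    return hits

# Constructed sample rule sets (not taken from a real deployment).
SYSTEM = [Rule("SYS allow RDP", "allow", "RDP", 1)]
ENTERPRISE = [Rule("ENT deny RDP", "deny", "RDP", 1),
              Rule("ENT allow HTTP", "allow", "HTTP", 2),
              Rule("ENT deny all", "deny", "*", 4)]
PLACEHOLDER_ORDER = 3  # array rules are spliced in between orders 2 and 4
ARRAY = [Rule("ARR allow DNS", "allow", "DNS", 1),
         Rule("ARR allow RDP", "allow", "RDP", 2)]

if __name__ == "__main__":
    merged = effective_policy(SYSTEM, ENTERPRISE, PLACEHOLDER_ORDER, ARRAY)
    for i, r in enumerate(merged, 1):
        print(i, r.name)
    print(decide(merged, "RDP"))
    print(overridden_by_system(SYSTEM, ENTERPRISE, PLACEHOLDER_ORDER))
```

With the system rule removed, the same RDP request is denied by the enterprise rule ordered before the placeholder, and the array-level allow rule never gets a chance to match.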


Build date: 6/30/2010