System policy rules
Applies To: Forefront Threat Management Gateway (TMG)
Forefront TMG system policy rules are a set of predefined access rules that control access between the Local Host network (the Forefront TMG server) and other networks. Some system policy rules are enabled by default to allow traffic that is necessary for managing the Forefront TMG environment. For more information, see About system policy. The following table lists the default system policy rules.
| List order | Name | System policy group | Protocols | Source | Destination | Details |
|---|---|---|---|---|---|---|
1 |
Allow access to directory services for authentication purposes |
Authentication Services |
LDAP LDAP (UDP) LDAP GC (Global Catalog) LDAPS LDAPS GC (Global Catalog) |
Local Host |
Internal |
If Forefront TMG is not a domain member, this rule can be disabled. |
2 |
Allow remote management from selected computers using MMC |
Remote Management |
Microsoft Firewall Control NetBIOS datagram NetBIOS Name Service NetBIOS Session RPC (all interfaces) |
Array Servers Enterprise Remote Management Computers Remote Management Computers |
Local Host |
If you do not need a remote MMC connection to the Forefront TMG computer, this rule can be disabled. When this rule is enabled, RPC traffic is allowed to the Local Host network. However, by default, DCOM traffic is blocked by the RPC filter. Remote management computers must be added to the predefined Remote Management Computers computer set. |
3 |
Allow remote management from selected computers using Terminal Server |
Remote Management |
RDP (Terminal Services) |
Enterprise Remote Management Computers Remote Management Computers |
Local Host |
If you do not need remote desktop management of the Forefront TMG computer, disable this rule. Remote management computers must be added to the predefined Remote Management Computers computer set. |
4 |
Allow remote management from selected computers using a Web application |
Remote Management |
Forefront TMG Web Management |
Enterprise Remote Management Computers Remote Management Computers |
Local Host |
If you do not need remote management from a Web application, disable this rule. Remote management computers must be added to the predefined Remote Management Computers computer set. |
5 |
Allow remote logging to trusted servers using NetBIOS (disabled by default) |
Remote Logging |
NetBIOS Datagram NetBIOS Name Service NetBIOS Session |
Local Host |
Internal |
Enable this rule if you are logging on to a remote SQL server. |
6 |
Allow RADIUS authentication from Forefront TMG to trusted RADIUS servers |
Authentication Services |
RADIUS RADIUS Accounting |
Local Host |
Internal |
If you are not using RADIUS authentication, disable this rule. If you are, limit the destination to the IP address of the RADIUS server. |
7 |
Allow Kerberos authentication from Forefront TMG to trusted servers |
Authentication Services |
Kerberos-Sec (TCP) Kerberos-Sec (UDP) |
Local Host |
Internal |
If you are not authenticating clients, disable this rule. |
8 |
Allow DNS from Forefront TMG to selected servers |
Network Services |
DNS |
Local Host |
All Networks (and Local Host) |
This rule must be enabled for Forefront TMG to perform DNS queries. |
9 |
Allow DHCP requests from Forefront TMG to all networks |
Network Services |
DHCP (request) |
Local Host |
Anywhere |
If the Forefront TMG computer does not need to be a DHCP client, disable this rule. |
10 |
Allow DHCP replies from DHCP servers to Forefront TMG |
Network Services |
DHCP (reply) |
Internal |
Local Host |
If the Forefront TMG computer does not need to be a DHCP client, disable this rule. If the DHCP server is not in the Internal network, change the Source property. |
11 |
Allow ICMP (PING) requests from selected computers to Forefront TMG |
Diagnostic Services |
PING |
Enterprise Remote Management Computers Remote Management Computers |
Local Host |
Any computer that must ping the Forefront TMG computer must be included in the Remote Management Computers computer set. |
12 |
Allow ICMP requests from Forefront TMG to selected servers |
Diagnostic Services |
ICMP Information Request ICMP Timestamp PING |
Local Host |
All Networks (and Local Host) |
This rule must be enabled to allow Forefront TMG to perform network management tasks. |
13 |
Allow VPN client traffic to Forefront TMG (disabled by default) |
This system policy rule is not modified through the system policy editor. |
PPTP |
External |
Local Host |
This rule is enabled automatically by Forefront TMG when you enable VPN traffic in Forefront TMG Management. |
14 |
Allow VPN site-to-site traffic to Forefront TMG (disabled by default). |
This system policy rule is not modified through the system policy editor. |
None |
External IPSec Remote Gateways |
Local Host |
This rule is enabled automatically by Forefront TMG when you create a site-to-site network in Forefront TMG Management. |
15 |
Allow VPN site to site traffic from Forefront TMG (disabled by default) |
This system policy rule is not modified through the system policy editor. |
None |
Local Host |
External IPSec Remote Gateways |
This rule is enabled automatically by Forefront TMG when you create a site-to-site network in Forefront TMG Management. |
16 |
Allow Microsoft CIFS from Forefront TMG to trusted servers |
Authentication Services |
Microsoft CIFS (TCP) Microsoft CIFS (UDP) |
Local Host |
Internal |
If you do not need to access file shares from the Forefront TMG computer, disable this rule. |
17 |
Allow remote SQL logging from Forefront TMG to selected servers (disabled by default) |
Remote Logging |
Microsoft SQL (TCP) Microsoft SQL (UDP) |
Local Host |
Internal |
Enable this rule if you are logging to a remote SQL server |
18 |
Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads) (disabled by default) |
Authentication Services |
HTTP |
Local Host |
All Networks (and Local Host) |
Enable this rule to allow the Forefront TMG to access certificate revocation lists. This is required if you are bridging the SSL connection on the Forefront TMG computer. Configure the destination to specify only the network from which the CRL is downloaded. |
19 |
Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers (disabled by default) |
Diagnostic Services |
HTTP HTTPS |
Local Host |
All Networks (and Local Host) |
This rule is enabled automatically when you create a connectivity verifier. |
20 |
Allow remote performance monitoring of Forefront TMG from trusted servers (disabled by default) |
Remote Monitoring |
NetBIOS Datagram NetBIOS Name Service NetBIOS Session |
Enterprise Remote Management Computers Remote Management Computers |
Local Host |
Enable this rule to allow remote performing monitoring of Forefront TMG. |
21 |
Allow NetBIOS from Forefront TMG to trusted servers |
Diagnostic Services |
NetBIOS datagram NetBIOS Name Service NetBIOS Sessions |
Local Host |
Internal |
If you do not plan to access file shares from the Forefront TMG computer, disable this rule. |
22 |
Allow RPC from Forefront TMG to trusted servers |
Authentication Services |
RPC (all interfaces) |
Local Host |
Internal |
If you do not need to connect from the Forefront TMG computer to other servers using the RPC protocol, disable this rule. |
23 |
Allow HTTP/HTTPS from Forefront TMG to specified Microsoft error reporting sites |
Diagnostic Services |
HTTP HTTPS |
Local Host |
Microsoft Error Reporting Sites |
This rule allows error reports to be sent to Microsoft. |
24 |
Allow SecurID authentication from Forefront TMG to trusted servers (disabled by default) |
Authentication Services |
SecurID |
Local Host |
Internal |
If you are not using SecurID authentication, disable this rule. If you are, limit the destination to the IP address of the RADIUS server. |
25 |
Allow remote monitoring from Forefront TMG to trusted servers, using Microsoft Operations Manager (MOM) agent (disabled by default) |
Remote Monitoring |
Microsoft Operations Manager Agent System Center Operation Manager Agent |
Local Host |
|
Enable this rule if you are using MOM to monitor the Forefront TMG computer. |
26 |
Allow installation of System Center Operations Manager Agent |
Remote Monitoring |
System Center Operation Manager Agent Installation |
Local Host |
Protection Manager gateway |
This rule is required to allow the installation of System Center Operations Manager Agent. |
27 |
Allow HTTP/HTTPS requests from Forefront TMG to specified sites |
Various |
HTTP HTTPS |
Local Host |
System Policy Allowed Sites URL Filtering Update Sites |
This rule is required to allow the Forefront TMG computer to communicate with site in the System Policy Allowed Sites domain name set. |
28 |
Allow HTTP/HTTPS requests from Forefront TMG to specified Microsoft Updates sites |
Various |
HTTP HTTPS |
Local Host |
Microsoft Update Sites |
This rule is required to allow the Forefront TMG computer to communicate with Microsoft Updates sites listed in the Microsoft Update Domain Name Set. |
29 |
Allow NTP from Forefront TMG to trusted NTP servers |
Network Services |
NTP (UDP) |
Local Host |
Internal |
This rule allows Forefront TMG to contact NTP servers in the Internal network. Limit the destination to the IP address of the NTP server. |
30 |
Allow SMTP from Forefront TMG to trusted servers |
Remote Monitoring |
SMTP |
Local Host |
Internal |
If you do not intend to send SMTP alerts, disable this rule. Otherwise, limit the destination to the IP address of the SMTP server, instead of the Internal network. |
31 |
Allow HTTP from Forefront TMG to selected computers for Content Download Jobs (disabled by default) |
Various |
HTTP |
Local Host |
All Networks (and Local Host) |
This rule is automatically enabled when you create a Content Download Job in Forefront TMG Management. |
32 |
Allow MS Firewall Control communication to selected computers |
Remote Management |
MS Firewall Control MS Firewall Storage |
Local Host |
Enterprise Remote Management Computers Remote Management Computers |
If you are not using remote MMC, disable this rule. |
33 |
Allow remote access to Configuration Storage server |
Configuration Storage Servers |
MS Firewall Control MS Firewall Storage |
Local Host |
All Networks (and Local Host) Enterprise Configuration Storage Servers |
This rule is not relevant for Forefront TMG in the Essential Business Server scenario. |
34 |
Allow access from trusted servers to the local Configuration Storage server |
Configuration Storage Servers |
Microsoft CIFS (TCP) Microsoft CIFS (UDP) MS Firewall Control MS Firewall Storage |
Local Host Array Servers Enterprise Remote Management Computers Managed Forefront TMG Computers Remote Management Computers Replicate Configuration Storage Servers |
Local Host |
This rule is not relevant for Forefront TMG in the Essential Business Server scenario. |
35 |
Allow replication between Configuration Storage servers |
Configuration Storage Servers |
MS Firewall Storage Replication RPC (all interfaces) |
Local Host Replicate Configuration Storage Servers |
Local Host Replicate Configuration Storage Servers |
This rule is not relevant for Forefront TMG in the Essential Business Server scenario. |
36 |
Allow intra-array communication |
Intra-array Communication |
Microsoft CIFS (TCP) Microsoft CIFS (UDP) Microsoft SQL (TCP) MS Firewall Control RPC (all interfaces) |
Array Servers |
Array Servers |
This rule is not relevant for Forefront TMG in the Essential Business Server scenario. |
37 |
Allow IPv6 infrastructure traffic from local-host to IPv6 networks rule |
Various |
ICMPv6 Listener Done ICMPv6 Listener Query ICMPv6 Listener Report ICMPv6 Listener Report v2 ICMPv6 Multicast Router Advertisement ICMPv6 Multicast Router Solicitation ICMPv6 Multicast Router Termination ICMPv6 Neighbor Advertisement ICMPv6 Neighbor Solicitation ICMPv6 Router Advertisement ICMPv6 Router Solicitation |
Local Host |
Internal |
This rule allows IPv6 infrastructure traffic from local-host to IPv6 networks. |
38 |
Allow IPv6 infrastructure traffic from IPv6 networks to local-host rule |
Various |
ICMPv6 Listener Done ICMPv6 Listener Query ICMPv6 Listener Report ICMPv6 Listener Report v2 ICMPv6 Multicast Router Advertisement ICMPv6 Multicast Router Solicitation ICMPv6 Multicast Router Termination ICMPv6 Neighbor Advertisement ICMPv6 Neighbor Solicitation ICMPv6 Router Advertisement ICMPv6 Router Solicitation Link-local multicast name resolution |
Internal |
Loacl Host |
This rule allows IPv6 infrastructure traffic from IPv6 networks to local-host rule. |
39 |
Blocks access from Protection Manager Blocked Access Computers to the External network |
Network Services |
All Outbound Traffic |
Protection Manager Blocked Access Computers Protection Manager Exempt Computers |
All Networks (and Local Host) |
This rule blocks access from the computers in the Protection Manager Blocked Access Computers computer set to the External network. |
40 |
Restricts access from Protection Manager Limited Access Computers to the External network |
Network Services |
All Outbound Traffic |
Protection Manager Blocked Access Computers Protection Manager Exempt Computers |
All Networks (and Local Host) Approved URLs for Protection Manager policies |
This rule allows access from the computers in the Protection Manager Limited Access Computers to URLs approved for Protection Manager policies. |
41 |
Allow access between local host and the Protection Manager gateway |
Network Services |
Forefront codename Stirling WS |
Internal Local Host |
Local Host Forefront codename Stirling gateway |
This rule allows traffic between the Forefront TMG server and the Protection Manager gateway. |
42 |
Allow Notifications to Forefront TMG Client |
Various |
Allow Notifications to Forefront TMG Client |
Local Host |
Internal Quarantined VPN Clients VPN Clients |
This rule allows notifications from Forefront TMG to the Forefront TMG Client software on client computers. |
43 |
Allow access from local host to Forefront codename Stirling core server |
Network Services |
WCF |
Local Host |
Forefront codename Stirling core servers |
This rule allows access from the Forefront TMG server to the Forefront codename Stirling core server. |
44 |
Allow SMTP traffic to the local host for mail protection and filtering |
Various |
SMTP |
All Networks (and Local Host) |
Local Host |
This rule allows SMTP traffic from the internet to the local host for advanced Antispam and Content filtering and Malware protection. |
45 |
Allow SMTP traffic to the internet for mail protection and filtering |
Various |
SMTP |
Local Host |
All Networks (and Local Host) |
This rule allows SMTP traffic to from the local host to the internet for advanced Antispam and Content filtering and Malware protection. |
46 |
SSTP Publishing |
Network Services |
None |
None |
Local Host |
SSTP publishing rule for allowing VPN roaming clients connections using SSTP protocol. |
47 |
Allow LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync synchronization process |
Network Services |
LDAP(EdgeSync) LDAPS(EdgeSync) |
Internal |
Local Host |
This rule allows LDAP/LDAPS traffic to the local host for the Exchange Server EdgeSync synchronization process. |
48 |
Direct Access mode: Allow restricted set of protocols over IPv6 to local-host rule |
Various |
DHCPv6 ICMPv6 Echo ICMPv6 Listener Done ICMPv6 Listener Query ICMPv6 Listener Report ICMPv6 Listener Report v2 ICMPv6 Multicast Router Advertisement ICMPv6 Multicast Router Solicitation ICMPv6 Multicast Router Termination ICMPv6 Neighbor Advertisement ICMPv6 Neighbor Solicitation ICMPv6 Router Advertisement ICMPv6 Router Solicitation IKE Server Link-local multicast name resolution |
Anywhere (IPv6) |
Local Host |
This rule allows restricted set of protocols over IPv6 in DirectAccess mode to local-host rule. |
49 |
Direct Access mode: Allow IPv6 transition technologies traffic to local-host rule |
Various |
HTTPS IPv6 Over IPv4 Tunnel Teredo Server |
All Networks (and Local Host) |
Local Host |
This rule allows IPv6 transition technologies traffic in DirectAccess mode to local-host rule. |
50 |
Direct Access mode: Allow IPv6 traffic from local-host rule |
Various |
All Outbound Traffic |
Local Host |
Anywhere (IPv6) |
This rule allows IPv6 traffic in DirectAccess mode from local-host rule. |