URL filtering troubleshooting flow
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic is designed to help you troubleshoot and resolve URL filtering issues.
Issues include:
Incorrect or unknown site categorization.
Failure to prevent access to blocked sites.
Inconsistent access based on IP address.
The following sections provide:
Prerequisites
Flowchart for troubleshooting URL filtering
Procedures for troubleshooting URL filtering
Prerequisites
To troubleshoot URL filtering issues, you must be familiar with the following Forefront TMG procedures:
Querying Forefront TMG logs. For information, see Querying the Forefront TMG logs.
Adjusting the Forefront TMG firewall policy. For information, see Configuring firewall policy.
Defining URL overrides. For information, see Overriding URL categorization.
Flowchart for troubleshooting URL filtering
This flowchart guides you through the steps required for troubleshooting URL filtering.
.gif "URL filtering troubleshooting flow")
Procedures for troubleshooting URL filtering
The following procedures describe steps you might need to take when you use the flowchart to troubleshoot URL filtering:
How to query the Forefront TMG logs for MRS servers
How to obtain or renew a WSS license
How to query the Forefront TMG logs for MRS servers
- Obtain the IP addresses of the Microsoft Reputation Services (MRS) servers. At the command prompt of the Forefront TMG server, type:
for %i in (ds ts) do nslookup 10.%i.mrs.microsoft.com
This is an example of valid results:
.gif "Obtaining IP addresses of MRS servers")
Query Forefront TMG logs for the MRS servers by using the Web Proxy Logging filter and the Firewall Logging filter.
Note
Log query filters use "and" by default; searching for multiple IP addresses in a single query will produce no results.
This table lists the parameters you must select or enter when you query the logs using the Web Proxy Logging filter.
Filter by Condition Value URL
Contains
mrs.microsoft.com
Log Time
Last 24 Hours
Live (if observed while reproducing the issue)
NA
Action
Not Equal
Connection Status
This table lists the parameters you must select or enter when you query the logs using the Firewall Logging filter.
Filter by Condition Value Destination IP
Equals
IPv4 IP address obtained during name resolution troubleshooting
Log Time
Last 24 Hours
Live (if observed while reproducing the issue)
NA
Action
Not Equal
Connection Status
How to obtain or renew a WSS license
URL filtering is subscription based, and is part of the Forefront TMG Web Security Service license. For licensing information, see How to Buy (https://go.microsoft.com/fwlink/?LinkId=179848).