Planning for deny rule user override (SP1)

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Important

The information in this topic is relevant to Forefront TMG SP1.

You can configure Forefront TMG to allow users to override an access restriction and proceed to a blocked website on a per request basis. This can provide a more flexible web access policy, by allowing users to decide for themselves whether to access a site that was denied to them. This is especially useful for websites that have been incorrectly categorized.

This topic describes:

  • How user override works

  • Implementing user override

  • User override log records

  • Known issues

How user override works

User override works as follows:

  1. A user attempts to access a website that is categorized in a URL category or URL category set that is blocked by policy, and Forefront TMG presents an HTML access denied notification page.

  2. If the rule is configured to allow user override, the HTML page includes a button named Override Access Restriction.

  3. When the user clicks the Override Access Restriction button, the proxy server allocates the user's browser a cookie that accompanies all subsequent web requests to this domain, and the browser is triggered to reload the URL.

  4. The proxy server receives the web request with the cookie and effectively disables the blocking rule for this web request only.

    Note

    • The cookie remains valid for the length of the browser session, or for the configured time-out period.

    • If another web request is made is made in the same browser session to a different domain or URL category, the user will need to override the access restriction (if permitted) again.

  5. The web request is accepted by a rule that allows access to the previously blocked destination.

  6. The previously blocked web page opens in the user’s browser, and the user may continue accessing the site either for the length of the session or for the configured time-out period.

  7. If logging is enabled for this rule, the user’s request and subsequent access of the site is recorded.

Implementing user override

Two steps are required to implement user override:

  1. Create a rule that blocks access to sites based on URL categories or URL category sets.

  2. Enable Allow user override on the Action tab of the rule.

Note

For user override to work, one of the subsequent firewall policy rules must allow access to the requested destination.

For configuration details, see how to Enable user override for deny rules in Configuring web access rule properties.

Note

To enable user override for an access rule, the following conditions must be met:

  • The destination (and any destination exclusions) must include URL categories and URL category sets only. Attempting to add another kind of network entity (for example, an IP address) generates an error.

  • The protocol must be HTTP only.

  • User override is not supported for HTTPS traffic. If necessary, create a separate rule denying HTTPS traffic to these URL categories.

  • The rule must apply to all types of HTTP content. Make sure that the rule is set to apply to All content types on the Content Types tab.

User override log records

Requests to override access restrictions are recorded in the Web Proxy log, allowing you to identify:

  1. Who requested the access (source IP address or authenticated user), and when.

  2. The site that was requested and its URL category.

  3. The rules that blocked and later allowed the request.

Reviewing the logs also allows you to establish whether user override is working properly and troubleshoot problems as they arise.

The following table provides an example of a properly functioning user override rule.

Action Client IP Client Username Rule Overridden Rule URL URL Category

Denied Connection

10.10.10.1

anonymous

(URL category block rule with user override enabled)

https://www. contoso.com

Malicious

Allowed Connection

10.10.10.1

anonymous

(Rule allowing previously blocked URL categories)

(URL category block rule with user override enabled)

https://www. contoso.com

Malicious

Note

  • The rule that blocked the initial access request appears as the “Overridden Rule” in the rule that allows the connection.

  • This table shows the fields relevant for the user override feature; there are many others available in the log viewer.

Known issues

In the event that a user reports HTML pages with empty frames or frames that contain error messages, search the Web Proxy log file for requests for the specific frames. If you find that the rule that denied these connections has user override enabled, the issue is most likely related to the URL categorization of the content in the frame. If this categorization is incorrect, you can override it; for instructions see Overriding URL categorization. You can also report the URL to the Microsoft Reputation Service. For details, see Microsoft Reputation Services Feedback and Error Reporting (https://go.microsoft.com/fwlink/?LinkId=178581).

Tasks

Configuring web access rule properties

Concepts

Planning for web access