Configuring the ISAPI Filter plug-in to ignore specific traffic

Applies to:
  • Forcepoint URL Filtering, v8.5.x

You can configure the ISAPI Filter plug-in to bypass both policy enforcement and logging for certain traffic, based on the user name, hostname, or URL. This may be used for a small group of websites or users, or for machines in a complex proxy-array or proxy-chaining configuration.

To prevent policy enforcement and logging of this traffic, add the user names, hostnames, and URLs that you do not want your web protection software to handle to the isa_ignore.txt file.

  1. On the TMG machine, open the isa_ignore.txt file in a text editor. This file is located in the Windows system32 directory.
    Important:

    The default isa_ignore.txt file installed during upgrade or installation contains the following URL:

    url=http://ms_proxy_intra_array_auth_query/

    Do not delete this URL. It is used by TMG in a CARP array for communication. This URL must be ignored by web protection software to allow policy enforcement and logging to work properly when multiple TMG instances are deployed in an array.

  2. Enter each user name, hostname, or URL that you want web protection software to ignore. Enter each item on its own line in the file, using the formats below.
    • User name: Enter the name of a user whose Internet requests should be ignored:

      username=<user_name>

      Examples:

      username=jsmith

      username=domain1/jsmith

    • Hostname: Enter a destination hostname for which user requests should be ignored:

      hostname=<name>

      Example:

      hostname=yahoo.com

    • URL: Enter a URL for which user requests should be ignored:

      url=<URL>

      Example:

      url=http://mail.yahoo.com/

      url=mail.yahoo.com/

      Note: To ensure that the correct format is available for all situations, it is recommended that you enter the same name in all available configurations. For example, make 2 entries for user name: one with and one without the domain. Make 2 entries for URL: one with and one without the protocol.
  3. Restart the TMG service.
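
Because every entry in isa_ignore.txt bypasses both policy enforcement and logging, it is worth checking the file before restarting the service. The following Python check is an added example, not part of the Forcepoint documentation, and is meant to be run against a copy of the file. It assumes keys are lowercase exactly as shown above and that the file has no comment syntax; the function names and the sample contents are constructed for illustration.

```python
REQUIRED = ("url", "http://ms_proxy_intra_array_auth_query/")
KEYS = ("username", "hostname", "url")  # assumption: lowercase, as shown on the page

def parse(text):
    """Return (entries, bad): a set of (key, value) pairs and [(line_no, raw)]."""
    entries, bad = set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.strip().partition("=")
        if sep and key in KEYS and value:
            entries.add((key, value))
        elif raw.strip():
            bad.append((n, raw))
    return entries, bad

def audit(text):
    """Return a list of findings; an empty list means the file passed."""
    entries, bad = parse(text)
    findings = [f"line {n}: unrecognized entry {raw!r}" for n, raw in bad]
    if REQUIRED not in entries:
        findings.append("missing required entry url=" + REQUIRED[1])
    users = {v for k, v in entries if k == "username"}
    urls = {v for k, v in entries if k == "url"} - {REQUIRED[1]}
    for u in sorted(users):
        # Recommended: one entry with the domain and one without.
        if "/" in u and u.rsplit("/", 1)[1] not in users:
            findings.append(f"username={u}: no entry without the domain")
        elif "/" not in u and not any(x.endswith("/" + u) for x in users):
            findings.append(f"username={u}: no entry with the domain")
    for u in sorted(urls):
        # Recommended: one entry with the protocol and one without.
        bare = u.split("://", 1)[-1]
        if "://" in u and bare not in urls:
            findings.append(f"url={u}: no entry without the protocol")
        elif "://" not in u and not any(x.endswith("://" + u) for x in urls):
            findings.append(f"url={u}: no entry with the protocol")
    return findings

# Constructed sample file contents (not taken from a real deployment).
SAMPLE = """url=http://ms_proxy_intra_array_auth_query/
username=jsmith
username=domain1/jsmith
hostname=yahoo.com
url=http://mail.yahoo.com/
user=bob
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Keeping the file under change control and reviewing each added entry complements this check, since ignored traffic leaves no record in the web protection logs.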

Client computer configuration

Internet browsers on client computers should be configured to use TMG to handle HTTP, HTTPS, and FTP requests.

An exception to this configuration is browsers in a TMG environment using Firewall/Forefront TMG Clients or SecureNAT. These browsers must point to the same port, 8080, that TMG uses for each protocol.

See the browser online help for configuration instructions.

Firewall configuration

To prevent users from circumventing Forcepoint URL Filtering policy enforcement, configure your firewall or Internet router to allow outbound HTTP, HTTPS, and FTP requests only from TMG.

Contact your router or firewall vendor for information about configuring access lists on the router or firewall.

Important: If web protection software Internet connectivity requires authentication through a proxy server or firewall for HTTPS traffic, the proxy server or firewall must be configured to accept clear text or basic authentication to enable the Master Database download.