Configuring for TMG using non-web-proxy clients

Applies to:
  • Forcepoint URL Filtering, v8.5.x

If you are using non-web-proxy clients with Forefront TMG, additional configuration is required so that your web protection software can manage Internet requests correctly. The term non-web-proxy clients refers to:

  • Firewall/Forefront TMG Client with the proxy server disabled
  • SecureNAT clients

Firewall/Forefront TMG Client

If you are using Firewall/Forefront TMG Client with Forefront TMG, and the proxy server is enabled (default setting), your web protection software handles Internet requests normally.

However, if the proxy server is disabled, web protection software cannot manage Internet requests without additional configuration.

Check the Firewall/Forefront TMG Client machine to see if the proxy server is disabled.

  1. Open the Firewall/Forefront TMG Client configuration screen, and select the Web Browser tab.
  2. View the Enable Web browser automatic configuration check box.
    • If it is marked, the proxy server is enabled. Forcepoint URL Filtering requires no additional configuration.
    • If it is cleared, the proxy server is disabled. See Configuring the ISAPI Filter plug-in for additional configuration steps.
      Note: If the proxy server is disabled, web protection software manages HTTP only; it cannot manage HTTPS.

SecureNAT clients

SecureNAT clients require that you configure the default gateway so that all traffic to the Internet is sent through TMG. If you need information about configuring and using SecureNAT clients, see your TMG documentation.

See Configuring the ISAPI Filter plug-in for additional configuration steps.

Configuring the ISAPI Filter plug-in

If you are using the TMG Firewall Client with the proxy server disabled, or SecureNAT clients, the ISAPI Filter plug-in must be configured to ignore requests going directly to the TMG and to manage only those requests going out to the Internet.

Note: If you are using the TMG Server Firewall Client with the proxy server disabled, then your web protection software handles HTTP only, not HTTPS.

  1. On the TMG machine, create a file called ignore.txt in the Windows system32 directory.
  2. Enter the hostname or IP address of the TMG machine in the text file.

    Hostnames must be entered in ALL CAPS. Entries that are not in all capital letters are not used.

  3. If the TMG machine hosts multiple websites, add the names of all the sites being hosted. For example: webmail.rcd.com.

    If only one website is hosted, do not add it to this file.

  4. Restart the TMG machine.
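
A check for steps 2 and 3 above, as an added example that is not part of the Forcepoint documentation: this PowerShell script flags ignore.txt entries that are not in all capital letters, which the procedure says are not used, so they can be corrected before the restart in step 4. It assumes one entry per line (the page does not state the file layout) and treats dotted-quad IPv4 addresses as having no letter case; the function names and sample entries are constructed for illustration.

```powershell
# Added example, not Forcepoint code. Assumes one entry per line in ignore.txt.
function Test-IgnoreEntry {
    param([string]$Entry)

    $value = $Entry.Trim()
    if ($value -eq '') { return }                      # skip blank lines

    $ip = $null
    if ($value -match '^\d{1,3}(\.\d{1,3}){3}$') {
        # IPv4 literals have no letter case, so only their syntax is checked.
        $kind  = 'IPv4'
        $used  = [System.Net.IPAddress]::TryParse($value, [ref]$ip)
        $fixed = $value
    } else {
        # Case-sensitive compare: per the page, an entry that is not in
        # all capital letters is not used.
        $kind  = 'Hostname'
        $fixed = $value.ToUpperInvariant()
        $used  = ($value -ceq $fixed)
    }

    New-Object PSObject -Property @{
        Entry = $value; Kind = $kind; Used = $used; Suggested = $fixed
    }
}

function Test-IgnoreFile {
    param([string[]]$Lines)
    $Lines | ForEach-Object { Test-IgnoreEntry -Entry $_ }
}

# Constructed sample entries (placeholders, not values from a real deployment).
$sample = @('TMG01', '192.0.2.10', 'tmg01.example.test',
            'WEBMAIL.EXAMPLE.TEST', '192.0.2.999')

# Lint the real file when it exists (on the TMG machine), otherwise the sample.
$path  = "$env:windir\system32\ignore.txt"
$lines = if (Test-Path $path) { Get-Content $path } else { $sample }

$results = @(Test-IgnoreFile -Lines $lines)
$results | Select-Object Entry, Kind, Used, Suggested | Format-Table -AutoSize

$bad = @($results | Where-Object { -not $_.Used })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} entries would not be used; correct them before restarting." -f $bad.Count)
}
```

With the sample entries, `tmg01.example.test` is reported as unused with the suggested value `TMG01.EXAMPLE.TEST`, and `192.0.2.999` is reported as an invalid IPv4 address.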