Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to block traffic from an Internet-based music sharing service in Microsoft Forefront Threat Management Gateway, Medium Business Edition



Introduction

This article describes how to prevent traffic from an Internet-based music-sharing resource, such as Napster, from passing through Microsoft Forefront Threat Management Gateway, Medium Business Edition.



More information

You can use several methods to help prevent users from accessing an Internet-based resource through Microsoft Forefront Threat Management Gateway, Medium Business Edition. While this article uses Napster.com as an example, you can use the methods that are described in this article to deny access to various Internet-based resources.

Method 1: Use a domain name set

Create an access rule that denies access to the destination that the Internet-based service requires for its initial logon. To do this, first create a domain name set policy element for that destination, and then use the domain name set in a deny rule. Optionally, the rule can redirect denied HTTP requests to an internal Web page that states your Internet access policy. To create the domain name set policy element and the access rule, follow these steps:
  1. Start Microsoft Forefront Threat Management Gateway, Medium Business Edition Management, and then connect to your Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer if you are not already connected.
  2. Expand Servername, where Servername is the name of your Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer, and then click Firewall Policy.
  3. Click the Toolbox tab, click Network Objects, click New, and then click Domain Name Set.
  4. In the Name box, type a name for the domain name set policy element.
  5. Click New, and then type the domain name that you want this policy element to define. For example, type *.napster.com. To make sure that requests that are addressed to the bare domain name are also denied, click New again, and then type napster.com.
  6. Click OK.
  7. Click the Tasks tab, and then click Create New Access Rule.
  8. Type a name for the access rule, and then click Next.
  9. Leave the Deny option selected, and then click Next.
  10. Leave the All outbound traffic option selected in the This rule applies to list, and then click Next.
  11. Click Add, click the network entity that you want to prevent from accessing the particular Internet service, click Add, and then click Close. For example, if you want to prevent all users who are connected to the internal network from accessing Napster.com, expand Networks, click Internal, click Add, and then click Close.
  12. Click Next, and then click Add.
  13. Expand Domain Name Sets, click the new domain name set that you created, click Add, and then click Close.
  14. Click Next, leave the default All Users user set that is listed in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
  15. If you want to redirect the client request to an internal Internet access policy Web page, follow these steps:
    1. Right-click the new access rule that you created, and then click Properties.
    2. Click the Action tab, click to select the Redirect HTTP requests to this Web page check box, type the URL of that Web page, and then click OK.
  16. Click Apply to save your changes and to update the firewall policy, and then click OK.

    Note Access rules are evaluated in the order in which they are listed on the Firewall Policy tab, and the first rule that matches a request is applied. If an "allow" rule that permits outbound Web traffic or all outbound traffic is listed before this rule, the deny rule is never reached. To move the new rule above such rules, right-click the rule, and then click Move Up. After you have changed the rule order, click Apply to save your changes and to update the firewall policy, and then click OK.
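The following PowerShell script is an added example, not part of the original article, that performs the same steps as Method 1 through the Forefront TMG administration COM object (ProgID FPC.Root, the object model that the ISA Server SDK documents) instead of through the management console. It assumes an elevated PowerShell session on the Forefront TMG, Medium Business Edition server. The set and rule names, the intranet policy-page URL, and the enumeration values are assumptions taken from the ISA Server SDK; check them against the SDK that matches your product version.

```powershell
# Added example (not from the KB article): Method 1 through the TMG / ISA administration
# COM object. Assumed: elevated session on the TMG MBE server, ProgID "FPC.Root", and the
# enumeration values below (taken from the ISA Server SDK; confirm against your SDK version).

$SetName   = "Blocked music sharing sites"                        # assumed name
$RuleName  = "Deny Napster"                                       # assumed name
$PolicyUrl = "http://intranet.example.local/internet-policy.htm"  # assumed internal policy page

$fpcPolicyRuleActionDeny = 1   # FpcPolicyRuleActions: Allow = 0, Deny = 1
$fpcInclude              = 0   # FpcIncludeStatus: Include = 0, Exclude = 1
$fpcAllProtocols         = 0   # FpcProtocolSelectionType: AllProtocols = 0

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()

# 1. Domain name set (steps 3-6). The wildcard entry covers hosts under the domain;
#    the bare domain name is added as a second entry so that it is denied as well.
$set = $array.RuleElements.DomainNameSets.Add($SetName)
$set.Specification.Add("*.napster.com")
$set.Specification.Add("napster.com")
$set.Save()

# 2. Deny rule (steps 7-15): all outbound traffic, from Internal, to the domain name set,
#    all users (the default), with denied HTTP requests redirected to the policy page.
$rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($RuleName)
$rule.Action = $fpcPolicyRuleActionDeny
$rule.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols
$rule.SourceSelectionIPs.Networks.Add("Internal", $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.DomainNameSets.Add($SetName, $fpcInclude)
$rule.AccessProperties.RedirectUrl = $PolicyUrl
$rule.Save()

# 3. Ordering check (the Note above): rules are evaluated top-down and the first match
#    wins. List every rule up to the new one so that any Allow rule above it is visible.
$position = 0
foreach ($r in $array.ArrayPolicy.PolicyRules) {
    $position++
    $action = if ($r.Action -eq $fpcPolicyRuleActionDeny) { "Deny " } else { "Allow" }
    "{0,3}  {1}  {2}" -f $position, $action, $r.Name
    if ($r.Name -eq $RuleName) { break }
}
Write-Host "If an Allow rule above '$RuleName' permits Internal -> External traffic, move '$RuleName' above it in the console."
```

Saving the rule object commits the change to the configuration storage, which is what the Apply button in the console does for changes made there; the ordering check only reports, so the Move Up step is still performed in the console.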

Method 2: Use a content type

To create an access rule that denies the .mp3 content type, follow these steps:
  1. Start Microsoft Forefront Threat Management Gateway, Medium Business Edition Management, and then connect to your Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer if you are not already connected.
  2. Expand Servername, and then click Firewall Policy.
  3. Click the Toolbox tab, click Content Types, and then click New.
  4. In the Name box, type a name for the .mp3 content type.
  5. In the Available types list, click .mp3, and then click Add.
  6. Click OK.
  7. Click the Tasks tab, and then click Create New Access Rule.
  8. Type a name for the access rule, and then click Next.
  9. Leave the Deny option selected, and then click Next.
  10. Leave the All outbound traffic option selected in the This rule applies to list, and then click Next.
  11. Click Add, click the network entity that you want to prevent from accessing the particular Internet service, click Add, and then click Close. For example, if you want to prevent all users who are connected to the internal network from downloading .mp3 files, expand Networks, click Internal, click Add, and then click Close.
  12. Click Next, and then click Add.
  13. Expand Networks, click External, click Add, and then click Close.
  14. Click Next, leave the default All Users user set listed in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
  15. Right-click the new access rule that you created, and then click Properties.
  16. Click the Content Types tab, and then click Selected content types.
  17. In the Content types list, click to select the check box that corresponds to the new content type that you created for .mp3 files, and then click OK.
  18. Click Apply to save your changes and to update the firewall policy, and then click OK.
Note Content type rules are applied only to HTTP traffic that passes through the Web proxy filter. A peer-to-peer file sharing program that uses its own protocol, or that tunnels over a port other than the Web proxy's, is not affected by this method; use Method 1 or Method 3 for such programs.

Method 3: Use a protocol definition

Use a protocol definition to deny the connection that the Internet-based resource makes when it starts. File sharing clients typically use a fixed port for their initial logon connection, and then negotiate a separate port for each file transfer. For example, Napster uses TCP port 8875 for the initial connection, after which the local file sharing port is negotiated for each connection. Because the negotiated ports vary, deny the fixed logon port rather than trying to enumerate the transfer ports. You can use Network Monitor to determine the ports that a particular program uses for its initial connection.

Note Verify the port that the service currently uses for its initial connection before you configure the protocol definition. These ports may change, for example when the client software is updated.

After you obtain the latest information about the port or ports that are used for the outbound connection, create an access rule to deny access to the particular protocol definition. The protocol definition will have settings that are similar to the following:
  Port number: 8875 (or the port that you determined)
  Protocol type: TCP
  Direction: Outbound
To create an access rule that is based on a protocol definition, follow these steps:
  1. Start Microsoft Forefront Threat Management Gateway, Medium Business Edition Management, and then connect to your Microsoft Forefront Threat Management Gateway, Medium Business Edition Server computer if you are not already connected.
  2. Expand Servername, and then click Firewall Policy.
  3. Click the Toolbox tab, click Protocols, click New, and then click Protocol.
  4. In the Name box, type a name for the protocol definition, and then click Next.
  5. Click New, leave the TCP option selected in the Protocol type list, leave the Outbound option selected in the Direction list, type the port number that you want to define in the From box and in the To box, and then click OK.
  6. Click Next two times, and then click Finish.
  7. Click the Tasks tab, and then click Create New Access Rule.
  8. Type a name for the access rule, and then click Next.
  9. Leave the Deny option selected, and then click Next.
  10. In the This rule applies to list, click Selected protocols, and then click Add.
  11. Expand User-Defined, click the new protocol definition that you created, click Add, and then click Close.
  12. Click Next, click Add, click the network entity that you want to prevent from accessing the particular Internet service, click Add, and then click Close. For example, if you want to prevent all users who are connected to the internal network from connecting to a particular service port, expand Networks, click Internal, click Add, and then click Close.
  13. Click Next, and then click Add.
  14. Expand Networks, click External, click Add, and then click Close.
  15. Click Next, leave the default All Users user set listed in the This rule applies to requests from the following user sets box, click Next, and then click Finish.
  16. Click Apply to save your changes and to update the firewall policy, and then click OK.
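The following PowerShell script is an added example, not part of the original article, that performs Method 3 through the Forefront TMG administration COM object (ProgID FPC.Root) and then lists every other protocol definition that already covers the same port, because an "allow" rule above the new deny rule that uses one of those definitions would still let the logon connection through. It assumes an elevated PowerShell session on the Forefront TMG, Medium Business Edition server. The names and the enumeration values, in particular the protocol type and direction values, are assumptions taken from the ISA Server SDK; check them against the SDK that matches your product version.

```powershell
# Added example (not from the KB article): Method 3 through the TMG / ISA administration
# COM object. Assumed: elevated session on the TMG MBE server, ProgID "FPC.Root", and the
# enumeration values below (taken from the ISA Server SDK; confirm against your SDK version).

$Port     = 8875                                   # logon port named in the article; verify with Network Monitor
$PdName   = "Napster logon TCP $Port outbound"     # assumed name
$RuleName = "Deny Napster logon port"              # assumed name

$fpcTCP                  = 6   # FpcProtocolType, assumed value (IP protocol number for TCP)
$fpcOutbound             = 1   # FpcConnectionDirectionType, assumed value
$fpcPolicyRuleActionDeny = 1   # FpcPolicyRuleActions: Allow = 0, Deny = 1
$fpcInclude              = 0   # FpcIncludeStatus: Include = 0, Exclude = 1
$fpcSpecifiedProtocols   = 1   # FpcProtocolSelectionType: SpecifiedProtocols = 1

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()

# 1. Protocol definition (steps 3-6): one outbound TCP primary connection on the logon port.
$pd = $array.RuleElements.ProtocolDefinitions.Add($PdName)
$pd.PrimaryConnections.Add($Port, $Port, $fpcTCP, $fpcOutbound) | Out-Null
$pd.Save()

# 2. Deny rule (steps 7-16): only the new protocol, from Internal to External, all users.
$rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($RuleName)
$rule.Action = $fpcPolicyRuleActionDeny
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add($PdName, $fpcInclude)
$rule.SourceSelectionIPs.Networks.Add("Internal", $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add("External", $fpcInclude)
$rule.Save()

# 3. Overlap check: every protocol definition whose outbound TCP primary connection
#    includes the logon port. An Allow rule listed above the new Deny rule that uses one
#    of these definitions still matches the logon connection first.
foreach ($def in $array.RuleElements.ProtocolDefinitions) {
    foreach ($pc in $def.PrimaryConnections) {
        if ($pc.ProtocolType -eq $fpcTCP -and $pc.Direction -eq $fpcOutbound -and
            $pc.LowPort -le $Port -and $pc.HighPort -ge $Port) {
            "{0}  TCP {1}-{2} outbound" -f $def.Name, $pc.LowPort, $pc.HighPort
        }
    }
}
```

Run the overlap check again after updating the port number, because the protocol definition must be edited, not recreated, when the service changes its logon port.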
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.



Keywords: KB837447, kbinfo


Article Info
Article ID : 837447
Revision : 3
Created on : 11/17/2008
Published on : 11/17/2008
Exists online : False