Forefront TMG URL filtering

I have finally loaded up Forefront TMG (Threat Management Gateway) after blogging about the passing of ISA last year – er, uh, 2009 rather.

It feels like a typical upgrade of ISA: the interface is cleaner, and rule changes are processed much quicker, particularly against existing connections. They call this “Policy Reevaluation” or “Policy Enforcement”. In ISA 2004 and 2006, policy changes only applied to new connections, and this was a never-ending point of frustration when troubleshooting.

There are a few additional features; one in particular I really like is the explicit URL filtering function built into the application, which can be applied directly in a rule. Microsoft has provided a categorization of URLs, which they dynamically update via the Microsoft Reputation Service (MRS). Previously in ISA, one had to build all of this manually with domain name sets and VB scripting. There’s also a malware inspection feature. Unfortunately, both of these services are licensed separately at $22 per user/device annually.