Bing Safe Search, ISA Server and Forefront TMG

Introduction

With the release of Microsoft’s new search portal (AKA decision engine), the Bing team has offered a couple of methods by which you can filter out unwanted content, generally classified as “explicit”. Unfortunately, the first method outlined in the Bing blog doesn’t help ISA or TMG users. To make this easier for firewall and proxy administrators, the Bing team created a new subdomain, explicit.bing.net. In this posting, I’ll show you how to use that new method in your ISA and TMG policies.

TMG URL Categories (TMG Beta 3 and later only)

<Update 5 Jun 2009>
At the request of the Bing team, Microsoft Reputation Services has categorized *.explicit.bing.net and explicit.bing.net as "Pornography", so the manual steps below are only required if you do not use the URL categorization provided by Microsoft Reputation Services.
</Update>

TMG Beta 3 brings with it the long-awaited URL categories feature. In concert with Microsoft Reputation Services and their many partners, TMG allows you to block content you or your organization consider inappropriate. This process will help you add the new Bing explicit sites to that set.

1.       In the TMG management console, select Firewall Policy

2.       In the right pane:

a.        select the Toolbox tab

b.       expand Network Objects, then URL Categories

3.       Right-click Pornography (or whichever category you prefer) and select Properties

4.       In the URL Categories Properties page:

a.        click Add

b.       in the URL Categories Override dialog, enter explicit.bing.net/*, click OK

c.        click Add

d.       in the URL Categories Override dialog, enter *.explicit.bing.net/*, click OK

5.       Your modified URL category should now list both overrides added in step 4

6.       Click OK to close the URL Category Properties page

Ideally, you would have allowed TMG to build a default blocked URL category set as part of the Web Access Policy wizard. If you’ve already created your Web Access policy set using this option, it will include a Blocked Web Destinations “deny” access rule.

If you don’t have this rule and you’re willing to completely rewrite your Web Access Policy, use the Configure Web Access Policy wizard to create a default Web Access policy that includes this set. Otherwise…

7.       In the TMG management console left pane, select Firewall Policy

8.       In the center pane, select the first-listed access rule (this ensures that the new rule is listed first)

9.       In the left pane, right-click Firewall Policy and select New, then Access Rule

10.    In the Welcome page, enter Deny Porn and click Next

11.    In the Rule Action page, select Deny and click Next

12.    In the Protocols page, click Add

13.    In the Add Protocols page:

a.        expand Web

b.       Select HTTP, then click Add

c.        Select HTTPS, then click Add, then click Close

14.    In the Protocols page, click Next

15.    In the Access Rule Sources page, click Add

16.    In the Add Network Entities page:

a.        expand Network Sets

b.       select All Protected Networks, click Add

c.        click Close

17.    In the Access Rule Sources page, click Next

18.    In the Access Rule Destinations page, click Add

19.    In the Add Network Entities page:

a.        expand URL Categories

b.       select Pornography, click Add

c.        click Close

20.    In the Access Rule Destinations page, click Next

21.    In the User Sets page, click Next

22.    In the Completing the New Access Rule Wizard page, verify that the summary data is correct, and then click Finish; your new rule should appear immediately above the previously-selected access rule.

TMG Beta 2 or ISA Server Domain Name Sets

If you don’t want to mess with URL Categories (or you haven’t upgraded from TMG B2 yet – fer shame on ya), or you’re still using ISA Server, then you need to use domain name sets in a deny rule.

1.       In the management console, select Firewall Policy

2.       In the right pane:

a.        Select the Toolbox tab

b.       Expand Network Objects

c.        Select New, then Domain Name Set

3.       In the New Domain Name Set Policy Element page:

a.        Enter Bing Explicit in the Name field

b.       click Add

c.        in the center pane, enter explicit.bing.net, click Add

d.       in the center pane, enter *.explicit.bing.net, click OK

4.       Your modified Domain Name Set should now list both entries added in step 3

5.       Click OK to close the New Domain Name Set Policy Element page

6.       In the management console left pane, select Firewall Policy

7.       In the center pane, select the first-listed access rule (this ensures that the new rule is listed first)

8.       In the left pane, right-click Firewall Policy and select New, then Access Rule

9.       In the Welcome page, enter Deny Bing Explicit and click Next

10.    In the Rule Action page, select Deny and click Next

11.    In the Protocols page, click Add

12.    In the Add Protocols page:

a.        expand Web

b.       Select HTTP, then click Add

c.        Select HTTPS, then click Add, then click Close

13.    In the Protocols page, click Next

14.    In the Access Rule Sources page, click Add

15.    In the Add Network Entities page:

a.        expand Network Sets

b.       select All Protected Networks, click Add

c.        click Close

16.    In the Access Rule Sources page, click Next

17.    In the Access Rule Destinations page, click Add

18.    In the Add Network Entities page:

a.        expand Domain Name Sets

b.       select Bing Explicit, click Add

c.        click Close

19.    In the Access Rule Destinations page, click Next

20.    In the User Sets page, click Next

21.    In the Completing the New Access Rule Wizard page, verify that the summary data is correct, and then click Finish; your new rule should appear immediately above the previously-selected access rule.

All Done

In the center pane, click Apply to enforce your new policy. When prompted, enter a description for this change (hey - the URL for this blog could work) and click OK.
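To see why both procedures add the bare domain as well as the wildcard, and to check proxy logs once the rule is applied, here is an added example (not part of the original post and not Microsoft tooling). The wildcard semantics, the three-field log layout, the host names other than explicit.bing.net and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The two entries the post adds to the "Bing Explicit" domain name set.
BING_EXPLICIT = ["explicit.bing.net", "*.explicit.bing.net"]

def host_of(url_or_host):
    """Lowercase host with port and trailing dot stripped."""
    value = url_or_host.strip()
    if "://" not in value:
        value = "//" + value  # bare "host:port", as in an HTTPS CONNECT request
    return (urlsplit(value).hostname or "").rstrip(".")

def entry_matches(entry, host):
    """Assumed semantics: '*.' needs at least one extra label, else exact match."""
    entry = entry.lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # ".explicit.bing.net"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry

def is_blocked(url_or_host, entries=BING_EXPLICIT):
    host = host_of(url_or_host)
    return any(entry_matches(e, host) for e in entries)

def leaked_requests(log_lines, entries=BING_EXPLICIT):
    """(client, url) pairs that were allowed although the set covers the host."""
    leaks = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        client, url, action = fields
        if action.lower() == "allowed" and is_blocked(url, entries):
            leaks.append((client, url))
    return leaks

# Constructed sample lines: "client url action" (not the real ISA/TMG log format).
SAMPLE_LOG = [
    "10.0.0.21 http://www.bing.com/search?q=firewall allowed",
    "10.0.0.21 http://img.explicit.bing.net/a.jpg denied",
    "10.0.0.34 img.explicit.bing.net:443 allowed",
    "10.0.0.34 http://notexplicit.bing.net/ allowed",
]

if __name__ == "__main__":
    for client, url in leaked_requests(SAMPLE_LOG):
        print(f"allowed despite deny rule: {client} -> {url}")
```

A non-empty result means a request to a covered host was allowed, so check that the deny rule is still listed first and that the change was applied.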

Jim Harrison, Program Manager, Forefront Edge CS

Tech Reviewers
Chris Rayner, Sr Program manager, Search
Mike Dean, Sr Product Mgr, Search
Yuri Diogenes, Support Engineer, Forefront Edge
Mohit Saxena, Tech Lead, Forefront Edge

Comments
  • will these features ever come to the TMG build that comes with EBS 2008?
