Deny Page Customization on Forefront TMG 2010


1. Introduction

With the addition of the Denied URL Request Action on Forefront TMG (see Figure 1), many questions have come up about customizing this page: changing colors, adding a company logo, and so on. This can be done just as it was with the regular error pages on ISA Server.

Figure 1

On ISA Server 2006 you could use the How to Customize HTML Error Messages in ISA Server 2006 article to customize the vast majority of the errors that users could receive when browsing the Internet through ISA Server. Those pages are still present (now located at %programfiles%\Microsoft Forefront Threat Management Gateway\ErrorHtmls), with the following new additions:

File Name     Description
12222r.htm    The client certificate used to establish the SSL connection with the Forefront TMG Server computer is not acceptable. The client certificate restrictions were not met.
12224.htm     The SSL server certificate supplied by a destination server is not yet valid.
12225.htm     The SSL server certificate supplied by a destination server expired.
12226.htm     The certification authority that issued the SSL server certificate supplied by a destination server is not trusted by the local computer.
12227.htm     The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
12228.htm     The SSL certificate supplied by a destination server cannot be used to validate the server because it is not a server certificate.
12229.htm     The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request.
12230.htm     The SSL server certificate supplied by a destination server has been revoked by the certification authority that issued it.
12231.htm     Forefront TMG denied the specified Uniform Resource Locator (URL). (Used when the deny rule is set to display the URL category but no custom message; [URLCATEGORY] is replaced with the category name.)
12232.htm     Forefront TMG denied the specified Uniform Resource Locator (URL). (Used when the deny rule is set to display a custom message but not the URL category; [ADMINMESSAGE] is replaced with the custom message.)
12233.htm     Forefront TMG denied the specified Uniform Resource Locator (URL). (Used when the deny rule is set to display both the custom message and the URL category; [URLCATEGORY] is replaced with the category name and [ADMINMESSAGE] with the custom message.)

Table 1

The page used by the option shown in Figure 1 is 12232.htm, and this article shows how to customize it.

2. Customizing the 12232 Error Page

The first step in customizing this page is to make a backup of the original in case you need to roll back. Then copy the 12232.htm file to another location and open it in the HTML editor of your preference. For this example I'm going to use Microsoft FrontPage. Here is the original page:

Figure 2

The fields between brackets [] are variables that are replaced with information about the access attempt; see Table 1 for their meaning. Figure 3 shows how the page looks after the customization used in this example:

Figure 3

Notice that in this page we customized the following items:

· Fonts (format and size)

· Background color and table background

· Company logo

· Text description

· Hyperlink to the Helpdesk's e-mail address

Note: The [ADMINMESSAGE] field is replaced on a per-rule basis when the 12232.htm page is used: it is substituted with the text you enter in the window shown in Figure 1.

The only caveat when customizing this page concerns inserting pictures. If you insert the picture reference with a relative path, as in the fragment below, it will not work:

    <TD class=titleBorderx width=130 style="border-style: none; border-width: medium; background-color: #FFFFFF">
      <img border="0" src="Fabrikam-logo.gif" width="105" height="87"></TD>
    <TD class=titleBorder id=L_12232_2 style="border-style: none; border-width: medium; background-color: #FF0000">

It does not work because the client browser resolves the relative picture reference against the URL of the web site you tried to reach, which is precisely the site that was blocked. For example, if access to www.contoso.com is blocked, Fabrikam's logo shows as a red X, and if you open the picture's properties the reference reads www.contoso.com/fabrikam-logo.gif. One way to overcome this is to use a full URL that points to an internal web server, as shown below:

    <TD class=titleBorderx width=130 style="border-style: none; border-width: medium; background-color: #FFFFFF">
      <img border="0" src="http://websrv/Fabrikam-logo.gif" width="105" height="87"></TD>
    <TD class=titleBorder id=L_12232_2 style="border-style: none; border-width: medium; background-color: #FF0000">

This way the browser loads the logo from the internal web server, provided the client has access to the web server referenced in the link. Depending on how your network is set up, that traffic might also pass through TMG, in which case TMG needs a rule allowing it to reach the destination web server.
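As an added example (not part of the original article, and not Microsoft's or TMG's own code), the following Node.js script reproduces the browser's URL resolution rule for the two fragments above and pre-checks a customized page before it goes back into ErrorHtmls: every src/href must be an absolute http(s) URL, and the placeholder tokens from Table 1 that TMG substitutes for that file name must still be present after editing. The sample pages, the internal server name websrv, the blocked site www.contoso.com and the helpdesk address are all constructed for the example.

```javascript
// Added example, not from the original article: pre-flight check for a
// customized TMG deny page. It shows why a relative picture reference breaks
// (the browser resolves it against the blocked site's URL) and verifies that
// the placeholders TMG substitutes are still present after editing.

// Placeholders each deny page needs, taken from Table 1 of the article.
const REQUIRED_PLACEHOLDERS = {
  "12231.htm": ["[URLCATEGORY]"],
  "12232.htm": ["[ADMINMESSAGE]"],
  "12233.htm": ["[URLCATEGORY]", "[ADMINMESSAGE]"],
};

// Where the browser would fetch a reference from, given the URL the user
// requested and was denied. new URL() applies the same WHATWG resolution rule
// browsers use, so this is exactly what the red X in the article means.
function resolveAgainstBlockedSite(reference, blockedUrl) {
  return new URL(reference, blockedUrl).href;
}

// Only absolute http(s) URLs are safe on a deny page: a relative path, and
// also a protocol-relative "//host/x" reference, resolve against the blocked site.
function isAbsoluteReference(reference) {
  return /^https?:\/\//i.test(reference);
}

// Pull every src= and href= value out of the page (quoted or unquoted).
function extractReferences(html) {
  const re = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    refs.push({ attr: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] });
  }
  return refs;
}

// Returns a list of problems; an empty list means the page is safe to deploy.
function checkErrorPage(fileName, html, blockedUrl) {
  const problems = [];
  for (const ref of extractReferences(html)) {
    if (/^mailto:/i.test(ref.value)) continue; // helpdesk mail link needs no host
    if (!isAbsoluteReference(ref.value)) {
      problems.push(
        `${ref.attr}="${ref.value}" is relative; the browser would request ` +
          resolveAgainstBlockedSite(ref.value, blockedUrl)
      );
    }
  }
  for (const token of REQUIRED_PLACEHOLDERS[fileName] ?? []) {
    if (!html.includes(token)) problems.push(`missing placeholder ${token}`);
  }
  return problems;
}

// Constructed sample pages (not the real 12232.htm): the first uses the relative
// logo reference from the article, the second the full URL to an internal server.
const BROKEN_PAGE = `
<TABLE><TR>
  <TD class=titleBorderx width=130><img border="0" src="Fabrikam-logo.gif" width="105" height="87"></TD>
  <TD class=titleBorder id=L_12232_2>[ADMINMESSAGE]</TD>
</TR></TABLE>
<p>Contact <a href="mailto:helpdesk@fabrikam.example">the helpdesk</a>.</p>`;

const FIXED_PAGE = BROKEN_PAGE.replace(
  'src="Fabrikam-logo.gif"',
  'src="http://websrv/Fabrikam-logo.gif"'
);

// Hypothetical blocked site, as in the article's example.
const BLOCKED_URL = "http://www.contoso.com/";

console.log("broken page:", checkErrorPage("12232.htm", BROKEN_PAGE, BLOCKED_URL));
console.log("fixed page: ", checkErrorPage("12232.htm", FIXED_PAGE, BLOCKED_URL));
```

Running it reports the relative logo as a problem and prints the URL the browser would actually request (http://www.contoso.com/Fabrikam-logo.gif), while the page with the full internal URL passes. Running the same check with "12233.htm" as the file name flags the missing [URLCATEGORY] placeholder, which is the kind of editing mistake that silently removes information from the deny page.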

 

Note: Another approach, instead of customizing this page, is to use the option Redirect Web Client to the Following URL (shown in Figure 1). However, be aware of the potential issues with IE7 and later described in the article Behavioral Change on IE7 can affect Outbound access through ISA Server 2006 that is using Redirect on a Deny Rule.

The customized page should then be put back, with its original file name, in %programfiles%\Microsoft Forefront Threat Management Gateway\ErrorHtmls.

3. Conclusion

This post explained the additional HTML error pages in Forefront TMG 2010 and how to customize the 12232 error page. Although the post focuses on the 12232 page, the same techniques apply to any of the other pages listed in Table 1.

Author

Yuri Diogenes

Sr. Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team

Technical Reviewers

Yury Berezansky

Sr. Software Developer Engineer

Forefront TMG Product Team

Avihai Dgany

Software Developer Engineer

Forefront TMG Product Team

Eric Detoc

Escalation Engineer

Microsoft CSS Forefront TMG Beta Team

Comments
  • Thanks for the tutorial, but I've made the changes and they aren't being reflected when you hit the live deny page. They are just small text-based changes to verify that it is successful.

    I've tried restarting the services on that server but still no cigar.

    Cheers

  • Thanks for your comments.

    The steps provided above successfully worked in our deployment. Please check that this is not a cache problem on the client side: try from multiple clients, and double-check that the page that was changed has the correct name (12232.htm).

    If the issue persists you can open an incident with Microsoft CSS to assist you troubleshooting that.

  • I was successful in creating my custom page thanks to your article. I do have a question though. I have figured out the [urlcategory] and a few others but I would also like to see the username. I have tried [user], and [username] and neither works. Can you point me in the right direction for more of these informational default fields?

  • One question: we saw the problem with deny page customization for HTTPS requests... there is no effect on IE 7 or 8... we always receive a blank page or the default IE page with "diagnostic connection"... what is the reason? We tried to turn off friendly messages in IE but without success :(

  • is there any solution to the username parameter posted by walter thompson?

  • Same issue as Bubikaj: IE7 and IE8 always show the default friendly error messages, even if disabled in the advanced options. IE6 is OK. Any hints?

  • Bubikaj, Frank - modify the 12233 file. After that modify the 12232 file. Restart the services and you should notice the changes. I had the same challenges myself and this resolved it...I hope this helps.

  • Is it possible to customize the block override website in TMG?
