When Forefront TMG queries MRS for a URL categorization, the result may include multiple categories (for example, a site can be categorized as both a Portal and Web Mail site). By default Forefront TMG uses the most significant category (otherwise known as the primary category) according to the category precedence list. In Forefront TMG Update 1, we have added the ability to configure Forefront TMG to use the non-primary categories as well. This ability applies to the following elements that utilize URL categories:
· Destination list (the To: tab) in access rules (per rule)
· Destination Exceptions in malware inspection (per array)
· Destination Exceptions in HTTPS outbound inspection (per array)
There is a checkbox in the designated property page, called "For URL filtering, apply to non-primary categorizations". When checked, all categories returned for the queried URL will be considered by the appropriate policy element during policy evaluation.
Note: The default configuration for these elements is to apply the primary category only (as in previous versions).
For example, assume that the URL www.contoso.com is categorized by MRS as Alcohol, Streaming Media and News:
The exclamation mark icon indicates the category that Forefront TMG has determined as the primary category, and the check mark icons indicate the non-primary categorizations.
Assume also that we have a rule denying access to the Alcohol, News and Streaming Media URL categories. Now let's see how the rule engine's outcome changes with the new functionality and with different categories in the rule's list:
URL Categories in a rule
Is non-primary categorization enabled?
Will the rule match?
Both Yes and No (Alcohol is the primary category and isn't affected by the new functionality)
Yes (Logged as News)
Streaming Media and News
Yes (Logged as Streaming Media)
Alcohol and Streaming Media
Yes (Logged as Alcohol)
Each Forefront TMG element dealing with multiple categories may match a different category. For example, if the destination exceptions in malware inspection contain the News category and the exceptions in HTTPS outbound inspection contain the Streaming Media category, a request to www.contoso.com would be excluded from both malware inspection and HTTPS outbound inspection.
When you include non-primary categorizations, there is an effect on logging and reporting. Instead of logging the primary category, Forefront TMG logs the category that appears in both the matched rule and the MRS result and has the highest position in the precedence list. For example, if the matched rule contains a list of categories including the News, Sports and Travel categories and the requested URL was categorized as News, Travel and Chat, the logged category would be the most significant of News and Travel (which is Travel). Reporting uses the logged categories, so the category reported for the same traffic may differ depending on whether it was logged with or without non-primary categorizations enabled.
URL categories applied to malware inspection and HTTPS outbound inspection aren't logged.
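The matching and logging behaviour described above, as an added Python model written for this page (it is not Forefront TMG's own code). The precedence list it uses is a constructed assumption, ordered so that Alcohol outranks Streaming Media and News and Travel outranks News, as the article's examples require; the rule names and the MRS result for www.contoso.com are constructed sample data.

```python
# Model of how a Forefront TMG policy element matches URL categories, as
# described in the article. Assumption: the precedence list below is
# constructed for illustration; TMG's real list is not reproduced here.
PRECEDENCE = ["Alcohol", "Travel", "Sports", "Streaming Media", "News", "Chat"]


def rank(category):
    """Position in the precedence list; lower is more significant."""
    return PRECEDENCE.index(category)


def primary_category(mrs_result):
    """MRS may return several categories; the most significant one is primary."""
    return min(mrs_result, key=rank)


def evaluate(rule_categories, mrs_result, non_primary_enabled):
    """Return (matched, logged_category) for one policy element.

    With the checkbox off only the primary category is considered. With it on,
    every returned category is considered, and the logged category is the most
    significant one that appears in both the rule and the MRS result.
    """
    if non_primary_enabled:
        considered = set(mrs_result)
    else:
        considered = {primary_category(mrs_result)}
    matched = considered & set(rule_categories)
    if not matched:
        return False, None
    return True, min(matched, key=rank)


def rules_needing_non_primary(rules, mrs_result):
    """Names of rules that match this URL only when non-primary categorization
    is enabled: rules an administrator may expect to fire on the URL but that
    are skipped under the default (primary-only) setting."""
    return [name for name, cats in rules.items()
            if not evaluate(cats, mrs_result, False)[0]
            and evaluate(cats, mrs_result, True)[0]]


if __name__ == "__main__":
    contoso = ["Alcohol", "Streaming Media", "News"]  # constructed MRS result
    print(evaluate(["Streaming Media", "News"], contoso, False))  # (False, None)
    print(evaluate(["Streaming Media", "News"], contoso, True))  # (True, 'Streaming Media')
    print(evaluate(["News", "Sports", "Travel"], ["News", "Travel", "Chat"], True))  # (True, 'Travel')
    rules = {"Deny streaming/news": ["Streaming Media", "News"],
             "Deny alcohol": ["Alcohol", "Streaming Media"]}
    print(rules_needing_non_primary(rules, contoso))  # ['Deny streaming/news']
```

Running `rules_needing_non_primary` over an array's deny rules is a quick way to find rules whose coverage silently depends on the checkbox state.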
Author: Dima Datsenko
Reviewers: Ori Yosefi, David Strausberg