TMG Safe Search Enforcement and limitations

Software Update 1 for Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
has been released and can be downloaded from here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=695d0709-0d8b-45ee-afdb-727c4428ca4d

One of the features that caught my eye was this one.

• SafeSearch Enforcement. Forefront TMG can enforce blocking adult text, images and videos from search results by popular search engines. SafeSearch can be enforced on specific groups or to the entire organization.

 
This is a feature that was available in a previous Web Sensible product I used to use.  So I was quite keen to see how well it works in TMG.  After installing the Software Update you now have a new item in the web protection tasks.  This will launch a really simple wizard where you can turn this feature on, and then another tab where you can exclude users.
 
 

 

For those who are not quite familiar with this concept it is simply this.  The major search engines support some sort of safe search feature.  This prevent explicit or inappropriate content from being returned when searching for items. This is especially relevant to image and video searches.

Google Bing and Yahoo use three settings

• Strict
• Moderate
• Off

 Safe search enforcement in TMG is either on or off.  You can see what TMG is doing by checking out the configuration file “SafeSearchConfiguration.xml”, located in the installation directory:

<Configuration>
    <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active" >
        <searchQuery pattern="/search?" />
        <searchQuery pattern="/images?" />
    </provider>
    <provider domainPattern=".yahoo.com" safeSearchSuffix="&amp;vm=r" >
        <searchQuery pattern="/search?" />
        <searchQuery pattern="/search;" />
        <searchQuery pattern="/search/images?" />
        <searchQuery pattern="/search/images;" />
        <searchQuery pattern="/search/video?" />
        <searchQuery pattern="/search/video;" />
    </provider>
    <provider domainPattern="www.bing.com" safeSearchSuffix="&amp;adlt=strict" >
        <searchQuery pattern="/search?" />
    </provider>
</Configuration>

I figured I would do some digging and see if I could figure out how stuff works. So armed with Firefox and firebug I checked out some searches.  I used google as my search engine since that is the default for everyone.  Then I did an image search for "xxx" and changed the safe search setting.  With Firebug I grabbed the GET strings  and the results are as follows.

Normal

http://www.google.co.za/images?um=1&hl=en&biw=1440&bih=63&tbs=isch:1&q=xxx&btnG=Search&aq=f&aqi=&oq=&gs_rfai=&uss=1

Safe off

http://www.google.co.za/images?um=1&hl=en&safe=off&biw=1440&bih=63&tbs=isch%3A1&sa=1&q=xxx&btnG=Search&aq=f&aqi=&aql=&oq=&gs_rfai=

Strict

http://www.google.co.za/images?um=1&hl=en&safe=active&biw=1440&bih=63&tbs=isch%3A1&sa=1&q=xxx&btnG=Search&aq=f&aqi=&aql=&oq=&gs_rfai=

If we look at the three results we can see that the "safe=" parameter is only included when the safe search is set to Off or Strict. 

This is where a limitation of Safe search enforcement comes in.  It would have been nice to enforce Moderate safe search but that is just not possible.  The only setting that can be enforced is the Strict one.

With Safe Search Enforcement this is all you will get for a "XXX" image search...

You do not have the option to enable Moderate or Off.  (Well you do, they just dont work)

Conclusion
Most users will never be aware of the safe search features in the search engines or that you are enforcing them with TMG.  For the users who want to change their setting, you have no other option but to exclude them from "Safe Search Enforcement"  You will then give the responsibility back to them to choose between the Moderate and Off options.

Search engines do a good job of preventing "accidental" exposure and I had to manually go and change my settings to be able to view possibly offensive content.  Having said that, I am very happy to have this as an option even if I choose not to use it.