05 November 2010

TMG rule organising enhancements

One of the nice new features in TMG 2010 is that it is a lot easier to manage your rules, especially if you have a lot of them.

Search
The first feature I want to explore is the search. If you have ever had an ISA deployment where you publish multiple web applications, you will know that the list can get quite long and tedious to look through to find that one rule you want to look at. Sure, a really good naming convention will take you a long way, but there comes a time when it just does not cut it anymore.

The search allows you to find the rule you are looking for based on:

Free Text
Any free text. If you use free text, the search result contains all the matches in text-based properties, as well as matches in non-text properties defined as “searchable”.

"default rule" (in quotes) finds the rules whose searchable properties contain that exact string.
Default rule (no quotes) finds the rules containing the word default and the word rule anywhere in their searchable properties. For example, it will also match a rule whose listener has the description: Many rules, all defaulted to this listener

Name:Value
The Name is a column name or a distinct UI property (e.g. Content Type) in the Firewall Policy node of the Forefront TMG Management console. The Value is one of the allowed values for this Name.
The result of the search contains all the matches within the available values of Name, including values of implied sub-properties.

From:Internal To:External Protocol:HTTP finds the rules that provide Web access.
Action:Allow Condition:"All Users" Listener:MyListener finds the rules allowing access to all users via a Web listener named MyListener.

Property:Value
The Property is a COM property name as defined in the Forefront TMG SDK. The Value is one of the allowed values for this Property.
The result of the search contains all the matches within the available values of Property, including values of implied sub-properties.


Type:fpcPolicyRuleAccess finds the access rules.
SourceSelectionIPs:Internal DestinationSelectionIPs:External SpecifiedProtocols:HTTP finds the same rules that From:Internal To:External Protocol:HTTP finds.
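To make the three query forms concrete, here is a small model of the documented search semantics that I have added for illustration. It is not TMG code and the rules in it are constructed, not taken from a real policy; it only assumes what the text above says: quoted free text is one phrase, unquoted words are ANDed, free text is matched against text properties (including a listener's description), and Name:Value or Property:Value filters are ANDed against the rule's values.

```python
"""Model of the Forefront TMG 2010 firewall-policy search syntax.

Added example with constructed rules; not Forefront TMG's own code or data.
Assumptions: free text matches text properties (name, description, listener
description); quoted text is one phrase; all terms and filters are ANDed;
both UI column names (From, To, Protocol) and SDK property names
(SourceSelectionIPs, ...) can be used as the Name in Name:Value.
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    type: str                 # e.g. fpcPolicyRuleAccess, fpcPolicyRuleWebPublishing
    action: str               # "Allow" or "Deny"
    source: list              # From: / SourceSelectionIPs:
    destination: list         # To: / DestinationSelectionIPs:
    protocols: list           # Protocol: / SpecifiedProtocols:
    condition: list = field(default_factory=list)   # Condition: (users)
    listener: str = ""        # Listener: (web listener name)
    description: str = ""
    listener_description: str = ""


# Search Names (UI columns) and SDK Property names mapped to Rule fields.
FIELD_ALIASES = {
    "from": "source", "sourceselectionips": "source",
    "to": "destination", "destinationselectionips": "destination",
    "protocol": "protocols", "specifiedprotocols": "protocols",
    "action": "action", "condition": "condition",
    "listener": "listener", "type": "type", "name": "name",
}

# Text-based properties that free text is matched against.
TEXT_FIELDS = ("name", "description", "listener_description")

# Constructed sample policy (hypothetical names; not from a real array).
RULES = [
    Rule("Web access", "fpcPolicyRuleAccess", "Allow", ["Internal"],
         ["External"], ["HTTP", "HTTPS"], ["All Users"],
         description="Outbound browsing for the LAN"),
    Rule("Default rule", "fpcPolicyRuleAccess", "Deny", ["All Networks"],
         ["All Networks"], ["All Outbound Traffic"], ["All Users"]),
    Rule("Publish OWA", "fpcPolicyRuleWebPublishing", "Allow", ["Anywhere"],
         ["owa.example.com"], ["HTTPS"], ["All Authenticated Users"],
         listener="MyListener",
         listener_description="Many rules, all defaulted to this listener"),
    Rule("Publish SharePoint", "fpcPolicyRuleWebPublishing", "Allow",
         ["Anywhere"], ["sp.example.com"], ["HTTPS"], ["All Users"],
         listener="MyListener"),
]


def parse_query(query):
    """Split a query into (field, value) filters and free-text terms.

    shlex keeps a double-quoted string as a single token, which gives the
    "default rule" vs Default rule distinction and allows Condition:"All Users".
    """
    filters, terms = [], []
    for token in shlex.split(query):
        if ":" in token:
            name, value = token.split(":", 1)
            key = FIELD_ALIASES.get(name.lower())
            if key is None:
                raise ValueError(f"unknown search name: {name}")
            filters.append((key, value))
        else:
            terms.append(token)
    return filters, terms


def _values(rule, key):
    """Return a rule field as a list of strings so scalars and lists match alike."""
    value = getattr(rule, key)
    return [value] if isinstance(value, str) else list(value)


def matches(rule, filters, terms):
    """Every filter must match one of the field's values; every term must
    occur (case-insensitively) somewhere in the rule's text properties."""
    for key, value in filters:
        if not any(value.lower() == v.lower() for v in _values(rule, key)):
            return False
    haystack = " ".join(getattr(rule, f) for f in TEXT_FIELDS).lower()
    return all(term.lower() in haystack for term in terms)


def search(rules, query):
    """Return the names of the rules matching a console-style search query."""
    filters, terms = parse_query(query)
    return [r.name for r in rules if matches(r, filters, terms)]


if __name__ == "__main__":
    for q in ('"default rule"', 'Default rule',
              'From:Internal To:External Protocol:HTTP',
              'Action:Allow Condition:"All Users" Listener:MyListener',
              'Type:fpcPolicyRuleAccess'):
        print(f"{q!r:65} -> {search(RULES, q)}")
```

Note the unquoted Default rule query also returns the OWA publishing rule, because "defaulted" and "rules" in its listener description contain both words; this is exactly the behaviour the free-text example above warns about, and quoting the phrase removes that match.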



All in all pretty impressive really, considering it was not in ISA at all!

Rule Groups
Groups allow you to group together rules that belong together. As an example, you may publish an application that requires a few rules to handle the various allows, blocks and redirects. You can now create the separate rules and put them in a group. Grouping does not change how the rules are processed (the firewall still evaluates them in order); it just displays or hides them as a pack.

Limitations
You cannot create sub-groups.
Rules must be consecutive in the rule order to be grouped.
Rules cannot be added to an existing group: you have to ungroup the rules, select the old and new rules together, and then group them again.





Conclusion
Following a good naming convention is always a good idea and allows you to visually and logically organise your rules in a way that makes sense to you, the administrator, even if it does not make sense to DD. The new features have been added to handle increasing numbers of rules. Take the time to plan how you want to use them and they can make finding the right rule a breeze.
