21 October 2011

TMG SP2 customise URL filtering error pages

The old pre-SP2 error pages
ISA and TMG error pages have always been ugly.  Brown and ugly.  But thankfully with SP2 they have added improved error pages that are easier to customise.


When URL filtering was introduced, users would often get a screen, and you wanted them to know it was not an error but a purposeful denial.  To do this I customised the relevant error pages.  After some to and fro, this was the best I could come up with with "minimal effort".



Enable New Style Error Pages
After installing SP2 the default will still be to use the old style error messages.  To enable the new style you need to do the following:

  • From the TMG console select the Array
  • Right Click - Properties
  • Select the Error Pages tab
  • Select the "Use the new version available from ... SP2 onward" option

You should now get the new style error pages


Already a big improvement.
If you had customised your error pages you need to also customise the new ones.  The exception to this is if you have specified a custom admin message.  This is retained.

Customise The error pages
To simply stick your company logo on the new error pages you just need to edit and replace the "C:\Program Files\Microsoft Forefront Threat Management Gateway\Templates\WebObjectsTemplates\ISA\HTML\logo.png" file.  This is a transparent png file, so keep it that way or it will introduce a "big white block".

Editing this image will apply to all error pages.

For most, this is as far as you would normally go.

URL Filtering pages
The Web Access Policy lets you specify a few options when defining the Block rule for the URL categories you block.  These options render different levels of information on the error pages, and they actually change which error .htm file is used.

To set this you need to change the following

  • From the TMG management Console
  • Select the Web Access Policy
  • Then select the Deny rule that blocks the categories
  • Select the Actions Tab
  • Click the Advanced button


The options translate as follows:


12231.htm  - This page is used when the deny rule is set to display the URL category, but not the custom message; [URLCATEGORY] will be replaced with the category name.

12232.htm  - This page is used when the deny rule is set to display the custom message but not the URL category; [ADMINMESSAGE] will be replaced with the custom message.

12233.htm  - This page is used when the deny rule is set to display both the custom message and the URL category; [URLCATEGORY] will be replaced with the category name and [ADMINMESSAGE] will be replaced with the custom message.


In my case I chose to edit the 12231.htm file directly as opposed to using the "Admin Message".  This just gave me more control to do what I wanted to do.  Also, to conform to the corporate colours, all images were changed to grey scale.

The net effect is the following:


Copy all your edited files to all the nodes in the array and remember: for the new pages to take effect you need to restart the firewall service on the TMG server.
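
A small pre-copy check, added here as an example and not part of TMG or of the original post: it confirms that each of the three URL filtering pages still carries the placeholders listed above, since a hand edit can easily drop one.  The function names, the constructed sample template, the plain-text substitution used for the preview and the UTF-8 decoding are all assumptions of this example.

```python
"""Lint edited TMG URL-filtering templates before copying them to the array nodes."""
import sys
from pathlib import Path

# Placeholders each page should carry, per the mapping described in this post.
REQUIRED = {
    "12231.htm": {"[URLCATEGORY]"},
    "12232.htm": {"[ADMINMESSAGE]"},
    "12233.htm": {"[URLCATEGORY]", "[ADMINMESSAGE]"},
}
KNOWN = {"[URLCATEGORY]", "[ADMINMESSAGE]"}

# Constructed sample template, not a real TMG page.
SAMPLE = '<html><body><img src="logo.png"><p>Blocked category: [URLCATEGORY]</p></body></html>'


def check_template(name, html):
    """Return a list of problems for one template's text (empty list = OK)."""
    found = {token for token in KNOWN if token in html}
    problems = [f"{name}: missing {t}" for t in sorted(REQUIRED[name] - found)]
    # Assumption: a placeholder outside its deny-rule mode would not be filled in.
    problems += [f"{name}: {t} not expected on this page"
                 for t in sorted(found - REQUIRED[name])]
    return problems


def render_preview(html, category, message):
    """Approximate the substitution by plain text replacement, for a local preview."""
    return html.replace("[URLCATEGORY]", category).replace("[ADMINMESSAGE]", message)


def check_dir(folder):
    """Check the three URL-filtering pages in a local working copy of the HTML folder."""
    problems = []
    for name in sorted(REQUIRED):
        path = Path(folder) / name
        if not path.is_file():
            problems.append(f"{name}: file not found")
            continue
        # Assumption: the templates decode as UTF-8 (ASCII-compatible).
        problems += check_template(name, path.read_text(encoding="utf-8", errors="replace"))
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        issues = check_dir(sys.argv[1])
    else:
        issues = check_template("12231.htm", SAMPLE)
        print(render_preview(SAMPLE, "Gambling", ""))
    print("\n".join(issues) or "OK")
    sys.exit(1 if issues else 0)
```

Run it with the path to a working copy of the HTML folder as its only argument; with no argument it checks the constructed sample.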

Conclusion
The improved error pages in SP2 are a welcome change.  If, however, you had customisation on your old error pages you will have to transfer it to the new style ones.  Without too much effort you can put a corporate look and feel, and relevant information, on your pages.


