Create the VPN Clients Access Rule
At this point, the VPN clients can connect to the TMG VPN server, but they can’t really do anything until you create an Access Rule. The Access Rule can be configured to allow VPN clients to connect to the entire internal network, or you can control which parts of the network or even which specific servers on the network the VPN clients can connect to. The TMG firewall offers you very granular control when it comes to specifyingto which resources the VPN clients can connect after establishing the VPN client connection to the TMG firewall.
To create the Access Rule, click the Firewall Policy node in the left pane of the console, as seen in Figure 1 below. In the right pane of the console, click the Create Access Rule link.
This brings up the Welcome to the New Access Rule Wizard page. On that page, enter the name of the Access Rule. In this example, name the Access Rule VPN Clients to Internal and Internet. Note that we must create a rule to enable the VPN clients to access the Internet because the default configuration of the Microsoft VPN client is to disable split tunneling. When split tunneling is disabled, the VPN client must be able to reach the Internet through the VPN server. The client can bounce off the TMG firewall to which it’s connected, or you could configure the VPN clients to connect to the Internet through a different TMG firewall on your network. That’s a subject for another article, and maybe we’ll do that in the future, because performance is a bit better when you have the VPN clients connect to the Internet through a TMG firewall array that’s different from the one to which they’ve established the VPN connection. In this example, though, we’ll configure the TMG firewall so that the VPN client can connect to the Internet through TMG1 – which is the same TMG firewall with which they establish the VPN connection.
After entering the name of the Access Rule, client Next, as shown in Figure 2.
On the Rule Action page, select the Allow option, since this rule is designed to allow connections and not deny connections.
Click Next as shown in Figure 3.
On the Protocols page, select the All outbound traffic option from the This rule applies to drop down list. Note that in a production environment, you would probably be more judicious about which protocols you would allow, so in that case you would choose the Select protocols or the All outbound traffic except selected option.
Select All outbound traffic and click Next as shown in Figure 4.
On the Malware Inspection page, select the Enable malware inspection for this rule option. We want this option enabled because the VPN clients are going to connect to the Internet through the TMG firewall, so we want to make sure that all web traffic is inspected for malware.
Select Enable malware inspection for this rule and click Next as shown in Figure 5.
On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click the VPN Clients entry. Next, click Close in the Add Network Entities dialog box that’s shown in Figure 6. This configures the rule to be applied only to VPN clients, which are defined by a collection of IP addresses dynamically added to the VPN Clients Network by the TMG firewall. When VPN clients connect to the TMG firewall’s VPN server, each VPN client is assigned an IP address, and that IP address is automatically added to the TMG Firewall’s VPN Clients Network.
The VPN Clients Network appears in the This rule applies to traffic form these sources list.
Click Next as shown in Figure 7.
On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder, then double click the Internal Network and the External Network. Then click Close in the Add Network Entities dialog box as shown in Figure 8.
The External and Internal Networks now appear in the This rule applies to traffic sent to these destinations list. Note that the External Network represents all addresses that are not represented by any other TMG Firewall Network definition. This includes the Internet.
Click Next on the Access Rule Destinations page as shown in Figure 9.
Click Next on the User Sets page as shown in Figure 10.
Review the settings on the Completing the New Access Rule Wizard page and click Finish as shown in Figure 11.
The new Access Rule now appears in the All Firewall Policy list. We want to make some changes to the rule, so let’s right click the rule and click the Properties entry as shown in Figure 12.
In the VPN Clients to Internal and Internet Properties dialog box, click the To tab. Notice that on the To tab, you can see both External and Internal in the This rule applies to traffic sent to these destinations section, as we configured when we ran the Access Rule wizard. In the Exceptions section, click Add.
This brings up the Add Network Entities dialog box. Click the URL Categories folder. This shows you the list of built-in categories that you can use for URL filtering. Double click the following entries to add them to exceptions list:
- Illegal Drugs
These will now appear in the Exceptions list, as seen in Figure 13 below. This means that the VPN clients will be able to access all Internet sites except those included in these categories.
Click Close in the Add Network Entities dialog box.
In the VPN Clients to Internal and Internet Properties dialog box, click Apply and then click OK. Note that a dialog box appears and informs you that URL filtering is currently disabled and needs to be enabled globally for it to work, as you can see in Figure 14. In a production environment, you should enable URL filtering globally so that the URL filtering will work for the VPN clients (and all the other clients, for that matter). However, in this example, the Test Lab Guide lab is not connected to the Internet, so there’s no reason for us to go through the steps of enabling URL filtering since we can’t demonstrate this feature in the isolated Test Lab.
Click Apply to save the changes and update the firewall configuration. In the Saving Configuration Changes dialog box, click OK after the changes are saved, as shown in Figure 15.