Figure 1
Web proxy chaining is enabled by creating web chaining rules. These rules determine how the firewall routes the web proxy requests that it allows. To configure web proxy chaining in this basic scenario, open the TMG management console on the downstream proxy server and click the Networking node in the console tree.
Figure 2
In the main window, select the Web Chaining tab, and then in the Tasks pane select Create New Web Chaining Rule.
When the New Web Chaining Rule Wizard opens, name the new web chaining rule.
Select the appropriate Web Chaining Rule Destination. There are few restrictions on what can be chosen here, but for demonstration purposes we forward all requests to the Internet by selecting the External network.
Select the option to redirect requests to the specified upstream server.
Specify the IP address, hostname or FQDN of the upstream proxy server. Unless you have changed the web proxy listening ports on the upstream proxy server, you will not need to change the default ports listed here. Select the Apply malware inspection to Web content received from or sent to an upstream proxy option only when the upstream proxy server does not itself perform malware inspection, because malware inspection on both the downstream and the upstream proxy server at the same time is not supported. Where to scan is your choice. Scanning on the upstream proxy server stops malicious software at the point where traffic enters the network. However, if the upstream proxy server aggregates requests from a large number of downstream proxy servers, the additional inspection load can saturate CPU and disk and add latency. In that case, scanning on the downstream servers distributes the load and reduces resource consumption on the upstream server.
Select the backup action that is appropriate for your environment. If the downstream server has a direct connection to the Internet, you can choose Retrieve requests directly from the specified destination. If there is a proxy server (or array) in another location that can serve as an alternate upstream server, you can choose Route requests to an upstream server (the wizard will prompt for the additional details). If the downstream server has no alternate route, or corporate security policy does not permit one, select the default option, Ignore requests.
The new rule now appears in the list. Web chaining rules are processed in order, and the default rule is always last, so our new rule is placed above it. Although we created a new rule here, it is also possible to modify the default rule to achieve the same result.
Note: an important point to keep in mind is that the appropriate access rules must be in place on both the downstream and the upstream server before web access will work through the chain.
Connection limits
In many cases, enabling web proxy chaining causes the downstream server to exceed the connection limits enforced by the flood mitigation settings on the upstream server. The upstream server receives all connection requests from a single host (the downstream server) instead of from each individual client. If the downstream server aggregates requests for a large number of clients, the default connection limits on the upstream server need to be adjusted. Rather than raising the default limits for all hosts, add the downstream servers to the IP exception list. You will find the flood mitigation settings in the TMG management console by clicking Intrusion Prevention System in the console tree, clicking Configure Flood Mitigation Settings in the main window, selecting the IP Exceptions tab and adding a computer set that contains your downstream servers.
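To make the aggregation effect concrete, the following Python model is an added example; it is not part of the original article and is not TMG code. It counts concurrent connections per source address the way a per-IP connection limit does, with an optional exception list, and compares what the upstream server sees when clients connect directly versus through a downstream proxy. The limit value (160), the downstream proxy address 10.0.0.2 and the client addresses are constructed for the model only; use the values from your own flood mitigation settings.

```python
"""Per-IP connection limit with an exception list.

Added example, not from the original article and not TMG code. It shows why
an upstream proxy's per-IP connection limit is tripped by a chained
downstream proxy, and how exempting the downstream proxy's address fixes it.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import FrozenSet, Tuple


@dataclass
class PerIpConnectionLimiter:
    """Counts concurrent connections per source IP and refuses new ones
    over the limit, unless the source is on the exception list."""
    max_concurrent_per_ip: int
    exceptions: FrozenSet = frozenset()
    active: Counter = field(default_factory=Counter)
    refused: Counter = field(default_factory=Counter)

    def connect(self, src: str) -> bool:
        """Return True if the connection is accepted, False if refused."""
        ip = ip_address(src)
        if ip not in self.exceptions and self.active[ip] >= self.max_concurrent_per_ip:
            self.refused[ip] += 1
            return False
        self.active[ip] += 1
        return True

    def disconnect(self, src: str) -> None:
        ip = ip_address(src)
        if self.active[ip] > 0:
            self.active[ip] -= 1


UPSTREAM_LIMIT = 160            # assumed per-IP limit for this model only
DOWNSTREAM_PROXY = "10.0.0.2"   # constructed address of the downstream proxy


def simulate(clients: int, conns_per_client: int, chained: bool,
             exempt_downstream: bool = False,
             limit: int = UPSTREAM_LIMIT) -> Tuple[int, int]:
    """Open conns_per_client connections for each client against an upstream
    limiter and return (accepted, refused) as seen by the upstream server.

    chained=False: each client connects from its own (constructed) address.
    chained=True:  every connection arrives from the downstream proxy, so the
                   upstream sees one source address for all clients.
    """
    exceptions = frozenset({ip_address(DOWNSTREAM_PROXY)}) if exempt_downstream else frozenset()
    upstream = PerIpConnectionLimiter(limit, exceptions)
    accepted = refused = 0
    for n in range(clients):
        # Constructed client addresses 10.1.0.1, 10.1.0.2, ...
        src = DOWNSTREAM_PROXY if chained else str(IPv4Address("10.1.0.0") + n + 1)
        for _ in range(conns_per_client):
            if upstream.connect(src):
                accepted += 1
            else:
                refused += 1
    return accepted, refused


if __name__ == "__main__":
    print("direct, no chaining:        ", simulate(200, 2, chained=False))
    print("chained, default limits:    ", simulate(200, 2, chained=True))
    print("chained, proxy on exception:", simulate(200, 2, chained=True, exempt_downstream=True))
```

With 200 clients holding two connections each, the direct case is 400 separate sources well under any per-IP limit, the chained case collapses them onto one source and refuses everything past the limit, and exempting only the downstream proxy's address restores the original behaviour without loosening the limit for every other host.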
Conclusion
Depending on your specific requirements, a web proxy chaining configuration may be relatively simple (as shown here) or quite complex. The example above assumes that all traffic is routed to the upstream proxy server and that no authentication is required. In many cases the downstream proxy will have a direct connection to the Internet and only some traffic is routed to the upstream proxy server, and often the upstream proxy server also requires authentication, so additional planning and configuration are needed. In part two of this series, I will cover some of these more detailed deployment scenarios.