New in Forefront TMG Update 1: SafeSearch Enforcement

Forefront TMG can now automatically block adult text, images, and videos from search results by major web search engines. The same SafeSearch feature that users can activate in their browsers can now be enforced on Forefront TMG, and applied to groups of users or to the entire organization.

When SafeSearch is enabled on Forefront TMG, the following happens:

· When a user submits a query to a major search engine, Forefront TMG modifies the query string, causing the search engine to treat the request as a SafeSearch request, and return filtered results.

· End-users cannot receive unfiltered content, even if they try to disable the feature in their browsers.

· SafeSearch is enforced over secure connections when HTTPS inspection is enabled on Forefront TMG. If a user establishes an HTTPS session with a search engine, Forefront TMG strictly enforces SafeSearch results.

This functionality is especially useful to schools and other organizations that want to block inappropriate web content.

Configuring SafeSearch

To enable SafeSearch, do the following:

1. In the Forefront TMG Management console, click the Web Access Policy node, and in the Tasks pane, click Configure SafeSearch.

2. On the General tab, click Enable SafeSearch.

3. If you want to disable SafeSearch enforcement for certain authenticated users, click on the Users tab and add the users or user groups.

Note: You must enable URL filtering to use the SafeSearch feature on Forefront TMG, because SafeSearch makes use of the Search Engines URL Category.

SafeSearch System Policy Rule

When SafeSearch is enabled for the first time, a system policy rule is created. This rule serves as a container for the user white list and handles authentication when the list is not empty. The rule has the following properties:

  • Protocols: HTTP/HTTPS
  • Source: Internal
  • Destination: Search Engines (URL Category)
  • Users: All Users with exclusion of users from the white list

After the rule is created for the first time, enabling or disabling SafeSearch will affect the rule state (enabled/disabled).

Enforcement is performed only for traffic matching this rule. The rule is identified by its internal ID and can only be created by enabling SafeSearch in the Management console, or by calling ConfigureSafeSearchRule in COM:

interface IFPCPolicyRules2 : IFPCEEPolicyRules


HRESULT ConfigureSafeSearchRule([out,retval] IFPCPolicyRule** ppVal);


This COM function returns a newly created or already existing SafeSearch rule, while resetting all its properties to SafeSearch rule defaults. The default setting for this rule is to enforce SafeSearch for all users, but it can be configured to exclude specific users or user groups.

Static Configuration

The feature has a configuration file “SafeSearchConfiguration.xml”, located in the installation directory:


    <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active" >

        <searchQuery pattern="/search?" />

        <searchQuery pattern="/images?" />


    <provider domainPattern="" safeSearchSuffix="&amp;vm=r" >

        <searchQuery pattern="/search?" />

        <searchQuery pattern="/search;" />

        <searchQuery pattern="/search/images?" />

        <searchQuery pattern="/search/images;" />

        <searchQuery pattern="/search/video?" />

        <searchQuery pattern="/search/video;" />


    <provider domainPattern="" safeSearchSuffix="&amp;adlt=strict" >

        <searchQuery pattern="/search?" />



SafeSearchConfiguration.xml can be altered to support additional search engines (by adding a new provider) or changing a level of enforcement (e.g., from strict to moderate). If altered, the file must be manually distributed over all members of the affected array and the firewall service must be restarted.

Author: Dima Datsenko

Reviewers: Dotan Elharrar, David Strausberg