About policy enforcement
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
When you apply changes to the firewall policy or to network rules, Forefront TMG ensures that all existing client connections comply with the new policy or rules, and terminates connections that are not allowed.
In the Forefront TMG Management console, configuration changes are applied only when you click the Apply button on the Apply Changes bar, which appears automatically whenever you make configuration changes.
Policy enforcement takes place when a connection is established, and when the following rule elements change:
From (source) address and port.
To (destination) addresses, names, and URLs.
Schedule—When a firewall policy rule or a network rule includes a schedule, Forefront TMG continuously checks whether connections matching that rule have passed the end of that schedule, and terminates a connection when it expires. Note that expiry can be caused by a change in policy, or by a change in the time on the Forefront TMG server.
User Sets and Content Types that are used to evaluate policy when the connection is first established are also used for reevaluation.
If you modify rule elements that are not going to be reevaluated, such as User Sets or Content Types that were not originally used for evaluation, and you want to ensure that no existing connections violate the new policy, then you should end client sessions manually in the Forefront TMG Management console (as described in Monitoring client sessions), or restart the firewall service.
Note the following:
Reevaluation of existing HTTP sessions takes place the first time there is a traffic exchange along the corresponding connection. Thus, it is possible that some HTTP sessions may exist in the Session Monitoring view, even if they are not allowed by the new policy, as long as they do not pass any traffic.
Custom policy elements associated with application filters are not considered in policy reevaluation. For example, if you add an interface to an RPC definition used in a deny rule, existing connections to that interface will not be terminated. Similarly, if you disable an SMTP command in the SMTP Filter, existing connections that use that command will not be terminated.
Modifications to protocol definitions (changes in protocol properties or the addition of new protocols) do not affect existing connections. A connection is associated with a specific protocol (such as HTTP or FTP) only during connection establishment, and this association remains unchanged for the lifetime of the connection. For example, if a connection was associated with the FTP protocol (port 21) and later another protocol element with the same port 21 was added, the connection will still match policy rules containing the FTP protocol, and will not match policy rules that do not contain the FTP protocol, even if they contain the newly defined protocol.
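The following is an added, constructed model of the behaviour described on this page (it is not Forefront TMG code, and the rule, address and protocol names are made up): a connection binds its protocol once at establishment, and reevaluation after a policy change rechecks the source address and schedule but never the protocol binding, so a new protocol definition on port 21 leaves an open FTP connection untouched while a schedule or source change terminates it.

```python
from dataclasses import dataclass

# Constructed model of the reevaluation rules documented above; not Forefront TMG code.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    protocols: frozenset    # protocol names the rule covers
    sources: frozenset      # source addresses the rule covers
    hours: tuple = (0, 24)  # schedule as [start_hour, end_hour)

@dataclass
class Connection:
    src: str
    dst_port: int
    protocol: str = ""      # bound once at establishment, never rebound

def establish(src, dst_port, protocols):
    """Bind the new connection to the first protocol definition (name -> port) for its port."""
    for name, port in protocols.items():
        if port == dst_port:
            return Connection(src, dst_port, name)
    raise ValueError(f"no protocol definition for port {dst_port}")

def evaluate(conn, rules, hour):
    """First-match evaluation on bound protocol, source and schedule; implicit deny."""
    for r in rules:
        if (conn.protocol in r.protocols and conn.src in r.sources
                and r.hours[0] <= hour < r.hours[1]):
            return r.action
    return "deny"

def apply_policy(conns, rules, hour):
    """Reevaluate open connections; return those the firewall would terminate."""
    return [c for c in conns if evaluate(c, rules, hour) != "allow"]

def scenario():
    """Returns how many of one open FTP connection each kind of change terminates."""
    conn = establish("10.0.0.5", 21, {"FTP": 21})
    allow_ftp = Rule("Allow FTP", "allow", frozenset({"FTP"}), frozenset({"10.0.0.5"}))
    # New protocol on port 21 plus a deny rule for it: conn stays bound to FTP, still allowed.
    deny_new = Rule("Deny NewProto", "deny", frozenset({"NewProto"}), frozenset({"10.0.0.5"}))
    by_protocol = apply_policy([conn], [deny_new, allow_ftp], hour=12)
    # A schedule change is reevaluated: outside the new hours the connection is cut.
    office_hours = Rule("Allow FTP", "allow", frozenset({"FTP"}), frozenset({"10.0.0.5"}), (8, 18))
    by_schedule = apply_policy([conn], [office_hours], hour=20)
    # A source-address change is reevaluated too: dropping the client address cuts it.
    other_src = Rule("Allow FTP", "allow", frozenset({"FTP"}), frozenset({"10.0.0.9"}))
    by_source = apply_policy([conn], [other_src], hour=12)
    return len(by_protocol), len(by_schedule), len(by_source)
```

Changes to elements the model does not recheck (here the protocol binding; on TMG also filter-specific elements and user sets or content types not used at establishment) are exactly the cases where sessions must be ended manually or the firewall service restarted.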