Configuring malware inspection content delivery

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how you can shape the user experience while Web content is scanned for malware. Because malware inspection may cause a delay in the delivery of content from the server to the client, Forefront TMG sends portions of the content as the files are inspected. This process, called trickling, helps prevent the client application from reaching a time-out limit before the entire content is downloaded and inspected.

An alternative content delivery method is called progress notification. Instead of sending portions of the requested content during malware inspection, Forefront TMG sends an HTML page to the client, informing the user that the requested content is being inspected, and displaying an indicator of the download and inspection progress. After download and inspection of the content are completed, the page informs the user that the content is ready, and displays a button for downloading the content.

Note

When you apply the progress notification delivery method, after a user downloads a file, clicking Back in the browser window may cause the file to display as a page in binary format.

The following procedure describes how to configure malware inspection content delivery.

To configure malware inspection content delivery

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. On the Tasks tab, click Configure Malware Inspection, and then click the Content Delivery tab.

  3. Under Default Content Delivery Method for Scanned Content, select one of the following:

    • Standard trickling—Forefront TMG keeps most of the file on the server, but sends small amounts of data to the client application in order to preserve the connection. The entire file is scanned before it is sent to the user.

      Note

      If you selected standard trickling as your default content delivery method, you can configure specific content types to be processed for progress notification, and others for fast trickling.

    • Fast trickling—Forefront TMG sends the data as fast as possible to the user, but holds back the last part in order to complete the scan before completing the transfer. This method requires more resources from the Forefront TMG server, but also provides a better experience for the user.

      Note

      If you selected fast trickling as your default content delivery method, you can configure certain content types to be processed for progress notification.

  4. To specify content types that should trigger a progress notification HTML page, do the following:

    1. Click Use progress notification instead of the default content delivery method for the selected content types.

    2. Click Content Types for Progress Notification, and then in the Content Types Displaying Progress Notifications Properties window, click the Content Types tab.

    3. In Available types, either type a content type in the box, or select content types to add to the default list, and then click Add. To remove a content type, select it in the Selected types list, and then click Remove.

    4. When you have finished specifying the content types, click OK.

  5. To specify content types that use the fast trickling delivery method, do the following:

    1. Click Use fast trickling for the selected content types.

    2. Click Content Types for Fast Trickling, and then in the Content Types for Fast Trickling Properties window, click the Content Types tab.

    3. In Available types, either type a content type in the box, or select content types to add to the default list, and then click Add. To remove a content type, select it in the Selected types list, and then click Remove.

    4. When you have finished specifying the content types, click OK.

  6. Click OK, and then on the Apply Changes bar, click Apply.

Concepts

Configuring malware inspection
Planning to protect against malicious web content