Filter Requirements for Forefront TMG Client Computers

Application filters can work with Forefront TMG Client computers, Firewall clients, and SecureNAT clients. This topic describes specific design considerations for filters that must work with Forefront TMG Client computers, which also apply to filters that must work with Firewall clients. For information about designing filters to work with SecureNAT clients, see Filter Requirements for SecureNAT Clients.

To handle connect requests for outgoing primary connections from Forefront TMG Client computers, the filter must register for events originating from Forefront TMG Client computers. Use the fwxSourceWSP value of the FwxFirewallEventSource enumerated type to register for Forefront TMG Client events. A filter designed to handle requests from both Forefront TMG Client computers and SecureNAT clients should use the macro FWX_ALL_SOURCES to include both values.

To allow a Forefront TMG Client computer to receive a secondary inbound connection, use IFWXSession::RetroactiveAllowBind. Use this method because the client application may have already bound a socket on the Microsoft Firewall service, and the filter should use that socket. IFWXSession::RetroactiveAllowBind enables the previously created bind by associating it with a protocol, and also tests whether the client application bound a Firewall service socket. If the client application did not bind a Firewall service socket, IFWXSession::RetroactiveAllowBind will fail. Therefore, the filter should also call IFWXSession::BindForClient. IFWXSession::BindForClient lets a client application receive an inbound connection when the Forefront TMG Client computer failed to create a remote socket for that application's bind call.

Build date: 7/12/2010