TMG 2010: how to block HTTPS access to certain sites

Tags: microsoft-ftmg-2010, windows-firewall

Just installed Forefront TMG 2010 and set up firewall rules. My company's policy requires blocking access to webmail sites like Gmail, Yahoo Mail, etc. So I added these webmail domain names to a domain name set and put that domain name set in the Exception box of the web access rule (on the To tab). So now, when a user types http://gmail.com, an error page shows up saying that the site is blocked by TMG. However, if the user types https://gmail.com, the Gmail login page loads, and after entering username/password, he can log in! I was trying to use URL sets to define the exception, but unfortunately, the URL set only works on HTTP, not HTTPS.

I can look up the IPs of the Gmail servers and block traffic to those IPs. But most webmail sites have a range of IPs; it is tedious, to say the least, to enumerate all of them, plus the IPs could change all the time. Is there a better solution?

Best Answer

Look at enabling HTTPS inspection, and push out the Forefront TMG client to set up your workstations so the browser's proxy values are set correctly. A great many of Forefront's more advanced features require the web browser to be correctly configured to use the Forefront server as a proxy.

Also, there is an existing Web Mail URL category you can block without having to create your own. You should have gone through a setup process that involved setting blocked URL categories. You can add webmail as one of those categories.
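A check worth running after following the answer above, from a workstation that has the TMG client (or manually configured proxy settings): send HTTPS requests for the webmail sites and a control site through the TMG web proxy, and report whether each one is refused, what HTTP status comes back, and who issued the certificate the client actually received. When HTTPS inspection is active, allowed sites present a certificate issued by the TMG HTTPS inspection CA rather than by the site's own CA, so the issuer tells you whether inspection is in effect; a trust failure means the inspection CA is not yet in the workstation's root store. This is an added example, not code from the original post or from Microsoft; the proxy address, the site list and the CA name pattern are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): verify HTTPS webmail blocking and
# HTTPS inspection from a workstation, via the TMG web proxy.
# Assumed/hypothetical values: proxy URL, site list and inspection CA name pattern.
param(
    [string]$ProxyUrl = "http://tmg.corp.example:8080",            # assumption
    [string[]]$Sites = @("https://gmail.com/", "https://mail.yahoo.com/",
                         "https://www.microsoft.com/"),             # last one is a control site
    [string]$InspectionCaPattern = "Forefront TMG"                   # assumption: part of the inspection CA name
)

function Test-HttpsViaProxy {
    param([string]$Url, [string]$ProxyUrl, [string]$CaPattern)

    $r = [ordered]@{ Site = $Url; Outcome = $null; Status = $null; Issuer = $null; Inspected = $false }

    $proxy = New-Object System.Net.WebProxy($ProxyUrl, $true)
    $proxy.UseDefaultCredentials = $true          # TMG web proxy is often set to require Windows auth

    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Proxy = $proxy
    $req.Timeout = 10000
    $req.AllowAutoRedirect = $false               # a 3xx still proves the site was reachable
    $req.UserAgent = "tmg-https-check/1.0"

    try {
        $resp = $req.GetResponse()
        $r.Outcome = "ALLOWED"
        $r.Status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response) {
            # An HTTP error came back, either from the proxy refusing the CONNECT
            # or from the TMG block page returned inside the inspected session.
            $r.Status = [int]$ex.Response.StatusCode
            $r.Outcome = if ($r.Status -ge 400) { "BLOCKED" } else { "ERROR" }
            $ex.Response.Close()
        } elseif ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # TLS handshake completed but the chain is not trusted: typically the
            # TMG inspection CA has not been pushed to this workstation's root store.
            $r.Outcome = "TRUST-FAILURE"
        } else {
            $r.Outcome = "ERROR ($($ex.Status))"
        }
    }

    # The server certificate the client received, if a TLS handshake took place at all.
    # A site blocked at the CONNECT stage never completes a handshake and shows no issuer.
    $cert = $req.ServicePoint.Certificate
    if ($cert) {
        $r.Issuer = $cert.Issuer
        $r.Inspected = ($cert.Issuer -match $CaPattern)
    }
    [pscustomobject]$r
}

$Sites |
    ForEach-Object { Test-HttpsViaProxy -Url $_ -ProxyUrl $ProxyUrl -CaPattern $InspectionCaPattern } |
    Format-Table -AutoSize
```

Read the output as a table: the webmail sites should show BLOCKED, the control site ALLOWED with Inspected set to True once HTTPS inspection is on and the inspection CA is trusted. An ALLOWED webmail site with an issuer belonging to the provider rather than to the TMG CA means the request is not being inspected (and is passing the rule), which is the situation described in the question.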