Forefront TMG Update 1: SafeSearch Enforcement by diTii


Configuring SafeSearch

To enable SafeSearch, do the following:

1. In the Forefront TMG Management console, click the Web Access Policy node, and in the Tasks pane,
click Configure SafeSearch.

2. On the General tab, click Enable SafeSearch.

3. If you want to disable SafeSearch enforcement for certain authenticated users, click on the Users tab
and add the users or user groups.

Note: You must enable URL filtering to use the SafeSearch feature on Forefront TMG, because
SafeSearch makes use of the Search Engines URL Category.

SafeSearch System Policy Rule

When SafeSearch is enabled for the first time, a system policy rule is created. This rule serves as a
container for the user white list and handles authentication when the list is not empty. The rule has the
following properties:

    • Protocols: HTTP/HTTPS
    • Source: Internal
    • Destination: Search Engines (URL Category)
    • Users: All Users with exclusion of users from the white list

After the rule is created for the first time, enabling or disabling SafeSearch will affect the rule state.

Enforcement is performed only for traffic matching this rule. The rule is identified by its internal ID and can
only be created by enabling SafeSearch in the Management console, or by calling
ConfigureSafeSearchRule in COM:

        interface IFPCPolicyRules2 : IFPCEEPolicyRules


        HRESULT ConfigureSafeSearchRule([out,retval] IFPCPolicyRule** ppVal);


This COM function returns a newly created or already existing SafeSearch rule, while resetting all its
properties to SafeSearch rule defaults. The default setting for this rule is to enforce SafeSearch for all
users, but it can be configured to exclude specific users or user groups.

Static Configuration

The feature has a configuration file "SafeSearchConfiguration.xml", located in the installation


          <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active">
              <searchQuery pattern="/search?" />
              <searchQuery pattern="/images?" />
          </provider>

          <provider domainPattern="" safeSearchSuffix="&amp;vm=r">
              <searchQuery pattern="/search?" />
              <searchQuery pattern="/search;" />
              <searchQuery pattern="/search/images?" />
              <searchQuery pattern="/search/images;" />
              <searchQuery pattern="/search/video?" />
              <searchQuery pattern="/search/video;" />
          </provider>

          <provider domainPattern="" safeSearchSuffix="&amp;adlt=strict">
              <searchQuery pattern="/search?" />
          </provider>


SafeSearchConfiguration.xml can be altered to support additional search engines (by adding a new
provider) or changing a level of enforcement (e.g., from strict to moderate). If altered, the file must be
manually distributed over all members of the affected array and the firewall service must be restarted.
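
To check an edited provider entry before distributing it, the following added Python example (not code from the original document or from Forefront TMG) models how a provider's domainPattern, searchQuery patterns and safeSearchSuffix combine into a rewritten URL. The `<providers>` root element, the function names, and the matching semantics (substring match on the host, prefix match on path plus query) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the Google provider entry shown on the page, wrapped in
# a hypothetical <providers> root so it parses as a standalone document.
SAMPLE_CONFIG = """<providers>
  <provider domainPattern=".google." safeSearchSuffix="&amp;safe=active">
    <searchQuery pattern="/search?" />
    <searchQuery pattern="/images?" />
  </provider>
</providers>"""


def load_providers(xml_text):
    """Parse provider entries into (domain_pattern, suffix, query_patterns)."""
    providers = []
    for node in ET.fromstring(xml_text).iter("provider"):
        domain = node.get("domainPattern", "")
        suffix = node.get("safeSearchSuffix", "")
        patterns = [q.get("pattern", "") for q in node.findall("searchQuery")]
        patterns = [p for p in patterns if p]
        # Assumption: with substring matching, an empty domainPattern would
        # match every host, so incomplete entries are skipped here.
        if domain and suffix and patterns:
            providers.append((domain, suffix, patterns))
    return providers


def enforce(url, providers):
    """Return url with the provider suffix appended when it is a search query."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not parts.query:
        return url  # no query string, nothing to enforce
    request = parts.path + "?" + parts.query
    for domain, suffix, patterns in providers:
        # Assumed semantics: substring match on host, prefix match on request.
        if domain in host and any(request.startswith(p) for p in patterns):
            if parts.query.endswith(suffix):
                return url  # enforced parameter is already last: idempotent
            # Append after any user-supplied parameters, before the fragment.
            return urlunsplit(parts._replace(query=parts.query + suffix))
    return url


if __name__ == "__main__":
    rules = load_providers(SAMPLE_CONFIG)
    for u in ("https://www.google.com/search?q=test&safe=off",
              "https://www.google.com/maps?q=test"):
        print(u, "->", enforce(u, rules))
```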
