Bing Safe Search, ISA Server and Forefront TMG
[LEFT][CODE]http://blogs.technet.com/isablog/archive/2009/06/19/bing-safe-search-isa-server-and-forefront-tmg.aspx[/CODE]
[SIZE=3][B]Introduction[/B][/SIZE]
With the release of Microsoft’s new search portal (AKA decision engine), the Bing team has offered a couple of methods by which you can filter out unwanted content, generally classified as “explicit”. Unfortunately, the first method outlined in [URL="http://www.bing.com/community/blogs/search/archive/2009/06/04/smart-motion-preview-and-safesearch.aspx"]the Bing blog[/URL] doesn’t help ISA or TMG users. To make this easier for firewall and proxy administrators, the Bing team created a new subdomain, explicit.bing.net. In this posting, I’ll show you how to use that new method in your ISA and TMG policies.
[SIZE=3][B]TMG URL Categories (TMG Beta 3 and later only)[/B][/SIZE]
[B]<Update 5 Jun 2009>[/B]
At the request of the Bing team, Microsoft Reputation Services has categorized [I]*.explicit.bing.net[/I] and [I]explicit.bing.net[/I] as "Pornography", so the manual steps below are only required if you do not use the URL categorization provided by Microsoft Reputation Services.
[B]</Update>[/B]
TMG Beta 3 brings with it the long-awaited URL categories feature. In concert with Microsoft Reputation Services and their many partners, TMG allows you to block content you or your organization consider inappropriate. This process will help you add the new Bing explicit sites to that set.
1. In the TMG management console, select [B]Firewall Policy[/B]
2. In the right pane:
   a. Select the [B]Toolbox[/B] tab
   b. Expand [B]Network Objects[/B], then [B]URL Categories[/B]
3. Right-click [B]Pornography[/B] (or whichever category you prefer) and select [B]Properties[/B]
4. In the [B]URL Categories Properties[/B] page:
   a. Click [B]Add[/B]
   b. In the [B]URL Categories Override[/B] dialog, enter [I]explicit.bing.net/*[/I], click [B]OK[/B]
   c. Click [B]Add[/B]
   d. In the [B]URL Categories Override[/B] dialog, enter [I]*.explicit.bing.net/*[/I], click [B]OK[/B]
5. Your modified URL category should appear as shown below
[IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3256887/original.aspx[/IMG]
6. Click [B]OK[/B] to close the URL Category Properties page
Ideally, you would have allowed TMG to build a default blocked URL category set as part of the Web Access Policy wizard. If you’ve already created your Web Access policy set using this option, your Web Access policy set will include a Blocked Web Destinations “deny” access rule as shown below:
[IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3256542/original.aspx[/IMG]
If you don’t have this rule and you’re willing to completely rewrite your Web Access Policy, use the Configure Web Access Policy wizard to create a default Web Access policy that includes this set. Otherwise…
7. In the TMG management console left pane, select [B]Firewall Policy[/B]
8. In the center pane, select the first-listed access rule (this ensures that the new rule is listed first)
9. In the left pane, right-click [B]Firewall Policy[/B] and select [B]New[/B], then [B]Access Rule[/B]
10. In the [B]Welcome[/B] page, enter [I]Deny Porn[/I] and click [B]Next[/B]
11. In the [B]Rule Action[/B] page, select [B]Deny[/B] and click [B]Next[/B]
12. In the [B]Protocols[/B] page, click [B]Add[/B]
13. In the [B]Add Protocols[/B] page:
   a. Expand [B]Web[/B]
   b. Select [B]HTTP[/B], then click [B]Add[/B]
   c. Select [B]HTTPS[/B], then click [B]Add[/B], then click [B]Close[/B]
14. In the [B]Protocols[/B] page, click [B]Next[/B]
15. In the [B]Access Rule Sources[/B] page, click [B]Add[/B]
16. In the [B]Add Network Entities[/B] page:
   a. Expand [B]Network Sets[/B]
   b. Select [B]All Protected Networks[/B], click [B]Add[/B]
   c. Click [B]Close[/B]
17. In the [B]Access Rule Sources[/B] page, click [B]Next[/B]
18. In the [B]Access Rule Destinations[/B] page, click [B]Add[/B]
19. In the [B]Add Network Entities[/B] page:
   a. Expand [B]URL Categories[/B]
   b. Select [B]Pornography[/B], click [B]Add[/B]
   c. Click [B]Close[/B]
20. In the [B]Access Rule Destinations[/B] page, click [B]Next[/B]
21. In the [B]User Sets[/B] page, click [B]Next[/B]
22. In the [B]Completing the New Access Rule Wizard[/B] page, verify that the summary data is correct, and then click [B]Finish[/B]; your new rule should appear immediately above the previously-selected access rule.
[SIZE=3][B]TMG Beta 2 or ISA Server Domain Name Sets[/B][/SIZE]
If you don’t want to mess with URL Categories (or you haven’t upgraded from TMG B2 yet – fer shame on ya), or you’re still using ISA Server, then you need to use domain name sets in a deny rule.
1. In the management console, select [B]Firewall Policy[/B]
2. In the right pane:
   a. Select the [B]Toolbox[/B] tab
   b. Expand [B]Network Objects[/B]
   c. Select [B]New[/B], then [B]Domain Name Set[/B]
3. In the [B]New Domain Name Set Policy Element[/B] page:
   a. Enter [I]Bing Explicit[/I] in the Name field
   b. Click [B]Add[/B]
   c. In the center pane, enter [I]explicit.bing.net[/I], click [B]Add[/B]
   d. In the center pane, enter [I]*.explicit.bing.net[/I], click [B]OK[/B]
4. Your modified Domain Name Set should appear as shown below
[IMG]http://blogs.technet.com/photos/repository_ii_for_isa_blog_figures/images/3256540/original.aspx[/IMG]
5. Click [B]OK[/B] to close the [B]New Domain Name Set Policy Element[/B] page
6. In the management console left pane, select [B]Firewall Policy[/B]
7. In the center pane, select the first-listed access rule (this ensures that the new rule is listed first)
8. In the left pane, right-click [B]Firewall Policy[/B] and select [B]New[/B], then [B]Access Rule[/B]
9. In the [B]Welcome[/B] page, enter [I]Deny Bing Explicit[/I] and click [B]Next[/B]
10. In the [B]Rule Action[/B] page, select [B]Deny[/B] and click [B]Next[/B]
11. In the [B]Protocols[/B] page, click [B]Add[/B]
12. In the [B]Add Protocols[/B] page:
   a. Expand [B]Web[/B]
   b. Select [B]HTTP[/B], then click [B]Add[/B]
   c. Select [B]HTTPS[/B], then click [B]Add[/B], then click [B]Close[/B]
13. In the [B]Protocols[/B] page, click [B]Next[/B]
14. In the [B]Access Rule Sources[/B] page, click [B]Add[/B]
15. In the [B]Add Network Entities[/B] page:
   a. Expand [B]Network Sets[/B]
   b. Select [B]All Protected Networks[/B], click [B]Add[/B]
   c. Click [B]Close[/B]
16. In the [B]Access Rule Sources[/B] page, click [B]Next[/B]
17. In the [B]Access Rule Destinations[/B] page, click [B]Add[/B]
18. In the [B]Add Network Entities[/B] page:
   a. Expand [B]Domain Name Sets[/B]
   b. Select [B]Bing Explicit[/B], click [B]Add[/B]
   c. Click [B]Close[/B]
19. In the [B]Access Rule Destinations[/B] page, click [B]Next[/B]
20. In the [B]User Sets[/B] page, click [B]Next[/B]
21. In the [B]Completing the New Access Rule Wizard[/B] page, verify that the summary data is correct, and then click [B]Finish[/B]; your new rule should appear immediately above the previously-selected access rule.
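Added example (not part of the original post and not ISA/TMG code): a small Python model of the two entries used in both procedures above, run over proxy log lines to confirm that nothing in the set was let through. It assumes that a leading [I]*.[/I] covers subdomains but not the bare domain, which is why both entries are added; the log layout, the sample lines and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# The two entries added in the procedures above.
BING_EXPLICIT = ["explicit.bing.net", "*.explicit.bing.net"]

# Constructed sample, simplified "<action> <target>" layout (not the real ISA/TMG log format).
SAMPLE_LOG = [
    "Denied http://explicit.bing.net/th?id=1",
    "Denied http://ts1.explicit.bing.net/images/a.jpg",
    "Allowed http://www.bing.com/search?q=firewall",
    "Allowed EXPLICIT.bing.net:443",                  # HTTPS request the rule should have denied
    "Allowed http://notexplicit.bing.net/",           # different host, outside the set
    "Allowed http://explicit.bing.net.example.com/",  # different domain, outside the set
]

def host_matches(host, pattern):
    """Assumed semantics: '*.' covers any subdomain but never the bare domain."""
    host = host.lower().rstrip(".")  # host names are case-insensitive
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Must end with ".explicit.bing.net" and have at least one label in front of it.
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern

def in_set(host, patterns=BING_EXPLICIT):
    return any(host_matches(host, p) for p in patterns)

def host_of(target):
    """Host from a logged URL or from a 'host:port' HTTPS CONNECT target."""
    return urlsplit(target if "://" in target else "//" + target).hostname or ""

def audit(log_lines, patterns=BING_EXPLICIT):
    """Return the log lines whose destination is in the set but was not denied."""
    misses = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        action, target = fields[0], fields[1]
        if in_set(host_of(target), patterns) and action.lower() != "denied":
            misses.append(line)
    return misses

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print("not denied:", line)
```

Passing only the wildcard entry as [I]patterns[/I] makes the audit miss the bare-domain request, which is the gap the first entry closes.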
[SIZE=3][B]All Done[/B][/SIZE]
In the center pane, click [B]Apply[/B] to enforce your new policy. When prompted, enter a description for this change (hey - the URL for this blog could work) and click [B]OK[/B].
Jim Harrison, Program Manager, Forefront Edge CS
[B]Tech Reviewers[/B]
Chris Rayner, Sr Program Manager, Search
Mike Dean, Sr Product Mgr, Search
Yuri Diogenes, Support Engineer, Forefront Edge
Mohit Saxena, Tech Lead, Forefront Edge
[/LEFT]