Enable Authentication for SafeSearch Enforcement Rule in Forefront TMG 2010

February 28, 2013

SafeSearch enforcement in Forefront TMG 2010 is a simple and effective way to prevent users on your network from accessing explicit adult content via popular search engines. Enabling SafeSearch enforcement is accomplished by opening the Forefront TMG 2010 management console, highlighting the Web Access Policy node in the navigation tree, clicking the Configure SafeSearch link in the Tasks pane and selecting the option to Enable SafeSearch.

When SafeSearch is enabled, a rule is created that grants access to all users from the Internal network to all sites in the Search Engines category.

Effectively, this grants unauthenticated access to many search engines, including Bing, Google, and Yahoo. This access is broad and lets anonymous users reach a considerable amount of content, which might not be desirable in some environments. Unfortunately, the users for this rule cannot be changed in the GUI. However, they can be changed programmatically using COM and VBScript. For example, the following code changes the users from All Users to All Authenticated Users.

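' FPC enumeration constants (FpcIncludeStatus) are not predefined in VBScript.
Const fpcInclude = 0
Dim Root, TmgArray, Rule   ' TmgArray avoids clashing with VBScript's built-in Array function
Set Root = CreateObject("FPC.Root")
Set TmgArray = Root.GetContainingArray()
Set Rule = TmgArray.ArrayPolicy.PolicyRules("SafeSearch")
' Add the new user set before removing the old one.
Rule.AccessProperties.UserSets.Add "All Authenticated Users", fpcInclude
Rule.AccessProperties.UserSets.RemoveSpecified "All Users"
' Persist the change to the configuration store.
Rule.Save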

Important Note: This change is not officially supported by Microsoft. If you make this change it may potentially cause other issues, so please proceed with caution.

Once the script has completed, the SafeSearch rule applies to All Authenticated Users and prevents unwanted anonymous access to web sites categorized as Search Engines.

  1. March 2, 2013 at 7:57 am

    Is adding “All Authenticated Users” just an example? Could other groups within AD be added as well?

  2. March 3, 2013 at 9:40 am

    Absolutely. If you have a specific group for Internet users you can just substitute that in my example here.

  3. Chris
    December 6, 2013 at 5:53 am


    I’ve implemented the safe search, and it works just fine on Bing and Yahoo. Google has been very problematic though.

    My ISA logs indicate that https traffic is being picked up by the safe search rule, but the safe search string is not appended, http is fine though.

    I tried to block encrypted.google.com, but ISA 2010 seems unable to block https domains, despite https inspection being turned on.

  4. December 6, 2013 at 7:32 pm

    Since Google uses SSL/TLS for their search this will prevent Forefront TMG from filtering it properly unless you have HTTPS inspection enabled. Recall that with SSL the proxy can’t see the full URL including the path, which is where the safe search enforcement really happens.
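
The HTTPS behaviour discussed in the comments above, as an added example (not part of the original post or its comments, and not TMG's own code): a forward proxy can rewrite a plain HTTP search URL, sees only host and port in a CONNECT request, and can rewrite again once HTTPS inspection exposes the inner request. The query parameters, function names and sample request lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Widely documented strict-filter query parameters. That a filtering proxy
# appends exactly these is an assumption of this sketch.
SAFE_PARAMS = {
    "google.com": ("safe", "active"),
    "bing.com": ("adlt", "strict"),
    "search.yahoo.com": ("vm", "r"),
}

def safe_param_for(host):
    """Return the (name, value) pair for a search-engine host, or None."""
    host = host.lower().rstrip(".")
    for domain, param in SAFE_PARAMS.items():
        if host == domain or host.endswith("." + domain):
            return param
    return None

def enforce(request_line, inspected_host=None):
    """Rewrite one proxy request line; return None if the URL is not visible.

    inspected_host is the Host header of a request decrypted by HTTPS
    inspection; in that case the line carries only a path and query.
    """
    method, target, version = request_line.split()
    if method == "CONNECT":
        # Only host:port is visible; path and query travel inside the tunnel.
        return None
    # Rebuild an absolute URL when the request came out of an inspected tunnel.
    base = "https://" + inspected_host if inspected_host else ""
    url = urlsplit(base + target)
    param = safe_param_for(url.hostname or "")
    if param is None:
        return request_line
    # Drop any client-supplied value, then force the strict one.
    query = [(k, v) for k, v in parse_qsl(url.query, keep_blank_values=True) if k != param[0]]
    query.append(param)
    url = url._replace(query=urlencode(query))
    new_target = f"{url.path}?{url.query}" if inspected_host else urlunsplit(url)
    return f"{method} {new_target} {version}"

# Constructed sample request lines, as a forward proxy would receive them.
PLAIN = "GET http://www.google.com/search?q=test&safe=off HTTP/1.1"
TUNNEL = "CONNECT www.google.com:443 HTTP/1.1"
INNER = "GET /search?q=test HTTP/1.1"  # visible only after HTTPS inspection

if __name__ == "__main__":
    for line, host in ((PLAIN, None), (TUNNEL, None), (INNER, "www.google.com")):
        print(enforce(line, inspected_host=host))
```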
