I recently (and almost accidentally) saw an error in the alert tab in ForeFront TMG today that said:
Description: The number of HTTP requests per minute from the source IP address 10.136.17.176 exceeded the configured limit. Forefront TMG will block new HTTP requests sent from this IP address. This event indicates that this IP address probably belongs to an infected host. See the product documentation for more information about Forefront TMG flood mitigation.
After a quick look at the IP address, it turned out that it was someone from my team who was intensively testing a web service and therefore generating a lot of traffic. I therefore decided to configure ForeFront flood mitigation in order to get rid of this error.
To do so, you need to:
- Go into “Intrusion Prevention System” in ForeFront Admin console.
- Select the second tab called “Behavioral Intrusion Detection” and click “Configure Flood Mitigation Settings”.
- A screen pops up and you can configure several settings. In my case, my error was about a large number of HTTP requests per second. I’ll then look at the “Maximum HTTP Requests” and click the Edit button.
- The default values appear. You’ll notice that we distinguish the “limit” and the “Custom limit”. I decided not to change those values, but to add my developer to the “IP Exceptions” list so that he can benefit from a 6000 limit as opposed to the default 600 one. So I clicked Cancel to escape this screen and go to the place where I can add some IP exceptions.
- So I went to the IP Exceptions tab where I can add a list of computers that will be treated as exceptions. Since I want all my local computers (not just the one that was blocked initially) to benefit from this exception, I created a new “Computer Set” with an address range from 10.136.0.0 to 10.136.255.255 (all my computers are sitting within this private IP range).
- Click OK and then the top ribbon to get the changes committed.
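
Before widening the exception to a whole range, it helps to see which hosts the change actually affects. The following Python sketch is an added example, not part of the original post and not TMG code: it applies the 600 and 6000 limits and the 10.136.0.0 to 10.136.255.255 computer set from the steps above to constructed request records. The function names and the fixed calendar-minute counting window are assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

LIMIT = 600           # default "Maximum HTTP Requests" limit quoted in the post
CUSTOM_LIMIT = 6000   # custom limit that applies to IP exceptions
# Computer set created in the post: 10.136.0.0 to 10.136.255.255
EXC_FIRST = ipaddress.ip_address("10.136.0.0")
EXC_LAST = ipaddress.ip_address("10.136.255.255")

def limit_for(ip):
    """Limit that applies to a source IP once the exception set exists."""
    in_set = EXC_FIRST <= ipaddress.ip_address(ip) <= EXC_LAST
    return CUSTOM_LIMIT if in_set else LIMIT

def evaluate(records):
    """records: (ISO timestamp, source IP) pairs. Returns per-IP peak and verdicts."""
    per_minute = Counter()
    for ts, ip in records:
        # Assumption: requests are counted in fixed calendar-minute windows.
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        per_minute[(ip, minute)] += 1
    report = {}
    for (ip, _minute), n in per_minute.items():
        row = report.setdefault(ip, {"peak": 0, "limit": limit_for(ip)})
        row["peak"] = max(row["peak"], n)
    for row in report.values():
        row["over_default"] = row["peak"] > LIMIT    # would have raised the alert
        row["blocked"] = row["peak"] > row["limit"]  # still blocked after the change
    return report

def sample_records():
    """Constructed request records (not real TMG log data)."""
    def burst(ip, minute, count):
        return [("2024-01-01T10:%02d:%02d" % (minute, i % 60), ip) for i in range(count)]
    return (burst("10.136.17.176", 0, 900)    # the developer's test host
            + burst("10.136.17.176", 1, 100)
            + burst("10.136.4.20", 0, 7000)   # internal host above the custom limit
            + burst("10.136.9.9", 0, 50)      # ordinary internal host
            + burst("192.168.5.9", 0, 650))   # source outside the computer set

if __name__ == "__main__":
    for ip, row in sorted(evaluate(sample_records()).items()):
        print(ip, row)
```

Hosts reported with `over_default` true and `blocked` false are the ones the exception set silences, so they are worth reviewing one by one rather than assuming they are all test traffic.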