Today I had to create a rule in ISA/TMG for a client to allow any computer to get out to the Windows Activation Servers without the user being given access to other websites. It was pretty simple but I thought I’d share with you all.
Basically all the rule has to do is to allow HTTP and HTTPS protocols out from All Protected Networks to 220.127.116.11 (this is a referrer server that MS use to direct it to another country/locality based activation server) and create both a Domain Name Set and a URL set for *.microsoft.com. I could have gone more precise with the *.microsoft.com but that might then break things in future if the activation servers change based on the referral server.
The rule looks like this.
Build the rule, apply it – wait a few minutes for TMG’s configuration to sync with the TMG Configuration Database and you should be good