Excluding sources and destinations from HTTPS inspection

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to exclude domains, Web sites, and categories of Web sites, as well as internal clients, from HTTPS inspection.

Note

HTTPS inspection is incompatible with connections to external SSTP servers and to servers that require client authentication. If you are aware of such a server, it is recommended that you add it to the Destination Exceptions list.

Excluding sites from HTTPS inspection

For privacy and legal reasons, you may want to exclude specific URLs, or categories of URLs such as financial and health sites, from inspection. Use the following procedure to exclude destinations from inspection.

To exclude sites from HTTPS inspection

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure HTTPS Inspection.

  3. On the Destination Exceptions tab, click Add.

  4. On the Add Network Entries dialog box, do the following:

    1. If necessary, click New and create a URL Category Set or Domain Name Set to exclude from inspection.

    2. Select the URL categories, URL category sets, and domain names that you want to exclude from HTTPS scans.

    3. Click Add after each selection, and when finished, click Close.

  5. By default, Forefront TMG inspects the validity of the HTTPS certificate for each of the Web sites excluded from HTTPS inspection, thereby providing some minimal security. If you do not want Forefront TMG to perform this security check for a given site, click the site, and then click No Validation.

Excluding clients from HTTPS inspection

To exclude clients from HTTPS inspection

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure HTTPS Inspection.

  3. On the Source Exceptions tab, click Add.

  4. On the Add Network Entries dialog box, do the following:

    1. If necessary, click New and create a Computer Set or Computer to exclude from inspection.

    2. Select the computers and computer sets that you want to exclude from HTTPS scans.

    3. Click Add after each selection, and when finished, click Close.
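The two exception lists described above can be reviewed with a small model of how they combine. This is an added example, not Forefront TMG code or its API. The policy entries, the `*.suffix` wildcard form, and the choice to check source exceptions before destination exceptions are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Forefront TMG code or its API.
from ipaddress import ip_address, ip_network

# Constructed sample policy. Names and addresses are placeholders.
DESTINATION_EXCEPTIONS = [
    # (domain pattern, validate_certificate)
    ("*.bank.example", True),            # default: certificate still validated
    ("legacy.partner.example", False),   # marked "No Validation" (step 5)
]
SOURCE_EXCEPTIONS = ["10.0.5.0/24", "10.0.9.17"]  # Computer Set / Computer


def domain_matches(pattern, host):
    """Exact match, or '*.suffix' matching any subdomain (assumed form)."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    return host == pattern


def decide(client_ip, host):
    """Return how the model treats one HTTPS connection."""
    addr = ip_address(client_ip)
    if any(addr in ip_network(src) for src in SOURCE_EXCEPTIONS):
        return "not inspected (source exception)"
    for pattern, validate in DESTINATION_EXCEPTIONS:
        if domain_matches(pattern, host):
            if validate:
                return "not inspected, certificate validated"
            return "not inspected, no certificate validation"
    return "inspected"


def audit():
    """List exceptions that deserve review: no validation, or broad scope."""
    findings = []
    for pattern, validate in DESTINATION_EXCEPTIONS:
        if not validate:
            findings.append((pattern, "No Validation set"))
        if pattern.startswith("*."):
            findings.append((pattern, "wildcard covers all subdomains"))
    for src in SOURCE_EXCEPTIONS:
        net = ip_network(src)
        if net.num_addresses > 1:
            findings.append((src, f"{net.num_addresses} addresses uninspected"))
    return findings
```

Calling `audit()` on the sample policy flags the wildcard entry, the No Validation entry, and the /24 source range, which are the exceptions that remove the most inspection coverage.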

Next Steps

Notifying users that HTTPS traffic is being inspected

Concepts

Configuring HTTPS inspection