Enabling and configuring the HTTPS inspection feature

Applies To: Forefront Threat Management Gateway (TMG)

The following procedures describe how to enable and configure the HTTPS inspection feature in Forefront TMG:

  • Enabling HTTPS inspection

  • Excluding sites and computers from HTTPS inspection

  • Configuring the certificate validation policy

Enabling HTTPS inspection

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy.

  3. On the HTTPS Inspection Settings page of the Web Access Policy Wizard, select Allow users to establish HTTPS connections to Web sites, and then select the required protection type.

    The step you take next depends on the selected protection type:

    • If you selected Inspect HTTPS traffic and validate HTTPS site certificates, continue with the next step of this procedure.

    • If you selected Do not inspect HTTPS traffic, but validate the HTTPS site certificate, this procedure is complete. Click Next to proceed to the next step of the wizard. At the end of the wizard, click Finish and then, on the Apply Changes bar, click Apply. Go to Configuring the certificate validation policy.

  4. On the HTTPS Inspection Preferences page of the wizard, select whether you want to notify users that HTTPS traffic is being inspected.

    Important

    If you select to enable user notifications, enable HTTPS inspection notifications on Forefront TMG Client on all client computers, by selecting Notify me when content sent to secure Web sites is inspected on the Secure Connection Inspection tab.

  5. On the HTTPS Inspection Preferences page of the wizard, select whether you want to create the HTTPS inspection certificate by using Forefront TMG, customize certain aspects of the certificate (such as its name), or import an existing certificate. For details, see Managing HTTPS inspection certificates.

  6. On the Certificate Deployment Preferences page of the wizard, select whether to deploy the HTTPS inspection trusted root certification authority certificate automatically via Active Directory, or manually, by exporting and importing the certificate.

    Note

    When using Active Directory to deploy the HTTPS inspection certificate to client computers, in the Domain administrator username box, enter the name in the format Domain\Username. Note that the domain in which the user accounts are defined must be the same domain to which Forefront TMG is joined. For details, see Managing HTTPS inspection certificates.

  7. Continue advancing through the wizard, and at the end of the wizard, click Finish. On the Apply Changes bar, click Apply.

Excluding sites and computers from HTTPS inspection

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure HTTPS Inspection.

  3. To exclude sites from inspection, on the Destination Exceptions tab, click Add.

  4. In the Add Network Entries dialog box, select the URL categories, URL category sets, and domain names that you want to exclude from HTTPS inspection, and then click Add. If you want to exclude a category set or domain name set that is not on the existing lists, click New and create the required set.

    When you have finished adding sites, click Close.

  5. By default, Forefront TMG inspects the validity of the HTTPS certificate for all sites, including sites that you exclude from inspection. If you do not want Forefront TMG to perform this security check for a given site, click the site, and then click No Validation.

  6. To exclude computers from inspection, on the Source Exceptions tab, click Add.

  7. In the Add Network Entries dialog box, select the computers and computer sets that you want to exclude from HTTPS inspection, and then click Add. If you want to exclude a computer or computer set that is not on the existing lists, click New and create the required entry. When you have finished adding computers, click Close.

Configuring the certificate validation policy

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, under Web Protection Tasks, click Configure HTTPS Inspection.

  3. On the Certificate Validation tab, adjust the certificate validation settings as necessary.

    Note

    In order for Forefront TMG to check if a certificate has been revoked, the system policy rule "Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)" must be enabled. If this rule is not enabled, Forefront TMG can allow access to HTTPS sites without validating the certificate revocation status.

  4. If the protection type you selected when you enabled HTTPS inspection includes inspecting HTTPS traffic, select the Destination Exceptions tab, and review the list of HTTPS sites that are excluded from inspection. By default, Forefront TMG checks the validity of the certificates for these sites. If you do not want Forefront TMG to validate the certificate of a site excluded from HTTPS inspection, click the site, and then click No Validation.

  5. Click OK, and then on the Apply Changes bar, click Apply.
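The two procedures above (destination and source exceptions, and the per-site No Validation setting) combine into one decision per HTTPS connection. The following is an added model of that decision written for this page, not Forefront TMG code or its COM API; the class, method and sample values are constructed, and where the page is silent (certificate validation for clients listed under Source Exceptions) it assumes the default, which is to validate. It also lists the sites whose validity check has been switched off, which is the entry an administrator reviewing the Destination Exceptions tab most needs to see.

```python
import ipaddress
from fnmatch import fnmatchcase

# Protection types offered on the HTTPS Inspection Settings page (constructed labels).
INSPECT_AND_VALIDATE = "inspect_and_validate"   # Inspect HTTPS traffic and validate certificates
VALIDATE_ONLY = "validate_only"                 # Do not inspect, but validate the site certificate


class HttpsInspectionPolicy:
    """Hypothetical model of the TMG exception lists described in this article."""

    def __init__(self, protection_type):
        self.protection_type = protection_type
        self.destination_exceptions = {}   # domain pattern -> validate certificate (bool)
        self.source_exceptions = []        # client networks excluded from inspection

    def exclude_destination(self, pattern, validate=True):
        # Destination Exceptions tab; clicking "No Validation" corresponds to validate=False.
        self.destination_exceptions[pattern.lower()] = validate

    def exclude_source(self, network):
        # Source Exceptions tab; computers and computer sets, modelled here as IP networks.
        self.source_exceptions.append(ipaddress.ip_network(network, strict=False))

    def _destination_match(self, host):
        host = host.lower()
        for pattern, validate in self.destination_exceptions.items():
            if fnmatchcase(host, pattern):
                return True, validate
        return False, True            # not excluded: inspected and validated by default

    def evaluate(self, client_ip, host):
        """Return (inspected, certificate_validated) for one client/site pair."""
        if self.protection_type == VALIDATE_ONLY:
            return False, True        # nothing is inspected; every certificate is validated
        excluded, validate = self._destination_match(host)
        if any(ipaddress.ip_address(client_ip) in net for net in self.source_exceptions):
            # Assumption: a source exception bypasses inspection but keeps validation.
            return False, True
        return (not excluded), validate

    def no_validation_sites(self):
        """Sites excluded from inspection whose certificate check is also disabled."""
        return sorted(p for p, v in self.destination_exceptions.items() if not v)


if __name__ == "__main__":
    policy = HttpsInspectionPolicy(INSPECT_AND_VALIDATE)
    policy.exclude_destination("*.bank.example")                 # excluded, still validated
    policy.exclude_destination("legacy.example", validate=False)  # excluded, No Validation
    policy.exclude_source("10.0.5.0/24")                         # constructed client range
    print(policy.evaluate("10.0.1.7", "online.bank.example"), policy.no_validation_sites())
```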

Concepts

Configuring HTTPS inspection in Forefront TMG secure Web gateway