Enabling and configuring the HTTPS inspection feature
Applies To: Forefront Threat Management Gateway (TMG)
The following procedures describe how to enable and configure the HTTPS inspection feature in Forefront TMG:
- Enabling HTTPS inspection
- Excluding sites and computers from HTTPS inspection
- Configuring the certificate validation policy
Enabling HTTPS inspection
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, click Configure Web Access Policy.
3. On the HTTPS Inspection Settings page of the Web Access Policy Wizard, select Allow users to establish HTTPS connections to Web sites, and then select the required protection type.
4. The step you take next depends on the selected protection type:
   - If you selected Inspect HTTPS traffic and validate HTTPS site certificates, continue with the next step of this procedure.
   - If you selected Do not inspect HTTPS traffic, but validate the HTTPS site certificate, this procedure is complete. Click Next to proceed to the next step of the wizard. At the end of the wizard, click Finish, and then, on the Apply Changes bar, click Apply. Go to Configuring the certificate validation policy.
5. On the HTTPS Inspection Preferences page of the wizard, select whether you want to notify users that HTTPS traffic is being inspected.
   Important: If you choose to enable user notifications, enable HTTPS inspection notifications in Forefront TMG Client on all client computers by selecting Notify me when content sent to secure Web sites is inspected on the Secure Connection Inspection tab.
6. On the HTTPS Inspection Preferences page of the wizard, select whether you want to create the HTTPS inspection certificate by using Forefront TMG, customize certain aspects of the certificate (such as its name), or import an existing certificate. For details, see Managing HTTPS inspection certificates.
7. On the Certificate Deployment Preferences page of the wizard, select whether to deploy the HTTPS inspection trusted root certification authority certificate automatically via Active Directory, or manually, by exporting and importing the certificate.
   Note: When using Active Directory to deploy the HTTPS inspection certificate to client computers, in the Domain administrator username box, enter the name in the format Domain\Username. The domain in which the user accounts are defined must be the same domain to which Forefront TMG is joined. For details, see Managing HTTPS inspection certificates.
8. Continue advancing through the wizard, and at the end of the wizard, click Finish. On the Apply Changes bar, click Apply.
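Once the wizard has been applied, two things are worth confirming from a client computer: that the inspection root CA certificate actually reached the Trusted Root store (step 7), and that an HTTPS request sent through the proxy now presents a certificate issued by that CA rather than by the site's public CA. The following PowerShell script is an added example and is not part of the Forefront TMG documentation or product; the CA subject pattern, proxy address and test URL are assumed values that you replace with your own.

```powershell
# Added example (not from the Forefront TMG documentation): verify on a client
# computer that the HTTPS inspection root CA was deployed and that a request
# through the proxy is being inspected. All parameter defaults are assumptions.
param(
    [string]$InspectionCaSubjectPattern = '*HTTPS Inspection*',   # assumed: part of the inspection CA subject
    [string]$ProxyUrl = 'http://tmg.corp.example:8080',            # assumed: Forefront TMG Web proxy listener
    [string]$TestUrl  = 'https://www.example.com/'                 # assumed: a site that is NOT on Destination Exceptions
)

# 1. Is the inspection root CA present in the machine's Trusted Root store?
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $InspectionCaSubjectPattern }
if (-not $rootCa) {
    Write-Warning "No certificate matching '$InspectionCaSubjectPattern' in LocalMachine\Root; inspected sites will produce certificate errors on this client."
} else {
    $rootCa | ForEach-Object {
        "Trusted root found: $($_.Subject) (thumbprint $($_.Thumbprint), expires $($_.NotAfter))"
    }
}

# 2. Send a request through the proxy and examine the certificate the client received.
#    With inspection active, the issuer is the TMG inspection CA, not the site's public CA.
$request = [System.Net.HttpWebRequest]::Create($TestUrl)
$request.Proxy  = New-Object System.Net.WebProxy($ProxyUrl)
$request.Method = 'HEAD'
try {
    $response = $request.GetResponse()
    $response.Close()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $request.ServicePoint.Certificate
    "Certificate presented for $TestUrl"
    "  Subject: $($cert.Subject)"
    "  Issuer : $($cert.Issuer)"
    if ($cert.Issuer -like $InspectionCaSubjectPattern) {
        "  Result : connection is being inspected by Forefront TMG"
    } else {
        "  Result : site is not inspected (excluded, or inspection disabled)"
    }
} catch [System.Net.WebException] {
    # TrustFailure is the symptom of a client that has not received the inspection CA.
    Write-Warning "Request failed: $($_.Exception.Message)"
    if ($_.Exception.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Warning "TrustFailure: the inspection CA is not trusted on this computer; revisit certificate deployment."
    }
}
```

Run it in an elevated Windows PowerShell session on a domain-joined client after the Active Directory deployment has had time to replicate; a TrustFailure with an empty Trusted Root result points at deployment, while a public-CA issuer on a site you expected to be inspected points at the Destination Exceptions list or the selected protection type.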
Excluding sites and computers from HTTPS inspection
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, click Configure HTTPS Inspection.
3. To exclude sites from inspection, on the Destination Exceptions tab, click Add.
4. In the Add Network Entries dialog box, select the URL categories, URL category sets, and domain names that you want to exclude from HTTPS inspection, and then click Add. If you want to exclude a category set or domain set that is not on the existing lists, click New and create the required set.
5. When you have finished adding sites, click Close.
6. By default, Forefront TMG checks the validity of the HTTPS certificate for all sites, including sites that you exclude from inspection. If you do not want Forefront TMG to perform this security check for a given site, click the site, and then click No Validation.
7. To exclude computers from inspection, on the Source Exceptions tab, click Add.
8. In the Add Network Entries dialog box, select the computers and computer sets that you want to exclude from HTTPS inspection, and then click Add. If you want to exclude a computer or computer set that is not on the existing lists, click New and create the required entry. When you have finished adding computers, click Close.
Configuring the certificate validation policy
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, under Web Protection Tasks, click Configure HTTPS Inspection.
3. On the Certificate Validation tab, adjust the certificate validation settings as necessary.
   Note: For Forefront TMG to check whether a certificate has been revoked, the system policy rule "Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)" must be enabled. If this rule is not enabled, Forefront TMG can allow access to HTTPS sites without validating the certificate revocation status.
4. If the protection type you selected when you enabled HTTPS inspection includes inspecting HTTPS traffic, select the Destination Exceptions tab and review the list of HTTPS sites that are excluded from inspection. By default, Forefront TMG checks the validity of the certificates for these sites. If you do not want Forefront TMG to validate the certificate of a site excluded from HTTPS inspection, click the site, and then click No Validation.
5. Click OK, and then, on the Apply Changes bar, click Apply.
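The note about the CRL download rule is easier to reason about when you can see what a revocation check looks like when it succeeds, fails, or cannot complete. The following PowerShell script is an added example, not part of the Forefront TMG documentation or product: it retrieves a site's certificate and builds its chain with online revocation checking using the .NET X509Chain class, so you can compare what a validating proxy would see with and without outbound access to the CRL distribution points. Run it from a host with direct outbound HTTP access, such as the Forefront TMG server itself; the site host name is an assumed value.

```powershell
# Added example (not from the Forefront TMG documentation): perform the chain and
# revocation validation that a validating proxy needs for an HTTPS site, and
# distinguish "revoked" from "revocation status could not be determined".
# The destination host is an assumed value.
param(
    [string]$SiteHost = 'www.example.com',  # assumed destination site
    [int]$Port = 443
)

# Retrieve the server certificate. The callback returns $true only so that the
# handshake completes; validation is done explicitly with X509Chain below.
$client = New-Object System.Net.Sockets.TcpClient($SiteHost, $Port)
$ssl = New-Object System.Net.Security.SslStream(
    $client.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
try {
    $ssl.AuthenticateAsClient($SiteHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
} finally {
    $ssl.Dispose()
    $client.Close()
}

# Build the chain with online revocation checking for every certificate in it,
# which is what requires the CRL (and OCSP) URLs to be reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationTime  = Get-Date
$chainOk = $chain.Build($leaf)

"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Expires : $($leaf.NotAfter)"
"Chain OK: $chainOk"
foreach ($status in $chain.ChainStatus) {
    "  $($status.Status): $($status.StatusInformation.Trim())"
}

# Combine all status flags and classify the outcome the way a policy would.
$flagsType = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$combined = 0
foreach ($status in $chain.ChainStatus) { $combined = $combined -bor [int]$status.Status }

if (($combined -band [int]$flagsType::Revoked) -ne 0) {
    Write-Warning "Certificate is revoked; a validating proxy should block this site."
} elseif (($combined -band ([int]$flagsType::RevocationStatusUnknown -bor [int]$flagsType::OfflineRevocation)) -ne 0) {
    # This is the state the CRL download system policy rule exists to prevent:
    # the chain itself may be fine, but revocation could not be verified.
    Write-Warning "Revocation status could not be determined; confirm that the CRL download system policy rule is enabled and the CRL URLs are reachable."
} elseif (-not $chainOk) {
    Write-Warning "Chain validation failed for a reason other than revocation (see status lines above)."
} else {
    "Certificate chain and revocation status verified."
}
```

To see the difference the system policy rule makes, run the script once with outbound HTTP allowed and once with it blocked at the firewall: the second run reports RevocationStatusUnknown or OfflineRevocation rather than a clean result, which is exactly the gap the note describes when the rule is disabled.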
Related Topics
Concepts
Configuring HTTPS inspection in Forefront TMG secure Web gateway