About compression and HTTPS traffic

Microsoft Forefront Threat Management Gateway provides secure handling of compressed HTTPS traffic and inspection of that traffic in a bridging scenario.

Inspection of HTTPS traffic

HTTPS traffic that is tunneled through Forefront TMG cannot be inspected. This is also true for compressed HTTPS traffic that is tunneled through Forefront TMG. However, in a bridging scenario, Forefront TMG performs inspection of HTTPS traffic in the following order:

  1. Decryption
  2. Decompression
  3. Inspection
  4. Encryption
  5. Compression

By using compression for HTTPS traffic, you can improve response efficiency, which is particularly important for HTTPS. This also enables Forefront TMG to cache security-neutral page elements (such as certain graphics), further improving efficiency.

Note that the bridging scenario requires a digital certificate for each Forefront TMG computer (in the branch office and in headquarters) and for published servers, as appropriate.

Compressed HTTPS traffic and browser security

Versions of Internet Explorer that predate recent security patches for Internet Explorer 6.0 decompress, decrypt, and store a local copy of compressed HTTPS traffic. This presents a security risk, particularly for information received on a public computer. For this reason, when one of those browsers requests compression, Forefront TMG returns uncompressed data. Requests that pass through some Web proxies may also result in Forefront TMG returning uncompressed data.
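A small Python model of the bridging order above and of the browser rule in this section, added here as an illustration and not part of Forefront TMG's own code: it shows why inspection has to follow decompression (a pattern in a gzip-compressed body is invisible to a scan of the compressed bytes) and a response-side decision that withholds compression from a legacy browser or a proxied request. The blocked-content marker, the "MSIE major version below 7" heuristic and the Via-header check are constructed assumptions, not TMG's actual logic.

```python
import gzip
import re
from typing import Optional, Tuple

# Constructed sample body and a constructed marker standing in for whatever
# the inspection policy is looking for (not a real signature).
SAMPLE_BODY = b"<html><body>quarterly report BLOCKED-MARKER</body></html>"
BLOCK_PATTERN = re.compile(rb"BLOCKED-MARKER")


def compress(body: bytes) -> bytes:
    """Gzip the body as an origin server with HTTP compression enabled would
    (mtime=0 keeps the output deterministic)."""
    return gzip.compress(body, mtime=0)


def inspect(body: bytes) -> bool:
    """True if the plaintext body passes inspection (no blocked content)."""
    return BLOCK_PATTERN.search(body) is None


def scan_compressed_bytes(compressed: bytes) -> bool:
    """What inspecting without decompressing looks like: the marker is hidden
    inside the gzip stream, so the scan wrongly reports the body as clean."""
    return inspect(compressed)


def bridge_response(compressed: bytes, send_compressed: bool) -> Tuple[bool, bytes]:
    """Model the middle of the bridging order for one already-decrypted hop:
    decompress -> inspect -> (re)compress. Returns (allowed, body to forward)."""
    plaintext = gzip.decompress(compressed)
    if not inspect(plaintext):
        return False, b""
    return True, (compress(plaintext) if send_compressed else plaintext)


def should_compress(user_agent: str, accept_encoding: str, via: Optional[str] = None) -> bool:
    """Decide whether to compress a response for this client. Assumptions, not
    TMG's real rule: any MSIE major version below 7 is treated as an unpatched
    Internet Explorer 6.0, and any Via header as an intervening Web proxy."""
    if "gzip" not in accept_encoding.lower():
        return False  # client did not ask for compression
    match = re.search(r"MSIE (\d+)", user_agent)
    if match and int(match.group(1)) < 7:
        return False  # legacy IE would keep a decrypted local copy of the page
    if via:
        return False  # the response would pass back through a Web proxy
    return True
```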