Excluding sources and destinations from HTTPS inspection
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic describes how to exclude domains, Web sites, and categories of Web sites, as well as internal clients, from HTTPS inspection.
Note
HTTPS inspection is incompatible with connections to external SSTP servers, and servers requiring client authentication. If you are aware of such a server, it is recommended that you add it to the Destination Exceptions list.
For privacy and legal reasons you may want to exclude specific URLs, or categories of URLs, such as financial and health sites, from inspection. Use the instructions below to exclude destinations from inspection.
To exclude destinations from HTTPS inspection
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, click Configure HTTPS Inspection.
3. On the Destination Exceptions tab, click Add.
4. In the Add Network Entries dialog box, do the following:
   a. If necessary, click New and create a URL Category Set or Domain Name Set to exclude from inspection.
   b. Select the URL categories, URL category sets, and domain names that you want to exclude from HTTPS scans.
   c. Click Add after each selection, and when finished, click Close.
5. By default, Forefront TMG still validates the HTTPS certificate of each Web site excluded from HTTPS inspection, which provides some minimal security even though the traffic itself is not inspected. If you do not want Forefront TMG to perform this certificate check for a given site, click the site, and then click No Validation.
To exclude internal clients from HTTPS inspection
1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
2. In the Tasks pane, click Configure HTTPS Inspection.
3. On the Source Exceptions tab, click Add.
4. In the Add Network Entries dialog box, do the following:
   a. If necessary, click New and create a Computer Set or Computer to exclude from inspection.
   b. Select the computers and computer sets that you want to exclude from HTTPS scans.
   c. Click Add after each selection, and when finished, click Close.
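The two procedures above produce three possible outcomes for an outbound HTTPS connection: full inspection, an excluded destination whose server certificate is still validated, or a connection that is passed through untouched (an excluded client, or a destination marked No Validation). The following Python model, added here as an illustration and not Forefront TMG code, shows how those outcomes follow from a small exception policy and what the "minimal security" certificate check still catches. The evaluation order (source exceptions first), the wildcard semantics of Domain Name Set entries, and the sample policy, certificate and addresses are all constructed assumptions.

```python
"""Illustrative model of TMG-style HTTPS-inspection exceptions.
Added example, not Forefront TMG code; evaluation order and wildcard
semantics are assumptions and are marked as such below."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Action(Enum):
    INSPECT = "inspect"                # full HTTPS inspection of the tunnel
    VALIDATE_ONLY = "validate-only"    # excluded destination, certificate still checked
    BYPASS = "bypass"                  # tunnel passed through untouched


@dataclass
class DestinationException:
    name: str
    domains: frozenset        # Domain Name Set entries, e.g. "*.contoso.com"
    categories: frozenset     # URL categories, e.g. "Finance"
    validate_certificate: bool = True   # False once "No Validation" is clicked


@dataclass
class SourceException:
    name: str
    networks: tuple           # Computer / Computer Set entries as ip_network objects


def domain_matches(pattern: str, host: str, match_apex: bool = True) -> bool:
    """Match a Domain Name Set entry against a host name.
    Assumption: '*.example.com' covers every subdomain and (match_apex) the apex."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    apex = pattern[2:]
    if host == apex:
        return match_apex
    return host.endswith("." + apex)


def decide(client_ip: str, host: str, category: Optional[str],
           dest_exceptions, source_exceptions) -> Action:
    """Evaluate a CONNECT from client_ip to host.
    Assumption: source exceptions are checked first and always bypass inspection;
    the first matching destination exception decides validate-only vs. bypass."""
    ip = ipaddress.ip_address(client_ip)
    for src in source_exceptions:
        if any(ip in net for net in src.networks):
            return Action.BYPASS
    for dst in dest_exceptions:
        if category in dst.categories or any(domain_matches(p, host) for p in dst.domains):
            return Action.VALIDATE_ONLY if dst.validate_certificate else Action.BYPASS
    return Action.INSPECT


def certificate_is_valid(cert: dict, host: str, now: datetime, trusted_issuers) -> bool:
    """The 'minimal security' a validate-only tunnel still gets: trusted issuer,
    inside the validity window, and a subject name covering the host
    (a wildcard name matches exactly one extra label, as in RFC 6125)."""
    if cert["issuer"] not in trusted_issuers:
        return False
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False
    host_l = host.lower()
    for name in cert["subject_names"]:
        name = name.lower()
        if name == host_l:
            return True
        if name.startswith("*.") and host_l.endswith(name[1:]) \
                and host_l.count(".") == name.count("."):
            return True
    return False


# --- Constructed sample policy and certificate (not from any real deployment) ---
FINANCE_HEALTH = DestinationException(
    "Privacy sites", frozenset({"*.bank.example"}), frozenset({"Finance", "Health"}))
SSTP_SERVER = DestinationException(
    "External SSTP", frozenset({"sstp.vpn.example"}), frozenset(), validate_certificate=False)
EXEMPT_CLIENTS = SourceException(
    "Legal department", (ipaddress.ip_network("10.1.2.0/24"),))
POLICY_DEST = (FINANCE_HEALTH, SSTP_SERVER)
POLICY_SRC = (EXEMPT_CLIENTS,)
TRUSTED_ISSUERS = frozenset({"Example Root CA"})
CHECK_TIME = datetime(2011, 6, 1)      # inside the sample certificate's validity
EXPIRED_TIME = datetime(2013, 1, 1)    # after the sample certificate has expired

SAMPLE_CERT = {   # constructed certificate summary for online.bank.example
    "issuer": "Example Root CA",
    "subject_names": ["*.bank.example"],
    "not_before": datetime(2011, 1, 1),
    "not_after": datetime(2012, 1, 1),
}


if __name__ == "__main__":
    for ip, host, cat in [("10.1.1.5", "www.shop.example", "Shopping"),
                          ("10.1.1.5", "online.bank.example", "Finance"),
                          ("10.1.1.5", "sstp.vpn.example", None),
                          ("10.1.2.7", "www.shop.example", "Shopping")]:
        print(f"{ip:10} -> {host:22} {decide(ip, host, cat, POLICY_DEST, POLICY_SRC).value}")
    print("cert ok:", certificate_is_valid(SAMPLE_CERT, "online.bank.example",
                                           CHECK_TIME, TRUSTED_ISSUERS))
```

Running the script shows the shopping site being inspected, the bank site excluded but still subject to the certificate check, the SSTP server and the exempt client subnet bypassed entirely. The certificate check is deliberately separate from the policy decision so that the difference between "excluded with validation" and "No Validation" is visible: an expired, untrusted or mis-named certificate is still rejected for the former and never examined for the latter.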