Managing HTTPS inspection certificates

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to install and deploy HTTPS inspection certificates for the inspection of HTTPS traffic, including prerequisites and configuration procedures. These steps are not required if you implement HTTPS inspection for certificate validation only.

Prerequisites

  • In order to inspect HTTPS traffic, a certification authority (CA) certificate must be placed on the Forefront TMG server, and deployed to all client computers. For information on how you can obtain the certificate, see Planning for HTTPS inspection.

  • In an array that is managed by an Enterprise Manager Server (EMS), the certificate must be installed on each of the arrays that are managed by the EMS.

  • When using a local or public CA certificate, the certificate must be trusted on the Forefront TMG server.

  • Automatic certificate deployment requires Forefront TMG to be deployed in a domain environment; in a workgroup environment, you deploy the certificate manually on each client computer.

  • For applications that use proprietary certificate stores, for example, Mozilla Firefox, you must manually deploy the certificate, including deployment to domain users.

  • To notify users that HTTPS traffic is being inspected, Forefront TMG Client must be installed on the client computers.

Configuration overview

Managing HTTPS inspection certificates requires two steps:

  1. Placing a CA certificate on the Forefront TMG server; this certificate serves as the HTTPS inspection certificate. For information, see Placing the HTTPS inspection certificate on the Forefront TMG server.

  2. Deploying the HTTPS inspection certificate to client computers, and placing it in client computers’ Trusted Root Certification Authorities certificate store. For information, see Deploying the HTTPS inspection certificate to client computers.

Placing the HTTPS inspection certificate on the Forefront TMG server

The following procedures describe how to place the HTTPS inspection certificate on the Forefront TMG server. You should select the method that is appropriate for the certificate you wish to use.

  • Generating a self-signed certificate

  • Importing a local or public CA certificate

Generating a self-signed certificate

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and then, in the Tasks pane, click Configure HTTPS Inspection.

  2. In the HTTPS Outbound Inspection dialog box, on the General tab, under HTTPS Inspection Certificate Settings, select Use Forefront TMG to generate a certificate, and then click Generate.

  3. On the Generate Certificate dialog box, you can customize certificate details; for example, enter a custom name for the HTTPS inspection certificate, or select an expiration date. After you enter the required details, click Generate Certificate Now.

  4. On the Certificate dialog box, click OK.

    Important

    Do not click Install Certificate.

The next step is to deploy the certificate to client computers. Leave the HTTPS Outbound Inspection dialog box open, and go to Deploying the HTTPS inspection certificate to client computers.

Importing a local or public CA certificate

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and then, in the Tasks pane, click Configure HTTPS Inspection.

  2. In the HTTPS Outbound Inspection dialog box, on the General tab, under HTTPS Inspection Certificate Settings, select Import a certificate, click Import, and then use the Open dialog box to select the certificate you want to import.

The next step is to deploy the certificate to client computers. Leave the HTTPS Outbound Inspection dialog box open, and go to Deploying the HTTPS inspection certificate to client computers.

Deploying the HTTPS inspection certificate to client computers

You can use one of the following methods to deploy the certificate to client computers:

  • Automatically, via Active Directory Domain Services (AD DS). For information, see Deploying the HTTPS inspection certificate automatically.

  • If you are not using AD DS, you must manually install the certificate on each client computer, and place it in the computer’s Trusted Root Certification Authorities certificate store. For information, see Deploying the HTTPS inspection certificate manually.

Note

This procedure describes how to deploy the HTTPS inspection certificate to client computers running a Web browser that uses Windows certificate stores, for example, Internet Explorer. To configure other Web browsers to trust the certificate, refer to the Web browser's documentation.

Deploying the HTTPS inspection certificate automatically

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and then, in the Tasks pane, click Configure HTTPS Inspection.

  2. In the HTTPS Outbound Inspection dialog box, on the General tab, click HTTPS Inspection Trusted Root CA Options.

  3. On the Certificate Deployment Options dialog box, select Automatically through Active Directory (recommended), and then click Domain administrator credentials.

  4. On the Microsoft Threat Management Gateway dialog box, enter the credentials, and then click OK.

    Note

    The credentials you enter must have sufficient privileges to update AD DS, and allow for running processes on Forefront TMG.

  5. Close the Certificate Deployment Options and HTTPS Outbound Inspection dialog boxes. On the Apply Changes bar, click Apply. No further configuration is necessary; the certificate is forwarded to Active Directory and deployed to client computers automatically.

    Important

    • Deployment to client computers occurs after the group policy is applied; this can take up to eight hours.

    • Until client computers receive the certificate, accessing HTTPS Web sites will generate a warning message in Internet Explorer. To prevent this, it is recommended that you temporarily disable HTTPS inspection. You can do this by clicking Configure HTTPS Inspection in the Tasks pane of the Web Access Policy node, and then clearing the check box Enable HTTPS inspection. When deployment has finished, reenable HTTPS inspection.

Deploying the HTTPS inspection certificate manually

The manual deployment of the HTTPS inspection trusted root CA certificate requires two actions:

  1. Exporting the certificate from Forefront TMG.

  2. Importing the certificate to each client computer. This operation requires administrative rights on the client computer.

To export the certificate

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node, and then, in the Tasks pane, click Configure HTTPS Inspection.

  2. In the HTTPS Outbound Inspection dialog box, on the General tab, click HTTPS Inspection Trusted Root CA Options.

  3. On the Certificate Deployment Options dialog box, select Manually on each client computer, click Export to file, and then use the Save As dialog box to export the certificate.

To import the certificate to a client computer

  1. On the client computer, click Start, click All Programs, click Accessories, and then click Run.

  2. Type MMC, and then press ENTER.

  3. In the Microsoft Management Console, click the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  4. On the Certificates snap-in dialog box, select Computer Account, and then click Next. In the Add or Remove Snap-ins window, click OK. The Add or Remove Snap-ins window closes.

  5. In the Select Computer window, ensure that Local computer is selected, and then click Finish.

  6. In the Microsoft Management Console, in the Logical Store Name pane, right-click Trusted Root Certification Authorities, click All Tasks, and then click Import.

  7. In the Certificate Import Wizard, browse to the file that you saved when you exported the certificate, and then click Next.

  8. On the Certificate Store page, make sure that all certificates are placed in the Trusted Root Certification Authorities certificate store, click Next, and then click Finish.
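The following PowerShell script is an added example and is not part of the Forefront TMG documentation. It performs the same manual import as the MMC steps above (placing the exported file in the computer's Trusted Root Certification Authorities store) and then verifies the result, which is also a useful check after automatic deployment through AD DS. The file path and the certificate name pattern are assumed placeholders; run it in an elevated PowerShell session on the client.

```powershell
# Added example (not from the Forefront TMG documentation): import an exported
# HTTPS inspection root CA certificate into LocalMachine\Root and verify it.
param(
    [string]$CertPath = 'C:\Temp\TMG-HttpsInspection.cer',   # assumed: file produced by "Export to file"
    [string]$ExpectedSubjectPattern = '*Forefront TMG*'       # assumed: name chosen in the Generate Certificate dialog
)

# Load the exported certificate so its identity can be checked before trusting it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires   : $($cert.NotAfter)"

# Only a CA certificate belongs in the Root store; refuse anything else
$isCa = $false
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
        $isCa = $ext.CertificateAuthority
    }
}
if (-not $isCa) { throw "File is not a CA certificate; not adding it to Trusted Root Certification Authorities." }

# Open the computer account's Trusted Root Certification Authorities store (LocalMachine\Root)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        Write-Host "Added certificate to LocalMachine\Root."
    } else {
        Write-Host "Certificate already present in LocalMachine\Root."
    }
} finally {
    $store.Close()
}

# Verification: the store must now contain the expected inspection root, matched by thumbprint
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint -and $_.Subject -like $ExpectedSubjectPattern }
if ($installed) {
    Write-Host "Verified: the HTTPS inspection root CA is trusted by this computer."
} else {
    throw "Verification failed: certificate not found in LocalMachine\Root."
}
```

Matching on the thumbprint rather than only the subject name ensures the client trusts exactly the certificate exported from Forefront TMG and not another certificate with a similar name.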

Concepts

Configuring HTTPS inspection in Forefront TMG secure Web gateway