About Web proxy clients

Web proxy clients make HTTP, HTTPS, or FTP-over-HTTP download requests to the TCP port on which Microsoft Forefront Threat Management Gateway listens for outbound Web requests in the client network. A Web proxy client is any application that:

  • Is CERN-compatible. That is, it understands the correct method for making a Web proxy request.
  • Provides a means for clients to specify a name (or IP address) and port to be used for Web proxy requests.

Typically, clients are Web browser applications that comply with HTTP/1.1. Either the browser specifies Forefront TMG as a proxy, or the browser obtains proxy settings from another server.

Web proxy requests

HTTP requests

When a CERN-compliant Web browser makes a URL request specifying either the HTTP protocol or no protocol, the following occurs:

  1. The browser sends an HTTP GET request, containing the URL, to the host and port specified in its proxy settings.
  2. The HTTP GET request reaches Forefront TMG, and the Microsoft Firewall service evaluates access rules associated with the HTTP protocol in order to find a matching rule. If a rule is found, the Firewall service performs any name resolution required for the request.
  3. The Firewall service passes the request to the Web proxy filter, which forwards the request to the Internet Web server. The Web proxy filter provides application-layer inspection and caching for such requests.
  4. Forefront TMG does not limit the port to which the Web proxy filter may forward requests.

HTTPS requests

When a CERN-compliant Web browser makes a URL request using the HTTPS protocol, the following occurs:

  1. The Web browser sends the following HTTP CONNECT request: CONNECT host_name:port HTTP/1.1.
  2. The CONNECT request reaches Forefront TMG, and the Firewall service evaluates the access rules.
  3. If the request passes the check, it is passed to the Web proxy filter to determine whether the port specified in the request is included in a tunnel port range defined by Forefront TMG.
  4. If the port is included in the range, the Web proxy service sends the request to the TCP port specified on the destination host to open a connection. Forefront TMG informs the client when the connection is established.
  5. The client sends encrypted packets directly to the destination on the specified TCP port, without mediation by the Web proxy filter.
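The two request paths above differ in what the proxy can control: a forwarded GET is inspected and has no port restriction, while a CONNECT tunnel is not inspected and is gated only by the access rules and the tunnel port range. The following Python sketch is an added example, not code from the original documentation or from Forefront TMG. The function names, the sample tunnel port ranges, and the rule_allows callback that stands in for access-rule evaluation are all assumptions.

```python
from urllib.parse import urlsplit

# Assumed sample tunnel port ranges (inclusive); not read from a real TMG.
TUNNEL_PORT_RANGES = [(443, 443), (563, 563)]
DEFAULT_PORTS = {"http": 80, "ftp": 21}

def parse_request_line(line):
    """Return (method, host, port, kind) for a CERN-style proxy request line."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # CONNECT carries host_name:port only; the port is mandatory.
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host_name:port")
        host, port, kind = host.strip("[]"), int(port), "tunnel"
    else:
        # HTTP and FTP-over-HTTP requests carry the full URL.
        url = urlsplit(target)
        if url.scheme not in DEFAULT_PORTS or not url.hostname:
            raise ValueError("proxy request needs an absolute http/ftp URL")
        host, port, kind = url.hostname, url.port or DEFAULT_PORTS[url.scheme], "forward"
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return method, host, port, kind

def decide(line, rule_allows=lambda host, port: True):
    """Mirror the documented order: access rules first, then the filter."""
    try:
        method, host, port, kind = parse_request_line(line)
    except ValueError as exc:
        return f"reject: {exc}"
    if not rule_allows(host, port):
        return "deny: no matching access rule"
    if kind == "forward":
        # No port restriction here; the filter inspects the request.
        return f"forward {method} to {host}:{port} (inspected)"
    if not any(lo <= port <= hi for lo, hi in TUNNEL_PORT_RANGES):
        return "deny: port outside tunnel port range"
    # After this point the proxy only relays bytes it cannot inspect.
    return f"tunnel to {host}:{port} (not inspected)"

if __name__ == "__main__":
    for sample in ("GET http://example.com:8081/a HTTP/1.1",  # constructed input
                   "CONNECT example.com:443 HTTP/1.1",
                   "CONNECT example.com:22 HTTP/1.1"):
        print(sample, "->", decide(sample))
```

Because the tunnel payload is opaque to the proxy, the port range and the access rules are the only points at which a CONNECT request can be refused.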

For more information, see Configuring Web proxy clients.