Configuring the certificate validation policy
Published: November 15, 2009
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
This topic describes how to configure an HTTPS site certificate validation policy. After you have enabled HTTPS inspection, Forefront TMG examines the certificate for each secure Web site that is accessed by a client computer. You can configure whether certificates are validated for all HTTPS sites or only for specific HTTPS sites, and configure the parameters that define when a certificate is considered invalid. For more information about certificate validation, see Planning for HTTPS inspection.
To configure the certificate validation policy
In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
In the Tasks pane, click Configure HTTPS Inspection.
On the General tab, make sure that Enable HTTPS inspection is selected, and then select one of the following:
- Inspect traffic and validate site certificates—This is the default setting.
- Do not inspect traffic, but validate site certificates—Select this option to check only the validity of secure Web site certificates.
On the Certificate Validation tab, adjust the certificate validation settings as necessary.
On the Destination Exceptions tab, review the list of HTTPS sites that are not subject to inspection. By default, Forefront TMG checks the validity of the certificates for these sites. If you do not want Forefront TMG to validate the certificate of a site excluded from HTTPS inspection, click the site, and then click No Validation.
Note: For information about excluding URL categories, URL category sets, and domain names from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.
Click OK, and then on the Apply Changes bar, click Apply.
Note: In order for Forefront TMG to check whether a certificate has been revoked, the system policy rule "Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)" must be enabled. If this rule is not enabled, Forefront TMG allows access to HTTPS sites without validating the certificate revocation status.