Notifying users of HTTPS inspection

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to enable notification of HTTPS inspection to client computers that are running Forefront TMG Client, including prerequisites and configuration steps. Enabling client notification may be necessary to comply with corporate privacy policies.

Note

Client notification is not applicable if you implement HTTPS inspection for certificate validation only.

Prerequisites

  • To receive notifications of HTTPS inspection, client computers must have the HTTPS inspection trusted root certification authority (CA) certificate installed in the local computer Trusted Root Certification Authorities certificate store. If the certificate is not installed in this exact certificate store, the user will not receive balloon notifications of HTTPS inspection. For details, see Managing HTTPS inspection certificates.

  • Forefront TMG Clients can only receive HTTPS inspection notifications if the inspection is performed by a downstream proxy server, not by an upstream proxy server. To enable client notifications in a Web chaining scenario, make sure that HTTPS inspection is enabled on the downstream proxy.

  • The Allow Client Notifications system policy rule, which allows notifications to Forefront TMG Clients, is not dynamically updated with any networks other than the default networks: VPN, Quarantine and Internal. Use the system policy editor to manually add other networks containing Forefront TMG Clients to the destination networks of this rule.
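The first prerequisite can be checked on a client computer with a short script. The following PowerShell is an added example, not part of the original topic or of Forefront TMG; the `-Thumbprint` parameter and the `Test-StoreForCert` helper are assumptions of the example, and you must supply the thumbprint of your own HTTPS inspection CA certificate.

```powershell
# Added example: report which Root store holds the HTTPS inspection CA certificate.
param(
    # SHA-1 thumbprint of your HTTPS inspection CA certificate (supply your own value).
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Thumbprints copied from the certificate dialog often contain spaces or an
# invisible leading character, so keep only the hex digits.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($tp.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($tp.Length) hex digits."
}

# Hypothetical helper: look for the thumbprint in one certificate store.
function Test-StoreForCert([string]$StorePath) {
    $cert = Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $tp } |
        Select-Object -First 1
    New-Object PSObject -Property @{
        Store   = $StorePath
        Present = [bool]$cert
        Subject = $(if ($cert) { $cert.Subject } else { $null })
    }
}

$machine = Test-StoreForCert 'Cert:\LocalMachine\Root'
$user    = Test-StoreForCert 'Cert:\CurrentUser\Root'
$machine, $user | Format-Table Store, Present, Subject -AutoSize

# The machine store is tested first because the current-user view may also
# list certificates that are inherited from the local computer store.
if ($machine.Present) {
    Write-Output 'OK: CA certificate is in the local computer Trusted Root store.'
}
elseif ($user.Present) {
    Write-Warning ('CA certificate is only in the current user Trusted Root store. ' +
        'Balloon notifications require the local computer store.')
}
else {
    Write-Warning 'CA certificate was not found in either Trusted Root store.'
}
```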

Configuration steps

Enabling HTTPS inspection notifications requires the following procedures:

  1. Enabling HTTPS inspection notifications on Forefront TMG

  2. Enabling HTTPS inspection notifications on Forefront TMG Client

Enabling HTTPS inspection notifications on Forefront TMG

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure HTTPS Inspection.

  3. On the Client Notification tab, click Notify users that HTTPS inspection is being inspected, and then click OK.

Enabling HTTPS inspection notifications on Forefront TMG Client

  • On the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.

Concepts

Configuring HTTPS inspection in Forefront TMG secure Web gateway