Forefront TMG 2010 introduced a feature called HTTPS inspection, which allows inspecting HTTPS traffic in the same way as HTTP traffic.
Without HTTPS inspection, the client and server create an SSL tunnel and all traffic between them is encrypted. This prevents TMG from inspecting the traffic and protecting the user.
In HTTPS inspection mode, two SSL tunnels are created: client-TMG and TMG-server. Thus all traffic on the network is still encrypted, but TMG decrypts the traffic from the client, inspects it, re-encrypts it and sends it to the server, and vice versa. HTTPS inspection provides the following benefits:
· Server certificate is validated. Servers with invalid certificates are blocked.
· Forefront TMG policy is applied even for encrypted communications.
· Forefront TMG web filters are also applied to encrypted requests. In particular, the traffic is scanned with EMP, NIS and other Forefront TMG features to help protect from malware/vulnerabilities.
However, in some cases, HTTPS inspection cannot or shouldn’t be applied. This happens in some of the following cases:
For these reasons, Forefront TMG introduced two HTTPS exclusion mechanisms: destination exceptions and source exceptions.
In order to configure exclusion by destination, open the HTTPS inspection UI (Web access policy->Configure HTTPS inspection) and go to the “Destination exceptions” tab (see screenshot below).
You can add the following network objects to the destination exception list: DomainNameSets, UrlCategories and UrlCategorySets.
Destination exception matching is performed in the following way:
In order to configure exclusion by source, open the HTTPS inspection UI (Web access policy->Configure HTTPS inspection) and go to the “Source exceptions” tab (see screenshot below).
You can add the following network objects to the source exception list: Computers and Computer sets.
Source exception matching is performed in the following way:
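The following is an added example (not TMG code and not from the original post) that models how a connection is matched against the source and destination exception lists described above, together with the per-object validation mode and the service pack 1 source checkbox described later on the page. The object names, set members, the URL-category lookup, the wildcard domain semantics and the evaluation order (source exceptions before destination exceptions) are all constructed assumptions of the model.

```python
"""Model of Forefront TMG HTTPS inspection exception matching (added example,
not TMG code). Object names, members, the URL-category lookup and the
evaluation order are constructed assumptions."""
import ipaddress

# Source exceptions: Computer objects (one address) and Computer sets
# (subnets and address ranges). All values are constructed.
SOURCE_EXCEPTIONS = {
    "Finance-Server": ["10.0.5.20"],                       # Computer
    "Kiosk-Set": ["10.0.9.0/24", "10.0.10.5-10.0.10.9"],   # Computer set
}

# Destination exceptions with the per-object validation mode from the
# "Destination exceptions" tab (constructed).
DESTINATION_EXCEPTIONS = [
    {"name": "Banking-Sites", "kind": "DomainNameSet",
     "members": ["*.examplebank.test"], "validate": True},
    {"name": "Intranet-SelfSigned", "kind": "DomainNameSet",
     "members": ["intranet.corp.test"], "validate": False},
    {"name": "Sensitive-Categories", "kind": "UrlCategorySet",
     "members": ["Health", "Finance"], "validate": True},
]

# Stand-in for the URL filtering category lookup (constructed).
URL_CATEGORY_OF = {"clinic.test": "Health", "news.test": "News"}


def _ip_in_member(ip, member):
    """A member is a single address, a CIDR subnet, or a 'start-end' range."""
    if "-" in member:
        start, end = (ipaddress.ip_address(x.strip()) for x in member.split("-", 1))
        return start <= ip <= end
    if "/" in member:
        return ip in ipaddress.ip_network(member, strict=False)
    return ip == ipaddress.ip_address(member)


def match_source(client_ip):
    """Return the name of the source exception covering client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, members in SOURCE_EXCEPTIONS.items():
        if any(_ip_in_member(ip, m) for m in members):
            return name
    return None


def _domain_matches(host, pattern):
    """'*.example.test' covers the domain and every subdomain (assumed
    semantics); a bare name matches exactly."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:].lower()
        return host == suffix or host.endswith("." + suffix)
    return host == pattern.lower()


def match_destination(host):
    """Return the first destination exception object covering host, or None."""
    category = URL_CATEGORY_OF.get(host.lower())
    for obj in DESTINATION_EXCEPTIONS:
        if obj["kind"] == "DomainNameSet":
            if any(_domain_matches(host, p) for p in obj["members"]):
                return obj
        elif category in obj["members"]:  # UrlCategory / UrlCategorySet
            return obj
    return None


def decide(client_ip, host, sp1_no_cert_validation=False):
    """Effective HTTPS inspection mode for one connection.

    Order (a modelling assumption): source exceptions first, then destination
    exceptions; no match means the connection is inspected.
    """
    src = match_source(client_ip)
    if src is not None:
        return {"mode": "exclude", "by": src,
                "validate_cert": not sp1_no_cert_validation}
    dst = match_destination(host)
    if dst is not None:
        return {"mode": "exclude", "by": dst["name"], "validate_cert": dst["validate"]}
    return {"mode": "inspect", "by": None, "validate_cert": True}


if __name__ == "__main__":
    for ip, host in [("10.0.9.77", "www.example.test"), ("10.0.1.1", "intranet.corp.test"),
                     ("10.0.1.1", "clinic.test"), ("10.0.1.1", "news.test")]:
        print(ip, host, decide(ip, host))
```

The useful property to notice is that a source exception covers every destination the client reaches, whereas a destination exception carries its own validation setting, which is why the post recommends destination exceptions where the trusted sites are known.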
One of the main added values of HTTPS inspection is validating server certificates. Browsers also perform a similar check and give warnings to users. However, many users ignore such warnings and continue browsing to malicious sites. HTTPS inspection completely blocks such sites.
There are five different error checks that can be performed by HTTPS inspection on server certificates:
In case of inspection, TMG by default performs all these checks. Two notes:
In case of exclusion, there are two options: “certificate validation” and “no certificate validation”.
For destination exceptions, certificate validation is configured per object in the exclusion list (see second column in destination exception screenshot). For each object, you can change its validation mode by pressing the “Validation” / “No Validation” button (it is the same button; its caption changes according to the current object state).
The table below summarizes certificate checks for each mode:
Expired, not yet valid
Exclusion, no validation
New in TMG service pack 1– “complete” source exception
A new “No certificate validation” checkbox was added to the source exception configuration in TMG service pack 1. It is configured globally for the whole exception list (see checkbox in second screenshot).
This mode can be used to completely bypass the entire HTTPS inspection mechanism for the machines in the source exceptions list. Please note that this mode is less secure, because in this case TMG will not validate the server certificate in any way. It is usually recommended to prefer destination exceptions.
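The following added example (not TMG code and not part of the original post) shows how the four modes discussed above treat a server certificate: full inspection, exclusion with validation, exclusion without validation, and the service pack 1 source bypass. It implements only the validity-period check the page names (expired / not yet valid); the sample certificates, the fixed clock, the mode names and the assumption that exclusion-with-validation runs the same validity check as inspection are all constructed for this example. The certificate dicts use the `notBefore`/`notAfter` string shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the stdlib `ssl.cert_time_to_seconds` parser can be reused.

```python
"""Model of how a server certificate is treated under each Forefront TMG
HTTPS inspection mode (added example, not TMG code). Only the validity-period
error named on the page is implemented; certificates, clock and mode names
are constructed."""
import calendar
import ssl

# Modes from the page: full inspection, exclusion with validation,
# exclusion without validation, and the SP1 "complete" source bypass.
INSPECT = "inspect"
EXCLUDE_VALIDATE = "exclude, validation"
EXCLUDE_NO_VALIDATE = "exclude, no validation"
SP1_BYPASS = "sp1 source bypass"

# Fixed clock so the example is deterministic (constructed): 2024-06-15 12:00 UTC
NOW = calendar.timegm((2024, 6, 15, 12, 0, 0))

# Certificates in the dict shape returned by ssl.SSLSocket.getpeercert() (constructed)
CERTS = {
    "valid":   {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT"},
    "expired": {"notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Jan  1 00:00:00 2024 GMT"},
    "future":  {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT"},
}


def validity_errors(cert, now=NOW):
    """Return the validity-period errors found: 'not yet valid' and/or 'expired'."""
    errors = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        errors.append("not yet valid")
    if now > not_after:
        errors.append("expired")
    return errors


def checks_for_mode(mode):
    """Checks that run in each mode. Inspection runs every check; exclusion
    without validation and the SP1 bypass run none. That exclusion with
    validation runs the same validity check is an assumption of this model."""
    if mode in (INSPECT, EXCLUDE_VALIDATE):
        return [validity_errors]
    return []


def handle_connection(mode, cert, now=NOW):
    """Decide whether the connection is blocked, and whether content is inspected.

    A certificate error blocks the connection outright (the page's point: the
    user gets no 'continue anyway' choice). Content is inspected only in
    inspection mode, and only when the certificate passed every check.
    """
    errors = []
    for check in checks_for_mode(mode):
        errors.extend(check(cert, now))
    if errors:
        return {"action": "blocked", "inspected": False, "errors": errors}
    return {"action": "allowed", "inspected": mode == INSPECT, "errors": []}


def summary_table(now=NOW):
    """Mode x certificate -> action, i.e. the decision table the page summarises."""
    return {mode: {name: handle_connection(mode, cert, now)["action"] for name, cert in CERTS.items()}
            for mode in (INSPECT, EXCLUDE_VALIDATE, EXCLUDE_NO_VALIDATE, SP1_BYPASS)}


if __name__ == "__main__":
    for mode, row in summary_table().items():
        print(f"{mode:24s} {row}")
```

Running the block prints one row per mode; the two no-validation rows allow the expired and not-yet-valid certificates through, which is the reduced security the post warns about for the SP1 source bypass.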
Choosing the right exception method
It is usually recommended to use destination exceptions. By choosing destination exception, you only exempt sites that you trust (either because they are well managed or because they have some validation problem, such as a self-signed certificate).
Source based exceptions may be used to exempt machines when you do not yet know the specific destinations that need to be added to the exception list, or if these are client computers that you do not want to inspect for some reason.
Author: Roman Golubchyck
Reviewer: Ori Yosefi
Thank you for another fantastic blog. Where else could I get this kind of info written in such an insightful way? I have been looking for such information.
Is it possible to publish an internal website (through TMG 2010) that requires Client certificates? The internal website is setup to "require client certificates".