Planning for HTTPS inspection
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
You can use Forefront TMG to inspect the contents of outbound HTTPS traffic, to protect your organization from security risks such as:
Viruses and other malicious content that could use Secure Sockets Layer (SSL) tunnels to infiltrate the organization undetected.
Users who bypass the organization’s access policy by using tunneling applications over a secure channel (for example, peer-to-peer applications).
Note
- Outbound traffic refers to traffic that originates from client computers on networks that are protected by Forefront TMG.
- Although you can enable outbound HTTPS traffic without inspection, it is not recommended that you do this.
The following sections provide information to help you plan for HTTPS inspection:
How HTTPS inspection works
Considerations for enabling HTTPS inspection
About certificate validation in HTTPS inspection
Privacy issues
How HTTPS inspection works
To provide HTTPS protection, Forefront TMG acts as an intermediary, or a "man in the middle", between the client computer that initiates the HTTPS connection, and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following:
Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site’s server certificate.
Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate.
Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it.
Because the HTTPS inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.
Note
The two tunnels are negotiated independently, so the protocol version and cipher suite used between the client and Forefront TMG may not be the same as those used between Forefront TMG and the target HTTPS server.
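The three steps above, reproduced with the openssl command-line tool as an added example. This is not Forefront TMG code: the inspection CA name, the organization, and the host names www.example.test and example.test are made up, the origin certificate is self-signed only so that the demo runs offline (in production it chains to a public CA and is validated first), and openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: reproduce the certificate-cloning step of HTTPS inspection with
# the openssl command-line tool (1.1.1 or later, for -ext). This is not Forefront
# TMG code; the CA name, organization and host names are made up for the demo.
set -eu

# Builds an inspection CA, a stand-in origin certificate, and the cloned leaf that
# an inspecting proxy would present. Returns "cloned:OK origin:FAIL" when a client
# that trusts only the inspection CA accepts the clone and rejects the origin's own
# certificate, which is the trust relationship the text describes.
https_inspection_demo() {
    work=$(mktemp -d)

    # Minimal req config so the demo does not depend on the system openssl.cnf.
    cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_origin]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test,DNS:example.test
EOF

    # 1. The HTTPS inspection CA. On the TMG server this is the self-signed or
    #    imported CA certificate whose public half is pushed into every client's
    #    Trusted Root Certification Authorities store.
    openssl req -x509 -config "$work/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example HTTPS Inspection CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null

    # 2. The real Web site's certificate. Self-signed here only to keep the demo
    #    offline; in production it chains to a public CA, and the proxy validates
    #    that chain before cloning anything.
    openssl req -x509 -config "$work/req.cnf" -extensions v3_origin \
        -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Corp/CN=www.example.test" \
        -keyout "$work/origin.key" -out "$work/origin.crt" 2>/dev/null

    # 3. Copy the details the proxy copies: subject and subject alternative names.
    subject=$(openssl x509 -in "$work/origin.crt" -noout -subject -nameopt compat \
        | sed 's/^subject= *//')
    san=$(openssl x509 -in "$work/origin.crt" -noout -ext subjectAltName \
        | sed -n '2p' | tr -d ' ')

    # 4. Mint a fresh key pair and a certificate carrying those details, signed by
    #    the inspection CA. The origin's private key is never needed: the client
    #    ends up talking to the proxy's key, which is what makes decryption possible.
    openssl req -new -config "$work/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$subject" -keyout "$work/cloned.key" -out "$work/cloned.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$san" > "$work/leaf.ext"
    openssl x509 -req -in "$work/cloned.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$work/leaf.ext" \
        -out "$work/cloned.crt" 2>/dev/null

    # 5. The client's view. With only the inspection CA in its trust store, the
    #    cloned certificate chains and matches the host name; the origin's own
    #    certificate does not chain at all.
    if openssl verify -CAfile "$work/ca.crt" -verify_hostname www.example.test \
        "$work/cloned.crt" >/dev/null 2>&1; then cloned=OK; else cloned=FAIL; fi
    if openssl verify -CAfile "$work/ca.crt" -verify_hostname www.example.test \
        "$work/origin.crt" >/dev/null 2>&1; then origin=OK; else origin=FAIL; fi

    rm -rf "$work"
    echo "cloned:$cloned origin:$origin"
}

https_inspection_demo
```

The demo copies only the subject and subject alternative names; the validity period of the clone is set by -days here, and the clone is signed with a key the origin server has never seen. That last point is the whole mechanism: the client accepts the clone only because the inspection CA is in its trusted root store, and any client or server-side check that depends on the origin's actual certificate or key (such as an EV indicator or a certificate pin) will not survive the substitution.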
Considerations for enabling HTTPS inspection
When enabling HTTPS inspection, consider the following:
In order to inspect HTTPS traffic, a certification authority (CA) certificate must be placed on the Forefront TMG server and deployed to all client computers. You can obtain the certificate in one of two ways:
Generate a self-signed certificate on the Forefront TMG server.
Import a certificate that was issued either by a root CA in your organization or by a trusted public CA (a CA operated by an outside entity, such as VeriSign). The certificate must be a Personal Information Exchange (.pfx) file that contains the private key, because Forefront TMG uses that key to sign the certificates it generates, and it must be trusted on the Forefront TMG server.
In multiple-array deployments, you generate or import the HTTPS inspection certificate for each of the arrays.
Extended Validation (EV) SSL is not supported with HTTPS inspection. When Forefront TMG performs HTTPS inspection on a site that uses an EV SSL certificate, the browser sees the certificate that Forefront TMG generated, not the site's EV certificate, so the EV indicator that some Web browsers display (for example, the green address bar in Internet Explorer 7) will not appear in users' browsers. To maintain a site's EV visibility, you must exclude it from HTTPS inspection.
HTTPS inspection is incompatible with connections to external SSTP servers and with servers that require client certificate authentication, because Forefront TMG, not the client, is the SSL peer of the server and cannot present the client's certificate and private key. If you are aware of such a server, it is recommended that you exclude it from HTTPS inspection.
To deploy the HTTPS inspection trusted root certification authority (CA) certificate to client computers using Active Directory, Forefront TMG must be deployed in a domain environment.
HTTPS inspection does not support self-signed certificates. If you need to enable access to sites that use self-signed certificates, it is recommended that you exclude them from HTTPS inspection. For information, see Excluding sources and destinations from HTTPS inspection.
For example, if you implement e-mail protection with Microsoft Forefront Protection 2010 for Exchange Server, exclude the Cloudmark download site from HTTPS inspection so that Cloudmark antispam engine definition updates can be downloaded, because that site uses a self-signed certificate.
Note
For information about excluding sites from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.
About certificate validation in HTTPS inspection
The following table summarizes the certificate validation that Forefront TMG performs when HTTPS inspection is enabled. For sites that are excluded from HTTPS inspection, you choose whether to exclude them with or without certificate validation when you configure destination exceptions. For information about excluding sites from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.
Validation type | Inspected traffic | Sites excluded from HTTPS inspection with certificate validation | Sites excluded from HTTPS inspection without certificate validation |
---|---|---|---|
Eligible for server authentication | Yes | Yes | Yes |
Expiration, revocation | Yes | No | No |
Name mismatch, trust | Yes | Yes | No |
Certificate revocation considerations in Forefront TMG HTTPS inspection
Note the following issues regarding certificate revocation:
Because Forefront TMG caches the results of certificate validation, a certificate that is revoked after it has been validated continues to be treated as valid until its cache entry expires.
If Forefront TMG is unable to connect to the certificate revocation list (CRL) service, and is therefore unable to check for revocation, it treats the certificate as valid. In other words, revocation checking fails open, so a revoked certificate is accepted while the CRL distribution point is unreachable.
Privacy issues
Because the user of the client computer is not necessarily aware that Forefront TMG is terminating the connection and inspecting the traffic, for privacy and legal reasons you might want to do the following:
Notify clients that their HTTPS traffic is being inspected. You can do this for client computers running Forefront TMG Client. For information, see Notifying users that HTTPS traffic is being inspected.
Exclude specific URLs or URL categories, such as financial and health sites, from inspection. For information, see Excluding sources and destinations from HTTPS inspection.
Related Topics
Concepts
Configuring HTTPS inspection
Planning to protect against web browsing threats