Troubleshooting HTTPS inspection

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes the basic functionality of HTTPS inspection, and common issues that are encountered when deploying, configuring, or maintaining the HTTPS inspection feature for Forefront TMG Standard Edition and Forefront TMG Enterprise Edition. It also details actions you can take to resolve these issues, where applicable.

This topic is divided into the following sections:

How HTTPS inspection works

Server certificate issues

CA certificate issues

How HTTPS inspection works

This section describes how HTTPS inspection works. It includes the following:

  • Overview—A brief description of the HTTPS Inspection feature.

  • General Considerations—Deployment considerations when enabling HTTPS inspection.

  • HTTPS inspection exclusion list—The implications of adding sites to the HTTPS inspection exclusion list.

Overview

In order to inspect outgoing HTTPS traffic, Forefront TMG breaks the HTTPS connection and then acts as an intermediary or "man in the middle" between the client that initiated the connection and the secure Web site. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.

The process of HTTPS inspection is as follows:

  1. The client attempts to connect to a secure Web site.

  2. Forefront TMG intercepts the connection request.

  3. Forefront TMG establishes a secure connection (an SSL tunnel) to the requested Web site.

  4. Forefront TMG validates the server certificate received from the Web site.

  5. Forefront TMG copies the details of the Web site's server certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority (CA) certificate called the HTTPS inspection certificate.

  6. Forefront TMG uses the new certificate for establishing an SSL connection with the client.

  7. The client accepts the certificate generated by Forefront TMG on behalf of the web server, because the HTTPS Inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, and the computer trusts any certificate that is signed by this certificate.

  8. A separate SSL tunnel is established between the client and Forefront TMG.

General Considerations

When enabling HTTPS inspection, consider the following:

  • In multiple-array deployments, you must generate an HTTPS inspection certificate for each of the arrays.

  • Extended Validation (EV) SSL is not supported with HTTPS inspection. When Forefront TMG performs HTTPS inspection on a site that uses an EV SSL certificate, the EV indication offered by some Web browsers (for example, Internet Explorer 7 turning the address bar green) is not displayed in users’ browsers, because the client sees the certificate generated by Forefront TMG rather than the site’s EV certificate. To maintain a site’s EV visibility, you must exclude it from HTTPS inspection.

  • HTTPS inspection can only be globally enabled; there are no per-rule HTTPS inspection settings.

  • HTTPS inspection is incompatible with connections to external SSTP servers. If you are aware of such a server, you can exclude it from HTTPS inspection.

  • To deploy the HTTPS inspection trusted root certification authority (CA) certificate to client computers using Active Directory, Forefront TMG must be deployed in a domain environment.

  • Sites that are known to have special privacy/regulation requirements (such as Financial or Health sites) should be tunneled directly through Forefront TMG (with no inspection), by adding the sites/URL categories to the exception list.

HTTPS inspection exclusion list

When a site is added to the HTTPS inspection exclusion list, Forefront TMG does not check the site’s certificate for expiration or revocation. However, name mismatch and trust are still checked, unless the “No Validation” mark is set. The Forefront TMG administrator is responsible for adding only trusted sites to the exclusion list; by still checking the certificate name and trust, Forefront TMG ensures that the connection really reaches that site and not another one presenting a different certificate. The administrator can also globally disable the revocation check, the expiration check, or both, or check expiration but allow certificates that expired no more than a specified number of days ago.

Warning

Adding sites to the HTTPS Inspection exclusion list may make your computer or your network more vulnerable to attack by malicious users or malicious software such as viruses. It is not recommended that you use this workaround; this information is provided so that you can implement the workaround at your own discretion. Note that adding to the exclusion list is per site. Disabling a specific HTTPS inspection check is global and applies to all sites.

For more information, see Excluding sources and destinations from HTTPS inspection.

Server certificate issues

A number of problems can occur with server certificates that result in Forefront TMG blocking access to the site. The block is recorded in the Forefront TMG log, and Forefront TMG sends an HTML error page to the client (only a Web proxy client displays the error page). An alert is also raised in the specific case of a certificate name mismatch error:

  • Certificate name mismatch alert: “Certificate Name Mismatch”.

  • Reverse lookup failure alert: “HTTPS Inspection - Unable to Validate Certificate Name”.

Possible error codes:

Error code   Description
12224        Server certificate not yet valid
12225        Server certificate expired
12226        Server certificate not trusted
12227        Server certificate name mismatch
12228        Server certificate is not for server authentication
12229        Server requires client certificate
12230        Server certificate is revoked

Server certificate not yet valid

Cause: The server certificate supplied by the server is not yet valid.

Workaround: Add the site to the HTTPS Inspection exclusion list with any mark (the “Validation” mark is recommended).

Server certificate expired

Cause: The server certificate supplied by the server has expired.

Workaround: Add the site to the HTTPS Inspection exclusion list with any mark (the “Validation” mark is recommended).

Server certificate not trusted

Cause: The certification authority that issued the server certificate supplied by the server is not trusted.

Workaround: Add the site to the HTTPS Inspection exclusion list with the “No validation” mark.

Server certificate name mismatch

Cause: A name mismatch error occurs when neither the common name nor any of the names in the SAN extension of the certificate sent by the web server matches the name of the host requested. This includes situations where:

  • The web server uses a wildcard certificate (for example, *.domain.com).

  • The client is either a transparent client or a full proxy client accessing the web server using its IP address, and a DNS reverse address lookup (IP to name) of the web server fails from Forefront TMG.

Workaround: Add the site to the HTTPS Inspection exclusion list with the “No validation” mark.

Note

In the case of a DNS reverse address lookup failure, configuring DNS or the hosts file on Forefront TMG so that the reverse lookup of the web server’s IP address succeeds can solve the problem instead.

Server certificate is not for server authentication

Cause: The server certificate is not eligible for server authentication purposes. This is a certificate property.

Workaround: This check is always made and there is no workaround.

Server requires client certificate

Cause: This is a web server setting that requires a client to have a specific certificate. Forefront TMG cannot create an SSL tunnel with the server because the required certificate is located on the client machine.

Workaround: Add the site to the HTTPS Inspection exclusion list with any mark (the “Validation” mark is recommended). An SSL tunnel will be created between the client and the server directly, and the client will provide the client certificate to the server.

Server certificate is revoked

Cause: The server certificate supplied by the server has been revoked by the certification authority that issued the certificate.

Workaround: Add the site to the HTTPS Inspection exclusion list with any mark (the “Validation” mark is recommended).
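The following diagnostic script is an added example and is not part of the Forefront TMG product or its documentation. It retrieves a site’s server certificate the way Forefront TMG does in steps 3 and 4 of the inspection process, applies the checks described in this section, and reports the matching error code from the table above, so an administrator can see why a site is being blocked before deciding whether to add it to the exclusion list. Run it from the Forefront TMG computer so that trust, revocation and DNS are evaluated with the same certificate stores and network paths that Forefront TMG uses. Error code 12229 (server requires client certificate) is not covered, because it is a server behaviour rather than a certificate property. The script assumes Windows PowerShell 2.0 or later and that Windows renders the SAN extension with the English “DNS Name=” label; the function and parameter names are the example’s own.

```powershell
# Added diagnostic example; not part of Forefront TMG or its documentation.
# Reproduces the server certificate checks of HTTPS inspection and maps each
# finding to the error code listed in the troubleshooting table.
# Assumptions: Windows PowerShell 2.0+, outbound TCP 443 allowed, English
# formatting ("DNS Name=") of the SAN extension.

function Get-RemoteServerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    # Accept any certificate during the handshake: we only capture it here;
    # the real checks are done by Test-ServerCertificateForInspection.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Wrap in X509Certificate2 so extensions and validity dates are accessible.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ServerCertificateForInspection {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$RequestedHost
    )
    $findings = @()
    $now = Get-Date

    # 12224 / 12225: validity period of the server certificate.
    if ($now -lt $Certificate.NotBefore) { $findings += '12224 Server certificate not yet valid' }
    if ($now -gt $Certificate.NotAfter)  { $findings += '12225 Server certificate expired' }

    # 12226 / 12230: trust and revocation, evaluated with this computer's chain
    # engine. Time validity is ignored here because it was reported above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    $null = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if ($status -match 'UntrustedRoot|PartialChain|NotSignatureValid') { $findings += '12226 Server certificate not trusted' }
    if ($status -match 'Revoked') { $findings += '12230 Server certificate is revoked' }

    # 12227: the requested host must appear as the CN or as a DNS SAN entry.
    $names = @($Certificate.GetNameInfo('SimpleName', $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if (-not ($names -contains $RequestedHost)) {    # -contains is case-insensitive
        $hint = ''
        if ($names -match '^\*\.') { $hint = ' (wildcard certificate)' }
        $findings += "12227 Server certificate name mismatch$hint; presented names: $($names -join ', ')"
    }

    # 12228: if an Enhanced Key Usage extension is present it must include
    # Server Authentication (1.3.6.1.5.5.7.3.1); no extension means any purpose.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $findings += '12228 Server certificate is not for server authentication'
    }

    if ($findings.Count -eq 0) { 'OK: certificate passes the HTTPS inspection checks covered here' } else { $findings }
}

# Usage from the Forefront TMG computer (host name is a placeholder):
#   $cert = Get-RemoteServerCertificate -HostName www.example.com
#   Test-ServerCertificateForInspection -Certificate $cert -RequestedHost www.example.com
```

Because the capture callback accepts every certificate, the handshake in Get-RemoteServerCertificate succeeds even for untrusted or expired certificates; the verdict comes only from Test-ServerCertificateForInspection, which runs each check independently so that a single certificate can be reported with several error codes at once.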

CA certificate issues

The CA certificate used by Forefront TMG must be deployed on the client; otherwise the client won’t trust the certificate issued by Forefront TMG on behalf of the web server. If the client does not have the CA certificate used by Forefront TMG, it will receive an error when accessing an SSL web site if HTTPS inspection is enabled.

CA certificate cannot be deployed

Problem: The CA certificate cannot be deployed to client computers (the administrator gets an error message).

Solution: Check the COM Error traces. The problem is most likely that bad Active Directory credentials have been provided (domain administrator credentials are required).

CA certificate is not imported

Problem: The CA certificate is not imported to the Forefront TMG computer. No error alert is raised or error generated.

Cause: The CA certificate is either not yet valid, has expired, or is not trusted. The only way to identify the exact cause is by looking into Forefront TMG tracing:
ERROR:ImportRootCACertificate() failed hr = HRESULT=<error code>

The error codes are:

  • Not yet valid: 0xC0040418

  • Expired: 0xC0040419

  • Not trusted: 0xC004041B

Solution: Use a certificate that is valid, trusted, and has not expired.

Failure in CA certificate duplication

Problem: The CA certificate duplication process fails and an alert is generated: “CA certificate failed to sign”.

Workaround: Add the site to the HTTPS inspection exclusion list with any mark (the “Validation” mark is recommended).

CA certificate is expired

Problem: An alert is raised when the CA certificate has expired.

Solution: Create or import a new CA certificate and deploy it.

CA certificate is going to expire

Problem: An alert is raised 14 days before expiration (“CA certificate is expiring soon”).

Solution: Create or import a new CA certificate and deploy it before the expiration date.
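The following script is an added example and is not part of the Forefront TMG product or its documentation. It is meant to be run on a client computer to confirm that the HTTPS inspection CA certificate has actually reached the Trusted Root Certification Authorities store (the condition described at the start of this section), and it flags the same conditions that the CA certificate alerts above describe: not yet valid, expired, and expiring within 14 days. It assumes Windows PowerShell 2.0 or later; the -SubjectName value is the common name you gave the HTTPS inspection certificate, and the function and parameter names are the example’s own.

```powershell
# Added example; not part of Forefront TMG or its documentation. Checks, on a
# client computer, whether the HTTPS inspection CA certificate is present in
# the Trusted Root Certification Authorities store and whether its validity
# period matches the CA certificate alerts (expired / expiring in 14 days).
# Assumptions: Windows PowerShell 2.0+; -SubjectName is the CN you assigned.

function Test-HttpsInspectionCACertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SubjectName,
        [int]$WarnDays = 14     # Forefront TMG raises "CA certificate is expiring soon" 14 days ahead
    )
    $now = Get-Date
    # Active Directory deployment places the certificate in the machine store;
    # a manual import may have put it in the user store, so look in both.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" })

    if ($candidates.Count -eq 0) {
        return "NOT FOUND: no trusted root certificate with CN=$SubjectName on this computer; the client will get a certificate error on every inspected HTTPS site"
    }

    foreach ($cert in $candidates) {
        $state = 'OK'
        if ($now -lt $cert.NotBefore) { $state = 'NOT YET VALID' }
        elseif ($now -gt $cert.NotAfter) { $state = 'EXPIRED' }
        elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $state = "EXPIRING SOON (within $WarnDays days)" }

        # The signing certificate must be a CA certificate; otherwise the
        # certificates issued on behalf of web servers will not chain to it.
        $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        $isCa = ($bc -ne $null) -and $bc.CertificateAuthority

        New-Object PSObject -Property @{
            Store      = $cert.PSParentPath -replace '^.*::', ''
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            IsCA       = $isCa
            State      = $state
        }
    }
}

# Usage on a client computer (the subject name is a placeholder for your own):
#   Test-HttpsInspectionCACertificate -SubjectName '<HTTPS inspection certificate CN>' | Format-Table -AutoSize
```

A result of NOT FOUND on a domain-joined client after deployment points back to the “CA certificate cannot be deployed” problem above; an EXPIRED or EXPIRING SOON state on the client means the new CA certificate created on Forefront TMG has not yet been deployed, since clients keep trusting the old one until it is replaced.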