Enabling HTTPS inspection

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic provides instructions on how to enable HTTPS inspection on Web access policy rules. You do this by first configuring Forefront TMG to allow users to establish HTTPS connections to Web sites, and then by selecting the type of inspection you want to enable. You can configure Forefront TMG to:

  • Inspect outbound HTTPS traffic, and validate HTTPS site certificates

  • Validate HTTPS site certificates only

  • Allow access to all HTTPS sites, without any inspection

For general information about HTTPS inspection, including information regarding the certificates necessary for implementation, see Planning for HTTPS inspection.

Using the Web Access Policy Wizard

You can enable and configure access to HTTPS sites using the Web Access Policy Wizard, or by editing the HTTPS Inspection properties. The Web Access Policy Wizard helps you set up most aspects of HTTPS inspection; however, some other settings are available only on the HTTPS Inspection properties. The instructions in the following procedure apply to the Web Access Policy Wizard.

Enabling HTTPS inspection

To enable HTTPS inspection

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure Web Access Policy.

  3. On the HTTPS Inspection Settings page of the Web Access Policy Wizard, select Allow users to establish HTTPS connections to Web sites, and then select one of the following types of protection:

    • To enable HTTPS inspection, select Inspect HTTPS traffic and validate HTTPS site certificates, and then click Next.

    • To enable certificate validation only, select Do not inspect HTTPS traffic, but validate the HTTPS site certificate.

    Note

    If you enable certificate validation only, the remaining steps in this procedure are not relevant. Continue advancing through the wizard, and at the end of the wizard, click Finish. On the Apply Changes bar, click Apply. Your next step is to configure the certificate validation policy. For configuration information, see Configuring the certificate validation policy.

  4. On the HTTPS Inspection Preferences page of the wizard, select whether you want to notify users that HTTPS traffic is being inspected. If you choose to enable notification, do the following:

    1. Make sure that each client computer is running Forefront TMG Client.

    2. Make sure that each client computer has the HTTPS inspection trusted root certification authority certificate installed in the Trusted Root Certification Authorities certificate store. For details, see Deploying the HTTPS inspection trusted root CA certificate to client computers.

  5. On the HTTPS Inspection Preferences page, select whether you want to create the HTTPS inspection certificate by using Forefront TMG, customize certain aspects of the certificate (such as its name), or import an existing certificate. For details, see Generating the HTTPS inspection certificate.

  6. On the Certificate Deployment Preferences page, select whether to deploy the HTTPS inspection trusted root certification authority certificate by using Active Directory Domain Services (AD DS) or by exporting and importing the certificate (manual deployment).

    Note

When using AD DS to deploy the HTTPS inspection trusted root certification authority certificate to client computers, in the Domain administrator username box, enter the account name in the format Domain\Username. The domain in which that account is defined must be the same domain to which Forefront TMG is joined. For details, see Deploying the HTTPS inspection trusted root CA certificate to client computers.

  7. Continue advancing through the wizard, and at the end of the wizard, click Finish. On the Apply Changes bar, click Apply.
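The following script is an added example for verifying the outcome of this procedure on a client computer; it is not part of this topic or of the Forefront TMG product, and it uses only .NET Framework classes exposed through Windows PowerShell. It checks the two things a client depends on: that the HTTPS inspection root CA from step 4.2 is in the machine's Trusted Root Certification Authorities store, and which protection type from step 3 is actually in effect, by looking at who issued the certificate the client receives for an HTTPS site through the proxy. The inspection CA common name, the proxy listener address, and the test URL are assumed placeholder values.

```powershell
# Added example; not part of the Forefront TMG documentation or product.
# Assumptions (placeholders, adjust for your environment):
#   $InspectionCaName - the common name given to the HTTPS inspection certificate in step 5
#   $ProxyAddress     - the Forefront TMG Web proxy listener this client uses
#   $TestUrl          - an HTTPS site covered by the Web access rule
# Run on a client computer in Windows PowerShell; only .NET Framework classes are used.
param(
    [string]$InspectionCaName = 'Contoso HTTPS Inspection CA',
    [string]$ProxyAddress     = 'http://tmg.example.invalid:8080',
    [string]$TestUrl          = 'https://www.example.com/'
)

# Check 1 (step 4.2): the inspection root CA must be in the machine-wide
# Trusted Root Certification Authorities store, or every inspected site
# produces a certificate warning in the browser.
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$InspectionCaName*" }

if ($rootCa) {
    foreach ($c in $rootCa) {
        Write-Host ("Inspection root CA present: {0} (thumbprint {1}, expires {2:d})" -f $c.Subject, $c.Thumbprint, $c.NotAfter)
    }
} else {
    Write-Warning "No root CA named '$InspectionCaName' in Cert:\LocalMachine\Root; deploy it (step 6) before enabling notification."
}

# Check 2 (step 3): which protection type is in effect for this client?
# With "Inspect HTTPS traffic", Forefront TMG terminates the TLS session and
# presents a certificate issued from the inspection CA. With certificate
# validation only, or with no inspection, the client sees the site's own certificate.
$request = [System.Net.HttpWebRequest]::Create($TestUrl)
$request.Proxy  = New-Object System.Net.WebProxy($ProxyAddress)
$request.Method = 'HEAD'

try {
    $response = $request.GetResponse()
    $response.Close()
} catch [System.Net.WebException] {
    # A "could not establish trust relationship" failure here is exactly what
    # users see when the inspection CA was never deployed to the client.
    Write-Warning "Request to $TestUrl failed: $($_.Exception.Message)"
}

$leaf = $request.ServicePoint.Certificate
if (-not $leaf) {
    Write-Warning 'No server certificate was captured; the TLS handshake did not complete.'
    return
}

$leaf2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($leaf)
Write-Host "Site certificate subject : $($leaf2.Subject)"
Write-Host "Site certificate issuer  : $($leaf2.Issuer)"

if ($leaf2.Issuer -like "CN=$InspectionCaName*") {
    Write-Host 'Result: HTTPS inspection is active; the proxy re-signed the site certificate.'
} else {
    Write-Host 'Result: traffic is not being inspected (certificate validation only, no inspection, or the proxy was bypassed).'
}
```

Run it once after clicking Apply and once more after the certificate has been deployed to the client: the first run shows the trust failure that users would otherwise report, the second shows the inspection CA as issuer when the "Inspect HTTPS traffic" option is selected, and the site's own public CA as issuer when only certificate validation is enabled.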

Next Steps

Generating the HTTPS inspection certificate

Concepts

Configuring HTTPS inspection
Planning for HTTPS inspection