Configuring HTTPS Inspection in Forefront TMG 2010 Automatically through Active Directory

HTTPS Inspection is a new feature of Forefront TMG that allows TMG 2010 to decrypt and inspect outbound HTTPS traffic. This protects an organization from security risks inherent to Secure Sockets Layer (SSL) tunnels, such as:

      • Viruses and other malicious content that could infiltrate the organization undetected.
      • Users who bypass the organization’s access policy by using tunneling applications over a secure channel (for example, peer-to-peer-applications).

TMG 2010 scans HTTPS? How?

1.  Intentionally break the end to end SSL Tunnel  “Good Man in the Middle attack”

  • Establish SSL with client
  • Establish original SSL request to Web Server

2.Validate certificates

3. Make exclusions to banking sites etc.

4. Users can be notified when checks happen.

When planning your HTTPS Inspection implementation, you need to first consider the certificate settings, to decide whether you will use forefront TMG 2010 generated self-signed certificate or issued by a trusted CA.  I recommended to use Forefront TMG Generate a self-signed Certificate for HTTPS Inspection because certificate expire date is 2049. Remember that Commercial CAs will not typically issue HTTPS Inspection.

There are two methods by which you can import the HTTPS Inspection trusted root CA certificate to client computers:

1. Automatically through Active Directory – Automatic deployment using Active Directory is the recommended method, because the certificate is stored in a secure location, and it saves administrators the overhead of manual deployment. But for this, TMG must be deployed in a domain environment.

2. Manually on each client computer – If the TMG Server is deployed in a workgroup environment, the certificate must be installed manually on each client computer, and it must be placed in the local computer certificate store.

By default, HTTPS Inspection is disabled. HTTPS Inspection can be enabled through the Web Access Policy. Follow these steps to enable this feature:

1. From the Forefront TMG console, click Web Access Policy and select Configure HTTPS Inspection under Web Protection Task on the Tasks pane.

2. In the HTTPS Outbound Inspection dialog box, select Enable HTTPS Inspection Under General Tab.

3. We will use a Forefront TMG 2010 self-signed certificate, so accept the default setting Use Forefront TMG to generate a certificate and click on the Generate button.

4. On the Generate Certificate dialog box, fill in the Issuer name and accept the default Expiration date according to your company needs and then click Generate Certificate Now.

5. A new certificate will be generated and the Certificate page pops up. Verify the certificate configuration and Click OK to close the Certificate display and click Close to close the Generate Certificate window.

6. On the HTTPS Outbound Inspection page, click HTTPS Inspection Trusted Root CA Certificate Options button.

7. On the Certificate Deployment Options dialog box, select Automatically through Active Directory (recommended) and Click on Domain Administrator Credentials box.

8. In the authentication dialog box, enter the credentials for an account that has write access to the domain Enterprise Trusted Root certificate store and Click OK.

9. Click OK to close this dialog box.

10. On the Certificate Deployment Options, click OK to close this dialog box.

11. On the HTTPS Outbound Inspection dialog box, Click Apply.

12. Click OK to close HTTPS Outbound Inspection dialog box. Click Apply button to save changes and update the configuration.

13. On the Saving Configuration changes dialog box, click OK.

Note: To verify successful publication of the TMG HTTPS Inspection CA certificate to Active Directory, perform the following steps on any computer in the domain:

1. Click Start and select Run, type  mmc and click OK.

2. On the Console1 dialog box, Click File Menu and select Add/Remove Snap-in…

3. On the Add or Remove Snap-ins… Dialog box, select Certificates in Available snap-ins: box and click Add button.

4. On the Certificates snap-in select Computer account and click Next.

5. On the Select Computer dialog box, Click Finish. Click OK. Verify Forefront TMG 2010 self-signed generated certificate under Trusted Root Certification Authorities.

Test HTTPS Inspection in Client Computers:

14. Log to the workstation computer, open Internet Explorer and type, https web sites to check HTTPS Inspection. If you get Forefront TMG self-generated certificate in Certification Path on Certificate dialog box. Our mission is successful. But we have to exclude online banking web sites for privacy reasons. We also need to evaluate any legal and compliance regulations before enable HTTPS Inspection.

15. The beauty of Forefront TMG 2010 HTTPS Inspection is that we can exclude HTTPS Outbound Inspection in two ways:

Source Exceptions: As the best practice, Manager does not wish his HTTPS connections to be Inspected. So we will need to add his Laptop IP to exclude from HTTPS Inspection.

Destination Exceptions:  Some destinations (e.g. financial institutions) can be excluded from HTTPS Inspection for privacy reasons and organization’s security IT policies.


HTTPS Inspection is a new feature of Forefront TMG 2010 that allows TMG to decrypt and inspect outbound HTTPS-encrypted sessions to be Inspected for malware or exploits. The best part of TMG HTTPS Inspection is that administrator can exclude HTTPS Inspection based on Source Exceptions and Destination Exceptions which is very cool features. So I will request to try to use Forefront TMG 2010 HTTPS Inspection before you buy other third party HTTPS Inspection Firewall.

Related Post  Configuring Access Rules for Internet Access in TMG 2010

Leave a Reply

Your email address will not be published. Required fields are marked *