This topic provides instructions on how to enable HTTPS inspection on Web access policy rules. You do this by first configuring Forefront TMG to allow users to establish HTTPS connections to Web sites, and then by selecting the type of inspection you want to enable. You can configure Forefront TMG to:
- Inspect outbound HTTPS traffic, and validate
HTTPS site certificates
- Validate HTTPS site certificates only
- Allow access to all HTTPS sites, without any
inspection
For general information about HTTPS inspection, including information regarding the certificates necessary for implementation, see Planning for HTTPS inspection.
Using the Web Access Policy
Wizard
You can enable and configure access to HTTPS sites using the Web Access Policy Wizard, or by editing the HTTPS Inspection properties. The Web Access Policy Wizard helps you set up most aspects of HTTPS inspection; however, some other settings are available only on the HTTPS Inspection properties. The instructions in the following procedure apply to the Web Access Policy Wizard.
Enabling HTTPS inspection
To enable HTTPS inspection
-
In the Forefront TMG Management console, in the tree, click the Web Access Policy node.
-
In the Tasks pane, click Configure Web Access Policy.
-
On the HTTPS Inspection Settings page of the Web Access Policy Wizard, select Allow users to establish HTTPS connections to Web sites, and then select one of the following types of protection:
- To enable HTTPS inspection, select Inspect
HTTPS traffic and validate HTTPS site certificates, and then
click Next.
- To enable certificate validation only, select
Do not inspect HTTPS traffic, but validate the HTTPS site
certificate.
Note:If you enable certificate validation only, the remaining steps in this procedure are not relevant. Continue advancing through the wizard, and at the end of the wizard, click Finish. On the Apply Changes bar, click Apply. Your next step is to configure the certificate validation policy. For configuration information, see Configuring the certificate validation policy. - To enable HTTPS inspection, select Inspect
HTTPS traffic and validate HTTPS site certificates, and then
click Next.
-
On the HTTPS Inspection Preferences page of the wizard, select whether you want to notify users that HTTPS traffic is being inspected. If you choose to enable notification, do the following:
- Make sure that each client computer is running Forefront TMG
Client.
- Make sure that each client computer has the HTTPS inspection
trusted root certification authority certificate installed in the
Trusted Root Certification Authorities certificate store. For
details, see Deploying the HTTPS
inspection trusted root CA certificate to client computers.
- Make sure that each client computer is running Forefront TMG
Client.
-
On the HTTPS Inspection Preferences page, select whether you want to create the HTTPS inspection certificate by using Forefront TMG, customize certain aspects of the certificate (such as its name), or import an existing certificate. For details, see Generating the HTTPS inspection certificate.
-
On the Certificate Deployment Preferences page, select whether to deploy the HTTPS inspection trusted root certification authority certificate by using Active Directory or by exporting and importing the certificate (manual deployment).
Note:When using Active Directory to deploy the HTTPS inspection trusted root certification authority certificate to client computers, in the Domain administrator username box, enter the name in the format Domain\Username. Note that this is the domain in which the user accounts are defined and not necessarily the domain to which Forefront TMG is joined. For details, see Deploying the HTTPS inspection trusted root CA certificate to client computers. -
Continue advancing through the wizard, and at the end of the wizard, click Finish. On the Apply Changes bar, click Apply.
Next Steps
Related Topics
Copyright © 2009 by Microsoft Corporation. All rights reserved.