You can use Forefront TMG to inspect inside outbound HTTPS traffic, to protect your organization from security risks such as:

  • Outbound traffic refers to traffic that originates from client computers on networks that are protected by Forefront TMG.

  • Although you can enable outbound HTTPS traffic without inspection, it is not recommended that you do this.

The following sections provide information to help you plan for HTTPS inspection:

How HTTPS inspection works

To provide HTTPS protection, Forefront TMG acts as an intermediary, or a "man in the middle", between the client computer that initiates the HTTPS connection, and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following:

  1. Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site’s server certificate.

  2. Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate.

  3. Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it.

Because the HTTPS inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.

Considerations for enabling HTTPS inspection

When enabling HTTPS inspection, consider the following:

  • In multiple-array deployments, you generate an HTTPS inspection certificate for each of the arrays.

  • Extended Validation (EV) SSL is not supported with HTTPS inspection. When Forefront TMG performs HTTPS inspection on a site that uses an EV SSL certificate, the EV visibility that is offered by some Web browsers, such as Internet Explorer 7 causing the URL address bar to turn green, will not be displayed in users’ browsers. To maintain a site’s EV visibility, you must exclude it from HTTPS inspection.

  • HTTPS inspection is incompatible with connections to external SSTP servers, and servers that require client certificate authentication. If you are aware of such a server, it is recommended that you exclude it from HTTPS inspection.

  • To deploy the HTTPS inspection trusted root certification authority (CA) certificate to client computers using Active Directory, Forefront TMG must be deployed in a domain environment.

For information about excluding sites from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.

About certificate validation in HTTPS inspection

The following table summarizes the certificate validation that Forefront TMG performs when HTTPS inspection is enabled. For sites that are excluded from HTTPS inspection, you can select to exclude with or without validation when you configure destination exceptions. For information about excluding sites from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.

Validation type Inspected traffic Sites that are excluded from HTTPS inspection with certificate validation Sites that are excluded from HTTPS inspection without certificate validation

Eligible for server authentication




Expiration, revocation




Name mismatch, trust




Privacy issues

Because the user of the client computer is unaware that Forefront TMG is breaking the connection and inspecting the traffic, for privacy and legal reasons, you might want to do the following:

Related Topics