To provide HTTPS protection, Forefront TMG acts as an intermediary, or a "man in the middle", between the client computer that initiates the HTTPS connection, and the secure Web site. When a client computer initiates a connection to a secure Web site, Forefront TMG intercepts the request and does the following:

1. Establishes a secure connection (an SSL tunnel) to the requested Web site and validates the site’s server certificate.
   
   
2. Copies the details of the Web site's certificate, creates a new SSL certificate with those details, and signs it with a Certification Authority certificate called the HTTPS inspection certificate.
   
   
3. Presents the new certificate to the client computer, and establishes a separate SSL tunnel with it.
   
   

Because the HTTPS inspection certificate was previously placed in the client computer’s Trusted Root Certification Authorities certificate store, the computer trusts any certificate that is signed by this certificate. By cutting the connection and creating two secure tunnels, the Forefront TMG server can decrypt and inspect all communication between the client computer and the secure Web site during this session.

When enabling HTTPS inspection, consider the following:

• In multiple-array deployments, you generate an HTTPS inspection certificate for each of the arrays.
  
  
• Extended Validation (EV) SSL is not supported with HTTPS inspection. When Forefront TMG performs HTTPS inspection on a site that uses an EV SSL certificate, the EV visibility that is offered by some Web browsers, such as Internet Explorer 7 causing the URL address bar to turn green, will not be displayed in users’ browsers. To maintain a site’s EV visibility, you must exclude it from HTTPS inspection.
  
  
• HTTPS inspection is incompatible with connections to external SSTP servers, and servers that require client certificate authentication. If you are aware of such a server, it is recommended that you exclude it from HTTPS inspection.
  
  
• To deploy the HTTPS inspection trusted root certification authority (CA) certificate to client computers using Active Directory, Forefront TMG must be deployed in a domain environment.
  
  

Note:
For information about excluding sites from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.

The following table summarizes the certificate validation that Forefront TMG performs when HTTPS inspection is enabled. For sites that are excluded from HTTPS inspection, you can select to exclude with or without validation when you configure destination exceptions. For information about excluding sites from HTTPS inspection, see Excluding sources and destinations from HTTPS inspection.

Because the user of the client computer is unaware that Forefront TMG is breaking the connection and inspecting the traffic, for privacy and legal reasons, you might want to do the following:

• Notify clients that their HTTPS traffic is being inspected. You can do this for client computers running Forefront TMG Client. For information, see Notifying users that HTTPS traffic is being inspected.
  
  
• Exclude specific URLs or URL categories, such as financial and health sites, from inspection. For information, see Excluding sources and destinations from HTTPS inspection.
  
  

Concepts