FPCTunnelPortRanges Collection

The FPCTunnelPortRanges collection holds a set of FPCTunnelPortRange objects. Each FPCTunnelPortRange object represents a single range of tunnel ports. A tunnel port range specifies one or more ports on which the Forefront TMG Web proxy can forward an HTTP CONNECT request from a Web proxy client to a Web server. After a connection is established, packets sent from the client to the Web server on the port specified in the CONNECT request pass directly to the Web server without deep inspection by the Web proxy.

Ports that are included in tunnel port ranges are useful for passing packets with an encrypted payload, particularly Secure Sockets Layer (SSL) packets, through the Web proxy after a connection is established between a client on a protected network and an external Web server. When SSL-encrypted traffic is sent, Forefront TMG can inspect only the IP and TCP headers. The Forefront TMG computer cannot perform application-layer inspection of the encrypted contents in the SSL tunnel between the client and Web server.

When a client specifies the HTTPS protocol (HTTP over SSL) in a URL in a CERN-compliant Web browser configured to send requests to port 8080 (the default port number) on a Forefront TMG computer, the Web browser sends the following HTTP CONNECT request:

CONNECT host_name:443 HTTP/1.1

The number 443 is the default TCP port for SSL, but any port specified in the URL will be used.

By default, the Forefront TMG computer listens for outbound requests from clients in the Internal network on port 8080. When the CONNECT request reaches the Forefront TMG computer on the listening port, the Microsoft Firewall service checks the rules to determine whether a request may be sent from the source to the destination using the HTTP protocol. If the request passes the rules check, the Firewall service forwards the request to the Forefront TMG Web proxy, and the Web proxy determines whether the port specified in the CONNECT request is included in a tunnel port range. If the port number passes this test, the Web proxy allows the request to be sent to the TCP port specified on the destination host to open a connection. When this operation succeeds, the Forefront TMG computer informs the client that the connection has been established. From that point on, the client sends encrypted packets directly to the destination on the port specified in the CONNECT request without any mediation by the Web proxy.

By default, the external port ranges that are defined as tunnel port ranges are confined to 443–443 (the single port 443) for HTTP over SSL and 563–563 (the single port 563) for the Network News Transfer Protocol over SSL (NNTPS). You can use the AddRange method to create an additional tunnel port range. However, because traffic sent to ports included in a tunnel port range bypasses the Forefront TMG policy rules and Web proxy inspection, only tunnel port ranges for which this is required should be added.

The FPCTunnelPortRanges collection can be accessed through the TunnelPortRanges property of an FPCWebProxy object.

Click here to see the Forefront TMG object hierarchy.


The FPCTunnelPortRanges collection defines the following methods.

Method Description


Creates a new FPCTunnelPortRange object in the collection and returns a reference to it.


Retrieves the requested FPCTunnelPortRange object from the collection.


Reads the values of all the properties of the collection and its elements from persistent storage, discarding any changes that have not been saved.


Removes the specified FPCTunnelPortRange object from the collection.


Writes the current values of all the properties of the collection and its elements to persistent storage.


The FPCTunnelPortRanges collection defines the following properties.

Property Description


Gets an enumerator object for the collection.


Gets the number of FPCTunnelPortRange objects in the collection.

Interfaces for C++ Programming

This collection implements the IFPCTunnelPortRanges interface.


Client Requires Windows Vista or Windows XP.
Server Requires Windows Server 2008.
Version Requires Forefront Threat Management Gateway (TMG).

Declared in Msfpccom.idl.

See Also

COM Objects

Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.