Forefront TMG 2010 introduced a feature called HTTPS inspection, which allows inspecting HTTPS traffic in the same way as HTTP traffic.
Without HTTPS inspection, the client and server create an SSL tunnel and all traffic between them is encrypted. This prevents TMG for inspecting the traffic and protecting the user.
In HTTPS inspection mode, two SSL tunnels are created: client-TMG and TMG-server. Then, all traffic in network is encrypted, but TMG decrypts all traffic from client, inspects it, encrypts and sends to server and vice versa. HTTPS inspection provides the following benefits:
· Server certificate is validated. Servers with invalid certificates are blocked.
· Forefront TMG policy is applied even for encrypted communications.
· Forefront TMG web filters are alo applied to encrypted requests. In particular, the traffic is scanned with EMP, NIS and other Forefront TMG features to help protect from malware/vulnerabilities.
However, in some cases, HTTPS inspection cannot or shouldn’t be applied. This happens in some of the following cases:
- Administrators can choose not to inspect sites that contain sensitive user information, like health, bank, stock etc. Such sites could be exempt from inspection by Forefront TMG.
- There are some clients whose traffic commonly include sensitive information (like company managers, lawyers etc.). Traffic from such clients could also be exempted.
- Client certificate authentication. Since the client certificate is only available on the client machine, TMG will not be able to authenticate to the server.
- ·Performance: HTTPS inspection has a performance impact due to the tunnels’ creation and traffic inspection. If an administrator trusts a particular site, he may elect to exclude it from HTTPS inspection to reduce the load on the Forefront TMG server.
- Misconfigured destination server: in some cases, destination servers contain an invalid certificate (self-signed, expired, etc.). While this is bad practice, it does not necessarily represent a malicious site.
For these reasons, Forefront TMG introduced two HTTPS exclusion mechanisms: destination exceptions and source exceptions.
In order to configure exclusion by destination, open the HTTPS inspection UI (Web access policy->Configure HTTPS inspection) and go to the “Destination exceptions” tab (see screenshot below).
You can add the following network objects to the destination exception list: DomainNameSets, UrlCategories and UrlCategorySets.
Destination exception matching is performed in the following way:
- Forefront TMG establishes an SSL tunnel with server. As a part of establishment, TMG receives the server certificate.
- Forefront TMG retrieves the certificate’s subject name and names in SAN (Subject Alternative Name) extension, if existing. For each name, Forefront TMG looks for a match in the destination exclusion list. If there is at least one match, the site is excluded.
- Even if the site is excluded, Forefront TMG performs a certificate check. The policy of certificate check is different for different types of exclusions (we will discuss this below). If a certificate doesn’t pass certificate policy checks, the site is blocked. Otherwise, the site is excluded from HTTPS inspection.
- In case the site is excluded from inspection, Forefront TMG closes the connection with the server, opens a new one and moves to data pump mode: client and server establish SSL tunnel and TMG just transfers data from client to server and vice versa.
In order to configure exclusion by source, open the HTTPS inspection UI (Web access policy->Configure HTTPS inspection) and go to the “Source exceptions” tab (see screenshot below).
You can add to the source exception list the following network objects: Computers and Computer sets.
Source exception matching is performed in the following way:
- Forefront TMG establishes an SSL tunnel with the server. As a part of establishment, Forefront TMG receives a server certificate.
- Forefront TMG checks whether the client IP is in the source exclusion list. If yes, the traffic will be excluded.
- Even if the traffic is excluded, TMG performs a certificate check. The policy of certificate check is different for different types of exclusions (we will discuss this below). If a certificate doesn’t pass certificate policy checks, the site is blocked. Otherwise, the traffic is excluded from HTTPS inspection.
- In case the traffic is excluded from inspection, Forefront TMG closes connection with server, opens a new one and moves to data pump mode: client and server establish an SSL tunnel and TMG just transfers data from client to server and vice versa.
One of the main added values of HTTPS inspection is validating server certificates. Browsers also perform a similar check and give warnings to users. However, many users ignore such warnings and continue browsing to malicious sites. HTTPS inspection completely blocks such sites.
There are five different error checks that can be performed by HTTPS inspection on server certificates:
- Certificate type – server certificate must be applicable for server authentication
- Name mismatch – server certificate subject name or one of names in SAN extension must correspond to host name in URL
- Trust – server certificate must be trusted on TMG server
- Expiration – server certificate must have valid start and end dates
- Revocation – server certificate must be not revoked.
In case of inspection, TMG by default performs all these checks. Two notes:
- Expiration and revocation are configurable globally on the “Certificate validation” tab of HTTPS inspection dialog.
- Name mismatch, trust and certificate type checks are always performed by TMG in inspection mode. This happens because in case of inspection, TMG is responsible for certificate validity.
In case of exclusion, there are two options: “certificate validation” and “no certificate validation”.
- Certificate validation: TMG performs certificate type check, name mismatch check and trust check.
- No certificate validation: TMG performs certificate type check only.
For destination exceptions, certificate validation is configured per object in the exclusion list (see second column in destination exception screenshot). For each object, you can change its validation mode by pressing on “Validation” and “No Validation” button (it is the same button, it just changes capture according to current object state)
The table below summarizes certificate checks for each mode:
Expired, not yet valid
Exclusion, no validation
New in TMG service pack 1– “complete” source exception
A new “No certificate validation” checkbox was added to the source exception configuration in TMG service pack1. It is configured globally for the whole exception list (see checkbox in second screenshot).
This mode can be used to completely bypass the entire HTTPS inspection mechanism for the machines in the source exceptions list. Please note that this mode is less secure as in this case TMG will not validate the server certificate in any way. It is usually recommended to prefer destination exceptions.
Choosing the right exception method
It is usually recommended to use destination exceptions. By choosing destination exception, you only exempt sites that you trust (either because they are well managed or because they have some validation problem, such as a self-signed certificate).
Source based exceptions may be used to exempt machines when you do not yet know the specific destinations that needs to be added to the exception list or if these are client computers that you do not want to inspect for some reason.
Author: Roman Golubchyck
Reviewer: Ori Yosefi