Demystifying outbound HTTPS inspection in Forefront TMG

by Shijaz Abdulla on 13.06.2010 at 20:52

What is Forward HTTPS Inspection or Outbound HTTPS Inspection?

In ISA Server 2004/2006 we had inbound HTTPS inspection, better known as “SSL Bridging”. SSL Bridging, or inbound HTTPS inspection, protects published web servers from malicious requests originating from the Internet/external network. In essence, the ISA Server held the same SSL certificate as the web server, along with its private key. When an HTTPS request reached the ISA Server, it decrypted the request with that private key and inspected it. If the request was found to be safe, the ISA Server established a second SSL session between itself and the published web server and forwarded the request over it.

SSL Bridging was an excellent piece of technology for inspecting inbound HTTPS traffic, but ISA Server did not have a feature to inspect “outbound” HTTPS traffic.

Okay – so what’s Outbound HTTPS Inspection?

Outbound HTTPS traffic refers to HTTPS requests that originate from the internal network (for example, a user’s web browser) and go out to the Internet. Why is inspecting it required? Often, blocked websites or services can still be reached through an HTTPS session, because the proxy server has no visibility into the content passing inside the encrypted session.

This is the technique used by many anonymizers, P2P software and applications like Skype to evade being blocked by a proxy server. More dangerously, it is often used by modern malware to pass undetected between your internal network and the Internet, because your edge security products simply cannot see what is inside the SSL session.

So, how does HTTPS Inspection work? In *very* simple terms:

1. The TMG Server holds an SSL CA certificate (either generated by TMG itself or issued by your Active Directory CA). All client computers in your internal network must trust this HTTPS Inspection CA certificate.

2. A user’s computer tries to access an HTTPS website (or other HTTPS content) on the Internet.

3. TMG does not blindly “proxy” the request through to the remote HTTPS server. Instead, the TMG Server acts as the client and negotiates its own SSL session with the remote HTTPS website.

4. TMG validates the site’s certificate, copies the details of that certificate, creates a new SSL certificate with those exact same details, and signs it with its own CA certificate. It then returns this certificate to the internal client.

Because TMG is the client towards the remote server, it can decrypt the content sent back and perform malware inspection and policy-based filtering on it.

5. The result is two separate tunnels, one from TMG to the remote HTTPS server and another from TMG to the internal client – a textbook “man-in-the-middle attack”. I like to call it the “good-man-in-the-middle attack”. With the connection “cut” into two tunnels, the TMG server can decrypt, inspect and re-encrypt all communication between the client and the remote HTTPS server.
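As an added example (not code from the original post or from TMG itself), here is a client-side check of what a workstation behind TMG actually receives: given the leaf certificate a client sees, `classify()` reports whether it was re-signed by the inspection CA, came straight from a public CA (site excluded from inspection), or does not name the host that was requested, which is the situation behind the connect-by-IP-address failure discussed in the comments below. The CA subject and the sample certificates are placeholders I constructed; `fetch_peer_cert()` assumes the client reaches the Internet through TMG without an explicit CONNECT to the web proxy.

```python
import socket
import ssl

# Subject of the TMG HTTPS Inspection CA (placeholder: read it from your own CA certificate).
INSPECTION_CA_SUBJECT = ((("commonName", "Forefront TMG HTTPS Inspection CA"),),)

def rdn_to_dict(name):
    """Flatten the nested RDN tuples of ssl.getpeercert() into a plain dict."""
    return {k: v for rdn in name for k, v in rdn}

def hostname_matches(host, names):
    """Match the requested host against DNS names, honouring one-label wildcards."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def classify(cert, requested_host):
    """'inspected' = leaf re-signed by the TMG CA, 'direct' = public CA (site excluded),
    'mismatch' = requested name not in the certificate (e.g. a request by IP address)."""
    subject = rdn_to_dict(cert.get("subject", ()))
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if subject.get("commonName"):
        names.append(subject["commonName"])
    if not hostname_matches(requested_host, names):
        return "mismatch"
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return "inspected" if issuer == rdn_to_dict(INSPECTION_CA_SUBJECT) else "direct"

def fetch_peer_cert(host, port=443):
    """Connect through TMG as an ordinary client and return the leaf certificate.
    Verification stays on, so an untrusted inspection CA raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() form (not captured from real sites).
INSPECTED_CERT = {"subject": ((("commonName", "www.example.com"),),),
                  "issuer": INSPECTION_CA_SUBJECT,
                  "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
DIRECT_CERT = {"subject": ((("commonName", "www.example.com"),),),
               "issuer": ((("commonName", "Example Public Root CA"),),),
               "subjectAltName": (("DNS", "*.example.com"),)}
```

Run `classify(fetch_peer_cert("www.example.com"), "www.example.com")` from a domain workstation to confirm that inspection is really in effect for a site, or that an exclusion you configured is actually honoured.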

Let’s now roll up our sleeves and see how to turn on HTTPS inspection.


  1. Right-click on Web Access Policy and choose “Configure” > “HTTPS Inspection”.
  2. Choose “Enable HTTPS inspection”.


  3. Choose “Inspect traffic and validate site certificates” (recommended).
  4. Under the HTTPS Inspection Certificate settings you have two options: let TMG generate a certificate, or import a certificate already issued by your organization’s trusted Enterprise Root CA or by a third-party CA. In either case, all client computers in your network MUST trust the CA certificate.
  5. If you let Forefront TMG generate the certificate, make sure the CA certificate is placed in the Trusted Root Certification Authorities store on all your computers. You can deploy it automatically by clicking the HTTPS Inspection Trusted Root CA Certificate Options button; you will need domain administrator credentials.


Hope you enjoyed this article. Subscribe to this blog for more how-to’s on TMG and other Forefront products.


12 Responses to Demystifying outbound HTTPS inspection in Forefront TMG

  1. Pingback: Blocking Skype and other IM protocols in Forefront TMG | microsoftNOW

  2. Pingback: TMG or UAG? Which one do I need? | microsoftNOW

  3. Pingback: Privacy becomes more precious everyday, and so does Open Source… « Sameh M. Shaker's Weblog

  4. Johann says:

    Hi, I’m writing a PHP application which tries to connect to Facebook by using the Facebook PHP SDK. This application resides on a server behind a Forefront TMG server. When I try to connect to Facebook I receive an error message saying “Forefront TMG denied the specified URL…”. By inspecting the error details I notice that the SDK is trying to connect to Facebook by using an IP address (xxx.xxx.xxx.xxx:xxx) instead of a URL (authentication.facebook.com). If I disable the HTTPS Inspection feature everything goes well; however, I don’t want to do that. Do you know how I can enable IP-like requests on Forefront TMG? Thanks in advance for your help!!!

    • Hi Johann,

      I believe you can exclude specific URLs from being subject to HTTPS inspection. Try adding an exclusion for the URL that’s not working well.

      Shijaz

      • Luis Galvao says:

        Hi,

        One of the things that TMG does is a verification of the certificate of the HTTPS page. In case you have a certificate that does not match the address you are trying to reach, or if you use a wildcard certificate, TMG will block the access since it cannot verify its contents and establish the two SSL sessions (one with the client and the other with the web server).

        hope this helps

        Luís

  5. Pingback: To protect Exchange: TMG or UAG, which one to choose? « Blog des consultants du Permis Informatique

  6. theanh says:

    Hi all.
    Create a rule in TMG to allow gmail & mail.yahoo.com.
    Help me!

  7. M.Jan says:

    Thanks for your beneficial information about HTTPS Inspection,
    but I have a problem: when I enable HTTPS Inspection, Gmail.com and mostly Facebook and Hotmail cannot be browsed from the clients, even though I grant them full access and also exclude Gmail, Facebook and Hotmail from HTTPS inspection; the clients still cannot access Gmail, Hotmail and Facebook.
    I also installed the certificate on the client machine; again the same problems.
    Please help me, it is really making me crazy.
    Thanks

  8. Forefront TMG and all those DLPs and always_bcc() on SMTP, it makes me puke http://t.co/mOxhUGHP #naziinside #liberte #fuckmoijaimonvpn^^

  9. Eric Vermeulen says:

    Hi,

    I am playing around with TMG three-homed on Hyper-V. I have got almost everything to work; there is just one thing that is getting to me. Whenever an SSL tunnel is set up between a client in the client LAN and an SSL server outside (paysites / iDeal), the client LAN seems to break on the way back to the destination server side. I have tried to play around with the HTTPS outbound and inspection settings, but can’t seem to get my finger behind this.

    Thanks,

    Eric

  10. Pingback: Blocking Skype IM protocols | Technovainfo
