21 June 2011

TMG - HTTPS filtering vs. HTTPS Inspection

The following seems to create some confusion when administrators start of with TMG.

URL filtering and HTTPS Inspection (HTTPSi) are mutually exclusive features that can be run alone or together.  The one does not rely on the other.

URL Filtering
This feature that was introduced with TMG, for many of us it was a very welcome alternative to Websense.  It works by creating a Deny rule for the  URL categories that you specify.  You can have multiple rules like this to apply different levels of restriction for various user groups.

This filters sites based on their URL.  This will filter or block HTTP as well as HTTPS.

You can verify this by doing a "Query for URL category"  looking up a URL on HTTP and HTTPS return the same URL category and the rule therefore applies to both.

A feature added with SP1 was that you now also have the option of blocking sites for non-primary  categorizations.

You do not need certificates to get web filtering to works for you.  It works on simply denying or granting access to a URL, it does not attempt to open and reseal SSL tunnels.

HTTPS Inspection
To understand what this does you first need to get an idea of how TMG handles HTTP traffic.  TMG is a application layer firewall, so it is able to manipulate HTTP in many different ways.  As a proxy, the traffic is passed through the Web proxy Application Filter.  This mean TMG "looks into" the data and can apply it's restriction etc to it.

With HTTPS you have an SSL tunnel that starts at the web server and goes all the way through to the client.  Effectively TMG can now not manipulate the traffic since it does not pass through the Web Proxy Application Filter.  This allows any traffic to pass through the tunnel.

You have two choices.  You can have TMG simple verify the validity of the certificates on behalf of the clients.  This prevents users form ignoring the certificate warning the browsers pops up.

You still don't need certificates at this point. Since it is just verifying certificates before allowing or blocking access.

Secondly you have the option to verify and inspect traffic.

This enables the Web proxy application filter for HTTPS.  This means you have the check and control as you do for HTTP traffic.  TMG will now establish the primary tunnel from the web server to TMG, it will then inspect the traffic, then create a second tunnel between TMG and the client.  Because TMG needs to create the secondary tunnel it needs a certificate to sign it with.

TMG will generate this certificate for you and publish it to Active Directory.  Clients on the domain will then have the TMG as a trusted Root Certificate Authority.

The many different web access features in TMG allows you to have various levels of restriction , control, visibility and compression.  These features are independently applied and can be used in various combinations depending on the needs.



jake said...

how to block httpS://www.facebook.com with out enabling HTTPS Inspection.

Etienne Liebetrau said...

Hi Jake

Not sure what you are asking, but blocking a site that is https can be blocked with a rule that contains a urlset. For blocking a site specify the url as


For httpS specify


Let me know how it goes.

Anonymous said...

Hi! how to create cert for HTTPS inspection using CA ?

Etienne Liebetrau said...

You cannot use another CA to generate the Certificate as TMG has to be the trusted root to be authorized to issue the certificates.

Anonymous said...

no, what exactly template i should use to request certificate for TMG from my CA

Etienne Liebetrau said...

are you on skype so we can chat? etienne-fixmyitsystem

Marc said...


I am already filtering facebook.com using domain name sets. I have a problem that when a user accesses https://facebook.com the user does not get the standard deny message but instead an IE error that the page cannot be loaded. Do you know how i can get it to display the correct TMG errorpage?

Etienne Liebetrau said...

If you are getting the page cannot be displayed error then there is probably something else going with the HTTPS request. To try and figure out what exactly is happening set up a deny rule using a URL set.

Add the following into the URL set


Any requests (http and https) to Facebook should now be denied by this.

Check the TMG logging to see if this rule is catching the requests.

The other side to this is to check browser side to see what is happening. Use something like HTTPwatch for IE or Firebug for Firefox as a http sniffer to figure out what the browser is actually up to.

Let me know how it goes or look me up on skype: etienne-fixmyitsystem

Hasan said...

Etienne Liebetrau, can you please tell me how to block Ultrasurf in TMG 2010.

Etienne Liebetrau said...

Hi Hasan

I tried this out and could not get it to work at all from behind TMG. The reason for this appears to be that it uses SSL to encapsulates the traffic but it attempts to do so over port 9999. This is by default not allowed through TMG as it does not match it's definition of what SSL traffic should look like.

I am not able to check access if the client is configured as a secure NAT client. But as a proxy client it is dead in the water...

Let me know if it does work through your TMG and we can check it out further - Catch my on Skype if you want to chat more realtime..

حسين أحمد said...

How Block All Web , and Opening some selected web

manish said...

Hi All,
I want to block .exe websites from HTTPS websites. I configured HTTP filter and it just blocks exe from http website. Is there any way that I can block downloading of .exe files from https websites.

And is it possible if someone renames .exe to pdf then also it will block the download of that file.

Post a Comment