06 June 2011

TMG HTTPS Inspection Part II - Preparing and publishing TMG signing certificate

Why a certificate is needed
HTTPS means certificates and trusted Certificate Authorities. When enabling HTTPS inspection (HTTPSi) you are essentially asking TMG to break the SSL tunnel, inspect the traffic, and then create another tunnel to the client. The certificate for that second tunnel will be signed by the TMG CA. To be able to do this without certificate warnings for every single HTTPS site, you will need to configure your TMG to be a Trusted Root Certificate Authority on the clients.

How to generate the new signing certificate
You can use either a PKI-generated certificate or a TMG-generated certificate for this. I would suggest using the TMG cert option.

From the TMG management console, open Web Access Policy:

  • Click HTTPS Inspection
  • Choose "Use FTMG to generate a certificate"
  • Click on Generate
  • Specify a "friendly" issuer name
  • Set the expiration or leave it at Never
  • Optionally specify an Issuer statement
  • Click Generate Certificate Now

You will now be able to view the generated certificate.

You will note that the "Issued by" name and the "Issued to" fields are the same, hence the term self-signed certificate.

All subsequent certificates will have the same "Issued by" information, but the "Issued to" field will be the site being accessed.

To make sure that these certificates are seen as coming from a trusted certificate authority, we will now need to publish this certificate to Active Directory so that it can be replicated out to the client machines within the corporate network.

Publish the certificate to Active Directory
From the HTTPS Outbound Inspection option under the General tab, click on the large "HTTPS Inspection Trusted Root CA Certificate Options" button:

  • Select Automatically through Active Directory
  • Click Domain Administrative Credentials
  • Specify the credentials of an enterprise administrator
  • OK
  • OK

The certificate will now be published through Active Directory and trusted by the domain members.

Give this some time to replicate and then check to see that it is installed correctly.

Verify the TMG as a Trusted Root Certificate Authority

  • Open the MMC console
  • Add the Certificates snap-in
  • Select Computer account (you have to be logged in as an administrator for this to be an option)
  • Expand the Trusted Root Certificate Authorities section
  • Click on Certificates

In the list you should see the self-signed certificate you generated earlier. If you view this certificate you should see that the status has changed. The Certificate Information section should now state the intended purposes, as opposed to "This CA Root certificate is not trusted". The icon will also have changed from having a red cross on it to not having a red cross.

It is important that this step has completed successfully before you move on to the next step.
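The same check can be scripted so it can be run on a sample of domain members rather than clicking through the MMC on each one. This is an added example, not from the original post or from TMG itself; it assumes the friendly issuer name you typed into the wizard (the `$IssuerName` placeholder below) and looks only in the computer store, which is the one the Active Directory publish step populates.

```powershell
# Added example: confirm the TMG HTTPSi signing certificate has replicated into
# this machine's Trusted Root store and is actually trusted (no red cross).
param(
    # Placeholder: replace with the "friendly" issuer name you entered in the wizard.
    [string]$IssuerName = "TMG HTTPS Inspection CA"
)

# Computer store, not the current user's store.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$IssuerName*" }

if (-not $roots) {
    Write-Warning "No certificate matching '$IssuerName' in LocalMachine\Root. Allow time for AD replication (or run gpupdate /force) and re-check."
    exit 1
}

foreach ($cert in $roots) {
    # Self-signed: "Issued by" and "Issued to" are identical, as the post describes.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # Build the chain the way the MMC does; revocation is skipped because a
    # TMG-generated root publishes no CRL.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)

    # Trusted = True with an empty ChainStatus is the scripted equivalent of
    # the red cross having disappeared from the certificate icon.
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SelfSigned  = $selfSigned
        Trusted     = $trusted
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}
```

If `SelfSigned` is False the match is a different certificate with a similar name; if `Trusted` is False and `ChainStatus` reports `UntrustedRoot`, the certificate is present but landed in a store other than Trusted Root.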
