07 June 2011

TMG HTTPS Inspection Part III - Enabling and Testing

Sequence
There are a few things to test, and you want to make sure they are all working before you proceed.

It is slightly tricky to test this, since there is no simple way to limit your testing to a single user or machine: HTTPS inspection works only on exclusion. I would also suggest testing against new or different sites every time, to avoid certificate caching getting in the way. Also, do not test against any of the sites in the default Destination Exceptions list.


Certificate Validation
This setting forces TMG to verify the server certificates it encounters, to make sure that they are valid and trusted.


  • From the HTTPS Outbound Inspection Page under the General tab
  • Check Enable HTTPS Inspection
  • Select the option "Do not inspect traffic but validate site certificates. Block HTTPS traffic if certificate is not valid"
  • Switch to the Certificate Validation tab
  • "Block expired certificates" and "Block server certificates that are not yet valid" are simple date checks executed by TMG itself.
  • "Check for server certificate revocation" requires TMG to look up revocation information from the issuing CA, so it depends on TMG having outbound access to that CA.


Test first with the top two options checked. If all is working fine, enable the revocation check and test again.

If everything is working correctly you can proceed with the next step. Un-check all three validation options and proceed to checking inspection.

HTTPS Inspection
To test each part individually, make sure that all three validation options are disabled. This step tests two things: first, that TMG can successfully inspect the HTTPS traffic, and second, that generating and signing the per-site certificates succeeds.


  • From the HTTPS Outbound Inspection Page under the General tab
  • Check Enable HTTPS Inspection
  • Select "Inspect traffic and validate certificates"
  • From the Client Notification tab check "Notify users that their HTTPS traffic is being inspected."

I would suggest testing from a client machine with the Forefront TMG Client installed. The TMG Client will pop up a message whenever inspection is occurring.


Browse to an HTTPS testing site.
The TMG Client should generate a popup stating that inspection is occurring.

The site should successfully open
If you now check the certificate details for the site you should see the following:

The certificate should be valid (no red cross on the icon).

The "Issued to" field should be the name of the site you are visiting (indicated in green in the screenshot).

The "Issued by" field should be the name of your TMG CA (indicated in red in the screenshot).
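As an added check, not part of the original post, the following Python script does from the command line what the certificate dialog check above does by eye: it pulls the certificate the client actually receives for a site and reports whether "Issued to" still matches the site and whether "Issued by" is the TMG CA, and it reproduces the two offline checks from the Certificate Validation section (expired / not yet valid). The CA name `TMG HTTPS Inspection CA`, the sample certificates and the function names are constructed placeholders; substitute the common name of your own TMG CA. The revocation check is not reproduced, since that requires a lookup against the issuing CA.

```python
import socket
import ssl
import time

# Constructed placeholder: replace with the common name of your own TMG CA.
TMG_CA_CN = "TMG HTTPS Inspection CA"


def parse_cert_time(cert_time):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' strings found in the
    ssl.getpeercert() dict into epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def name_attr(name, attr="commonName"):
    """Pull one attribute (default: CN) out of the nested tuple that
    ssl.getpeercert() uses for the 'subject' and 'issuer' keys."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def host_matches(cn, host):
    """Does the certificate CN cover this host (exact, or one-label wildcard)?"""
    if not cn:
        return False
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def validity_status(cert, now=None):
    """The two offline checks from the Certificate Validation tab
    ('Block expired certificates' / 'Block ... not yet valid').
    Returns 'valid', 'expired' or 'not-yet-valid'."""
    now = time.time() if now is None else now
    if now < parse_cert_time(cert["notBefore"]):
        return "not-yet-valid"
    if now > parse_cert_time(cert["notAfter"]):
        return "expired"
    return "valid"


def inspection_verdict(cert, host, tmg_ca_cn=TMG_CA_CN, now=None):
    """Report what the certificate dialog shows: Issued to, Issued by,
    whether the issuer is the TMG CA (i.e. the session was inspected) and
    whether the name still matches the site that was requested."""
    issued_to = name_attr(cert["subject"])
    issued_by = name_attr(cert["issuer"])
    return {
        "issued_to": issued_to,
        "issued_by": issued_by,
        "inspected": issued_by == tmg_ca_cn,
        "name_matches": host_matches(issued_to, host),
        "validity": validity_status(cert, now),
    }


def fetch_peer_cert(host, port=443, cafile=None, timeout=10):
    """Open a TLS connection the way a browser on the client would and return
    the peer certificate as a dict. Verification uses the machine's trusted
    roots (or 'cafile'), so the TMG CA must already be trusted here; a
    handshake failure at this point means the CA has not been deployed to
    this client, which is itself a useful finding."""
    context = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the getpeercert() dict shape: one as TMG
# would mint it for an inspected session, one as the site's original.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", TMG_CA_CN),),),
    "notBefore": "Jun 10 00:00:00 2011 GMT",
    "notAfter": "Jun 10 00:00:00 2012 GMT",
}
SAMPLE_ORIGINAL = dict(SAMPLE_INSPECTED,
                       issuer=((("commonName", "Example Public CA"),),))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for key, value in inspection_verdict(fetch_peer_cert(target), target).items():
        print(f"{key:13}: {value}")
```

Run it from the test client against a site that is not in the Destination Exceptions list: `inspected` should be `True` and `issued_by` should be your TMG CA; run it against an excluded site and `inspected` should be `False` with the site's public CA as issuer. Because `fetch_peer_cert` verifies the chain, a site whose certificate TMG re-signs will only connect once the TMG CA is in the client's trusted root store.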

If this test is also successful, you can re-enable the certificate validation checks.

Test this again to ensure everything is working properly. There are a few things to be aware of; check the "Things to consider when planning" section in Part I: http://fixmyitsystem.com/2011/06/tmg-https-inspection-part-i-planning.html
