08 June 2011

TMG HTTPS Inspection Part IV - Troubleshooting

VPN web traffic unexpectedly gets HTTPSi
When VPN clients access internal web applications, their traffic goes through the HTTPSi process.  This is only true for traffic that does not require a proxy according to the WPAD configuration.  Such traffic is then treated the same as any other: it is inspected and validated, and the same restrictions apply.

Since you are far more likely to see self-signed certificates on the internal network, this can cause a problem.  To resolve this issue I put in an exclusion for the VPN address pool range.

The indicator of this problem was an error message in Firefox:

"SSL received a record that exceeded the maximum permissible length"

This does not affect HTTPSi when outbound HTTPS sessions are established through a TMG proxy.

Firefox - This Connection is Untrusted
Firefox does not use the system certificate store, so a certificate published in Active Directory may be installed on the client machine but Firefox will still not trust it.  To resolve the issue, the TMG root signing certificate needs to be installed into the Firefox certificate store.

Step 1 Export the TMG signing certificate.

  • From the MMC, add the Certificates snap-in
  • Expand Trusted Root Certification Authorities
  • Expand Certificates
  • Locate your TMG signing certificate
  • Right-click it and choose All Tasks - Export
  • Follow the wizard and save the file as a Base-64 encoded .cer file


Step 2 Import the TMG certificate into the Firefox certificate store

  • Navigate to the Firefox Options page
  • Click the Advanced option
  • Select the Encryption tab
  • Click View Certificates
  • Select the Authorities tab
  • Click Import
  • Select the certificate exported in step 1


Step 3 Verify
Navigate to an HTTPS site and validate that the certificate is signed by your TMG certificate authority and that it is trusted.
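Both the VPN section and Step 3 come down to the same question: which CA signed the certificate the client actually received? The PowerShell function below is an added example for this post, not TMG's own tooling. It opens a TLS session to a host, either directly (the path a VPN client takes when WPAD says no proxy is required) or through an explicit web proxy using an HTTP CONNECT tunnel (the path a browser takes in Step 3), and reports the subject and issuer of the certificate it got back. The host names, the proxy name and the TMG CA subject are placeholders you replace with your own values.

```powershell
# Added example (not from the original post). Reports who signed the server
# certificate a client receives, so you can tell a TMG-issued certificate from
# the server's own one. Placeholders: $TmgCaSubject, host and proxy names.
function Get-HttpsIssuer {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [string]$ProxyHost,                    # leave empty for a direct connection
        [int]$ProxyPort = 8080,
        [string]$TmgCaSubject = 'CN=<YOUR TMG HTTPS INSPECTION CA>'   # placeholder, use your CA's subject
    )

    $result = [ordered]@{
        Host = "${HostName}:$Port"; ViaProxy = [bool]$ProxyHost
        Subject = $null; Issuer = $null; Thumbprint = $null
        SelfSigned = $null; IssuedByTmg = $null; Error = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if ($ProxyHost) {
            # Explicit web proxy (the WPAD case): open an HTTP CONNECT tunnel first,
            # then start TLS inside it, which is what a browser does.
            $client.Connect($ProxyHost, $ProxyPort)
            $stream  = $client.GetStream()
            $connect = "CONNECT ${HostName}:$Port HTTP/1.1`r`nHost: ${HostName}:$Port`r`n`r`n"
            $bytes   = [System.Text.Encoding]::ASCII.GetBytes($connect)
            $stream.Write($bytes, 0, $bytes.Length)

            # Read the proxy's reply one byte at a time up to the blank line so that
            # no TLS bytes are swallowed by a buffered reader.
            $reply = New-Object System.Text.StringBuilder
            $one   = New-Object byte[] 1
            while (-not $reply.ToString().EndsWith("`r`n`r`n")) {
                if ($stream.Read($one, 0, 1) -ne 1) { throw 'Proxy closed the connection during CONNECT' }
                [void]$reply.Append([char]$one[0])
            }
            $status = ($reply.ToString() -split "`r`n")[0]
            if ($status -notmatch '^HTTP/1\.[01] 200') { throw "Proxy refused CONNECT: $status" }
        } else {
            # Direct connection: the path VPN clients take when WPAD says no proxy is needed.
            $client.Connect($HostName, $Port)
            $stream = $client.GetStream()
        }

        # Accept whatever certificate arrives: this function inspects it, it does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $accept
        try {
            $ssl.AuthenticateAsClient($HostName)
            $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $result.Subject     = $remote.Subject
            $result.Issuer      = $remote.Issuer
            $result.Thumbprint  = $remote.Thumbprint
            $result.SelfSigned  = ($remote.Subject -eq $remote.Issuer)
            $result.IssuedByTmg = ($remote.Issuer -eq $TmgCaSubject)
        } finally { $ssl.Dispose() }
    } catch {
        # Handshake failures (including a reply that is not a valid TLS record) land here.
        $result.Error = $_.Exception.Message
    } finally { $client.Close() }

    [pscustomobject]$result
}

# Step 3 check from a proxied client: expect IssuedByTmg = True.
Get-HttpsIssuer -HostName 'www.example.com' -ProxyHost 'tmg.corp.example' -TmgCaSubject 'CN=<YOUR TMG HTTPS INSPECTION CA>'

# VPN check against an internal host in the excluded range: expect IssuedByTmg = False
# and, for a self-signed internal server, SelfSigned = True.
Get-HttpsIssuer -HostName 'intranet-app.corp.example' -TmgCaSubject 'CN=<YOUR TMG HTTPS INSPECTION CA>'
```

If a VPN client still gets IssuedByTmg = True for an internal host, the exclusion is not covering that client's address. If the proxy answers the CONNECT with a 407, the rule requires authentication, which this example does not implement; use the browser's certificate viewer for that case.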


Enterprise PKI
If you find that your TMG signing certificate is not trusted in your environment, check that it is a trusted Certificate Authority in AD Sites and Services.  The easiest way to check this is to run the Enterprise PKI snap-in from the MMC.


  • Right-click Enterprise PKI and select Manage AD Containers
  • Select the Certification Authorities container
  • You should now see the trusted Certificate Authorities for your environment
  • If the TMG certificate is listed there, open it and check the properties
  • If issues are displayed, such as yellow exclamation marks or red crosses, it probably means AD still needs to replicate properly throughout. This can take a few hours depending on your environment.

If the certificate is not even listed, you will have to start the certificate issuing process again from within TMG.  Ensure that you do this as an Enterprise Admin.
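The same container the Enterprise PKI snap-in shows can be read with a script, which is handy when you want to repeat the check from several sites while replication is catching up. The function below is an added example written for this post, not part of TMG or the Enterprise PKI snap-in. It takes the thumbprint of the TMG signing certificate (a placeholder here), confirms it exists in the local Trusted Root store, then lists every certificate published under CN=Certification Authorities,CN=Public Key Services,CN=Services in the AD Configuration partition and reports whether the TMG certificate is among them. It assumes a domain-joined machine and an account that can read the Configuration partition.

```powershell
# Added example (not from the original post): scripted version of the
# Enterprise PKI -> Manage AD Containers -> Certification Authorities check.
# $TmgThumbprint is a placeholder; pass the thumbprint of your own TMG signing certificate.
function Test-TmgCaPublished {
    param(
        [Parameter(Mandatory=$true)][string]$TmgThumbprint
    )

    # 1. The TMG signing certificate as installed in the local Trusted Root store.
    $local = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $TmgThumbprint.ToUpper() }
    if (-not $local) {
        throw "Thumbprint $TmgThumbprint was not found in Cert:\LocalMachine\Root on this machine."
    }

    # 2. The Certification Authorities container in the Configuration partition,
    #    which is what the Enterprise PKI snap-in displays.
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"

    $published = @()
    foreach ($caObject in $container.Children) {
        # cACertificate is multi-valued; each value is one DER-encoded certificate.
        foreach ($der in $caObject.Properties['cACertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
            $published += [pscustomobject]@{
                ContainerEntry = [string]$caObject.Properties['cn'].Value
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                NotAfter       = $cert.NotAfter
            }
        }
    }

    [pscustomobject]@{
        LocalSubject  = $local.Subject
        Thumbprint    = $local.Thumbprint
        PublishedInAD = [bool]($published | Where-Object { $_.Thumbprint -eq $local.Thumbprint })
        PublishedCAs  = $published
    }
}

# Replace the placeholder with the thumbprint shown on your TMG signing certificate.
Test-TmgCaPublished -TmgThumbprint '<TMG-SIGNING-CERT-THUMBPRINT>'
```

PublishedInAD = False matches the "not even listed" case above and means the certificate has to be issued again from TMG as an Enterprise Admin. PublishedInAD = True on one domain controller but False on another is the replication lag the post describes; running the function against each site (the ADSI binding follows the locator, so run it from a machine in that site) shows where replication has not arrived yet.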



Additional issues / problems
I will be adding to this as I find or become aware of additional issues.  Add a comment or drop me a mail if you have any issues we can look at.
