URL filtering and HTTPS Inspection (HTTPSi) are independent features: you can run either one on its own or both together, and neither depends on the other.
URL filtering was introduced with TMG, and for many of us it was a very welcome alternative to Websense. It works by creating a Deny rule for the URL categories you specify. You can have several such rules to apply different levels of restriction to different user groups.
It filters sites based on their URL, and it blocks HTTP as well as HTTPS sites. Note that for HTTPS the proxy only sees the host name and port the client asks to CONNECT to, so the category decision for an HTTPS site is made on the host name, not on the full URL path.
You can verify this with "Query for URL category": looking up the same site over http:// and over https:// returns the same URL category, so the rule applies to both.
SP1 added the option of also blocking sites based on their non-primary categorizations.
You do not need certificates to make web filtering work for you. It simply denies or grants access to a URL; it does not attempt to open and reseal SSL tunnels.
To understand what HTTPSi does you first need an idea of how TMG handles HTTP traffic. TMG is an application layer firewall, so it can manipulate HTTP in many different ways. As a proxy, it passes the traffic through the Web Proxy Application Filter. This means TMG "looks into" the data and can apply its restrictions and other processing to it.
With HTTPS you have an SSL tunnel that starts at the web server and runs all the way through to the client. TMG cannot manipulate that traffic, because the encrypted payload does not pass through the Web Proxy Application Filter; whatever is inside the tunnel passes through unseen.
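The difference between what the proxy sees for HTTP and for un-inspected HTTPS, and why URL filtering still works for HTTPS sites while anything path-based does not, can be shown with a small model. The following is an added example and not TMG code: the request lines, the category table and the path-level override are all constructed for the illustration, and the lookup is a plain dictionary rather than a real categorization service.

```python
"""Toy model of what a forwarding web proxy sees for HTTP vs HTTPS requests
and how URL-category Deny rules apply (or cannot apply) without inspection.

Added illustration, not TMG code. The hosts, categories and request lines
below are constructed; TMG resolves categories via Microsoft Reputation
Services rather than a local table.
"""
from urllib.parse import urlsplit

# Constructed host -> category table standing in for the categorization service.
CATEGORIES = {
    "news.example.com": "News",
    "games.example.net": "Games",
    "mixed.example.org": "Business",
}
# Constructed path-level categorization: (host, path prefix) -> category.
PATH_CATEGORIES = {
    ("mixed.example.org", "/casino"): "Gambling",
}
# Categories covered by the Deny rule.
BLOCKED = {"Games", "Gambling"}


def parse_proxy_request(request_line):
    """Return (scheme, host, path) as a proxy without inspection sees them.

    'GET http://host/path HTTP/1.1' exposes the full URL to the proxy.
    'CONNECT host:443 HTTP/1.1' (HTTPS without inspection) exposes only
    host:port; the real request and path travel inside the TLS tunnel, so
    the path is returned as None.
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host, _sep, _port = target.rpartition(":")
        return "https", host.lower(), None
    parts = urlsplit(target)
    return parts.scheme.lower(), parts.hostname.lower(), parts.path or "/"


def categorize(host, path):
    """Use a path-level category when the path is visible, else the host category."""
    if path is not None:
        for (h, prefix), category in PATH_CATEGORIES.items():
            if h == host and path.startswith(prefix):
                return category
    return CATEGORIES.get(host, "Uncategorized")


def decide(request_line):
    """Return (decision, category) the way a Deny-by-category rule would."""
    _scheme, host, path = parse_proxy_request(request_line)
    category = categorize(host, path)
    return ("deny" if category in BLOCKED else "allow"), category


if __name__ == "__main__":
    for line in [
        "GET http://games.example.net/ HTTP/1.1",
        "CONNECT games.example.net:443 HTTP/1.1",
        "GET http://mixed.example.org/casino/lobby HTTP/1.1",
        "CONNECT mixed.example.org:443 HTTP/1.1",
    ]:
        print(f"{line:52s} -> {decide(line)}")
```

The first two requests show the behaviour described above: the host carries the Games category, so the Deny rule fires for both the HTTP request and the HTTPS CONNECT. The last two show the limit: the path /casino is categorized as Gambling and is blocked over HTTP, but over HTTPS the proxy only sees mixed.example.org:443 and falls back to the host category, which is allowed. Only HTTPS inspection, where the proxy terminates the tunnel, would let it see the path.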
You have two choices. You can have TMG simply verify the validity of the server certificates on behalf of the clients. This prevents users from clicking past the certificate warning the browser pops up.
You still do not need certificates of your own at this point, since TMG is only verifying the server's certificate before allowing or blocking access.
Secondly, you have the option to verify and inspect traffic.
This enables the Web Proxy Application Filter for HTTPS, so you get the same checks and controls as for HTTP traffic. TMG now establishes the first tunnel from the web server to TMG, inspects the decrypted traffic, and then creates a second tunnel between TMG and the client. Because TMG has to present a certificate for each inspected site on that second tunnel, it needs a CA certificate with which to sign the certificates it generates.
TMG can generate this CA certificate for you and publish it to Active Directory, after which domain-joined clients trust the TMG HTTPS inspection CA as a Trusted Root Certification Authority; alternatively you can import a CA certificate issued by your own PKI. Clients that are not domain members, and applications that do not use the Windows certificate store, need the certificate imported separately or they will see certificate errors for every inspected site.
The many web access features in TMG give you various levels of restriction, control, visibility and compression. They are applied independently and can be combined as your needs require.