How to: Resolve common problems with HTTPS Inspection using Microsoft Forefront Threat Management Gateway 2010

How to resolve common HTTPS inspection issues while using Microsoft TMG 2010

While working with Microsoft Forefront Threat Management Gateway 2010 (previously known as Internet Security and Acceleration Server), HTTPS inspection is a big new component. If you look through your logs and find https-inspection listed as the protocol for failing connections, odds are your users or applications are experiencing communication issues. Below are a few scenarios where HTTPS inspection might be failing, with explanations of why. It is important to study them, as communication issues ultimately hurt your enterprise's productivity. HTTPS inspection is a centerpiece of secure communication over the Internet, and the information it handles is highly sensitive for your business.

Scenario 1: The page cannot be displayed – Error Code 502 (Proxy Error) – the certification authority that issued the SSL Server certificate supplied by a destination server is not trusted by the local computer.

When trying to browse an HTTPS web site you get the following error: The page cannot be displayed – Error Code 502 (Proxy Error) – the certification authority that issued the SSL Server certificate supplied by a destination server is not trusted by the local computer.

Explanation: This error happens when the TMG server does not trust the certificate of the site you’re trying to visit. This is usually not the case with commercial certificates, as those are very likely to be trusted already. If your users need to access the website regardless, there are two options: a) add the CA certificate of the website you are trying to visit to the local trusted root certificate store of your TMG server; b) add the website to the exception list and disable certificate validation for HTTPS inspection, which is generally not the ideal approach.

Scenario 2: The page cannot be displayed – Error Code 502 (Proxy Error) – the name on the SSL server certificate supplied by a destination server does not match the name of the host requested.

When trying to browse an HTTPS web site you receive an error saying: The page cannot be displayed – Error Code 502 (Proxy Error) – the name on the SSL server certificate supplied by a destination server does not match the name of the host requested.

Explanation: There are special cases where the “name mismatch” error can occur. The conditions are:

  • Web server uses a wildcard certificate (*.domain.com, for instance)
  • Client is a transparent client (so it accesses the web server using its IP address)
  • Client is a web proxy client, but accesses the web server using its IP address
  • Reverse name resolution (IP to name) of the web server fails from TMG

In that case, TMG needs to perform a reverse name resolution to check for a name mismatch. However, if the reverse name resolution fails for some reason, TMG cannot complete the name mismatch validation. If this is a valid site and the end user needs to access it, the recommendation is to add *.domain.com to the list of destinations exempted from inspection and set the certificate validation to “No validation”.
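As an added illustration (not code from the post, and not TMG's own implementation), the following Python model shows why the conditions above combine into a name mismatch: a wildcard name such as *.domain.com only matches a single host label, and when the client reached the server by IP address the host name TMG compares against the certificate has to come from a reverse lookup, so a failed lookup leaves the validation unresolved. The PTR table and host names are constructed for the demo.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional


def name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate name against a host name.

    A leading '*' covers exactly one DNS label, so *.domain.com matches
    www.domain.com but neither domain.com nor a.b.domain.com.
    """
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                      # ".domain.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def validate_name(requested_host: str, cert_names: Iterable[str],
                  reverse_lookup: Callable[[str], Optional[str]]) -> str:
    """Return 'match', 'mismatch' or 'unresolved' for the requested host.

    'unresolved' is the case the post describes: the request carried only an
    IP address and reverse name resolution failed, so no name comparison can
    be completed at all.
    """
    try:
        ipaddress.ip_address(requested_host)
    except ValueError:
        host = requested_host                   # client sent a host name
    else:
        host = reverse_lookup(requested_host)   # transparent / IP-based client
        if host is None:
            return "unresolved"
    return "match" if any(name_matches(n, host) for n in cert_names) else "mismatch"


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve with the OS resolver; None when the PTR lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


# Constructed PTR table standing in for the resolver TMG would consult.
DEMO_PTR = {"192.0.2.10": "www.domain.com"}
demo_lookup = DEMO_PTR.get                       # returns None on failure
```

With `demo_lookup`, a request for 192.0.2.10 resolves and matches the wildcard, while an IP absent from the table comes back as `unresolved`, which is the situation the exemption list is meant to work around.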

Scenario 3: There is a problem with this website’s security certificate. The security certificate presented by this website was not trusted by the certificate authority. Security Certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.

When trying to browse any HTTPS web site you get the following warning:

There is a problem with this website’s security certificate. The security certificate presented by this website was not trusted by the certificate authority. Security Certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.

Explanation: The most common cause of this error when accessing all HTTPS web sites is that the client workstation doesn’t trust the certificate that TMG is using. The CA certificate (e.g. a self-signed certificate) used by TMG must be deployed on the client; otherwise the client won’t trust the certificate issued by TMG on behalf of the web server. Read Deploying the HTTPS inspection trusted root CA certificate to client computers in the TMG documentation on TechNet for more information on how to deploy the CA certificate to the clients. Basically there are two common options:

  • Deploy the TMG HTTPS inspection certificate manually to client computers. You can do this by exporting it through the TMG console and then installing it manually or through an automation process on your client machines.
  • Deploy the TMG HTTPS inspection certificate automatically via Active Directory. Using the options on the TMG console you are able to import the TMG HTTPS inspection certificate into Active Directory and have it deploy via policy to all machines on the domain.

Scenario 4: Server not found. Firefox can’t find the server at [URL]. Check the address for typing errors such as ww.example.com instead of www.example.com. If you are unable to load any pages, check your computer’s network connections. If your computer or network is protected by a firewall or proxy, make sure that firefox is permitted to access the web.

When trying to access any HTTPS web site from Firefox (or perhaps another third-party browser, i.e. not IE) you receive the error below (it works if you try to access the site using Internet Explorer):

Server not found. Firefox can’t find the server at [URL]. Check the address for typing errors such as ww.example.com instead of www.example.com. If you are unable to load any pages, check your computer’s network connections. If your computer or network is protected by a firewall or proxy, make sure that firefox is permitted to access the web.

Explanation: Some third-party browsers such as Firefox have their own trusted root certificate store and do not use the local Windows trusted root certificate store while browsing the Internet. Consult the third-party browser documentation to see how to install the root certificate that TMG is using for HTTPS inspection. The reason it works with Internet Explorer is that Internet Explorer consults the local Windows trusted root certificate store, so if the root CA certificate used by TMG has already been deployed using group policy, IE will trust the CA.
