Excluding sources from the Outbound HTTPS inspection on Forefront TMG 2010: a little jam

According to this, in respect with the excluding destinations from Outbound HTTPS inspection on Forefront TMG 2010:

By default, Forefront TMG inspects the validity of the HTTPS certificate for each of the Web sites excluded from HTTPS inspection, thereby providing some minimal security. If you do not want Forefront TMG to perform this security check for a given site, click the site, and then click No Validation.


In the same document, for the excluding sources from HTTPS inspection, there is no mention about a certificate validation:



So, let’s test:

  • web proxy client, source client excluded from the HTTPS inspection, we’ve got a certificate check, note the protocol from TMG’s logs:


  • SecureNAT client, source client excluded from the HTTPS inspection, apparently we don’t have a check on the server’s certificate, but Forefront TMG 2010 still connects to the server(maybe to check if it can use SSL/TLS ? just guessing…):
    How can we notice this ?
    By looking at the Client Hello messages, I don’t use SSL 2.0 on the client and I have only 10 cipher suites enabled on it, so first is the Client Hello message used by the HTTPS Inspection on Forefront TMG, then is my client’s Hello message, note the protocol from TMG’s logs:





Actually it still connects “before”  when excluding destinations and configure them for no validation.
This can be great from a security point of view if it tries to see if the server can speak SSL/TLS.


But this “behavior” might lead us to a jam sometimes.
For example today I thought to try to use Skype behind Forefront TMG 2010. Knowing that Skype does not really use SSL/TLS, I’ve decided to add my machine(SecureNAT client) to the Source Exceptions tab of the HTTPS Inspection as I can’t exclude destinations due to Skype’s p2p nature(even if I could I don’t think it would matter due to the connect “before” behavior).
Skype is quite sneaky, it tried as SecureNAT and also it detected the proxy and attempted to use(CONNECT method) the proxy for TCP port 443(the rest of the ports were blocked and it could not go out on TCP port 80).



Which on Forefront TMG 2010 translated into:


The error code seem to indicate a SSL/TLS error(which at a glance seem illogical since we have a source exclusion for our client).

Actually if we take a Wireshark trace on Forefront TMG 2010’s external interface, apparently it(Forefront TMG 2010) tries to connect to the specified destination in order to obtain its certificate to verify it, which cannot do as Skype does not use true SSL/TLS, which leads to the termination of the client’s attempts(either as SecureNAT or web proxy client):


Comments (4) -

  • Hi...it's really nice post you got there...but to my question...have you managed to get the skype working??? so far I have reached the same as you did and I am looking for some way to get skype pass the TMG...have you found a solution yet (other than adding client to HTTPS exclude list...)???
  • I rarely use Skype so I have not tried again since posting this.
    There was a topic about this on forums.isaserver.org:

  • Hi,  I'm writing a PHP application which tries to connect to Facebook by using the Facebook PHP SDK.  This application resides in a server behind a Forefront TMG server.  When I try to connect to Facebook I receive an error messagen saying "Forefront TMG denied the specified URL...".  By inspecting the error details I notice that the SDK is trying to connect to Facebook by using an ip address (xxx.xxx.xxx.xxx:xxx) instead of a url (authentication.facebook.com).   If I disable the HTTPS Inspection feature everything goes well, however, I don't want to do that.  Do you know how can I enabe ip like requests at Forefront TMG?  Thanks in advance for your help!!!
    • Hi Johann,

      I've sent hou a reply over email in reply to your email on the same topic.

Comments are closed