Today I was behind a Forefront TMG 2010 RC firewall in a lab, browsing the web from a web proxy client(IE8 browser, manually configured proxy settings).
So I thought to go check my Yahoo web email.
Errrr…
So what happened ?
I use Bing rarely. Today it was one of those rarely times, and from laziness I’ve just searched with Bing ‘yahoo mail’:
Turns out I wasn’t very attentive, and I’ve just clicked on the first search result, missing the ‘https’ in front of that link.
Bing indexed ‘https://mail.yahoo.com/’, which is not quite a good thing(there is an old discussion about this address and Yahoo web mail’s certificate).
“Normally”, on a Google search, the first result is for ‘http://mail.yahoo.com/’:
And if you click on this, a “pesky” redirection occurs to the “real https address”:
And the certificate for Yahoo’s web email is issued to ‘login.yahoo.com’(CN, no SAN entries):
Since the Outbound HTTPS Inspection on Forefront TMG 2010 RC, by default, checks the server’s certificate, Forefront TMG RC 2010 denied the connection saying that(which is correct): Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.
Same thing (sort of) would have happened if I would have used Bing from a browser without TMG(and its Outbound HTTPS Inspection) on the path and go to this address:
The difference here was that the error shown by IE8 behind Forefront TMG 2010 RC(while the Outbound HTTPS Inspection was one) was somehow ambiguous. If I check with Wireshark what Forefront TMG 2010 RC tells to the client, we can actually notice that it kinda’ makes sense what Forefront TMG 2010 RC replies to the client, but IE8 does not display this message, making the whole process somehow not user friendly, letting one wondering what has happened:
Same story with other browsers:
- Google Chrome 3.x
- Firefox 3.5.x
- Safari 4.x on Windows:
However, Opera 10 is able to read that message and display it:
References: