Configuring HTTPS Inspection with Forefront Threat Management Gateway (TMG) 2010

Introduction

HTTPS (HTTP over SSL) is one of the most common protocols in use on the Internet today. By encrypting HTTP communication with SSL a client can establish a secure and private communication channel with a web server. Using HTTPS we can provide essential protection for passing authentication credentials and prevent the disclosure of sensitive information.

While the end-to-end secure encrypted channel provided by HTTPS enables important security and privacy protection, the protocol is often abused for malicious or nefarious purposes. So much so, in fact, that HTTPS is often referred to as the “universal firewall-bypass protocol”. The root of the problem is that most firewalls are unable to inspect HTTPS communication because the application-layer data is encrypted with SSL. Knowing this, attackers frequently leverage HTTPS to deliver malicious payloads to a user confident that even the most intelligent application-layer firewalls are completely blind to HTTPS and must simply relay HTTPS communication between hosts. Frequently end users will leverage HTTPS to bypass access controls enforced by their corporate firewalls and proxy servers, using it to connect to public proxies and for tunneling non-HTTP protocols through the firewall that might otherwise be blocked by policy.

HTTPS Inspection

Forefront Threat Management Gateway (TMG) 2010 includes many advanced web protection features that provide a high level of protection for clients accessing resources on the public Internet. TMG includes integrated URL filtering, a virus and malicious software scanning engine, and advanced intrusion detection and prevention capabilities. One of the most important protection technologies TMG provides is HTTPS inspection.

HTTPS inspection allows the TMG firewall to terminate outbound HTTPS sessions at the firewall. Essentially it provides a true proxy for HTTPS, instead of simply just tunneling HTTPS communication blindly. TMG accomplishes this by acting as a trusted man-in-the-middle. When a request is made of the TMG firewall for an HTTPS protected resource, the TMG firewall will establish a new connection to the destination server and retrieve its SSL certificate. TMG then copies the information from the certificate and creates its own certificate using these details and provides that to the client. As long as the client trusts the root certificate of the TMG firewall (more details on that later) the process is completely transparent to the end user.

By enabling forward (outbound) HTTPS inspection the TMG firewall can now provide complete protection for all web-based protocols. With the TMG firewall terminating outbound SSL sessions, the firewall can now decrypt and inspection HTTPS communication, allowing for the enforcement of HTTP policy, more accurate application of URL filtering, and inspection of files transferred over HTTPS.

Enabling HTTPS Inspection

To enable outbound HTTPS inspection, open the TMG management console, highlight the Web Access Policy node in the navigation tree, then click Configure HTTPS Inspection in the Tasks pane.

Figure 1

On the General tab, check the box next to Enable HTTPS inspection.

Figure 2

The TMG firewall will need a certificate with which to generate and sign the SSL certificates it creates on behalf of HTTPS web sites. You can use a self-generated certificate or, if you have an existing Public Key Infrastructure (PKI) in place, you can optionally import a certificate from your PKI. For demonstration purposes we’ll use a self-generated certificate. Select the option to Use Forefront TMG to generate a certificate and then click the Generate… button.

Figure 3

You can specify an Issuer name or accept the default Microsoft Forefront TMG HTTPS Inspection Certification Authority. Choose an expiration date, enter an issuer statement (if required) and click Generate Certificate Now.

Figure 4

When reviewing the details of the certificate, you’ll notice that even though the never expire option was selected, the certificate actually expires on 12/31/2048. This behavior is expected, as all certificates must have an expiration date. Notice also that you have a private key that corresponds to this certificate. This is essential to the operation of TMG HTTPS inspection. Nothing more is required here. Click Ok to continue.

Figure 5

Without taking additional steps, using a self-generated certificate to perform outbound HTTPS inspection will cause problems for our clients. Since the clients do not trust the Microsoft Forefront TMG HTTPS Inspection Certification Authority they will receive a certificate error each time they visit an HTTPS web site. To resolve this issue we have the option of publishing this certificate to ActiveDirectory. To do this, click the HTTPS Inspection Trusted Root CA Certificate Options button and select the option to deploy the certificate Automatically through Active Directory (recommended). Click the Domain Administrator Credentials button to supply credentials to be used for publishing the certificate. You can specify the user in the domain\user or user@domain format.

Figure 6

Optionally you can choose to install the certificate manually on each client computer by exporting the certificate to a file.

Figure 7

Once complete, the TMG HTTPS inspection certificate will be published to ActiveDirectory. Now when a client visits an HTTPS web site, for example https://www.bankofamerica.com/, the TMG firewall will issue its own certificate on behalf of the web site. Clicking the padlock icon in Internet Explorer displays more information about the web site.

Figure 8

Clicking the view certificates link shows that the certificate was issued to www.bankofamerica.com and that it was issued by the Microsoft Forefront TMG HTTPS Inspection Certification Authority.

Figure 9

Clicking the Certification Path tab reveals again that the certificate was issued by the Microsoft Forefront TMG HTTPS Inspection Certification Authority and that the certificate status is ok.

Figure 10

Exemptions

For various reasons there may be sites an administrator does not need or want to inspect HTTPS communication for. You can create destination exemptions to exclude specific sites or categories from HTTPS inspection by selecting the Destinations Exceptions tab on the HTTPS inspection properties page and choosing Add…. Here you can add URL categories, URL category sets, and domain name sets. Destinations that fall under any of these categories will be excluded from HTTPS inspection. You’ll notice that there is a default exemption category that includes commonly used Microsoft web sites. In addition, certificate validation (more on this later) can also be performed even for sites that are excluded from HTTPS inspection. You can change this behavior by clicking the destination object and click the Validation button.

Figure 11

Note:
To leverage URL categories and category sets URL filtering must be enabled and configured.

You can also add source address exceptions if required. If you have specific hosts in your environment that you wish to exclude from HTTPS inspection, choose the Source Exceptions tab and click Add…. You can exclude individual computers or computer sets as necessary.

Figure 12

Certificate Validation

An additional important feature that comes along with enabling HTTPS inspection is certificate validation. When HTTPS inspection is enabled, the TMG firewall will inspect the SSL certificate on the destination server to determine its validity. The TMG administrator has the option of blocking expired certificates, blocking certificates that are not yet valid, and enforcing a revocation check.

Figure 13

Client Notification

When a user visits an HTTPS protected web site, it is implied that communication is encrypted end to end. Enabling outbound HTTPS inspection on the TMG firewall changes this, so it might become necessary, for legal reasons, to notify users when their HTTPS communication is being inspected. To notify users when their HTTPS communication is being inspected, the Forefront TMG firewall client must be installed on their workstation. In addition, the TMG firewall and the client workstation must be domain members.

Figure 14

When users visit a web site for which HTTPS inspection is enforced, they will receive a notification in the system tray indicating that their communication is being inspected according to company policy.

Figure 15

Known Issues and Drawbacks

As wonderful as HTTPS inspection is in terms of security policy enforcement, it does have a few drawbacks.

• Applications may break. HTTPS inspection can and does break some applications. Typically these applications break because the developers have taken liberties with the code, never expecting an application layer firewall or proxy server to be inspecting their communication. If the application code inside the HTTPS session does not conform to RFC, the HTTP filter will block it by default. In addition, any non-HTTP protocols being tunneled over HTTPS will be blocked for the same reason.
• Extended Validation fails. Extended Validation (EV) certificates render the address bar of the web browser green to act as a visual clue that you are visiting a trusted web site. HTTPS inspection cannot duplicate EV in the certificate it issues to the client, so web sites that use EV certificates will work normally but the address bar will not display green.
• Doesn’t work well with consumer devices. Any device that is not a member of your domain, or is incapable of joining your domain will prove to be troublesome. Consumer devices or non-managed PCs will have to be configured manually, which can be potentially problematic if you have lots of these in your environment.

A Word of Caution

Before implementing HTTPS inspection, it is strongly suggested that you communicate your intentions to your legal and HR departments and obtain their consent. Inspecting end user’s private encrypted communication can be a sensitive subject, for obvious reasons. Before a production roll-out of HTTPS inspection, make certain that your corporate security and acceptable uses policies have been updated to indicate that encrypted communication will be inspected. User notification and exemption of sites deemed sensitive (e.g. banking and medical sites) may also be necessary.

Summary

HTTPS inspection is a powerful new feature of the Forefront TMG firewall. It effectively eliminates the SSL blind spot that for many years has been used as a loophole by attackers and malicious users to evade detection. HTTPS inspection extends the protection capabilities of the TMG firewall, providing more complete protection from web-based attacks. When HTTPS inspection is configured, the TMG firewall can more accurately apply its URL filtering, scan encrypted communication for viruses and malicious software, and enforce HTTP policy for SSL encrypted traffic. SSL certificate validation allows security administrators to enforce corporate policy for visiting sites with expired or revoked certificates, taking this decision out of the hands of end users. Don’t forget that users have a reasonable expectation of privacy when browsing HTTPS protected web sites, so involving legal and HR and having updated security and acceptable use policies is a must. Client notification and trusted source or destination exceptions can also be used to address these concerns. Overall, TMG HTTPS inspection is an important feature that can dramatically improve your company’s security posture.