Implementing a CNG HTTPS Inspection Certificate for Forefront Threat Management Gateway (TMG) 2010 (Part 1)

If you would like to be notified when Richard Hicks releases the next part of this article series please sign up to the ISAserver.org Real time article update newsletter.

Introduction

The HTTPS inspection feature of Forefront Threat Management Gateway (TMG) 2010 is arguably the single most powerful tool the TMG platform provides for protecting clients accessing the public Internet. In last month’s article I described in detail the benefits and challenges associated with HTTPS inspection. One of those challenges for TMG today is handling SSL/TLS protected web sites that use Cryptographic Next Generation (CNG) Suite-B cryptography. I also demonstrated how to resolve this shortcoming by using a special script developed by Microsoft to enable support for CNG certificates when using a self-signed HTTPS inspection certificate on the TMG firewall. This month I’ll demonstrate how to configure TMG HTTPS inspection using an internal Windows Server 2008 R2 Enterprise Public Key Infrastructure (PKI) with support for CNG.

Preparing the Certificate Template

Before we begin configuring TMG for HTTPS inspection, we must first prepare our internal PKI Certificate Authority (CA). We’ll need to configure and deploy a certificate template that TMG can use to create its own certificates to issue to users on behalf of public web sites. Begin by opening the Certification Authority management console, highlighting Certificate Templates and choosing Manage.

Image
Figure 1

When the Certificate Templates Console opens, right-click the Subordinate Certification Authority template and choose Duplicate Template.

Image
Figure 2

Choose Windows Server 2008 Enterprise.

Image
Figure 3

On the General tab provide a descriptive name for the certificate template, review and optionally adjust the Validity period if required.

Image
Figure 4

Select the Extensions tab, highlight Key Usage, and click Edit. In the Signature section select Certificate signing and clear all other options. Leave Make this extension critical selected.

Image
Figure 5

Image
Figure 6

Also on the Extensions tab highlight Basic Constraints, click Edit, and select the option Do not allow subject to issue certificates to other CAs.

Image
Figure 7

On the Security tab, ensure that the user who will be requesting the certificate on the TMG firewall has Enroll permissions.

Image
Figure 8

In the Certification Authority management console, right-click Certificate Templates and choose New and Certificate Template to Issue.

Image
Figure 9

Choose the certificate template you just created and click Ok.

Image
Figure 10

Requesting the Certificate on the TMG Firewall

On the TMG firewall, open a management console window and add the Certificates snap-in for the Computer account. Expand Certificates, and then right-click the Personal folder and choose All Tasks, Advanced Operations, and Create Custom Request.

Image
Figure 11

Click Next, highlight Active Directory Enrollment Policy and click Next, and then select the certificate template you created earlier and click Next again.

Image
Figure 12

Click Details and then click Properties.

Image
Figure 13

On the Subject tab, in the Subject name field, select Common name for the Type, provide a descriptive name for the certificate, and then click Add.

Image
Figure 14

On the General tab enter a Friendly name for the certificate request.

Image
Figure 15

On the Private Key tab, expand Key Options and ensure that the Key size is 2048 and that the Make private key exportable option is selected.

Image
Figure 16

On the same tab also expand Select Hash Algorithm and choose SHA256 from the drop-down list and then click Ok.

Image
Figure 17

Click Next and then provide a file name for the certificate request file and then click Finish.

Image
Figure 18

Open an elevated command prompt and submit the certificate request to the CA by executing the following command.

certreq.exe -submit -config “<ca_hostname\ca_name>” <request_filename> <certificate_response>

Image
Figure 19

If automatic approval is configured the certificate request will be automatically retrieved after submission. If approval is required, the certificate can be retrieved after approval by executing the following command.

certreq.exe -retrieve -config “<ca_hostanme\ca_name>” <request_id> <certificate_response>

Note:
If you receive an error message stating that the request failed because the RPC server was unavailable, be sure your firewall policy settings are configured to allow this access. More details on configuring the TMG firewall to allow RPC access to a CA can be found here.

Once the certificate request has been made and has been approved, accept it on the TMG firewall by executing the following command.

certreq.exe -accept -config “<ca_hostname\ca_name>” <certificate_response>

Image
Figure 20

In the certificate management MMC, expand Personal and then Certificates. Right-click the new certificate and choose All Tasks and then Export.

Image
Figure 21

Select Yes, export the private key.

Image
Figure 22

Select Personal Information Exchange – PKCS #12 (.PFX). Make sure that no other options are selected.

Image
Figure 23

Provide a password and the location to save the file to complete the certificate export process.

Configure TMG HTTPS Inspection

Open the Forefront TMG management console, select Web Access Policy in the navigation tree, and then click Configure HTTPS Inspection in the Tasks pane. On the General tab, select Enable HTTPS Inspection if it is not already enabled. Under HTTPS Inspection Certificate Settings choose Import a certificate and then click Import.

Image
Figure 24

Locate the certificate you just exported, provide the password, and then click Ok. Click Ok again, and then apply the configuration.

Client Testing

When a client browses to a secure web site, TMG with HTTPS inspection enabled will present to the client a certificate created dynamically and is signed by a certificate issued by our PKI. Since this is an Enterprise CA, the root certificate is trusted by all domain members. Here you can see that the certificate for twitter.com was issued by my lab network’s root CA.

Image
Figure 25

A closer look at the certificate for this web site indicates that although the certificate is issued to twitter.com, it was issued by the Forefront TMG HTTPS Inspection service.

Image
Figure26

Summary

The HTTPS inspection feature of Forefront TMG 2010 is an extremely powerful tool that security administrators can employ to perform more complete and thorough network traffic inspection and substantially improve their overall security and protection. HTTPS inspection works by terminating HTTPS communication in the same way it does for regular HTTP traffic. The TMG firewall then creates a new SSL certificate for the site and provides that to the client. The certificate issued by TMG can be a self-signed certificate or a certificate issued by an internal private PKI. In my last article I provided details for using the self-signed certificate option. In this article I demonstrated using a PKI to issue the HTTPS inspection signing certificate to TMG. While the self-signed option is quick and easy, the PKI option is much more elegant and is the preferred method for configuring HTTPS inspection, in my opinion. By following the guidance in this article you can configure HTTPS inspection using your PKI and also provide support for web sites that use modern Cryptographic Next Generation (CNG) certificates.

If you would like to be notified when Richard Hicks releases the next part of this article series please sign up to the ISAserver.org Real time article update newsletter.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top