Using An Existing PKI for TMG Firewall Outbound SSL Inspection

There is a feature that ISA firewall administrators have been requesting for a long time, and TMG finally answers that request in the form of outbound SSL inspection (outbound SSL bridging). The outbound SSL inspection feature enables the TMG firewall to break open the SSL connections established by users behind the TMG firewall, so that they can't violate network security policy by downloading malware and other malicious code over a secure SSL connection.

Like a VPN connection, the session is encrypted, so a firewall that can't act as a "trusted man in the middle" is at a complete loss at protecting you against the shenanigans taking place within the encrypted tunnel. Fortunately, the TMG firewall isn't naive to this issue and protects you from this scenario.

To perform its duties as a trusted man in the middle, the TMG firewall must be able to impersonate the destination web server (similar to how the TMG firewall impersonates web sites published by the TMG firewall). TMG accomplishes this task by dynamically generating web site certificates for the destination web sites, and signs them itself. For this to work, you have to make sure that the clients in your organization trust the signing authority.

There are two ways you can approach this: you can enable TMG to generate its own signing certificate and automatically deploy it to the NTAuth store in AD. Another method, which should be considered the preferred solution if you have an established PKI on your network, is to generate your own certificate from that PKI. However, even when you use this option, deployment is still to a poorly documented NTAuth store instead of a more transparent GPO.
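Whichever route you choose, the thing to verify afterwards is that the signing CA actually landed where clients look for it. The following PowerShell check is an added example, not code from the original post or from TMG; it assumes a domain-joined host with the RSAT ActiveDirectory module, and `$CaCertPath` is a hypothetical path to the exported signing CA certificate.

```powershell
# Added check (not code from the original post): confirm that the CA certificate
# used to sign TMG's dynamically generated site certificates is present in the
# AD NTAuth store, in this machine's cached copy of it, and in the machine's
# Trusted Root store. Assumes RSAT ActiveDirectory module; $CaCertPath is a
# hypothetical path to the exported CA certificate (.cer).
param(
    [Parameter(Mandatory = $true)]
    [string] $CaCertPath
)
Import-Module ActiveDirectory

$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
Write-Host "Checking CA '$($ca.Subject)' thumbprint $($ca.Thumbprint)"

# 1. Enterprise NTAuth store: an object in the Configuration partition whose
#    multi-valued cACertificate attribute holds the DER-encoded certificates.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$ntAuthDN   = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$ntAuthObj  = Get-ADObject -Identity $ntAuthDN -Properties cACertificate
$inNtAuthAD = $false
foreach ($der in $ntAuthObj.cACertificate) {
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    if ($c.Thumbprint -eq $ca.Thumbprint) { $inNtAuthAD = $true }
}

# 2. Local NTAuth cache: clients copy the AD object into this registry key
#    (refreshed by Group Policy / autoenrollment; 'certutil -pulse' forces it).
$cachePath     = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$($ca.Thumbprint)"
$inNtAuthLocal = Test-Path $cachePath

# 3. Machine Trusted Root store: this is what chain validation on the client
#    consults when the browser receives a TMG-signed site certificate.
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                      Where-Object { $_.Thumbprint -eq $ca.Thumbprint })

[pscustomobject]@{
    Subject       = $ca.Subject
    Thumbprint    = $ca.Thumbprint
    InNTAuthAD    = $inNtAuthAD
    InNTAuthLocal = $inNtAuthLocal
    InTrustedRoot = $inRootStore
}
```

A CA that is in the AD object but missing from the local cache or root store usually means the client simply has not refreshed policy yet; run it on a client after `gpupdate` or `certutil -pulse` rather than only on the TMG host.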

Check out Jason’s article at:

MVP (Enterprise Security)