"502 Proxy Error" error code when you try to access a website from a computer that has Forefront TMG 2010 SP1 installed

Consider the following scenario:

• You click to select Enable HTTPS inspection check box on the General tab of the HTTPS Outbound Inspection dialog box on a computer that has Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 1 (SP1) installed.
• You add a domain name set, and then you add a Fully Qualified Domain Name (FQDN) of a website to the set. You set the Certificates field to No Validation in the Destination Exceptions tab.
  
  Note When the No Validation option is set, Forefront TMG 2010 SP1 cannot retrieve and validate the server certificate of Forefront TMG 2010 SP1.

In this scenario, you receive an error message that resembles the following when you try to access the website from the computer:

This issue occurs because Forefront TMG 2010 SP1 sends an empty client certificate to the web server during the initial Secure Sockets Layer (SSL) handshake.

When certain web servers receive an empty client certificate, these servers accept and renegotiate the client certificate. For example, IIS web servers accept and renegotiate the client certificate. However, other web servers may return an SSL error when these web servers receive an empty client certificate. Therefore, Forefront TMG displays the error message.

Update information

To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base (KB) article:

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: