How to configure the "HTTPS inspection caching in a forward proxy scenario" and "HTTPS inspection inclusion list" features in Forefront TMG 2010

Article ID: 2498831

Introduction

This article describes how to configure the following new features that are added in Microsoft Forefront Threat Management Gateway (TMG) 2010:
  • HTTPS inspection caching in a forward proxy scenario
  • HTTPS inspection inclusion list

    Note The HTTPS inspection inclusion list feature lets you specify the domains that are subjected to HTTPS inspection.

RESOLUTION

By default, these new features are not enabled. To enable these features, follow the steps that are described in the "More Information" section.

Update information

To install the features, install the software update that is described in the following Microsoft Knowledge Base (KB) article:
2498770 Software Update 1 rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

How to enable the features

To enable the new features, follow these steps:

  1. Enable HTTPS inspection on the Forefront TMG 2010 arrays.
  2. Enable cache on the Forefront TMG 2010 arrays.
  3. Create a DomainNameSet variable for inspection and caching on the Forefront TMG 2010 arrays. 
  4. Create a cache rule that contains this DomainNameSet variable on the Forefront TMG 2010 arrays.
  5. Start any text editor program, such as Notepad.
  6. Paste the following script into the text editor window.
    ' ConfigureHTTPSiCaching.vbs
    ' Sets or deletes the CacheHTTPSInspectionContent value on an existing cache rule.
    If WScript.Arguments.Count = 0 Or WScript.Arguments.Count > 2 Then
        WScript.Echo "Usage:" & vbCRLF & _
            " ConfigureHTTPSiCaching.vbs <RuleName> <Value> - set value for HTTPS inspection caching VPS on rule" & vbCRLF & _
            " ConfigureHTTPSiCaching.vbs <RuleName> - delete HTTPS inspection caching VPS on rule" & vbCRLF
        WScript.Quit(1)
    End If

    ' Vendor parameters set (VPS) GUID and attribute name for HTTPS inspection caching
    GUID = "{864eb995-5315-40d2-934f-6a160dfb3a63}"
    Attribute = "CacheHTTPSInspectionContent"

    Set Arr = CreateObject("FPC.Root").GetContainingArray()
    RuleName = WScript.Arguments(0)

    ' From here on, errors are tested explicitly through Err.Number
    On Error Resume Next
    Set CacheRule = Arr.Cache.CacheConfiguration.CacheRules.Item(RuleName)
    If Err.Number <> 0 Then
        WScript.Echo "Rule " & RuleName & " doesn't exist"
        WScript.Quit(1)
    End If

    Set VendorSets = CacheRule.VendorParametersSets

    ' Open the vendor parameters set on the rule, or create it if it is missing
    Set VendorSet = VendorSets.Item(GUID)
    If Err.Number <> 0 Then
        Err.Clear
        Set VendorSet = VendorSets.Add(GUID)
        CheckError
        WScript.Echo "No existing VendorSet."
    Else
        WScript.Echo "Existing VendorSet found. Values in it:"
        For Each name In VendorSet.allNames
            WScript.Echo " ", name, "=", VendorSet.Value(name)
        Next
        WScript.Echo "-------------------------------------"
    End If

    ' Two arguments: set the value. One argument: delete the value.
    If WScript.Arguments.Count > 1 Then
        Val = CInt(WScript.Arguments(1))
        WScript.Echo "Setting ", Attribute, " = ", Val
        VendorSet.Value(Attribute) = Val
    Else
        WScript.Echo "Deleting", Attribute
        VendorSet.RemoveValue(Attribute)
    End If
    CheckError

    ' Report a failed save instead of letting On Error Resume Next hide it
    Arr.Save
    CheckError

    ' Prints and clears the pending error, if there is one
    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    End Sub
  7. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, save the file as ConfigureHTTPSiCaching.vbs.
  8. Click Start, click Run, type cmd, and then click OK.
  9. Use the cd <DirectoryPath> command to change to the directory where you saved the .vbs file in step 7.
  10. Type the following command, and then press ENTER:
    ConfigureHTTPSiCaching.vbs <RuleName> -1
    Note The ConfigureHTTPSiCaching.vbs <RuleName> -1 command enables caching of HTTPS inspection content on an existing cache rule. This command does not create a cache rule or enable the cache.
  11. Start any text editor program, such as Notepad.
  12. Paste the following script into the text editor window.
    ' ConfigureHTTPSiInclusionList.vbs
    ' Adds a DomainNameSet to the HTTPS inspection inclusion list, or removes the setting.
    If WScript.Arguments.Count > 1 Then
        WScript.Echo "Usage:" & vbCRLF & _
            " ConfigureHTTPSiInclusionList <DomainNameSetName> - add DomainNameSet to HTTPS Inspection inclusion list" & vbCRLF & _
            " ConfigureHTTPSiInclusionList - remove DomainnameSet VPS" & vbCRLF
        WScript.Quit(1)
    End If

    ' Vendor parameters set (VPS) GUID and attribute name for the inclusion list
    GUID = "{da361caa-f5ed-461a-ac23-13a02eec9867}"
    Attribute = "InclusionDomainNameSetGUID"

    Set Arr = CreateObject("FPC.Root").GetContainingArray()
    Set VendorSets = Arr.ArrayPolicy.WebProxy.OutboundHTTPSInspectionConfiguration.VendorParametersSets

    ' From here on, errors are tested explicitly through Err.Number
    On Error Resume Next
    If WScript.Arguments.Count > 0 Then
        ' The DomainNameSet must already exist; this script does not create it
        DomainNameSetName = WScript.Arguments(0)
        Set DomainNameSet = Arr.RuleElements.DomainNameSets.Item(DomainNameSetName)
        If Err.Number <> 0 Then
            WScript.Echo "DomainNameSet " & DomainNameSetName & " doesn't exist"
            WScript.Quit(1)
        End If
    End If

    ' Open the vendor parameters set, or create it if it is missing
    Set VendorSet = VendorSets.Item(GUID)
    If Err.Number <> 0 Then
        Err.Clear
        Set VendorSet = VendorSets.Add(GUID)
        CheckError
        WScript.Echo "No existing VendorSet."
    Else
        WScript.Echo "Existing VendorSet found. Values in it:"
        For Each name In VendorSet.allNames
            WScript.Echo " ", name, "=", VendorSet.Value(name)
        Next
        WScript.Echo "-------------------------------------"
    End If

    ' One argument: store the set's PersistentName. No argument: delete the value.
    If WScript.Arguments.Count > 0 Then
        Val = DomainNameSet.PersistentName
        WScript.Echo "Setting ", Attribute, " = ", Val
        VendorSet.Value(Attribute) = Val
    Else
        WScript.Echo "Deleting", Attribute
        VendorSet.RemoveValue(Attribute)
    End If
    CheckError

    ' Report a failed save instead of letting On Error Resume Next hide it
    Arr.Save
    CheckError

    ' Prints and clears the pending error, if there is one
    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    End Sub
  13. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, save the file as ConfigureHTTPSiInclusionList.vbs.
  14. Click Start, click Run, type cmd, and then click OK.
  15. Use the cd <DirectoryPath> command to change to the directory where you saved the .vbs file in step 13.
  16. Type the following command, and then press ENTER:
    ConfigureHTTPSiInclusionList.vbs <DomainNameSet>
    Notes
    • The ConfigureHTTPSiInclusionList.vbs <DomainNameSet> command sets the DomainNameSet variable to be in the inclusion list of HTTPS inspection. This command does not create the DomainNameSet variable if the DomainNameSet variable does not exist.
    • Only one DomainNameSet variable is enabled in the inclusion list.
    • This script does not enable HTTPS inspection.
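
To verify the result of the procedure, the following read-only script lists the CacheHTTPSInspectionContent value on every cache rule and resolves the DomainNameSet that is stored in the inclusion list. It is an added example and is not part of the original Microsoft article. The file name AuditHTTPSiSettings.vbs is hypothetical, and the script assumes that the FPC collections can be enumerated with For Each and that their items expose a Name property.

```vbscript
' AuditHTTPSiSettings.vbs (hypothetical name) - added example, read-only.
' Reports the values written by the two scripts above; never calls Arr.Save.
' Assumes FPC collections support For Each and their items expose a Name property.
Option Explicit
Const CACHE_GUID = "{864eb995-5315-40d2-934f-6a160dfb3a63}"
Const CACHE_ATTR = "CacheHTTPSInspectionContent"
Const INCL_GUID  = "{da361caa-f5ed-461a-ac23-13a02eec9867}"
Const INCL_ATTR  = "InclusionDomainNameSetGUID"

Dim Arr, Rule, Dns, Sets, StoredValue, Found
Set Arr = CreateObject("FPC.Root").GetContainingArray()

WScript.Echo "Cache rules (" & CACHE_ATTR & "):"
For Each Rule In Arr.Cache.CacheConfiguration.CacheRules
    StoredValue = ReadValue(Rule.VendorParametersSets, CACHE_GUID, CACHE_ATTR)
    If IsNull(StoredValue) Then StoredValue = "(not set)"
    WScript.Echo "  " & Rule.Name & " = " & StoredValue
Next

Set Sets = Arr.ArrayPolicy.WebProxy.OutboundHTTPSInspectionConfiguration.VendorParametersSets
StoredValue = ReadValue(Sets, INCL_GUID, INCL_ATTR)
If IsNull(StoredValue) Then
    WScript.Echo "Inclusion list: (not set)"
Else
    Found = False
    For Each Dns In Arr.RuleElements.DomainNameSets
        If StrComp(Dns.PersistentName, StoredValue, vbTextCompare) = 0 Then
            WScript.Echo "Inclusion list: " & Dns.Name & " " & StoredValue
            Found = True
        End If
    Next
    ' The stored value is a PersistentName; flag it when no set carries that name.
    If Not Found Then WScript.Echo "Inclusion list: " & StoredValue & " (no matching DomainNameSet)"
End If

' Returns the stored value, or Null when the vendor set or the attribute is absent.
Function ReadValue(VendorSets, SetGuid, AttrName)
    Dim VendorSet, Result
    Result = Null
    On Error Resume Next
    Set VendorSet = VendorSets.Item(SetGuid)
    If Err.Number = 0 Then Result = VendorSet.Value(AttrName)
    If Err.Number <> 0 Or IsEmpty(Result) Then Result = Null
    Err.Clear
    On Error GoTo 0
    ReadValue = Result
End Function
```

Run the script with cscript //nologo AuditHTTPSiSettings.vbs so that the output is written to the command prompt window instead of to message boxes.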

Properties

Article ID: 2498831 - Last Review: February 25, 2011 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Standard
Keywords: 
kbqfe kbfix kbsurveynew kbexpertiseinter KB2498831
