FIX: "Page Cannot Be Displayed" error when you try to access a website that requires a client certificate authentication on a Forefront TMG client in Forefront TMG 2010 if HTTPS Inspection is enabled

Consider the following scenario:

• You enable the HTTPS inspection feature in Microsoft Forefront Threat Management Gateway (TMG) 2010.
• You add a website to the destination exception list for HTTPS inspection.
• You install and configure Forefront TMG Client on a computer. Or, you configure the computer to use Forefront TMG as the default gateway.
• You try to access a website that requires a client certificate authentication on the computer.

In this scenario, you cannot access the website, and you receive the following error message:

This issue occurs because the host name uses the IP address of the server instead of the URL for the certificate.

After you install the following update, Forefront TMG 2010 performs a reverse lookup of the host name and checks the server name for exclusion if the host name is an IP address.

Note If reverse lookup fails, this issue still occurs. If reverse lookup fails, resolve the DNS issue, or add an entry to the Windows hosts file that is located on the Forefront TMG server.

To resolve this issue, follow these steps:

1. Run the script that is in the following Microsoft Knowledge Base (KB) article:
   982550  (http://support.microsoft.com/kb/982550/ ) FIX: Error message occurs when you try to access a web server that requires a client certificate if HTTPS inspection is enabled in Forefront TMG 2010: "Error Code: 502 Proxy Error. The message received was unexpected or badly formatted. (-2146893018)"
2. Install the software update that is described in the following Microsoft Knowledge Base (KB) article:
   2498770  (http://support.microsoft.com/kb/2498770/ ) Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1

In a typical scenario, the subject name and the Subject Alternative Name (SAN) extension of a server certificate are used to check the HTTPS inspection exclusion list. If the SSL handshake fails, these names cannot be retrieved. However, a client certificate might be required by the server. Therefore, we use the host name to check the destination exception list for HTTPS inspection if an SSL handshake fails on a specific error. When the host name uses an IP address, an issue that is resolved by the steps in the "Resolution" section occurs.

Note The reverse lookup result of the host name must be in the destination exception list for HTTPS inspection and must be marked as No validation.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: