FIX: "Page Cannot Be Displayed" error when you try to access a website that requires a client certificate authentication on a Forefront TMG client in Forefront TMG 2010 if HTTPS Inspection is enabled

Article translations Article translations
Article ID: 2501650 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario:
  • You enable the HTTPS inspection feature in Microsoft Forefront Threat Management Gateway (TMG) 2010.
  • You add a website to the destination exception list for HTTPS inspection.
  • You install and configure Forefront TMG Client on a computer. Or, you configure the computer to use Forefront TMG as the default gateway.
  • You try to access a website that requires a client certificate authentication on the computer.
In this scenario, you cannot access the website, and you receive the following error message:
Page Cannot Be Displayed

CAUSE

This issue occurs because the host name uses the IP address of the server instead of the URL for the certificate.

RESOLUTION

After you install the following update, Forefront TMG 2010 performs a reverse lookup of the host name and checks the server name for exclusion if the host name is an IP address.

Note If reverse lookup fails, this issue still occurs. If reverse lookup fails, resolve the DNS issue, or add an entry to the Windows hosts file that is located on the Forefront TMG server.

To resolve this issue, follow these steps:
  1. Run the script that is in the following Microsoft Knowledge Base (KB) article:
    982550 FIX: Error message occurs when you try to access a web server that requires a client certificate if HTTPS inspection is enabled in Forefront TMG 2010: "Error Code: 502 Proxy Error. The message received was unexpected or badly formatted. (-2146893018)"
  2. Install the software update that is described in the following Microsoft Knowledge Base (KB) article:
    2498770 Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1

MORE INFORMATION

In a typical scenario, the subject name and the Subject Alternative Name (SAN) extension of a server certificate are used to check the HTTPS inspection exclusion list. If the SSL handshake fails, these names cannot be retrieved. However, a client certificate might be required by the server. Therefore, we use the host name to check the destination exception list for HTTPS inspection if an SSL handshake fails on a specific error. When the host name uses an IP address, an issue that is resolved by the steps in the "Resolution" section occurs.

Note The reverse lookup result of the host name must be in the destination exception list for HTTPS inspection and must be marked as No validation.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2501650 - Last Review: February 25, 2011 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1, when used with:
    • Microsoft Forefront Threat Management Gateway 2010 Enterprise
    • Microsoft Forefront Threat Management Gateway 2010 Standard
Keywords: 
kbqfe kbfix kbsurveynew kbexpertiseinter KB2501650

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com