FIX: You cannot specify exact domains for HTTPS inspection in Threat Management Gateway 2010

Article translations Article translations
Article ID: 2619986 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

In Microsoft Forefront Threat Management Gateway (TMG) 2010, you can specify an exclusion list from HTTPS inspection, that is, the list of sites that are excluded from HTTPS inspection. You cannot define an inclusion list, that is, the list of sites for which the HTTPS inspection is applied.

RESOLUTION

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840 Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

There can only be one DomainNameSet in the inclusion list. If the inclusion list is set, the HTTPS Inspection Exclusion tab in the UI is disabled.

To set the inclusion list for HTTPS inspection, follow these steps:
  1. Create a DomainNameSet for the HTTPS inspection inclusion list.
  2. Copy the following script into Notepad save it with the file name ConfigureHTTPSiInclusionList.vbs.
    If WScript.Arguments.Count > 1 Then
    WScript.Echo "Usage:" & vbCRLF & _
    " ConfigureHTTPSiInclusionList <DomainNameSetName> - add DomainNameSet to HTTPS Inspection inclusion list" & vbCRLF & _
    " ConfigureHTTPSiInclusionList - remove DomainnameSet VPS" & vbCRLF
    WScript.Quit(1) 
    End If
    
    GUID = "{da361caa-f5ed-461a-ac23-13a02eec9867}"
    Attribute = "InclusionDomainNameSetGUID"
    
    Set Arr = CreateObject("FPC.Root").GetContainingArray()
    Set VendorSets = Arr.ArrayPolicy.WebProxy.OutboundHTTPSInspectionConfiguration.VendorParametersSets
    
    On Error Resume Next
    if WScript.Arguments.Count > 0 Then
    DomainNameSetName = WScript.Arguments(0)
    Set DomainNameSet = Arr.RuleElements.DomainNameSets.Item(DomainNameSetName)
    If Err.Number <> 0 Then
    WScript.Echo "DomainNameSet " & DomainNameSetName & " does not exist"
    WScript.Quit(1)
    End If
    End If
    
    
    Set VendorSet = VendorSets.Item( GUID)
    If Err.Number <> 0 Then
    Err.Clear
    Set VendorSet = VendorSets.Add( GUID )
    CheckError
    WScript.Echo "No existing VendorSet."
    Else
    WScript.Echo "Existing VendorSet found. Values in it:"
    for each name in VendorSet.allNames
    WScript.Echo " ", name, "=", VendorSet.Value(name)
    next
    WScript.Echo "-------------------------------------"
    End If
    
    
    If WScript.Arguments.Count > 0 Then
    Val = DomainNameSet.PersistentName
    WScript.Echo "Setting ", Attribute, " = ", Val
    VendorSet.Value(Attribute) = Val
    Else
    WScript.Echo "Deleting", Attribute
    VendorSet.RemoveValue(Attribute)
    End If
    
    Arr.Save
    
    Sub CheckError()
    If Err.Number <> 0 Then
    WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
    End If
    End Sub
  3. Run the following command:
    cscript ConfigureHTTPSiInclusionList.vbs <DomainNameSetName>

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 2619986 - Last Review: October 31, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
Keywords: 
kbfix kbbug kbexpertiseinter kbsurveynew KB2619986

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com