Article ID: 2619986 - Last Review: October 31, 2011 - Revision: 2.0

FIX: You cannot specify exact domains for HTTPS inspection in Threat Management Gateway 2010

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Expand all | Collapse all

SYMPTOMS

In Microsoft Forefront Threat Management Gateway (TMG) 2010, you can specify an exclusion list from HTTPS inspection, that is, the list of sites that are excluded from HTTPS inspection. You cannot define an inclusion list, that is, the list of sites for which the HTTPS inspection is applied.
Back to the top

RESOLUTION

To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840  (http://support.microsoft.com/kb/2555840/ ) Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010

Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

MORE INFORMATION

There can only be one DomainNameSet in the inclusion list. If the inclusion list is set, the HTTPS Inspection Exclusion tab in the UI is disabled.

To set the inclusion list for HTTPS inspection, follow these steps:
  1. Create a DomainNameSet for the HTTPS inspection inclusion list.
  2. Copy the following script into Notepad save it with the file name ConfigureHTTPSiInclusionList.vbs.
    If WScript.Arguments.Count > 1 Then
WScript.Echo "Usage:" & vbCRLF & _
" ConfigureHTTPSiInclusionList <DomainNameSetName> - add DomainNameSet to HTTPS Inspection inclusion list" & vbCRLF & _
" ConfigureHTTPSiInclusionList - remove DomainnameSet VPS" & vbCRLF
WScript.Quit(1) 
End If

GUID = "{da361caa-f5ed-461a-ac23-13a02eec9867}"
Attribute = "InclusionDomainNameSetGUID"

Set Arr = CreateObject("FPC.Root").GetContainingArray()
Set VendorSets = Arr.ArrayPolicy.WebProxy.OutboundHTTPSInspectionConfiguration.VendorParametersSets

On Error Resume Next
if WScript.Arguments.Count > 0 Then
DomainNameSetName = WScript.Arguments(0)
Set DomainNameSet = Arr.RuleElements.DomainNameSets.Item(DomainNameSetName)
If Err.Number <> 0 Then
WScript.Echo "DomainNameSet " & DomainNameSetName & " does not exist"
WScript.Quit(1)
End If
End If


Set VendorSet = VendorSets.Item( GUID)
If Err.Number <> 0 Then
Err.Clear
Set VendorSet = VendorSets.Add( GUID )
CheckError
WScript.Echo "No existing VendorSet."
Else
WScript.Echo "Existing VendorSet found. Values in it:"
for each name in VendorSet.allNames
WScript.Echo " ", name, "=", VendorSet.Value(name)
next
WScript.Echo "-------------------------------------"
End If


If WScript.Arguments.Count > 0 Then
Val = DomainNameSet.PersistentName
WScript.Echo "Setting ", Attribute, " = ", Val
VendorSet.Value(Attribute) = Val
Else
WScript.Echo "Deleting", Attribute
VendorSet.RemoveValue(Attribute)
End If

Arr.Save

Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
  3. Run the following command:
    cscript ConfigureHTTPSiInclusionList.vbs <DomainNameSetName>
Back to the top

REFERENCES

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates

Back to the top
APPLIES TO
  • Microsoft Forefront Threat Management Gateway 2010 Standard
  • Microsoft Forefront Threat Management Gateway 2010 Enterprise
  • Microsoft Forefront Threat Management Gateway 2010 Service Pack 1
Back to the top
Keywords: 
kbfix kbbug kbexpertiseinter kbsurveynew KB2619986
Back to the top