When HTTPS inspection is enabled, Microsoft Forefront Threat Management Gateway 2010 uses only the host part of the URL for URL filtering.
For example, consider the following scenario:
Assume that www.contoso.com belongs in the education category.
You set a URL category override for www.contoso.com/poker to the gambling category, and a deny rule exists for that category.
When you browse to http://www.contoso.com/poker in this scenario, Threat Management Gateway blocks this URL because the category is evaluated as gambling. However, when you browse to https://www.contoso.com/poker, the page loads.
This behavior occurs because for HTTPS inspection, Threat Management Gateway passes only the host domain (www.contoso.com) to the categorization service. In the example, the host domain falls into the "education" category.
This behavior is by design. Threat Management Gateway does not send the path part of the URL for categorization during HTTPS inspection because of privacy issues. For example, the query string might include a user name or even a password.