Applies ToForefront Threat Management Gateway 2010 Enterprise Microsoft Forefront Threat Management Gateway 2010 Service Pack 2 Microsoft Forefront Threat Management Gateway 2010 Service Pack 2 Forefront Threat Management Gateway 2010 Standard

Symptoms

When HTTPS inspection is enabled, Microsoft Forefront Threat Management Gateway 2010 uses only the host part of the URL for URL filtering.For example, consider the following scenario:

  • Assume that www.contoso.com belongs in the education category.

  • You set a URL category override for www.contoso.com/poker to the gambling category, and a deny rule exists for that category.

When you browse to http://www.contoso.com/poker in this scenario, Threat Management Gateway blocks this URL because the category is evaluated as gambling. However, when you browse to https://www.contoso.com/poker, the page loads.

Cause

This behavior occurs because for HTTPS inspection, Threat Management Gateway passes only the host domain (www.contoso.com) to the categorization service. In the example, the host domain falls into the "education" category.

Status

This behavior is by design. Threat Management Gateway does not send the path part of the URL for categorization during HTTPS inspection because of privacy issues. For example, the query string might include a user name or even a password.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.