Symptoms
Consider the following scenario:
- A server is implemented as a downstream proxy server in a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment.
- Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 was applied to the TMG server.
- External DNS resolution is not configured on the TMG server.
- HTTPS Inspection is enabled on the TMG server.
In this scenario, when the TMG server is used to access an SSL site, a "Host Not Found (11001)" error message is generated.
Cause
This problem occurs because of a change to the HTTPS Inspection exception logic that was made in Forefront TMG 2010 Service Pack 2.
Resolution
To resolve this problem, install the hotfix package that is described in the following Microsoft Knowledge Base article:
2735208 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
For more information about the change to the exception logic for HTTPS Inspection, click the following article number to go to the article in the Microsoft Knowledge Base:
2619991 FIX: An application that uses port 443 to connect to a remote web server no longer works after HTTPSi is enabled in a Forefront Threat Management Gateway 2010 environment
The new exception logic performs a DNS name resolution on the target's fully qualified domain name (FQDN) to determine whether it is part of the destination exception list. If the DNS lookup is unsuccessful, the request fails and the "Host Not Found (11001)" error message is generated.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates