FIX: "Page Cannot Be Displayed" error when you try to access a website that requires a client certificate authentication on a Forefront TMG client in Forefront TMG 2010 if HTTPS Inspection is enabled


Consider the following scenario:In this scenario, you cannot access the website, and you receive the following error message:
Page Cannot Be Displayed


This issue occurs because the host name uses the IP address of the server instead of the URL for the certificate.


After you install the following update, Forefront TMG 2010 performs a reverse lookup of the host name and checks the server name for exclusion if the host name is an IP address.

Note If reverse lookup fails, this issue still occurs. If reverse lookup fails, resolve the DNS issue, or add an entry to the Windows hosts file that is located on the Forefront TMG server.

To resolve this issue, follow these steps:
  1. Run the script that is in the following Microsoft Knowledge Base (KB) article:
    982550 FIX: Error message occurs when you try to access a web server that requires a client certificate if HTTPS inspection is enabled in Forefront TMG 2010: "Error Code: 502 Proxy Error. The message received was unexpected or badly formatted. (-2146893018)"
  2. Install the software update that is described in the following Microsoft Knowledge Base (KB) article:
    2498770 Software Update 1 Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1

More Information

In a typical scenario, the subject name and the Subject Alternative Name (SAN) extension of a server certificate are used to check the HTTPS inspection exclusion list. If the SSL handshake fails, these names cannot be retrieved. However, a client certificate might be required by the server. Therefore, we use the host name to check the destination exception list for HTTPS inspection if an SSL handshake fails on a specific error. When the host name uses an IP address, an issue that is resolved by the steps in the "Resolution" section occurs.

Note The reverse lookup result of the host name must be in the destination exception list for HTTPS inspection and must be marked as No validation.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

ID d'article : 2501650 - Dernière mise à jour : 25 févr. 2011 - Révision : 1