
Configuring Forefront TMG 2010 HTTPS Inspection Inclusion List

November 1, 2011

When HTTPS inspection is configured and enabled on a Forefront TMG 2010 firewall, the administrator has the option to define web sites to exclude from HTTPS inspection. This may be required for a variety of reasons. For example, an administrator may need to exclude certain destinations to address privacy concerns, or perhaps HTTPS inspection breaks an application that uses SSL to tunnel non-HTTP protocols. All HTTPS web sites are inspected except for those sites defined as Destination Exceptions.

Beginning with Service Pack 2 (SP2) for Forefront TMG 2010, administrators can now define an explicit inclusion list for HTTPS inspection. Sites included on this list will be subject to HTTPS inspection, while all other destinations will be excluded. To define an HTTPS inspection inclusion list, create a Domain Name Set and populate it with those destinations for which you explicitly want to enforce HTTPS inspection.

After saving and applying the configuration, copy this VBScript file to the TMG firewall, then open an elevated command prompt and type the following command:

cscript.exe ConfigureHTTPSiInclusionList.vbs <DomainNameSetName>

Substitute <DomainNameSetName> in the command above with the name of the Domain Name Set created earlier. Once configured, the Destination Exceptions tab of the HTTPS Outbound Inspection properties will be greyed out, and only those sites included in the Domain Name Set defined as the HTTPS inspection inclusion list will be subject to HTTPS inspection. All other destinations will be excluded. You can still define Source Exceptions as needed, however.

Only one Domain Name Set can be specified as the HTTPS inspection inclusion list. Running the command without parameters removes any configured inclusion list and returns HTTPS inspection back to its original state.
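As an added illustration (not TMG's code and not the VBScript linked above), the following Python model shows how destination matching changes between the default mode, where everything is inspected except the Destination Exceptions, and the SP2 inclusion-list mode, where only the named Domain Name Set is inspected and the exceptions are no longer consulted. It assumes Domain Name Set entries are either exact host names or "*.domain" wildcards that match subdomains only; the sample sets and hosts are constructed.

```python
# Added example: model of TMG HTTPS inspection destination matching in the two
# modes the post describes. This does not talk to the firewall; it only helps
# predict which sessions flip between "inspect" and "bypass" when an inclusion
# list is applied. Assumption: a "*.x.example" entry matches subdomains of
# x.example only, so the bare domain must be listed as a separate entry.
from typing import Iterable, Optional


def _entry_matches(entry: str, host: str) -> bool:
    """Match one Domain Name Set entry against a host name (case-insensitive)."""
    entry, host = entry.lower().strip("."), host.lower().strip(".")
    if entry.startswith("*."):
        # ".x.example" as a suffix matches "a.x.example" but never "x.example"
        # or "evilx.example".
        return host.endswith(entry[1:])
    return host == entry


def in_set(host: str, domain_set: Iterable[str]) -> bool:
    return any(_entry_matches(e, host) for e in domain_set)


def inspected(host: str, exceptions: Iterable[str],
              inclusion: Optional[Iterable[str]] = None) -> bool:
    """True if TMG would decrypt and inspect an HTTPS session to `host`.

    inclusion=None models the default state (script run without parameters);
    a list models the SP2 inclusion list, where the Destination Exceptions tab
    is greyed out and the exceptions set is no longer consulted."""
    if inclusion is not None:
        return in_set(host, inclusion)
    return not in_set(host, exceptions)


def plan_change(hosts, exceptions, inclusion):
    """Per host: (inspected today, inspected after the inclusion list is applied)."""
    return {h: (inspected(h, exceptions), inspected(h, exceptions, inclusion))
            for h in hosts}


# Constructed sample data, not from the post.
EXCEPTIONS = ["*.bank.example", "bank.example"]        # Sites Exempt from HTTPS Inspection
INCLUSION = ["*.webmail.example", "webmail.example"]   # Domain Name Set given to the script
HOSTS = ["www.bank.example", "bank.example", "mail.webmail.example",
         "webmail.example", "cdn.other.example"]

if __name__ == "__main__":
    for host, (before, after) in plan_change(HOSTS, EXCEPTIONS, INCLUSION).items():
        state = lambda b: "inspect" if b else "bypass"
        print(f"{host:24} default={state(before):8} inclusion={state(after)}")
```

Running it against the hosts seen in the TMG web proxy log for a site is a quick way to confirm that nothing you rely on being inspected drops out when the inclusion list takes effect.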

For more information regarding HTTPS inspection inclusion lists, refer to KB2619986.

  1. March 7, 2013 at 2:16 pm

    During my testing it appears that only array-level Domain Name Sets are allowed. Is there any way to get this to work with Enterprise-level Domain Name Sets? This way I can make a change to a single Domain Name Set that applies to all my arrays.

  2. March 7, 2013 at 2:25 pm

    Is it possible to edit the “Sites Exempt from HTTPS Inspection” predefined domain name set?

  3. March 11, 2013 at 8:57 pm

    Not to my knowledge, unfortunately.

  4. March 11, 2013 at 8:58 pm

    Absolutely. You can edit this Domain Name Set just as you would any other set.

  5. May 17, 2013 at 6:47 am

    When you enable the inclusion, does TMG ignore the “Sites Exempt from HTTPS Inspection” domain name set?

  6. May 20, 2013 at 7:42 am

    That is my understanding, yes. 🙂

  7. Juan Carlos Lopez
    October 31, 2014 at 9:34 am

    Hi, I have a problem with Google Chrome. I have a TMG for proxy; in IE and Mozilla it works fine and correctly blocks the banned sites, but in Chrome any banned site works and my clients have complete access to any site they want. What can I do to solve this problem with Chrome?

  8. November 3, 2014 at 10:09 am

    The only way this can happen is if the client using Chrome is taking a different network path to the Internet than it is using other browsers. Typically this is caused by not having the proxy settings configured correctly.
