FIX: HTTPS traffic may not be inspected when a user accesses a site

View products that this article applies to.

Symptoms

Consider the following scenario:

You enable Microsoft Forefront Threat Management Gateway (TMG) 2010 functionality to specify exact domains for HTTPS inspection, as is documented in update 2619986 .
You specify a domain name set on which you want Forefront TMG 2010 to apply HTTPS inspection. For example, you specify Hotmail.com.
A user accesses a site that is in the domain name set.

In this scenario, HTTPS traffic may not be inspected.

Cause

This problem may occur if the destination site uses a server certificate that has subject alternative names (SANs). If any of the Domain Name System (DNS) names in the SAN list are not in the inclusion domain name set that is specified for HTTPS inspection, HTTPS traffic will not be inspected.

↑ Back to the top

Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway 2010 Service Pack 2.

↑ Back to the top

Workaround

To work around this problem, make sure that all the DNS names in the SAN list are included in the domain name set that is used for the inclusion domains. You can inspect these names by viewing the server certificate and then inspecting the Subject Alternative Name field.

↑ Back to the top