Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

HTTPS inspection in Forefront Threat Management Gateway 2010 doesn't use the full URL path for URL categorization


View products that this article applies to.

Symptoms

When HTTPS inspection is enabled, Microsoft Forefront Threat Management Gateway 2010 uses only the host part of the URL for URL filtering.

For example, consider the following scenario:
  • Assume that www.contoso.com belongs in the education category.
  • You set a URL category override for www.contoso.com/poker to the gambling category, and a deny rule exists for that category.
When you browse to http://www.contoso.com/poker in this scenario, Threat Management Gateway blocks this URL because the category is evaluated as gambling. However, when you browse to https://www.contoso.com/poker, the page loads.

↑ Back to the top


Cause

This behavior occurs because for HTTPS inspection, Threat Management Gateway passes only the host domain (www.contoso.com) to the categorization service. In the example, the host domain falls into the "education" category.

↑ Back to the top


Status

This behavior is by design. Threat Management Gateway does not send the path part of the URL for categorization during HTTPS inspection because of privacy issues. For example, the query string might include a user name or even a password.

↑ Back to the top


Keywords: kbexpertiseinter, kbprb, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 3041871
Revision : 1
Created on : 1/7/2017
Published on : 3/7/2015
Exists online : False
Views : 289