Forefront Threat Management Gateway - SSL Decryption

Posted on 2011-03-03
Last Modified: 2013-11-16
Does the Microsoft Forefront Threat Management Gateway (and other ISA versions) have SSL decryption (interception) abilities that allow one to drop other equipment into the SSL decrypted zone?

Thank you for your insight.
Question by:NYGiantsFan

Expert Comment

by:Keith Alabaster
ID: 35027731
ISA does not - FTMG does - the service is called https inspection.
I am not clear though on what you mean by 'that allows one to drop other equipment into the SSL decrypted zone' - can you explain further?

For reference, https inspection is a double-edged sword. What it does is allow FTMG to inspect SSL traffic by terminating the SSL connection; the FTMG then creates its own SSL connection to the destination, in effect making two SSL bridges. However, this can also have legal ramifications... For example, one of your users makes an SSL connection to his bank to transfer funds and you are breaking that SSL connection to 'inspect' traffic... think about it.

Also, a number of SSL sites will cease to operate if https inspection is applied to them; Microsoft's own update sites are included in this list.


Expert Comment

by:Keith Alabaster
ID: 35027758
As an extra, https inspection is just being amended in FTMG 2010. A new update has just been released (rollup 3 for SP1); you may want to get this installed as well.


Author Comment

ID: 35035994

What I mean by dropping additional equipment: let's say we wanted to drop an IDS or malware detector into the decrypted zone? Appliances exist that just decrypt traffic so you can plug such devices into them. Blue Coat does not allow you to plug additional hardware into the decrypted stream; Netronome does. I was wondering if FTMG does.

As for laws, we don't need no stinking laws.  (Just kidding, it is covered)

Accepted Solution

Keith Alabaster earned 500 total points
ID: 35036022
I see - no, FTMG would not do that. The break in the https stream is within the FTMG application, where it is terminated, inspected and then recreated by FTMG using its own copy of the certificate through to the destination.
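
The re-signing step described in this answer can be reproduced with throwaway certificates. The Go program below is an added example, not part of the original thread and not FTMG code; the CA names and the hostname `bank.example` are constructed, and `issue` and `trusts` are hypothetical helpers. It shows that a client accepts the gateway's re-signed certificate only when the gateway's inspection CA is in its trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a self-signed CA when parent is nil, otherwise a server leaf
// for hostname cn signed by parent with its key pk.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: the template acts as its own parent
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.DNSNames = true, true, x509.KeyUsageCertSign, nil
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, perr := x509.ParseCertificate(der) // der is nil if signing failed, so perr is set too
	if err != nil || perr != nil {
		panic(fmt.Sprint("issue: ", err, perr))
	}
	return cert, key
}

// trusts reports whether a client whose trust store holds only root accepts leaf for host.
func trusts(root, leaf *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	pubCA, pubKey := issue("Constructed Public CA", nil, nil)
	gwCA, gwKey := issue("Constructed Inspection CA", nil, nil)
	origin, _ := issue("bank.example", pubCA, pubKey) // leaf the real site presents
	resigned, _ := issue("bank.example", gwCA, gwKey) // leaf the gateway mints for the same name
	fmt.Println(trusts(pubCA, origin, "bank.example"), trusts(pubCA, resigned, "bank.example"),
		trusts(gwCA, resigned, "bank.example"), resigned.Issuer.CommonName)
}
```

The program prints `true false true Constructed Inspection CA`: the issuer on the certificate the client sees is the inspection CA, which is the simplest client-side sign that a connection is being inspected.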

