NYGiantsFan
Forefront Threat Management Gateway - SSL Decryption
Hi,
Does the Microsoft Forefront Threat Management Gateway (and other ISA versions) have SSL decryption (interception) abilities that allow one to drop other equipment into the SSL decrypted zone?
Thank you for your insight.
As an extra, HTTPS inspection is just being amended in FTMG 2010. A new update has just been released (rollup 3 for SP1); you may want to get this installed as well.
http://support.microsoft.com/kb/2498770
Keith
ASKER
Hi,
What I mean by dropping in additional equipment: let's say we wanted to drop an IDS or malware detector into the decrypted zone? Appliances exist that just decrypt traffic so you can plug such devices into them. Blue Coat does not allow you to plug additional hardware into the decrypted stream; Netronome does. I was wondering if FTMG does.
As for laws, we don't need no stinking laws. (Just kidding, it is covered)
ASKER
Thanks!
I am not clear though on what you mean by 'that allows one to drop other equipment into the SSL decrypted zone' - can you explain further?
For reference, https inspection is a double-edged sword. What it does is allow FTMG to inspect SSL traffic by terminating the SSL connection and then the FTMG creates its own SSL connection to the destination in effect making two SSL bridges. However, this can also have legal ramifications.... For example, one of your users makes an SSL connection to his bank to transfer funds and you are breaking that SSL connection to 'inspect' traffic.... think about it.
Also, a number of SSL sites will cease to operate if HTTPS inspection is applied to them; Microsoft's own update sites are included in this list.
Keith