Tmg https detection for virus camouflage detection

We learned how to use TMG to protect Exchange 2010 Server with Forefront TMG. This article introduces how to detect tmg https to prevent viruses and trojans from intruding into the server in disguise.

1. Introduction to tmg https Inspection

Tmg https Inspection (HTTPS detection) can prevent internal clients from accessing some illegal HTTPS websites. In general, it is to prevent clients from establishing SSL connections directly with external servers and solve the security problems caused by the uncheckable SSL encrypted content.

2. tmg https Inspection processing process

Shows the basic process.

 

Figure 1-HTTPS Inspection Processing

1) TMG reads the configuration from the configuration storage server, including the CA certificate used to read HTTPS Inspection.

2) The client initiates an http connect request, which is transparent to the client.

3) Establish an SSL connection between TMG and the target server.

4) TMG performs HTTPS Inspection according to the server certificate configuration. The process is as follows:

A. site to be blocked: Send the error page to the client;

B. The site is in the exception list: TMG closes the connection with the server, establishes a new connection with the client, and sends the "200 Connected" message to the client. The client directly establishes an SSL connection with an external site;

C. The site check is valid: Establish an SSL connection with the client.

5) establish an SSL connection between TMG and the client.

You can modify the HTTP Inspection policy as needed. For example, you can modify the certificate validity period. For more information, see.

Figure 2-certificate check Policy

There are also some certificate check policies not available on the interface, such:

• Certificate name match
• Whether the server certificate is trusted
• Server certificate type (whether it is used for server verification)

3. Problems with deploying the HTTPS Inspection client on TMG

Any security policy applied to the enterprise may cause some problems or receive negative feedback from the End User. Users often complain that some previously visited websites are unavailable. Users may think that HTTPS connections are secure, but they do not know that external servers may use fake server certificates or contain malicious code.

Although HTTPS Inspection can protect internal clients from accessing malicious HTTPS websites, it may also cause deployment problems. The following lists some common problems.

Problem 1: When The client accesses The HTTPS webpage, it receives The TMG Error: The page cannot be displayed-Error Code 502 (Proxy Error) -the certification authority that issued the SSL Server certificate supplied by a destination server is not trusted by the local computer.

Cause: TMG does not trust the certificate of an external HTTPS site. This type of problem does not occur for most websites that use commercial certificates. To allow users to access these websites, the TMG administrator needs to import the CA certificate of the site to the TMG local trusted root certificate store. In addition, you can add the site to the exclusion list without performing a certificate check.

Problem 2: When the client accesses an HTTPS website, an Error Code 502 (Proxy Error) is returned) -the name on the SSL server certificate supplied by a destination server does not match the name of the host requested.

Cause: the Certificate Name and access URL name do not match in the following situations:

• The Web server uses wildcards (for example, * .domain.com)
• The client uses an IP address to access the Web server.
• Reverse name resolution on TMG does not match (IP address to name)

TMG needs reverse name resolution to verify that the certificate name matches the access URL. If reverse name resolution fails, TMG cannot match the Certificate Name. If the client does need to access these HTTPS sites, you can add the domain name to the exclusion list and set it to not perform certificate checks.

Problem 3: the following security prompt page appears when the client accesses all HTTPS websites:

Figure 3-Web site security prompt

Cause: the client does not trust the CA certificate used by HTTPS Inspection on TMG. This CA certificate (for example, a TMG self-issued certificate) must be deployed on the client, otherwise, the client will not trust the CA certificate of TMG. For more information about how to deploy CA certificates, see Deploying the HTTPS inspection trusted root CA certificate to client computers.

Problem 4: when the client uses the Firefox browser to access all HTTPS sites, the following error is returned, but IE does not.

Figure 4-An error occurred while accessing the HTTPS site using the Firefox browser

Cause: some third-party browsers, such as Firefox, have their own certificate trust list maintained by Firefox, instead of using the Certificate Trust list used by local Windows. You need to refer to the documents of the corresponding Third-Party Browser to import the CA certificate of TMG.

Problem 5: when the client uses the TMG client to access the HTTPS website, the following prompt must be displayed, indicating that the HTTPS network traffic is under monitoring. However, this prompt appears only once when you access the same HTTPS website multiple times.

Figure 5-TMG client prompt

Cause: by default, this prompt will be cached for 12 hours. If the client does not restart the server, a prompt is displayed for the same HTTPS site within 12 hours. You can modify the default value in the registry.

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ RAT \ Stingray \ Debug \ FwcMgmt]

"FWC_MGMT_HTTPS_TEMPORARY_DISABLED_TIMEOUT" = dword: 2932E00

The default value is 2932E00 in hexadecimal format, which is 43200000 ms in decimal format and 12 hours in decimal format. This is the setting displayed on the TMG Client user interface. You do not need to restart the service.

Question 6: When you access an HTTPS site that requires client certificate verification, you receive the following error message:

Figure 6-error reported when accessing the HTTPS site that requires client certificate verification

Cause: TMG does not support access to the HTTPS site that requires client certificate verification because TMG does not have a client certificate for verification. You need to add the site to the exclusion list and set it to not perform certificate check.