KB: HTTPS inspection in Forefront Threat Management Gateway 2010 doesn't use the full URL path for URL categorization


When HTTPS inspection is enabled, Microsoft Forefront Threat Management Gateway 2010 (TMG 2010) uses only the host part of the URL for URL filtering. For example, consider the following scenario:

- Assume that www.contoso.com belongs in the Education category.

- You set a URL category override for www.contoso.com/poker to the Gambling category, and a deny rule exists for that category.

When you browse to http://www.contoso.com/poker in this scenario, TMG blocks the URL because the category is evaluated as Gambling. However, when you browse to https://www.contoso.com/poker, the page loads.

This behavior occurs because for HTTPS inspection, TMG passes only the host domain (www.contoso.com) to the categorization service. In the example above, the host domain falls into the Education category.
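The following Python sketch is an added example, not Microsoft's code or TMG's implementation. It models the lookup described above with constructed data and an assumed prefix-matching rule, and lists the overrides that carry a path and feed a deny rule, which are the ones that do not take effect for HTTPS requests.

```python
from urllib.parse import urlsplit

# Constructed sample data mirroring the scenario in this article.
HOST_CATEGORIES = {"www.contoso.com": "Education"}
OVERRIDES = {"www.contoso.com/poker": "Gambling"}
DENIED_CATEGORIES = {"Gambling"}


def lookup_key(url):
    """Return the string this model hands to the categorization lookup."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return host  # HTTPS inspection: host only, as the article describes
    return host + parts.path.rstrip("/")  # HTTP: host plus path


def categorize(url, overrides=OVERRIDES, host_categories=HOST_CATEGORIES):
    """Pick the longest matching override, else fall back to the host category.

    Prefix matching is an assumption of this model, not TMG's documented rule.
    """
    key = lookup_key(url)
    best = None
    for pattern, category in overrides.items():
        pattern = pattern.rstrip("/")
        if key == pattern or key.startswith(pattern + "/"):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, category)
    if best:
        return best[1]
    return host_categories.get(key.split("/", 1)[0], "Unknown")


def is_blocked(url, denied=DENIED_CATEGORIES):
    return categorize(url) in denied


def path_overrides_not_applied_to_https(overrides, denied):
    """Audit helper: overrides with a path part that map to a denied category."""
    return sorted(p for p, c in overrides.items()
                  if "/" in p.strip("/") and c in denied)


if __name__ == "__main__":
    for url in ("http://www.contoso.com/poker", "https://www.contoso.com/poker"):
        print(url, categorize(url), "BLOCKED" if is_blocked(url) else "allowed")
    print(path_overrides_not_applied_to_https(OVERRIDES, DENIED_CATEGORIES))
```

Running the audit helper over an exported override list shows which deny decisions depend on a URL path and so need a host-level control to cover HTTPS traffic.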

For additional details please see the following:

KB3041871 - HTTPS inspection in Forefront Threat Management Gateway 2010 doesn't use the full URL path for URL categorization (http://support.microsoft.com/en-us/kb/3041871)

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division
