Notifying users that HTTPS traffic is being inspected

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic describes how to enable notification of HTTPS inspection to client computers that are running Forefront TMG Client. Enabling client notification may be necessary to remain in compliance with corporate privacy policies.


To receive notifications of HTTPS inspection, client computers must have the HTTPS inspection trusted root certification authority (CA) certificate installed in the local computer Trusted Root Certification Authorities certificate store. If the certificate is not installed in this exact certificate store, the user will not receive balloon notifications of HTTPS inspection. For details, see Deploying the HTTPS inspection trusted root CA certificate to client computers.


  • Forefront TMG Clients will not receive HTTPS inspection notifications if the inspection is performed by an upstream proxy server. To enable client notifications in a Web chaining scenario, make sure that HTTPS inspection is enabled on the downstream proxy.

  • The Allow Client Notifications system policy rule (allowing notifications to Forefront TMG Clients) is not dynamically updated with additional networks (besides the default networks: VPN, Quarantine and Internal). Use the system policy editor to manually add any other network containing Forefront TMG Clients to the destination networks of this rule.

Enabling HTTPS inspection notifications on Forefront TMG

To enable HTTPS inspection notifications on Forefront TMG server

  1. In the Forefront TMG Management console, in the tree, click the Web Access Policy node.

  2. In the Tasks pane, click Configure HTTPS Inspection.

  3. On the Client Notification tab, click Notify users that HTTPS inspection is being inspected, and then click OK.

Enabling HTTPS inspection notifications on Forefront TMG Client

To enable HTTPS inspection notification on Forefront TMG Client

  1. On the Secure Connection Inspection tab, select Notify me when content sent to secure Web sites is inspected.


Configuring HTTPS inspection