22 Nov
2015
22 Nov
'15
8:18 p.m.
For outbound TMG needs a browser plugin. For inbound its usual to terminate
the SSL on the TMG firewall and then TMG opens a new SSL session to the
backend web server. For this to work TMG needs to have a copy of the
certificate including the private key. Wildcard certs are commonly used
with TMG but having a FQDN only guarantees the server is under control of
the certificate owner. You can have multiple sites on the same server, or
have a single site load balanced across multiple servers. SQUID will do the
same trick, but I have always run squid on the same box as the web farm,
but this isn't required...
On Nov 23, 2015 5:48 AM, "Toby Thain" <toby at telegraphics.com.au>
wrote:
On 2015-11-22 5:25 PM, Mouse wrote:
https is supposed to prevent "man in the
middle" attacks, provided you
Microsoft Forefront TMG maybe?
http://itknowledgeexchange.techtarget.com/itanswers/https-inspection-within…
--Toby
cert to provide caching for HTTPS connections - they're that common.
enfor$
That was the original theory, as I understand it.
But there are way too many "in most browsers by default" CAs that are
willing to sell wildcard certs such as can be used for MitM attacks
without disturbing cert validity checks. I even recall hearing of some
caching proxy (squid maybe?) that, out of the box, could use such a
...
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B