HTTPS exception not working for one site

Hi All

I am facing an issue with HTTPS inspection in TMG. We have enabled HTTPS inspection in a TMG array. Everything is working fine except one HTTPS site is not opening. In the Error Log there is the entry: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.

I have also added the site in the "Destination Exception" and the entries under the domain name set are *.domain.com, www.domain.com and domain.com. I have checked the cert and it has the following entries:
CN=domain.com
In the SAN the entries are:
DNS Name=domain.com
DNS Name=www.domain.com

We have already installed Rollup 3 for SP2.

Any ideas why the validation is made even when we configured No validation?

-Ashish

August 7th, 2013 5:22pm

Hi,

You can find a check list here http://technology.bauzas.com/microsoft/how-to-resolve-common-problems-https-inspection-using-microsoft-forefront-threat-management-gateway-2010/ under scenario 2.

Especially the point about reverse DNS looks promising. Is the website you are trying to reach publicly available, so that I can run a test from my lab against it?

Regards,

Lutz

  • Marked as answer by ashishvaidya Thursday, August 08, 2013 2:39 PM
August 7th, 2013 9:39pm

Yup, the site is publicly available, but I think I can't tell you the address here (my client won't allow that). If you can give me your email address, maybe I can send you the link.
August 8th, 2013 9:28am

I think I found the solution, thanks to the hint provided by Lutz. I did a reverse DNS lookup for that site and it was resolving to a different name. Added that in the exception and it started to work perfectly.

-Ashish

August 8th, 2013 10:40am

Okay, now I ran into an issue with a different site: https://www.trainingandseminars.com

I have inspected the site cert and it shows two SAN entries, i.e. www.866seminars.com and www.trainingandseminars.com. I did an nslookup for the site and it is resolving to 192.185.7.250, and a reverse lookup is resolving to trainingandseminars.com.

I have added the below-mentioned entries in the Destination Exceptions tab of HTTPS inspection in the TMG:

*.866seminars.com
*.trainingandseminars.com
866seminars.com
trainingandseminars.com
www.866seminars.com
www.trainingandseminars.com

But still this site won't open. If I look at the error in the TMG logs, it shows a failed connection attempt, log type Web Proxy (Forward), with status 0x80090332.

The Netmon logs on the client computer are showing error code: 502 Proxy Error. The target principal name is incorrect.

Any help will be appreciated.

November 15th, 2013 9:42am
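The check the thread works through by hand (certificate CN/SAN names, forward and reverse DNS, configured domain name set) as an added example; this is not code from the thread or from TMG. It assumes a `*.suffix` entry matches any subdomain, and the reverse name for the first case is a constructed placeholder, since the post does not say what it was.

```python
# Added diagnostic for TMG HTTPS-inspection name mismatches (not TMG code).
# Assumes a '*.suffix' entry matches any subdomain, and that the names worth
# comparing are the requested host, the cert CN/SAN names and the reverse-DNS
# name of the resolved address (the hint that fixed the first case).
import socket
import ssl

FIRST_CASE = {  # data from the first post; the reverse name is a constructed placeholder
    "requested": "www.domain.com",
    "cert_names": ["domain.com", "www.domain.com"],
    "reverse": "host.example.net",
    "exceptions": ["*.domain.com", "www.domain.com", "domain.com"],
}
SECOND_CASE = {  # data from the last post
    "requested": "www.trainingandseminars.com",
    "cert_names": ["www.866seminars.com", "www.trainingandseminars.com"],
    "reverse": "trainingandseminars.com",
    "exceptions": ["*.866seminars.com", "*.trainingandseminars.com", "866seminars.com",
                   "trainingandseminars.com", "www.866seminars.com", "www.trainingandseminars.com"],
}

def name_matches(name, pattern):
    """Match a host name against one domain-name-set entry (exact or '*.suffix')."""
    name, pattern = name.lower().rstrip("."), pattern.lower()
    return name.endswith(pattern[1:]) if pattern.startswith("*.") else name == pattern

def candidate_names(case):
    """Every name a certificate-name check might be comparing for this connection."""
    return {n.lower() for n in [case["requested"], case["reverse"], *case["cert_names"]] if n}

def missing_exceptions(case):
    """Candidate names not covered by any configured exception entry."""
    return sorted(n for n in candidate_names(case)
                  if not any(name_matches(n, p) for p in case["exceptions"]))

def live_case(host, port=443):
    """Network variant: build a case from real DNS answers and the server certificate.
    The chain is verified but the host name is not, so a mismatched cert can still be read."""
    ip = socket.gethostbyname(host)
    try:
        reverse = socket.gethostbyaddr(ip)[0]
    except OSError:  # no PTR record
        reverse = ""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=host) as tls:
        cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return {"requested": host, "cert_names": names, "reverse": reverse, "exceptions": []}
```

For the first case the reverse-DNS name is the only one left uncovered, which is what adding it to the exception fixed; for the second case every name is already covered, so the 0x80090332 failure has to come from something the exception list does not control. With network access, `live_case("host")` builds the same structure from real answers, after which the exception entries are filled in by hand.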
