About SSL bridging and publishing
When a user requests a URL containing the HTTPS protocol in a Web browser, the Web browser sends an HTTP CONNECT request containing the host name specified in the URL in order to establish an encrypted SSL connection with the target host. If Microsoft Forefront Threat Management Gateway publishes the Web site specified in the URL the request is directed to the Forefront TMG computer, and an SSL connection is established between the client computer and the Forefront TMG computer. The client computer then sends encrypted requests over this SSL connection, and Forefront TMG decrypts these requests and forwards them to the published Web server.
You can configure a Web publishing rule to forward client requests to the published Web over an unencrypted connection or over an encrypted SSL connection. This is true for both encrypted client requests that are sent from the client computer to the Forefront TMG computer over an SSL connection and for client requests that are sent from the client computer to the Forefront TMG computer over an unencrypted connection.
Forefront TMG performs SSL bridging whenever it terminates or initiates an SSL connection on a segment between a client and the published Web server. The following SSL bridging scenarios are possible:
HTTPS-to-HTTPS bridging—A request arriving on an SSL connection is forwarded over an SSL connection. In this scenario, the client sends an encrypted request. Forefront TMG decrypts the request, encrypts it again, and forwards it to the Web server. The Web server returns the encrypted object to the Forefront TMG computer. Forefront TMG decrypts the object, encrypts it again, and sends it to the client.
Note
When possible, we recommend that you configure bridging for SSL requests.
**HTTPS-to-HTTP bridging—**A request arriving on an SSL connection is forwarded as an unencrypted request. In this scenario, the client sends an encrypted request. Forefront TMG decrypts the request and forwards it to the Web server. The Web server returns the HTTP object to the Forefront TMG computer. Forefront TMG encrypts the object and sends it to the client.
**HTTP-to-HTTPS bridging—**An HTTP request is forwarded over an SSL connection. In this scenario, the client sends an unencrypted request for an HTTP object. Forefront TMG encrypts the request and forwards it to the Web server. The Web server returns the encrypted object to the Forefront TMG computer. Then, Forefront TMG decrypts the object and sends it to the client.
In Web access scenarios, SSL tunneling can be used when a client browser (from the local, Internal network) sends a request to port 8080 for an SSL connection to a Web server through the Forefront TMG computer. If the access policy allows HTTP requests to be sent from the source to the destination requested, Forefront TMG forwards the request to establish a direct SSL tunnel between the client computer and the target Web server. After the SSL tunnel is established, the client communicates directly with the Web server by sending encrypted requests through the SSL tunnel without any mediation by Forefront TMG.