These websites use Server Name Indication (SNI) to determine which certificate should be served. The problem happens because the TMG server does not send the SNI information when HTTPS inspection is enabled.
The issue occurs because the Microsoft TMG 2010 server sends a "Client Hello" message in the SSLv2-compatible record format. Because the web server does not support SSLv2, it rejects the message and closes the connection.
We see the following entries in the TMG 2010 live logging.
We collected a Netmon capture on the TMG server while accessing the HTTPS website and observed that the TMG 2010 server sends the "Client Hello" with an "SSLv2 RecordLayer compatible" header, which does not contain the SNI information.
"You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection" and set "HTTPSiClientProtocols".
The script in that article disables all of the old client protocols, such as SSLv2.
Link: https://support.microsoft.com/en-us/kb/2545464
We can also use the FIPS group policy option to disable the weaker SSL protocols used by TMG 2010.
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms.
For the Schannel Security Support Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server. If this setting is enabled, the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms.
We can enable FIPS mode on TMG by using the Local Group Policy Editor: "Use FIPS 140 compliant algorithms for encryption, hashing and signing."
Type "gpedit.msc" in "Run" and navigate to Local Computer -> Windows Settings -> Security Settings -> Local Policies -> "System cryptography: Use FIPS 140 compliant algorithms for encryption, hashing and signing."
In the above network capture we now see the client communicating using the "TLS Rec Layer-1" protocol when sending the "Client Hello" message.
It now also sends the server name (SNI) in the "Client Hello" message, which the TMG 2010 server builds based on the information provided by the web server.
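To make the difference between the two captures concrete, here is an added Python classifier (not from the original post and not TMG code) that takes the raw bytes of a Client Hello, reports whether it uses the SSLv2-compatible record layer or the TLS record layer, and extracts the SNI host name when one is present. The two sample messages are constructed, not taken from the captures above.

```python
import struct

def parse_sni_extension(ext_data):
    # server_name extension body: 2-byte list length, then (type, len, name) entries
    (list_len,) = struct.unpack("!H", ext_data[:2])
    pos = 2
    while pos < 2 + list_len:
        name_type, (name_len,) = ext_data[pos], struct.unpack("!H", ext_data[pos + 1:pos + 3])
        if name_type == 0:  # host_name
            return ext_data[pos + 3:pos + 3 + name_len].decode("ascii")
        pos += 3 + name_len
    return None

def classify_client_hello(data):
    """Report the record layer of a raw Client Hello and any SNI it carries."""
    if data[0] & 0x80:  # SSLv2 record header: 2-byte length with the high bit set
        if data[2] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version = struct.unpack("!H", data[3:5])[0]
        # The SSLv2 format has no extension field, so it can never carry SNI.
        return {"record_layer": "SSLv2-compatible", "version": version, "sni": None}
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body, sni = data[5:], None  # skip record header: type(1) version(2) length(2)
    version = struct.unpack("!H", body[4:6])[0]  # client_version
    pos = 6 + 32  # skip handshake header, client_version and random
    pos += 1 + body[pos]  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    if pos < len(body):  # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == 0:  # server_name
                sni = parse_sni_extension(body[pos + 4:pos + 4 + ext_len])
            pos += 4 + ext_len
    return {"record_layer": "TLS", "version": version, "sni": sni}

# Constructed samples, not taken from the captures on this page. The first is an
# SSLv2-compatible hello offering TLS 1.0, one cipher spec and a 16-byte challenge.
SSLV2_HELLO = bytes.fromhex("801c 0103 0100 0300 0000 1000 002f") + b"\x11" * 16

def build_tls_hello(hostname):  # TLS 1.0 record: ClientHello with one cipher and SNI
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    hello = b"\x03\x01" + b"\x22" * 32 + b"\x00\x00\x02\x00\x2f\x01\x00" + struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Running classify_client_hello over each Client Hello pulled from a capture shows immediately which connections TMG opened with the SSLv2-compatible header (and therefore without SNI) and which used the TLS record layer after the fix.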