Issue: Unable to access an HTTPS website through a Microsoft TMG 2010 server with HTTPS Inspection enabled.

Behaviour: - When users try to access an SNI-based website with HTTPS Inspection enabled on TMG 2010, they get the error “This page cannot be displayed”.

These websites use Server Name Indication (SNI) to determine which certificate to serve. The problem occurs because the TMG server does not send the SNI information when HTTPS Inspection is enabled.

The issue occurs because the Microsoft TMG 2010 server sends its “Client Hello” message in the SSLv2-compatible record format. That format has no extensions field, so it cannot carry the SNI host name, and because the web server does not support SSLv2, it rejects the message and closes the connection.

We see the following entries in TMG 2010 live logging:

Data analysis and troubleshooting

We collected a Netmon capture on the TMG server while accessing the HTTPS website and observed that the TMG 2010 server sends its “Client Hello” as an “SSLv2 RecordLayer compatible” record, which does not contain the SNI information.
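As an added illustration (not code from the original post or from TMG), the following Python builds the two Client Hello shapes described above from constructed sample bytes and checks which one can carry a server name: the SSLv2-compatible format has no extensions field at all, while the TLS record-layer format carries SNI as extension type 0. The same client_hello_sni function can be run over Client Hello bytes exported from a capture to confirm whether SNI is present after the fix.

```python
import struct

# Constructed sample messages (not the page's capture); they reproduce the two
# Client Hello shapes a Netmon trace of TMG 2010 shows before and after the fix.

def build_sslv2_compat_hello(version=(3, 1)):
    """SSLv2-compatible record: 2-byte header with the high bit set. The format
    has no extensions field, so a server_name (SNI) can never be carried."""
    cipher_specs = b"\x00\x00\x2f" + b"\x00\x00\x0a"   # 3-byte SSLv2-style cipher ids
    challenge = b"\x11" * 16                           # fixed bytes for a reproducible sample
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_hello(server_name, version=(3, 1)):
    """TLS record-layer ClientHello carrying the server_name extension (RFC 6066)."""
    name = server_name.encode("ascii")
    sni_ext = struct.pack(">HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    hello = (bytes(version) + b"\x22" * 32 + b"\x00"        # version, fixed random, empty session id
             + struct.pack(">H", 4) + b"\x00\x2f\x00\x0a"   # two cipher suites
             + b"\x01\x00"                                  # one compression method: null
             + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def client_hello_sni(data):
    """Classify a captured Client Hello: ('sslv2', None) for the SSLv2-compatible
    format, ('tls', host_name or None) for a record-layer ClientHello."""
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2", None                     # SSLv2 format: extensions impossible
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello")
    p = 9 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + data[p]                             # session id
    p += 2 + struct.unpack(">H", data[p:p + 2])[0]   # cipher suites
    p += 1 + data[p]                             # compression methods
    if p >= len(data):
        return "tls", None                       # no extensions block at all
    end = p + 2 + struct.unpack(">H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", data[p:p + 4])
        if ext_type == 0:                        # server_name extension
            name_len = struct.unpack(">H", data[p + 7:p + 9])[0]
            return "tls", data[p + 9:p + 9 + name_len].decode("ascii")
        p += 4 + ext_len
    return "tls", None
```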

Resolution 1: Use the script from the following KB article to fix the issue.

You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection and set "HTTPSiClientProtocols".

This script disables all old client protocols, such as SSLv2.

Link: -  https://support.microsoft.com/en-us/kb/2545464

Resolution 2: Enable FIPS-compliant algorithms for encryption on the TMG 2010 server.

We can also use the FIPS group policy option to disable the weaker SSL protocols used by TMG 2010.

System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms.

For the SCHANNEL Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server. If this setting is enabled, the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only FIPS 140 approved cryptographic algorithms.

To enable FIPS compliant algorithms: -

We can enable FIPS mode on TMG by using the Local Group Policy Editor setting “Use FIPS 140 compliant algorithms for encryption, hashing and signing.”

Type “gpedit.msc” in “Run” and navigate to Local Computer -> Windows Settings -> Security Settings -> Local Policies -> “System Cryptography: Use FIPS 140 compliant algorithms for encryption, hashing and signing.”

Netmon capture after enabling FIPS compliant algorithms on TMG 2010 or running the script from KB2545464.

In the above network capture we see that the client is now using the “TLS Rec Layer-1” protocol when sending the “Client Hello” message.

It also now sends the server name (SNI) in the “Client Hello” message, which the TMG 2010 server builds based on information provided by the web server.

Reference Articles: -

https://support.microsoft.com/en-us/kb/3058679

https://support.microsoft.com/en-us/kb/2545464