Symptoms
Consider the following scenario:
-
You try to access a Secure Sockets Layer (SSL) website through Microsoft Forefront Threat Management Gateway 2010.
-
The website uses Server Name Indication (SNI) to determine which certificate to serve.
-
Threat Management Gateway HTTPS Inspection is enabled.
-
The Threat Management Gateway server uses web chaining to send outgoing web requests to an upstream proxy server.
-
The HTTPSiDontUseOldClientProtocols vendor parameter set is enabled (per KB 2545464).
In this scenario, you cannot access the website.
Cause
This problem occurs because the Threat Management Gateway builds an incorrect SNI header that causes connectivity errors or web server errors.
Resolution
To resolve this problem, apply this hotfix on all Threat Management Gateway array members. This hotfix is not enabled by default. After you install this hotfix, you must follow these steps to enable the fix:
-
Copy the following script to a text editor such as Notepad, and then save it as UseOriginalHostNameInSslContex.vbs:
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script forces TMG to use original host name for SSL context when connecting to target server via upstream proxy
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "UseOriginalHostNameInSslContex"
Const SE_VPS_VALUE = TRUE
Sub SetValue()
' Create the root object.
Dim root
' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")
'Declare the other objects that are needed.
Dim array ' An FPCArray object
Dim VendorSets
' An FPCVendorParametersSets collection
Dim VendorSet
' An FPCVendorParametersSet object
Set array = root.GetContainingArray
Set VendorSets = array.VendorParametersSets
On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )
If Err.Number <> 0 Then
Err.Clear ' Add the item.
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name
Else
WScript.Echo "Existing VendorSet found... value: " & VendorSet.Value(SE_VPS_NAME)
End If
if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError
If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If
End Sub
Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
SetValue -
Copy the script file to a Threat Management Gateway array member, and then double-click the file to run the script.
To revert to the default behavior, follow these steps:
-
Locate the following line of the script:
Const SE_VPS_VALUE = true
-
Change this line to the following:
Const SE_VPS_VALUE = false
-
Rerun the script on one of the Threat Management Gateway array members.
Hotfix information
A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
You must have Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010 installed to apply this hotfix.
Restart information
You may have to restart the computer after you apply this hotfix rollup.
Replacement information
This hotfix rollup does not replace a previously released hotfix rollup.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File name |
File version |
File size |
Date |
Time |
Platform |
---|---|---|---|---|---|
Authdflt.dll |
7.0.9193.650 |
252,768 |
22-Apr-15 |
9:46 |
x64 |
Comphp.dll |
7.0.9193.650 |
257,912 |
22-Apr-15 |
9:46 |
x64 |
Complp.dll |
7.0.9193.650 |
108,032 |
22-Apr-15 |
9:46 |
x64 |
Cookieauthfilter.dll |
7.0.9193.650 |
682,760 |
22-Apr-15 |
9:46 |
x64 |
Dailysum.exe |
7.0.9193.650 |
186,288 |
22-Apr-15 |
9:46 |
x64 |
Diffserv.dll |
7.0.9193.650 |
162,616 |
22-Apr-15 |
9:46 |
x64 |
Diffservadmin.dll |
7.0.9193.650 |
310,400 |
22-Apr-15 |
9:46 |
x64 |
Empfilter.dll |
7.0.9193.650 |
711,088 |
22-Apr-15 |
9:46 |
x64 |
Empscan.dll |
7.0.9193.650 |
267,664 |
22-Apr-15 |
9:46 |
x64 |
Gwpafltr.dll |
7.0.9193.650 |
191,456 |
22-Apr-15 |
9:46 |
x64 |
Httpadmin.dll |
7.0.9193.650 |
242,944 |
22-Apr-15 |
9:46 |
x64 |
Httpfilter.dll |
7.0.9193.650 |
251,208 |
22-Apr-15 |
9:46 |
x64 |
Isarepgen.exe |
7.0.9193.650 |
79,704 |
22-Apr-15 |
9:46 |
x64 |
Ldapfilter.dll |
7.0.9193.650 |
189,896 |
22-Apr-15 |
9:46 |
x64 |
Linktranslation.dll |
7.0.9193.650 |
418,592 |
22-Apr-15 |
9:46 |
x64 |
Managedapi.dll |
7.0.9193.650 |
80,752 |
22-Apr-15 |
9:46 |
x64 |
Microsoft.isa.reportingservices.dll |
7.0.9193.650 |
876,328 |
22-Apr-15 |
9:46 |
x64 |
Microsoft.isa.rpc.managedrpcserver.dll |
7.0.9193.650 |
172,440 |
22-Apr-15 |
9:46 |
x64 |
Microsoft.isa.rpc.rwsapi.dll |
7.0.9193.650 |
136,920 |
22-Apr-15 |
9:46 |
x64 |
Mpclient.dll |
7.0.9193.650 |
128,632 |
22-Apr-15 |
9:46 |
x64 |
Msfpc.dll |
7.0.9193.650 |
1,079,304 |
22-Apr-15 |
9:46 |
x64 |
Msfpccom.dll |
7.0.9193.650 |
13,446,024 |
22-Apr-15 |
9:46 |
x64 |
Msfpcmix.dll |
7.0.9193.650 |
569,448 |
22-Apr-15 |
9:46 |
x64 |
Msfpcsec.dll |
7.0.9193.650 |
386,656 |
22-Apr-15 |
9:46 |
x64 |
Msfpcsnp.dll |
7.0.9193.650 |
17,112,848 |
22-Apr-15 |
9:46 |
x64 |
Mspadmin.exe |
7.0.9193.650 |
1,121,552 |
22-Apr-15 |
9:46 |
x64 |
Mspapi.dll |
7.0.9193.650 |
130,680 |
22-Apr-15 |
9:46 |
x64 |
Msphlpr.dll |
7.0.9193.650 |
1,279,136 |
22-Apr-15 |
9:46 |
x64 |
Mspmon.dll |
7.0.9193.650 |
150,232 |
22-Apr-15 |
9:46 |
x64 |
Mspsec.dll |
7.0.9193.650 |
84,872 |
22-Apr-15 |
9:46 |
x64 |
Pcsqmconfig.com.xml |
Not applicable |
137,103 |
13-Feb-12 |
20:24 |
Not applicable |
Preapi.dll |
7.0.9193.650 |
21,536 |
22-Apr-15 |
9:46 |
x64 |
Radiusauth.dll |
7.0.9193.650 |
138,408 |
22-Apr-15 |
9:46 |
x64 |
Ratlib.dll |
7.0.9193.650 |
148,184 |
22-Apr-15 |
9:46 |
x64 |
Reportadapter.dll |
7.0.9193.650 |
723,888 |
22-Apr-15 |
9:46 |
x86 |
Reportdatacollector.dll |
7.0.9193.650 |
1,127,648 |
22-Apr-15 |
9:46 |
x86 |
Softblockfltr.dll |
7.0.9193.650 |
143,552 |
22-Apr-15 |
9:46 |
x64 |
Updateagent.exe |
7.0.9193.650 |
211,520 |
22-Apr-15 |
9:46 |
x64 |
W3filter.dll |
7.0.9193.650 |
1,409,416 |
22-Apr-15 |
9:46 |
x64 |
W3papi.dll |
7.0.9193.650 |
21,024 |
22-Apr-15 |
9:46 |
x64 |
W3pinet.dll |
7.0.9193.650 |
35,432 |
22-Apr-15 |
9:46 |
x64 |
W3prefch.exe |
7.0.9193.650 |
341,312 |
22-Apr-15 |
9:46 |
x64 |
Webobjectsfltr.dll |
7.0.9193.650 |
170,320 |
22-Apr-15 |
9:46 |
x64 |
Weng.sys |
7.0.9193.572 |
845,440 |
12-Dec-12 |
21:31 |
x64 |
Wengnotify.dll |
7.0.9193.572 |
154,280 |
12-Dec-12 |
21:31 |
x64 |
Wploadbalancer.dll |
7.0.9193.650 |
203,840 |
22-Apr-15 |
9:46 |
x64 |
Wspapi.dll |
7.0.9193.650 |
49,840 |
22-Apr-15 |
9:46 |
x64 |
Wspperf.dll |
7.0.9193.650 |
131,192 |
22-Apr-15 |
9:46 |
x64 |
Wspsrv.exe |
7.0.9193.650 |
2,464,136 |
22-Apr-15 |
9:46 |
x64 |
More Information
SNI is an SSL Transport Layer Security (TLS) feature that enables a client to send a header in the SSL client "Hello" message that indicates which fully qualified domain name (FQDN) is being accessed. This action enables a server to determine which certificate to send to the client based on the SNI header.
When Threat Management Gateway SSL Inspection is enabled, Threat Management Gateway handles the SSL negotiation to the target web server and is identified as the client by the web server SSL negotiation.
Threat Management Gateway builds the SNI header incorrectly by using the name of the upstream server and not the target web server name if the following conditions are true:
-
Threat Management Gateway is a downstream proxy server.
-
Threat Management Gateway chains outgoing requests to an upstream Threat Management Gateway server.
-
The HTTPSiDontUseOldClientProtocols vendor parameter set is enabled per KB 2545464.
This can cause connectivity errors or web server errors, depending on how the web server reacts to the incorrect SNI header.