Access fails to SNI SSL websites through Threat Management Gateway 2010 if HTTPS Inspection is enabled

Applies to: Microsoft Forefront Threat Management Gateway 2010 Service Pack 2Microsoft Forefront Threat Management Gateway 2010 Service Pack 2Forefront Threat Management Gateway 2010 Enterprise

Symptoms


Consider the following scenario:
  • You try to access a Secure Sockets Layer (SSL) website through Microsoft Forefront Threat Management Gateway 2010.
  • The website uses Server Name Indication (SNI) to determine which certificate to serve.
  • Threat Management Gateway HTTPS Inspection is enabled.
  • The Threat Management Gateway server uses web chaining to send outgoing web requests to an upstream proxy server.
  • The HTTPSiDontUseOldClientProtocols vendor parameter set is enabled (per KB 2545464 ).
In this scenario, you cannot access the website.

Cause


This problem occurs because the Threat Management Gateway builds an incorrect SNI header that causes connectivity errors or web server errors.

Resolution


To resolve this problem, apply this hotfix on all Threat Management Gateway array members. This hotfix is not enabled by default. After you install this hotfix, you must follow these steps to enable the fix:
  1. Copy the following script to a text editor such as Notepad, and then save it as UseOriginalHostNameInSslContex.vbs:

    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script forces TMG to use original host name for SSL context when connecting to target server via upstream proxy
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "UseOriginalHostNameInSslContex"
    Const SE_VPS_VALUE = TRUE
    Sub SetValue()
    ' Create the root object.
    Dim root
    ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")
    'Declare the other objects that are needed.
    Dim array ' An FPCArray object
    Dim VendorSets
    ' An FPCVendorParametersSets collection
    Dim VendorSet
    ' An FPCVendorParametersSet object
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets
    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
    Err.Clear ' Add the item.
    Set VendorSet = VendorSets.Add( SE_VPS_GUID )
    CheckError
    WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
    WScript.Echo "Existing VendorSet found... value: " & VendorSet.Value(SE_VPS_NAME)
    End If
    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    Err.Clear
    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    If Err.Number <> 0 Then
    CheckError
    Else
    VendorSets.Save false, true
    CheckError
    If Err.Number = 0 Then
    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
    End If
    End If
    Else
    WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
    End Sub
    Sub CheckError()
    If Err.Number <> 0 Then
    WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
    End If
    End Sub
    SetValue
  2. Copy the script file to a Threat Management Gateway array member, and then double-click the file to run the script.
To revert to the default behavior, follow these steps:

  1. Locate the following line of the script:

    Const SE_VPS_VALUE = true
  2. Change this line to the following:

    Const SE_VPS_VALUE = false
  3. Rerun the script on one of the Threat Management Gateway array members.

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010 installed to apply this hotfix.

Restart information

You may have to restart the computer after you apply this hotfix rollup.

Replacement information

This hotfix rollup does not replace a previously released hotfix rollup.

More Information


SNI is an SSL Transport Layer Security (TLS) feature that enables a client to send a header in the SSL client "Hello" message that indicates which fully qualified domain name (FQDN) is being accessed. This action enables a server to determine which certificate to send to the client based on the SNI header.

When Threat Management Gateway SSL Inspection is enabled, Threat Management Gateway handles the SSL negotiation to the target web server and is identified as the client by the web server SSL negotiation.

Threat Management Gateway builds the SNI header incorrectly by using the name of the upstream server and not the target web server name if the following conditions are true:
  • Threat Management Gateway is a downstream proxy server.
  • Threat Management Gateway chains outgoing requests to an upstream Threat Management Gateway server.
  • The HTTPSiDontUseOldClientProtocols vendor parameter set is enabled per KB 2545464 .
This can cause connectivity errors or web server errors, depending on how the web server reacts to the incorrect SNI header.