FIX: You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection and set HTTPSiClientProtocols

Symptoms
Consider the following scenario:
  • In a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment, you enable HTTPS Inspection.
  • You set the HTTPSiClientProtocols Const SE_VPS_VALUE value to 160. This value is mentioned in article 982876 in the Microsoft Knowledge Base.
  • You try to access an HTTPS website that does not support TLS v1.0.
In this scenario, you cannot access the website.
Cause
The issue occurs because TMG 2010 sends a client "hello" message that offers TLS. However, because the web server does not support TLS, it rejects the message and closes the connection. In this scenario, the client typically falls back to SSL v3.0. However, TMG does not fall back to SSL v3.0 when HTTPS Inspection is enabled.
Resolution
To resolve this issue, install the software update that is described in the following article in the Microsoft Knowledge Base:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
To enable this fix, follow these steps:
  1. Start Notepad.
  2. Copy and paste the following script into Notepad:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Copyright (c) Microsoft Corporation. All rights reserved.' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS' HEREBY PERMITTED.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' This script disables the use of old client protocols like PCT and SSLv2''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"Const SE_VPS_NAME = "HTTPSiDontUseOldClientProtocols"Const SE_VPS_VALUE = TRUESub SetValue()    ' Create the root object.    Dim root    ' The FPCLib.FPC root object    Set root = CreateObject("FPC.Root")    'Declare the other objects that are needed.    Dim array       ' An FPCArray object    Dim VendorSets    ' An FPCVendorParametersSets collection    Dim VendorSet    ' An FPCVendorParametersSet object    Set array = root.GetContainingArray    Set VendorSets = array.VendorParametersSets    On Error Resume Next    Set VendorSet = VendorSets.Item( SE_VPS_GUID )    If Err.Number <> 0 Then        Err.Clear        ' Add the item.        Set VendorSet = VendorSets.Add( SE_VPS_GUID )        CheckError        WScript.Echo "New VendorSet added... " & VendorSet.Name    Else        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)    End If    if VendorSet.Value(SE_VPS_NAME)  <>  SE_VPS_VALUE Then        Err.Clear        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE        If Err.Number <> 0 Then            CheckError        Else            VendorSets.Save false, true            CheckError            If Err.Number = 0 Then                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"            End If        End If    Else        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"    End IfEnd SubSub CheckError()    If Err.Number <> 0 Then        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description        Err.Clear    End IfEnd SubSetValue
  3. Save the Notepad file by using the .vbs file name extension. For example, use the following name when you save this file:
    EnableHTTPSiDontUseOldClientProtocols.vbs
  4. At a command prompt, run the script. For example, use the following syntax to run the script: 
    cscript.exe EnableHTTPSiDontUseOldClientProtocols.vbs
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
TMG2010 TLS
Properties

Article ID: 2545464 - Last Review: 06/21/2014 15:57:00 - Revision: 2.0

Microsoft Forefront Threat Management Gateway 2010 Enterprise, Microsoft Forefront Threat Management Gateway 2010 Standard

  • kbqfe kbfix kbexpertiseinter kbsurveynew kbbug KB2545464
Feedback