FIX: You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection and set HTTPSiClientProtocols

Symptoms

Consider the following scenario:
  • In a Microsoft Forefront Threat Management Gateway (TMG) 2010 environment, you enable HTTPS Inspection.
  • You set the HTTPSiClientProtocols Const SE_VPS_VALUE value to 160. This value is mentioned in article 982876 in the Microsoft Knowledge Base.
  • You try to access an HTTPS website that does not support TLS v1.0.
In this scenario, you cannot access the website.

Cause

The issue occurs because TMG 2010 sends a client "hello" message that offers TLS. However, because the web server does not support TLS, it rejects the message and closes the connection. In this scenario, the client typically falls back to SSL v3.0. However, TMG does not fall back to SSL v3.0 when HTTPS Inspection is enabled.

Resolution

To resolve this issue, install the software update that is described in the following article in the Microsoft Knowledge Base:
2517957 Software Update 1 Rollup 4 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 1
To enable this fix, follow these steps:
  1. Start Notepad.
  2. Copy and paste the following script into Notepad:
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script disables the use of old client protocols like PCT and SSLv2
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "HTTPSiDontUseOldClientProtocols"
    Const SE_VPS_VALUE = TRUE
    Sub SetValue()
    ' Create the root object.
    Dim root
    ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")
    'Declare the other objects that are needed.
    Dim array ' An FPCArray object
    Dim VendorSets
    ' An FPCVendorParametersSets collection
    Dim VendorSet
    ' An FPCVendorParametersSet object
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets
    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
    Err.Clear ' Add the item.
    Set VendorSet = VendorSets.Add( SE_VPS_GUID )
    CheckError
    WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
    WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
    End If
    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    Err.Clear
    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    If Err.Number <> 0 Then
    CheckError
    Else
    VendorSets.Save false, true
    CheckError
    If Err.Number = 0 Then
    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
    End If
    End If
    Else
    WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
    End Sub
    Sub CheckError()
    If Err.Number <> 0 Then
    WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
    End If
    End Sub
    SetValue
  3. Save the Notepad file by using the .vbs file name extension. For example, use the following name when you save this file:
    EnableHTTPSiDontUseOldClientProtocols.vbs
  4. At a command prompt, run the script. For example, use the following syntax to run the script: 
    cscript.exe EnableHTTPSiDontUseOldClientProtocols.vbs

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Propriedades

ID do Artigo: 2545464 - Última Revisão: 21/06/2014 - Revisão: 1

Comentários