I have a TMG 2010 (Forefront Threat Management Gateway 2010) sitting on Windows Server 2003 R2 and I have several websites published through it. One of the websites is sitting on Windows Server 2012 R2. I know that Server 2003 R2 ships with TLS 1.0 and Server 2012 R2 ships with TLS 1.2. When I open the website from the internal network (not going through TMG), Google Chrome shows that the connection uses TLS 1.2. When, however, I open the published website from an external network (going through TMG), Google Chrome says the connection uses TLS 1.0.

How can I let the visitor not use TMG's TLS implementation but the version of the Windows Server on which the published site sits? Thanks in advance.

  • This comes down to the capabilities of the TMG 2010 (whatever that is). It is possible that it may not implement TLS 1.1 or TLS 1.2 (I know of at least one load-balancing/reverse-proxy appliance where the software (VM) version doesn't support TLS 1.1 or 1.2, but the appliance version does). In short, check with your vendor. – Cameron Kerr Apr 24 '15 at 10:35

1 Answer

There are a bunch of registry settings you can make, including to enable TLS 1.1 and 1.2 for TMG 2010, according to http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html

It’s also a good idea to enable new protocols such as Transport Layer Security (TLS) v1.1 and v1.2 for modern clients that support them. To do this, open the registry and navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols and create two new keys called TLS 1.1 and TLS 1.2. Under each of these keys create new keys called Client and Server. Within each Client and Server key under TLS 1.1 and TLS 1.2 create DWORD values called DisabledByDefault set to 0 and Enabled set to 1. Restart the TMG firewall for this change to take effect.

The rest of that page looks to be mandatory work for any current TMG deployment.

Cameron Kerr
  • Thanks a lot for the advice. So you are saying that it doesn't matter if my underlying operating system is Windows Server 2003 R2? Because I've read that Windows Server 2003 and 2008 do not support TLS 1.1 and 1.2 due to their Schannel implementation. I just wanted to understand what defines the TLS version - the webserver or the underlying operating system. Do you know what defines it? – Kristiyan Nikolov Apr 24 '15 at 12:13
  • Sorry, I didn't consider the fact that it was Win2k3r2. The client only talks to the TMG, which opens an independent connection to the backend. Front end and backend connections are independent. Backend might even be unencrypted, or using different protocol or ciphers (for performance or compatibility) – Cameron Kerr Apr 24 '15 at 12:41
  • Thank you so much. That's what I needed to know. So I need to upgrade the underlying operating system to Windows Server 2008 R2 in order to be able to negotiate TLS 1.1 or 1.2? – Kristiyan Nikolov Apr 24 '15 at 12:48
  • Assuming that TMG 2010 works on that platform, yes. But why not 2012 R2? (I don't know about TMG 2010 requirements.) – Cameron Kerr Apr 24 '15 at 21:16
  • Yes, it does work on Windows Server 2008 R2 but not on Server 2012 R2. Thanks a lot. – Kristiyan Nikolov Apr 30 '15 at 11:49
  • Windows settings tend to break out into Schannel client and server settings. When reverse proxying, it's my understanding you use TMG's Schannel Server settings when the client connects to you, and Schannel Client settings when connecting to the next hop - the tunnel is terminated and another tunnel is created to the target internal server which can be of any TLS version. So "fixing" TMG externally doesn't preclude it connecting to SSL 3.0 (or 2.0, or PCT etc) sites internally if the Client settings allow it. – TristanK May 02 '15 at 14:12
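
The registry procedure quoted in the answer, plus the Client-versus-Server distinction TristanK raises, as an added PowerShell example (not code from the isaserver.org article, the answer, or Microsoft). It creates the `TLS 1.1` and `TLS 1.2` keys with `DisabledByDefault=0` and `Enabled=1` under both `Client` and `Server`, then lists the state of every Schannel protocol key per role so the front-end (Server) and back-end (Client) settings can be reviewed separately. It assumes a host whose Schannel actually implements TLS 1.1/1.2 (Windows Server 2008 R2 as discussed above; the keys do nothing useful on a platform without that support) and an elevated session. Function names are my own.

```powershell
# Added example: enable TLS 1.1/1.2 in Schannel as the quoted procedure describes,
# then report Client/Server state for each protocol key.
# Assumes an elevated PowerShell session on a Windows build whose Schannel
# supports TLS 1.1/1.2. Restart the TMG firewall afterwards for the change to apply.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    # Creates <Protocol>\Client and <Protocol>\Server with DisabledByDefault=0, Enabled=1.
    param([Parameter(Mandatory = $true)][string]$Protocol)   # e.g. 'TLS 1.2'

    foreach ($role in 'Client', 'Server') {
        $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $role
        # -Force creates missing parent keys and leaves an existing key's other values alone
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/role. A missing key means "operating-system default"
    # for that protocol, not "disabled", so KeyPresent is reported explicitly.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path (Join-Path $SchannelProtocols $protocol) $role
            $present = Test-Path $path
            $values  = if ($present) { Get-ItemProperty -Path $path } else { $null }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role          # Server: browser -> TMG; Client: TMG -> backend
                KeyPresent        = $present
                Enabled           = if ($present) { $values.Enabled } else { $null }
                DisabledByDefault = if ($present) { $values.DisabledByDefault } else { $null }
            }
        }
    }
}

Enable-SchannelProtocol -Protocol 'TLS 1.1'
Enable-SchannelProtocol -Protocol 'TLS 1.2'
Get-SchannelProtocolState | Format-Table -AutoSize
```

The Server rows are what govern the version an external browser negotiates with TMG; the Client rows govern the hop from TMG to the published web server. Running only `Get-SchannelProtocolState` (without the two `Enable-` calls) is a read-only audit that shows whether older protocols remain enabled on either side.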