
I have a site published with Forefront TMG as HTTPS website. It has a valid SSL certificate (EV). The site displays correctly on all browsers except Safari, Midori and Dolphin.

The problem is on Safari there is no connection at all to the website. Like the site doesn't respond to the request at all. No file is transferred. The connection is completely dead. At least for a long time (30 seconds to a couple of minutes).

I have several different websites configured over HTTPS. Different domains, different IPs and different certificates. The certificates are from different issuers.

The problem exists with all my HTTPS websites, ONLY with Safari, Midori and Dolphin browsers, all 3 sites work correctly on every other browser. No lags, no problems reported.

I tried to disable the HTTP to HTTPS redirection on the TMG listener to rule out a certificate problem. I cannot access my websites over HTTP either. They are, however, perfectly accessible from Firefox, Opera, Chrome, IE, Vivaldi, Slimjet and Edge browsers.

Sometimes I can display a single page on Safari, but it takes over 30 seconds to show, and with some images (and/or CSS) missing. Then the website fails because the AJAX on the page fails, though the CORS headers are correctly configured and the referenced URLs can even respond (with huge lags).

It looks like this: you enter the URL and get a message that the site is inaccessible. Then if you refresh the page several times it finally appears, but badly broken (as if many files were inaccessible).

On other browsers there are no lags. All files are accessible immediately.

In my Web Access Policy tab I have all the inspection and proxy options disabled.

What's weirdest of all: I have another site (HTTP) on the same server, but published on a different IP. The site works on ALL browsers without problems. All IPs and routing seem to be properly configured, and if they weren't, how would the other browsers display the sites?

BTW, it's 100% not on the websites themselves. Even if I try to open a single HTML file or an image from the site it cannot be fetched with Safari.

IMPORTANT: The site SSL certificate information is displayed correctly, this is the only thing which is downloaded from those sites. So I see the padlock icon, site information, but no content. After allowing HTTP connections it doesn't work either over HTTP. Works over HTTP on some browsers.

IMPORTANT: The mentioned sites are all accessible on all browsers when TMG is omitted (over VPN, when directly referencing my NLB IP).

The problem started when we moved our virtual servers to new hosts on a new network. On the old network it all worked. But then again, what does the internal network configuration have to do with sites being inaccessible only on certain browsers?


I've tried many things, like changing the MTU on the CISCO ASA firewall, but it didn't help. I tried to update my SSL configuration on TMG using this tutorial:

Improving SSL security on Forefront TMG

I ended up with the test not even completing. Plus I get a warning about "inconsistent server configuration". And it stops with the "Long handshake workaround: hanshake not longer than 0x200 bytes: 132" message. Well, I have the domains www.example.com and example.com set to different addresses. It's on purpose. And there are a couple of redirections between the two of them. BTW, the www site has its own certificate in case someone typed its URL with https. But it's mostly not used. And yes, I replaced the non-www server's certificate, but the www one remains without an update. It's an error, but it should affect only the www site. But the one which is misbehaving is https://example.com, not https://www.example.com.

What is wrong? It worked well the last time, when I had the same TMG VM on a different host. I had my sites on different (older) IIS servers. I had different external IPs and no DMZ. And the certificate was different, older, with a 128-bit key instead of 256. There was no CISCO ASA firewall. After we moved all websites to new machines it happened. They work on any browser except Safari, Midori and Dolphin.


Here's how it looks:

I'm connected to the internal network via VPN, via the ASA. If I point my site's domain straight at the internal NLB address, it works. If I point it at the DMZ IP, it doesn't. And of course on the external IP it doesn't. Of course, all 3 paths work perfectly on most browsers; only Safari, Midori and Dolphin are affected.

BTW, the very same CISCO ASA routes my web requests to public network.

BTW2: A pure HTTP site (no certificate) through the very same IIS->NLB->TMG->DMZ->ASA path works with Safari with no lags or other problems. The only thing I haven't tested is removing the certificate and setting HTTP access only. It's a production website; if I went for it, I should do it at night and in a huge hurry.


1 Answer


This sounds like a basic network connectivity problem. The symptoms are typically what happens with a misconfigured MTU. Alternatively TMG may be throwing something off, but I don't know enough about it to say.

I'd recommend first testing with a reduced MTU; setting either the server or client or both to an MTU of 1200 would be a good place to start. Alternatively, you could wireshark the connection to see what sort of TCP parameters are being negotiated and go from there.

[Edit] Changing the MTU on Windows depends slightly on what version of Windows you are running; as it's not specified, I've just provided the generic Google result:


  • I don't know where to set the MTU. From the server's external point there is the CISCO ASA firewall. I tried to change the MTU there: 1200, 1480, 1500, 1520. Didn't help. I haven't figured out how to change it on Windows Servers. There are 4 physical interfaces on the host machine, and several virtual switches on the VM with TMG. BTW, when I connect via VPN the same physical connection through the ASA is made. And it works well. It works well on my other site without an SSL certificate. I cannot change the client configuration, because it's not meant to work on my PC but on thousands of client PCs and phones. – Harry Jun 18 '15 at 07:12
  • @Harry: See above re. MTU. Thing with VPN is that VPNs themselves impose a smaller MTU inside the tunnel so often if a VPN works that's actually a sign of an MTU related issue (could be PMTU-autodiscovery is broken, which means changing it on anything but the server will just make it worse) – noitsbecky Jun 18 '15 at 09:26
  • But where should I change it? I tried to change it on the outermost part of the network, the final firewall. It didn't help. I changed it too via a registry change on the TMG VM, but it didn't help either. I mean, the TMG is a virtual machine. Its interface is a virtual switch. There? Or on the host? But there are 2 interfaces working with NIC teaming. Should I change it for the team, or for the single NICs? – Harry Jun 18 '15 at 16:49
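To run the MTU check the answer recommends before touching any interface, here is an added example (not from the question, the answer, or TMG/ASA documentation) that binary-searches the path MTU with Don't-Fragment pings from a Linux client; `ping_df`, `find_path_mtu`, `mss_for` and `diagnose` are my names, the Linux iputils `ping -M do` syntax is assumed, and the target host is a placeholder.

```python
"""Path-MTU black-hole probe: binary-search the largest ICMP echo payload that
crosses a path with Don't-Fragment set. Assumes Linux iputils `ping -M do`
(macOS uses `-D`); the probe is injectable so the search runs offline in tests."""
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header, no options
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One DF-flagged echo carrying `payload` bytes; True if a reply came back."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(host: str, probe: Callable[[str, int], bool] = ping_df,
                  lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest packet size in [lo, hi] that passes unfragmented, or None when
    even `lo` is dropped (host down or ICMP filtered)."""
    if probe(host, hi - IP_ICMP_OVERHEAD):
        return hi                      # full-size frames pass: no black hole
    if not probe(host, lo - IP_ICMP_OVERHEAD):
        return None
    while hi - lo > 1:                 # invariant: lo passes, hi is dropped
        mid = (lo + hi) // 2
        if probe(host, mid - IP_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid
    return lo


def mss_for(mtu: int) -> int:
    """TCP MSS to clamp to so every segment fits the discovered path MTU."""
    return mtu - IP_TCP_OVERHEAD


def diagnose(path_mtu: Optional[int], link_mtu: int = 1500) -> str:
    """Plain-language verdict relative to the local link MTU."""
    if path_mtu is None:
        return "no reply even at minimum size: host unreachable or ICMP blocked"
    if path_mtu >= link_mtu:
        return "full-size frames pass: MTU is not the problem"
    return (f"path MTU {path_mtu} < link MTU {link_mtu}: clamp MSS to "
            f"{mss_for(path_mtu)} or lower the interface MTU to {path_mtu}")


if __name__ == "__main__":
    import sys  # placeholder target host; pass the real one as argv[1]
    print(diagnose(find_path_mtu(sys.argv[1] if len(sys.argv) > 1 else "example.com")))
```

Run it from the same side a failing client sits on (the DMZ or external path, not over the VPN), since the comment above notes that the VPN's smaller tunnel MTU can hide exactly this kind of black hole.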