Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Access fails to SNI SSL websites through Threat Management Gateway 2010 if HTTPS Inspection is enabled


View products that this article applies to.

Symptoms

Consider the following scenario:
  • You try to access a Secure Sockets Layer (SSL) website through Microsoft Forefront Threat Management Gateway 2010.
  • The website uses Server Name Indication (SNI) to determine which certificate to serve.
  • Threat Management Gateway HTTPS Inspection is enabled.
  • The Threat Management Gateway server uses web chaining to send outgoing web requests to an upstream proxy server.
  • The HTTPSiDontUseOldClientProtocols vendor parameter set is enabled (per KB 2545464 ).
In this scenario, you cannot access the website.

↑ Back to the top


Cause

This problem occurs because the Threat Management Gateway builds an incorrect SNI header that causes connectivity errors or web server errors.

↑ Back to the top


Resolution

To resolve this problem, apply this hotfix on all Threat Management Gateway array members. This hotfix is not enabled by default. After you install this hotfix, you must follow these steps to enable the fix:
  1. Copy the following script to a text editor such as Notepad, and then save it as UseOriginalHostNameInSslContex.vbs:

    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script forces TMG to use original host name for SSL context when connecting to target server via upstream proxy
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "UseOriginalHostNameInSslContex"
    Const SE_VPS_VALUE = TRUE
    Sub SetValue()
    ' Create the root object.
    Dim root
    ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")
    'Declare the other objects that are needed.
    Dim array ' An FPCArray object
    Dim VendorSets
    ' An FPCVendorParametersSets collection
    Dim VendorSet
    ' An FPCVendorParametersSet object
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets
    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    If Err.Number <> 0 Then
    Err.Clear ' Add the item.
    Set VendorSet = VendorSets.Add( SE_VPS_GUID )
    CheckError
    WScript.Echo "New VendorSet added... " & VendorSet.Name
    Else
    WScript.Echo "Existing VendorSet found... value: " & VendorSet.Value(SE_VPS_NAME)
    End If
    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    Err.Clear
    VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    If Err.Number <> 0 Then
    CheckError
    Else
    VendorSets.Save false, true
    CheckError
    If Err.Number = 0 Then
    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
    End If
    End If
    Else
    WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
    End If
    End Sub
    Sub CheckError()
    If Err.Number <> 0 Then
    WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
    End If
    End Sub
    SetValue
  2. Copy the script file to a Threat Management Gateway array member, and then double-click the file to run the script.
To revert to the default behavior, follow these steps:

  1. Locate the following line of the script:

    Const SE_VPS_VALUE = true
  2. Change this line to the following:

    Const SE_VPS_VALUE = false
  3. Rerun the script on one of the Threat Management Gateway array members.

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010 installed to apply this hotfix.

Restart information

You may have to restart the computer after you apply this hotfix rollup.

Replacement information

This hotfix rollup does not replace a previously released hotfix rollup.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

File nameFile versionFile sizeDateTimePlatform
Authdflt.dll7.0.9193.650252,76822-Apr-159:46x64
Comphp.dll7.0.9193.650257,91222-Apr-159:46x64
Complp.dll7.0.9193.650108,03222-Apr-159:46x64
Cookieauthfilter.dll7.0.9193.650682,76022-Apr-159:46x64
Dailysum.exe7.0.9193.650186,28822-Apr-159:46x64
Diffserv.dll7.0.9193.650162,61622-Apr-159:46x64
Diffservadmin.dll7.0.9193.650310,40022-Apr-159:46x64
Empfilter.dll7.0.9193.650711,08822-Apr-159:46x64
Empscan.dll7.0.9193.650267,66422-Apr-159:46x64
Gwpafltr.dll7.0.9193.650191,45622-Apr-159:46x64
Httpadmin.dll7.0.9193.650242,94422-Apr-159:46x64
Httpfilter.dll7.0.9193.650251,20822-Apr-159:46x64
Isarepgen.exe7.0.9193.65079,70422-Apr-159:46x64
Ldapfilter.dll7.0.9193.650189,89622-Apr-159:46x64
Linktranslation.dll7.0.9193.650418,59222-Apr-159:46x64
Managedapi.dll7.0.9193.65080,75222-Apr-159:46x64
Microsoft.isa.reportingservices.dll7.0.9193.650876,32822-Apr-159:46x64
Microsoft.isa.rpc.managedrpcserver.dll7.0.9193.650172,44022-Apr-159:46x64
Microsoft.isa.rpc.rwsapi.dll7.0.9193.650136,92022-Apr-159:46x64
Mpclient.dll7.0.9193.650128,63222-Apr-159:46x64
Msfpc.dll7.0.9193.6501,079,30422-Apr-159:46x64
Msfpccom.dll7.0.9193.65013,446,02422-Apr-159:46x64
Msfpcmix.dll7.0.9193.650569,44822-Apr-159:46x64
Msfpcsec.dll7.0.9193.650386,65622-Apr-159:46x64
Msfpcsnp.dll7.0.9193.65017,112,84822-Apr-159:46x64
Mspadmin.exe7.0.9193.6501,121,55222-Apr-159:46x64
Mspapi.dll7.0.9193.650130,68022-Apr-159:46x64
Msphlpr.dll7.0.9193.6501,279,13622-Apr-159:46x64
Mspmon.dll7.0.9193.650150,23222-Apr-159:46x64
Mspsec.dll7.0.9193.65084,87222-Apr-159:46x64
Pcsqmconfig.com.xmlNot applicable137,10313-Feb-1220:24Not applicable
Preapi.dll7.0.9193.65021,53622-Apr-159:46x64
Radiusauth.dll7.0.9193.650138,40822-Apr-159:46x64
Ratlib.dll7.0.9193.650148,18422-Apr-159:46x64
Reportadapter.dll7.0.9193.650723,88822-Apr-159:46x86
Reportdatacollector.dll7.0.9193.6501,127,64822-Apr-159:46x86
Softblockfltr.dll7.0.9193.650143,55222-Apr-159:46x64
Updateagent.exe7.0.9193.650211,52022-Apr-159:46x64
W3filter.dll7.0.9193.6501,409,41622-Apr-159:46x64
W3papi.dll7.0.9193.65021,02422-Apr-159:46x64
W3pinet.dll7.0.9193.65035,43222-Apr-159:46x64
W3prefch.exe7.0.9193.650341,31222-Apr-159:46x64
Webobjectsfltr.dll7.0.9193.650170,32022-Apr-159:46x64
Weng.sys7.0.9193.572845,44012-Dec-1221:31x64
Wengnotify.dll7.0.9193.572154,28012-Dec-1221:31x64
Wploadbalancer.dll7.0.9193.650203,84022-Apr-159:46x64
Wspapi.dll7.0.9193.65049,84022-Apr-159:46x64
Wspperf.dll7.0.9193.650131,19222-Apr-159:46x64
Wspsrv.exe7.0.9193.6502,464,13622-Apr-159:46x64


↑ Back to the top


More Information

SNI is an SSL Transport Layer Security (TLS) feature that enables a client to send a header in the SSL client "Hello" message that indicates which fully qualified domain name (FQDN) is being accessed. This action enables a server to determine which certificate to send to the client based on the SNI header.

When Threat Management Gateway SSL Inspection is enabled, Threat Management Gateway handles the SSL negotiation to the target web server and is identified as the client by the web server SSL negotiation.

Threat Management Gateway builds the SNI header incorrectly by using the name of the upstream server and not the target web server name if the following conditions are true:
  • Threat Management Gateway is a downstream proxy server.
  • Threat Management Gateway chains outgoing requests to an upstream Threat Management Gateway server.
  • The HTTPSiDontUseOldClientProtocols vendor parameter set is enabled per KB 2545464 .
This can cause connectivity errors or web server errors, depending on how the web server reacts to the incorrect SNI header.

↑ Back to the top


Keywords: kbqfe, kbsurveynew, kbautohotfix, kbhotfixserver, kbfix, kbexpertiseinter, kb

↑ Back to the top

Article Info
Article ID : 3058679
Revision : 1
Created on : 1/7/2017
Published on : 5/28/2015
Exists online : False
Views : 327