Access fails to SNI SSL websites through Threat Management Gateway 2010 if HTTPS Inspection is enabled

To resolve this problem, apply this hotfix on all Threat Management Gateway array members. This hotfix is not enabled by default. After you install this hotfix, you must follow these steps to enable the fix:

1. Copy the following script to a text editor such as Notepad, and then save it as UseOriginalHostNameInSslContex.vbs:
   
   

   '
   ' Copyright (c) Microsoft Corporation. All rights reserved.
   ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
   ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
   ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
   ' HEREBY PERMITTED.
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   ' This script forces TMG to use original host name for SSL context when connecting to target server via upstream proxy
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
   Const SE_VPS_NAME = "UseOriginalHostNameInSslContex"
   Const SE_VPS_VALUE = TRUE
   Sub SetValue()
       ' Create the root object.
       Dim root
       ' The FPCLib.FPC root object
       Set root = CreateObject("FPC.Root")
       'Declare the other objects that are needed.
       Dim array       ' An FPCArray object
       Dim VendorSets
       ' An FPCVendorParametersSets collection
       Dim VendorSet
       ' An FPCVendorParametersSet object
       Set array = root.GetContainingArray
       Set VendorSets = array.VendorParametersSets
       On Error Resume Next
       Set VendorSet = VendorSets.Item( SE_VPS_GUID )
       If Err.Number <> 0 Then
           Err.Clear        ' Add the item.
           Set VendorSet = VendorSets.Add( SE_VPS_GUID )
           CheckError
           WScript.Echo "New VendorSet added... " & VendorSet.Name
       Else
           WScript.Echo "Existing VendorSet found... value: " &  VendorSet.Value(SE_VPS_NAME)
       End If
       if VendorSet.Value(SE_VPS_NAME)  <>  SE_VPS_VALUE Then
           Err.Clear
           VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
           If Err.Number <> 0 Then
               CheckError
           Else
               VendorSets.Save false, true
               CheckError
               If Err.Number = 0 Then
                   WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
               End If
           End If
       Else
           WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
       End If
   End Sub
   Sub CheckError()
       If Err.Number <> 0 Then
           WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
           Err.Clear
       End If
   End Sub
   SetValue

2. Copy the script file to a Threat Management Gateway array member, and then double-click the file to run the script.

To revert to the default behavior, follow these steps:

1. Locate the following line of the script:
   
   

   Const SE_VPS_VALUE = true

2. Change this line to the following:
   
   

   Const SE_VPS_VALUE = false

3. Rerun the script on one of the Threat Management Gateway array members.

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010 installed to apply this hotfix.

Restart information

You may have to restart the computer after you apply this hotfix rollup.

Replacement information

This hotfix rollup does not replace a previously released hotfix rollup.