I’d like to share an important issue I discovered recently that many Forefront TMG administrators may be experiencing. The problem affects accessing popular HTTPS websites when the Forefront TMG HTTPS Inspection feature is enabled.
As you may know, many public websites were affected by the recent Heartbleed vulnerability. Fortunately, Heartbleed had no consequences for people using Microsoft applications such as IIS and Forefront TMG.
However, after reading a message from my colleague Mason Fan (Microsoft Engineer from China), I realized we need to take care with Forefront TMG’s HTTPS Inspection feature.
In a recent case, Mason found that Forefront TMG’s HTTPS inspection did not work for certain HTTPS websites such as Twitter. After some investigation, he found that the issue was caused by the latest version of the website’s SSL certificate.
One major consequence of the Heartbleed vulnerability is that an attacker may have had the opportunity to retrieve a website certificate’s private key. Therefore, most of the affected sites, including popular applications like Dropbox, Twitter, and Facebook, decided to change their certificate.
If the website changed to a SHA256 certificate, users will no longer be able to access that website from behind a Forefront TMG proxy with HTTPS inspection enabled. This is because SHA256 certificates are CNG (Cryptography Next Generation) certificates and Forefront TMG does not support them (see http://technet.microsoft.com/en-us/library/ee796231.aspx#u56fdssd).
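To find out in advance which sites will trip this limitation, here is an added PowerShell check (not from the original post, and not Microsoft's script) that reads the certificate a remote site presents and reports its signature algorithm. It assumes PowerShell 3.0 or later on .NET 4.5 or later and outbound access to TCP/443; the host names at the bottom are constructed samples.

```powershell
# Added example: report the signature algorithm of the leaf certificate a remote HTTPS
# site presents, so an administrator can see which sites TMG HTTPS Inspection will
# fail to clone (SHA-2 signed certificates, per the limitation described above).
function Get-RemoteCertificateInfo {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain here: we only want to read the leaf certificate, not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Explicit TLS 1.2 so the handshake succeeds against sites that refuse older versions
        # (assumes .NET 4.5 or later).
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        $sigAlg = $leaf.SignatureAlgorithm.FriendlyName   # e.g. "sha256RSA" or "sha1RSA"
        $ssl.Dispose()
        [pscustomobject]@{
            HostName           = $HostName
            Subject            = $leaf.Subject
            NotAfter           = $leaf.NotAfter
            SignatureAlgorithm = $sigAlg
            # SHA-2 signed leaf certificates are the ones TMG's HTTPS Inspection cannot handle.
            TmgInspectionRisk  = [bool]($sigAlg -match 'sha(256|384|512)')
        }
    }
    finally {
        $client.Close()
    }
}

# Constructed sample list; replace with the sites your users actually reach.
'twitter.com', 'www.dropbox.com', 'www.facebook.com' |
    ForEach-Object { Get-RemoteCertificateInfo -HostName $_ } |
    Format-Table -AutoSize
```

Run it from a machine that reaches the Internet directly (not through the TMG inspection path), otherwise you will read TMG's cloned certificate instead of the site's own.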
To work around this problem, you can use a certificate generated by your own internal CA (using Active Directory Certificate Services) rather than using a certificate generated by Forefront TMG itself. These internal certificates are supported by Forefront TMG, including the new ones using CNG.
If you are still experiencing problems, open a case with Microsoft. They can help you with some scripts that cannot be shared publicly (so far), but will certainly solve the issue.
UPDATE
Microsoft have now published an article on resolving this issue, including the PowerShell Script to create CNG certificates: http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx
For information on the Heartbleed vulnerability as it relates to Microsoft products and services, I recommend reading Yuri Diógenes’ Curah page:
http://curah.microsoft.com/64131/heartbleed-vulnerability-and-microsoft-productsservices
You may also be interested in Etienne Liebetrau’s related article on How to Enable and Disable SSL / TLS Versions on Forefront TMG.
Microsoft have also published a comprehensive article on How to create a CNG HTTPSi cert using a 2008r2 CA.
Hi!
Thanks for a great article.
Do you know is there any way to get TMG to understand CNG certificates in reverse proxy scenarios?
Hi Antti,
TMG won’t work with CNG certificates, but you can try from your internal CA or open a ticket with Microsoft.
We have some scripts to help on this, but I have no permission to publish them so far; that’s why you’ll need to give us a call.
For me it still doesn’t work, although I imported a certificate signed by our inhouse CA. I used the template for subordinate CAs and tried SHA1 and SHA256. Are there any special requirements for the certificate or are there any other TMG settings that have to be changed?
Felix, please give a call to Microsoft and we will help you on this.
The script our program managers developed for this issue cannot be shared so far.
Hey Guys,
It looks like Microsoft has now published an article on resolving this issue, including the PowerShell script to create CNG certificates:
http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx