Forefront TMG HTTPS Inspection Issues with SHA256 / CNG Certificates

I'd like to share an important issue I discovered recently that many Forefront TMG administrators may be experiencing. The problem affects accessing popular HTTPS websites when the Forefront TMG HTTPS Inspection feature is enabled.

As you may know, many public websites were affected by the recent Heartbleed vulnerability. Fortunately, Heartbleed  had no consequences for  people using Microsoft applications such as IIS and Forefront TMG.

However, after reading a message from my colleague Mason Fan (Microsoft Engineer from China), I realized we need to take care with Forefront TMG's HTTPS Inspection feature.

On a recent case, Mason found that Forefront TMG's HTTPS inspection did not work for certain HTTPS websites such as Twitter. After some investigation, he found that the issue was caused by the latest version of the website's SSL certificate.

One major consequence of the Heartbleed vulnerability is that an attacker may have had the opportunity to retrieve a website certificate's private key. Therefore, most of the affected sites, including popular applications like Dropbox, Twitter, and Facebook, decided to change their certificate.

If the website changed to a SHA256 certificate, users will no longer be able to access the websites from behind a Forefront TMG proxy with HTTPS inspection enabled. This is because SHA256 certificates are CNG (Cryptography Next Generation) certificates and Forefront TMG does not support them (See https://technet.microsoft.com/en-us/library/ee796231.aspx#u56fdssd)

To work around this problem, you can use a certificate generated by your own internal CA (using Active Directory Certificate Services) rather than using a certificate generated by Forefront TMG itself.  These internal certificates are supported by Forefront TMG, including the new ones using CNG.

If you are still experiencing problems, open a case with Microsoft. They can help you with some scripts that cannot be shared publicly (so far), but will certainly solve the issue.

UPDATE Microsoft have now published an article on resolving this issue, including the PowerShell Script to create CNG certificates: https://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx

 

For information on the Heartbleed vulnerability as it relates to Microsoft products and services, I recommend reading Yuri Diógenes Curah page: https://curah.microsoft.com/64131/heartbleed-vulnerability-and-microsoft-productsservices

You may also be interested in Etienne Liebetrau's related article on How to Enable and Disable SSL / TLS Versions on Forefront TMG.

Microsoft have also published a comprehensive article on How to create a CNG HTTPSi cert using a 2008r2 CA.