TMG with HTTPS Inspection enabled fails with 0x8009000a

In this case, if you're still using TMG 2010 as proxy server with HTTPS Inspection option enabled, users may experience blank page when accessing https web sites with CNG certificates (for example: coursera, booking, sendspace, dropbox, twitter ...) . The reason for this behavior is that default self signed certificate (or the certificate issued by CA) which is used by the TMG for HTTPS inspection feature is not compatible with suite B certificates. For more info about the CNG certificates please check http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx .

You can check TMG logs to see if you're experiencing this behavior by creating filter (for example: looking for http status code 0x8009000a in last hour ) :



To avoid this behavior change the certificate used by TMG HTTPS Inspection with CNG certificate (self signed or issued by CA). This certificate must be trusted by clients. For more info about this behavior and a script for creating self signed CNG certificate please check: http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx .
 

No comments:

Post a Comment

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...