In this case I'm going to point to two Microsoft KB articles that helped me resolve the following issue: Microsoft TMG 2010 with HTTPS inspection enabled is used as a proxy server, and users report that they cannot access some HTTPS websites.
Access to those HTTPS websites is possible when TMG is not used as a proxy server. The web server certificates are valid and issued by public certification authorities. The TMG server also trusts the root certificates of those web server certificates. For testing purposes, the domain names of those websites were added to the destination exceptions for HTTPS inspection, and users were still unable to access those websites. The TMG logs were showing the following HTTP error code when users were accessing those websites:
12030 The connection with the server was terminated abnormally
According to this log, the destination web server was terminating the HTTPS connection, and the reason for that behavior was that the TMG server was trying to negotiate the session with the destination web server using old protocols. To fix that behavior I used the following Microsoft KB articles:
FIX: You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection and set HTTPSiClientProtocols
FIX: You cannot access a website that is listed on the Destination Exception tab of the HTTPS Outbound Inspection dialog box in Forefront TMG 2010
Note: Before using these fixes please check the requirements for service pack and rollup updates of Microsoft Threat Management Gateway 2010.
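One way to confirm the diagnosis above is to probe the destination server with each protocol version separately and see which ones it accepts. This is an added example, not part of the original post or the KB articles; it assumes Windows PowerShell 3.0 or later with .NET Framework 4.5 or later, and `www.example.com` is a placeholder for an affected site.

```powershell
# Added example: report which SSL/TLS versions a destination server accepts.
# Assumes PowerShell 3.0+ and .NET Framework 4.5+ (needed for Tls11/Tls12).
# A failure can also mean the probing machine itself has that protocol disabled,
# so compare against a server that is known to accept it.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $result = [ordered]@{ Host = $HostName; Protocol = $name; Accepted = $false; Detail = '' }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $protocol = [System.Security.Authentication.SslProtocols]$name
            # Bounded TCP connect so an unreachable host does not hang the loop.
            $async = $client.BeginConnect($HostName, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw 'TCP connect timed out' }
            $client.EndConnect($async)
            # Default certificate validation stays on; offer exactly one protocol version.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName, $null, $protocol, $false)
            $result.Accepted = $true
            $result.Detail = "negotiated $($ssl.SslProtocol)"
            $ssl.Dispose()
        }
        catch {
            # Handshake rejections, resets and timeouts all end up here.
            $result.Detail = $_.Exception.GetBaseException().Message
        }
        finally {
            $client.Close()
        }
        [pscustomobject]$result
    }
}

# 'www.example.com' is a placeholder; substitute a site that fails through the proxy.
Test-TlsVersion -HostName 'www.example.com' | Format-Table -AutoSize
```

A server that rejects `Ssl3` and `Tls` (TLS 1.0) but accepts `Tls11` or `Tls12` matches the situation named in the first KB article title.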
This error was haunting me for months and with your tips it is finally solved!
Thank you very much, Vladimir!
I'm glad I helped.