Showing posts with label TMG. Show all posts

TMG 2010 with HTTPS inspection enabled, unable to access some websites

In this case I'm going to point to two Microsoft KB articles that helped me to resolve the following issue: Microsoft TMG 2010 with HTTPS inspection enabled is used as a proxy server, and users report that they cannot access some HTTPS websites.
Access to those HTTPS websites is possible when TMG is not used as a proxy server. The web server certificates are valid and issued by public certification authorities, and the TMG server trusts the root certificates of those web server certificates. For testing purposes the domain names of those websites were added to the destination exceptions for HTTPS inspection, and users were still unable to access those websites. TMG logs were showing the following HTTP error code when users were accessing those websites:
12030 The connection with the server was terminated abnormally
According to this log the destination web server was terminating the HTTPS connection, and the reason for that behavior was that the TMG server was trying to negotiate the session with the destination web server using old protocols. In order to fix that behavior I used the following Microsoft KB articles:

FIX: You cannot access a website that does not support TLS v1.0 when you enable HTTPS inspection and set HTTPSiClientProtocols
FIX: You cannot access a website that is listed on the Destination Exception tab of the HTTPS Outbound Inspection dialog box in Forefront TMG 2010

Note: Before using these fixes please check the requirements for service pack and rollup updates of Microsoft Threat Management Gateway 2010.
 

TMG with HTTPS Inspection enabled fails with 0x8009000a

In this case, if you're still using TMG 2010 as a proxy server with the HTTPS Inspection option enabled, users may see a blank page when accessing HTTPS websites that use CNG certificates (for example: coursera, booking, sendspace, dropbox, twitter ...). The reason for this behavior is that the default self-signed certificate (or the certificate issued by a CA) which TMG uses for the HTTPS inspection feature is not compatible with Suite B certificates. For more info about CNG certificates please check http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx .

You can check the TMG logs to see if you're experiencing this behavior by creating a filter (for example: looking for HTTP status code 0x8009000a in the last hour):



To avoid this behavior, replace the certificate used by TMG HTTPS Inspection with a CNG certificate (self-signed or issued by a CA). This certificate must be trusted by the clients. For more info about this behavior and a script for creating a self-signed CNG certificate please check: http://blogs.technet.com/b/isablog/archive/2014/05/28/tmg-https-inspection-is-failing-if-the-target-web-site-is-using-a-cng-certificate.aspx .
 

Creating Custom Queries For Searching TMG 2010 Logging Databases

In this case I was trying to find the unique client IP addresses that had accessed a TMG published website in the last 3 days. The TMG server had a locally installed logging database. One way to achieve this task is using SQL Server Management Studio; another way is using PowerShell. In this article, I'll show how I found the IP addresses using PowerShell.
After importing the SQLServerCmdletSnapin100 snap-in, the Invoke-Sqlcmd cmdlet becomes available:
Add-PSSnapin SQLServerCmdletSnapin100
Now it's time to create the SQL query using a here-string:
$query=@"
SELECT ClientIP as IPAddress from
(SELECT DISTINCT ClientIP
FROM [ISALOG_20130926_WEB_000].[dbo].[WebProxyLog] WHERE [WebProxyLog].[Rule] = 'TMG Rule Name'
UNION
SELECT DISTINCT ClientIP
FROM [ISALOG_20130925_WEB_000].[dbo].[WebProxyLog] WHERE [WebProxyLog].[Rule] = 'TMG Rule Name'
UNION
SELECT DISTINCT ClientIP
FROM [ISALOG_20130924_WEB_000].[dbo].[WebProxyLog] WHERE [WebProxyLog].[Rule] = 'TMG Rule Name')t1;
"@
The SQL query is simple, so I'm not going into details.
Now it's time to execute the query using Invoke-Sqlcmd:
Invoke-Sqlcmd -Query $query -ServerInstance localhost\msfw -QueryTimeout 300 | ft

The result will contain the IP addresses in a format that is not human-friendly, something like:
C0A8018A-FFFF-0000-0000-000000000000 
The reason for this kind of logging is that TMG uses the same field for logging IPv4 and IPv6 addresses. One way of converting C0A8018A into 192.168.1.138 is an Excel formula which looks like this:

HEX2DEC(MID(A1,1,2)) &"."&HEX2DEC(MID(A1,3,2))&"."&HEX2DEC(MID(A1,5,2))&"."&HEX2DEC(MID(A1,7,2))
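The same two steps (the per-day UNION query and the ClientIP decoding) done entirely in PowerShell, as an added example that is not code from the original post: it generates the database names for the last N days instead of hard-coding three of them, and decodes the GUID-style ClientIP value into dotted IPv4 (falling back to a raw 16-byte IPv6 interpretation, which is an assumption). The ISALOG_yyyyMMdd_WEB_000 naming, the localhost\msfw instance and the rule name 'TMG Rule Name' are taken from the post; everything else is assumed.

```powershell
# Added example, not code from the original post: build the per-day UNION query
# for the last N days instead of hard-coding three database names, run it with
# Invoke-Sqlcmd, and decode the GUID-style ClientIP value into dotted IPv4.
# Assumptions: daily databases are named ISALOG_yyyyMMdd_WEB_000 as in the post,
# the TMG instance is localhost\msfw, and 'TMG Rule Name' is a placeholder.

Add-PSSnapin SQLServerCmdletSnapin100 -ErrorAction SilentlyContinue

function Get-TmgWebProxyQuery {
    param(
        [Parameter(Mandatory=$true)][string]$RuleName,
        [int]$Days = 3,
        [datetime]$EndDate = (Get-Date)
    )
    # The rule name becomes a SQL string literal; double any single quotes in it.
    $safeRule = $RuleName.Replace("'", "''")
    # One SELECT per daily logging database, joined with UNION (which also dedupes).
    $selects = for ($i = 0; $i -lt $Days; $i++) {
        $db = 'ISALOG_{0}_WEB_000' -f $EndDate.AddDays(-$i).ToString('yyyyMMdd')
        "SELECT DISTINCT ClientIP FROM [$db].[dbo].[WebProxyLog] WHERE [Rule] = '$safeRule'"
    }
    return "SELECT ClientIP AS IPAddress FROM (`n" + ($selects -join "`nUNION`n") + "`n) t1;"
}

function ConvertFrom-TmgClientIP {
    param([Parameter(Mandatory=$true)][string]$LogValue)
    # TMG keeps IPv4 and IPv6 in one 16-byte field. An IPv4 address is logged as
    # C0A8018A-FFFF-0000-0000-000000000000: the first 8 hex digits are the four octets.
    $hex = $LogValue -replace '-', ''
    if ($hex -match '^([0-9A-F]{8})FFFF0{20}$') {
        $addr = $Matches[1]
        $octets = 0..3 | ForEach-Object { [Convert]::ToInt32($addr.Substring($_ * 2, 2), 16) }
        return ($octets -join '.')
    }
    # Otherwise treat all 16 bytes as an IPv6 address (assumption about the IPv6 layout).
    $bytes = [byte[]](0..15 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

# Unique client addresses that hit the published rule over the last 3 days.
$query = Get-TmgWebProxyQuery -RuleName 'TMG Rule Name' -Days 3
Invoke-Sqlcmd -Query $query -ServerInstance 'localhost\msfw' -QueryTimeout 300 |
    ForEach-Object { ConvertFrom-TmgClientIP $_.IPAddress } |
    Sort-Object -Unique
```

Run it on the TMG server itself (where the snap-in and the msfw instance live); ConvertFrom-TmgClientIP can also be applied on its own to values exported from the console, for example ConvertFrom-TmgClientIP 'C0A8018A-FFFF-0000-0000-000000000000' returns 192.168.1.138.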


Happy IP address hunting :)

Microsoft Forefront TMG 2010 invalid certificate

In this case Forefront TMG 2010 was installed on Windows Server 2008 R2, and for web publishing purposes (a publishing rule) a server certificate from a public CA was installed in the local machine store. The certificate request was created with the MMC using a custom certificate request. The private key was successfully associated with the certificate, but in the TMG console this certificate was shown as invalid with an incorrect key type:


The reason for this behavior is that in the custom certificate request wizard, on the custom request page, the template was created with a CNG key instead of a Legacy key. Forefront TMG does not support certificates created with CNG: http://technet.microsoft.com/library/ee796231.aspx?lc=1031#dfg9o9i8uuy6tre.

Another important thing to notice is that on the Private Key tab, under the key type options, Exchange must be selected instead of the default Signature:


Step-by-step instructions on how to create a certificate request using the MMC can be found in one of my previous posts: http://vstepic.blogspot.com/2011/12/how-to-request-san-certificate-using.html .

You can't access pages via TMG as a proxy with HTTPS inspection enabled on a port other than 443

So, if you try to access pages via HTTPS on a port other than 443 through TMG with HTTPS inspection enabled, and you check the logs on TMG, you can see the following error: "12204 The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests".
As a solution to this error I came across the following article: http://technet.microsoft.com/en-us/library/cc302450.aspx . There are three scripts for managing tunnel port ranges (view, add, delete). In my case I needed to access port 8443 for SSL, so I added a new tunnel port range with the single port 8443 by starting the script like this: "cscript addrange.vbs ssl8443 8443". After that, TMG started proxying SSL requests to the requested destination on 8443.

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...