Monday, September 26, 2011

TMG 2010 and enabling TLS 1.2


With the impending demise of TLS 1.0 on the web I figured it was a good time to make sure all my servers had TLS 1.2 enabled on them. The normal IIS 7.x servers wouldn't be a problem since I'd found a PowerShell script for turning those on a while ago, but I wasn't sure about the TMG 2010 servers. Since they also function as SSL termination endpoints, they also needed to support TLS 1.2. After a bit of searching I found only a few mentions of TLS 1.2 and TMG 2010, and they seemed to imply that it would track with whatever the OS had enabled on it. So I went ahead and ran the script to enable it, rebooted, and then tested my servers out with the SSL Labs tester (https://www.ssllabs.com/ssldb/index.html), which reported back to me that my servers were now supporting TLS 1.2.

But they also reported back that my server still supported Insecure Negotiation. So I dug around a bit more and found some registry keys that need to be set in order to turn off Insecure Negotiation at http://support.microsoft.com/kb/980436. So I set these 3 DWORD values to zero:

AllowInsecureRenegoClients
AllowInsecureRenegoServers
UseScsvForTls

Updated: I started getting a "The supplied SSPI channel bindings were incorrect" error on servers that were published behind the TMG server, so I deleted those keys and that went away.
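As an added illustration (this is not the script the post links to, nor anything from Microsoft), here is PowerShell that sets the TLS 1.2 SCHANNEL keys the way the enabling scripts of the day did and then only reads back the three KB980436 values, given the channel-binding problem noted in the update. It assumes the standard SCHANNEL registry locations on Windows Server 2008 R2 / TMG 2010, an elevated prompt, and a reboot afterwards.

```powershell
# Added example, not the post's own script. Run as administrator; reboot after.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Enable-Tls12 {
    # SCHANNEL keeps separate Server and Client subkeys per protocol.
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $schannel "Protocols\TLS 1.2\$side"
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # Enabled=1 turns the protocol on; DisabledByDefault=0 lets SCHANNEL
        # offer it even when the application does not ask for it explicitly.
        New-ItemProperty -Path $path -Name 'Enabled' -Value 1 `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-RenegotiationSettings {
    # The three KB980436 values sit directly under the SCHANNEL key. They are
    # only reported here, not changed: zeroing them broke channel binding for
    # servers published behind TMG, as the update above describes.
    $names = 'AllowInsecureRenegoClients', 'AllowInsecureRenegoServers', 'UseScsvForTls'
    foreach ($name in $names) {
        $item = Get-ItemProperty -Path $schannel -Name $name -ErrorAction SilentlyContinue
        $value = if ($item -eq $null) { '(not set)' } else { $item.$name }
        New-Object PSObject -Property @{ Name = $name; Value = $value }
    }
}

Enable-Tls12
Get-ItemProperty -Path (Join-Path $schannel 'Protocols\TLS 1.2\Server')
Get-RenegotiationSettings | Format-Table Name, Value -AutoSize
```

After the reboot, re-run the SSL Labs test mentioned above to confirm TLS 1.2 is offered.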


The PowerShell script that I used for enabling TLS 1.2 can be found here: