Monday, September 26, 2011

TMG 2010 and enabling TLS 1.2

With the impending demise of TLS 1.0 on the web I figured it was a good time to make sure all my servers had TLS 2.0 enabled on them. The normal IIS 7.x servers wouldn't be a problem since I'd found a powershell script for turning those on a while ago but I wasn't sure about the TMG 2010 servers. Since they also function as ssl termination endpoints they also needed to support TLS 1.2. After a bit of searching I found only a few mentions of TLS 1.2 and TMG 2010 and they seemed to imply that it would track with whatever the OS had enabled on it. So I went ahead and ran the script to enable it, rebooted, and then tested my servers out with the SSL labs tester ( which reported back to me that my servers were now supporting TLS 1.2.

But they also reported back that my server still supported Insecure Negotiation. So I dug around a bit more and found some registry keys that need to be set in order to turn off Insecure Negotiation at . So I set these 3 DWORD values to zero:


Updated: I started getting an supplied sspi channel bindings were incorrect on servers that were published behind the TMG server so I deleted those keys and that went away.

The powershell script that I used for TLS 1.2 enabling can be found here: