New Certificate Chain and TMG Reverse Proxy

After you install or upgrade the new CA and certificate chain in your environment, you need to verify that all the servers and network devices trust the new authorities.  This also applies to the reverse proxy, and sometimes that gets a little more complicated.

Here is a scenario in which the client certificate was issued by the new issuing CA.  When a user tried to access ActiveSync published by Microsoft Forefront TMG, the browser got this:


On the TMG side, it showed a similar error.  Microsoft’s description is the same for error 12221 and 12321: The client certificate used to establish the SSL connection with the Forefront TMG computer is not trusted.

But when you check the chain installed in TMG, it looks fine, and the client certificate itself is okay too.  So where could the problem be?  First, it is almost certain that the error was raised by the listener in the publishing policy in TMG.  In the listener, you can choose the client authentication method; the client certificate part is under Advanced Options.  There, if you go to Client Certificate Trust List, you will see what the existing setting is.  Double-check whether the listener accepts any client certificate trusted by TMG, or only those checked in the list below.  If your new root CA is not there, check it and test again.

What’s next?  My test gave me HTTP code 500: The certificate is revoked, with error code 0x80092010.


That’s not possible, right?  TMG has a system policy rule that allows Local Host to reach all destinations on port 80; it exists specifically for CRL communication.  So is there anywhere else we can check in TMG?  Yes, there is.  We can loosen the setting a bit on TMG.  It is not a good idea for security, but at least we can move forward and verify something further toward the CA.  Here is the setting that you can uncheck, in TMG Console – Web Access Policy – Tasks – Configure Certificate Revocation.


After this, you should be able to reach the site; then focus on the delta CRL issue in the new CA, according to this TechNet article:
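As an added example (not from the original post and not part of TMG), here is a PowerShell script that builds the chain of an exported client certificate on the TMG server with online CRL checking, so you can tell an untrusted-root problem (the 12221/12321 case) from a revocation-lookup problem (the 0x80092010 case) before loosening revocation checking.  The certificate path is a placeholder you replace with your own export.

```powershell
# Added example, not part of the original post or of TMG itself.
# Builds the chain of an exported client certificate with online CRL checking,
# the way the TMG listener does, and reports why it fails.
# $CertPath is a placeholder for the exported client certificate (.cer).
function Test-ClientCertChain {
    param([string]$CertPath = 'C:\temp\client.cer')

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Fetch CRLs (and delta CRLs) from the CDP URLs for every certificate in the chain.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
    # Client Authentication EKU, since this is the certificate the listener validates.
    $eku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($eku)

    $valid = $chain.Build($cert)
    Write-Host ("Subject: {0}" -f $cert.Subject)
    Write-Host ("Chain valid: {0}" -f $valid)

    # One element per certificate, leaf first, root last; an empty status is OK.
    foreach ($element in $chain.ChainElements) {
        $flags = $element.ChainElementStatus | ForEach-Object { $_.Status }
        if (-not $flags) { $flags = 'OK' }
        Write-Host ("  {0}" -f $element.Certificate.Subject)
        Write-Host ("    -> {0}" -f ($flags -join ', '))
    }

    # UntrustedRoot: the new root CA is not in the machine's Trusted Root store
    #   (matches the TMG 12221/12321 "not trusted" error).
    # Revoked: CRYPT_E_REVOKED, 0x80092010 (the certificate really is on a CRL).
    # RevocationStatusUnknown / OfflineRevocation: the CRL or delta CRL could not
    #   be fetched or is stale, which is where the CA and its CDP URLs need checking.
    foreach ($s in $chain.ChainStatus) {
        Write-Host ("Status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }

    # Show the CDP URLs that revocation checking depends on (OID 2.5.29.31).
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.31') {
            Write-Host 'CRL Distribution Points:'
            Write-Host $ext.Format($true)
        }
    }
    return $valid
}

Test-ClientCertChain
```

Run it on the TMG server itself, because that is the machine whose certificate stores and port 80 path to the CDP URLs the listener actually uses.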

Microsoft should release something officially about TMG, otherwise it’s losing customers.

Have the reports of TMG’s death been greatly exaggerated?

Back last spring, we reported – with more than a little concern – Gartner’s Magic Quadrant Report that stirred up a tempest in a teapot when they said Microsoft had informed them that they wouldn’t be shipping another full version of TMG and no longer intended to compete head-to-head with other vendors in the secure web gateway/firewall space. I wrote about it in my blog on this site and even did an editorial about it over on TechRepublic. In case you missed it, you’ll find it here.

The whole thing was exacerbated by the fact that Microsoft would neither confirm nor deny all the rumors that were swirling around in response to Gartner’s statement. As time has gone on, the confusion and consternation has deepened.  Customers and MVPs have been asking questions about the future of TMG and not getting many answers. In some ways that seems ominous – but some of us have started wondering if maybe it’s actually a good sign.

Certainly there have been some encouraging developments. In October, Microsoft released Service Pack 2 for TMG 2010, which was more than just a bug fix; it introduced several new functionalities, with a new Site Activity report, new look and feel for error pages, and the ability to use Kerberos authentication when deploying an array using NLB.

Why would Microsoft come out with a Service Pack for a product that had been declared “as good as dead” months before? As with all Microsoft products, the company will continue to support TMG for at least ten years from the date of this service pack, so it seems there’s some life in the old gal yet.

Last month, Richard Hicks reminded us that TMG was celebrating its second birthday.

But it’s important to remember that number refers only to the product named Threat Management Gateway. TMG actually has a much longer history than that, as the successor to the very popular ISA Server 2006, which itself evolved out of Microsoft Proxy Server.  So saying it’s two years old is, in some ways, like saying that if you go to court and get a name change, you can reset your age to zero and start all over again. Much as some of us who are getting up in years might wish we could do that, it really doesn’t work that way. TMG has been around for a while and it has matured into an excellent product.  Abandoning it at this point wouldn’t be like dumping the Kin because you realize you’ve made a mistake.

But this whole name change thing has me wondering if maybe we didn’t take Gartner’s statement literally enough. Just because Microsoft might have said they wouldn’t be shipping another full version of their Threat Management Gateway, does that mean the product itself is necessarily going away? They could have said they weren’t going to ship another version of ISA Server after 2006, too – and that would have been technically correct.

Who knows? Maybe TMG is just getting ready to undergo another evolutionary cycle. It’s hard for me to believe that Microsoft would really just throw away the technology after working so hard to get it right. That would be almost like suddenly deciding to get out of the web browser business after coming from behind to overtake Netscape.

Another thing that has me rethinking the “demise of TMG” is Microsoft’s all-in commitment to the cloud. There have been a number of security breaches this past year that have thrown concerns over cloud security into the limelight. If Microsoft hopes to be a serious contender for top cloud provider status, it’s imperative that they demonstrate their commitment to security. And they already have the technology, in TMG, to do that.

Now, I don’t have any inside information on this; if Tom knows anything, he’s sworn to secrecy. So it’s all speculation on my part, and maybe it’s just wishful thinking during a season when wishes rule, but sometimes no news really is good news. And it wouldn’t be unthinkable if all the outcry from those otherwise happy TMG customers (and potential customers who were considering deploying TMG) over the Gartner report caused Microsoft to take a second look at the decision (if there ever was a decision to begin with). So, at least while ‘tis the season to be jolly (and optimistic), I’m going to dare to hope that we’ll eventually find out that TMG is next year’s comeback kid.

Happy holidays to all who celebrate.

See you next month (or should I say “next year”?)  – Deb.

ISA, TMG. No more.

Heard this news after a vendor visited us yesterday.  This vendor has been developing proxy-kind products instead of just a Microsoft plug-in for several years and they keep promoting their software and appliance to us; another vendor has been on the same track for a while, although they are not so actively selling.  But Microsoft’s roadmap for the Forefront or TMG proxy product was not very clear in the past few years: TMG, UAG and codename ‘Stirling’ are always confusing, even to a technical guy like me, and there’s no exposure in any recent Microsoft events.  Also I heard Microsoft didn’t really make money from ISA/TMG; maybe that is one of the main reasons behind the whole story.

Still trying to swallow this news as Mrs. Shinder did, although this may not be news anymore, two months after it was revealed by Gartner (not Microsoft!).

Here are some links I found informative and helpful:

A summary of Gartner’s report can be downloaded from the McAfee site (link in this blog); I am not sure if that is the $1995 one.