Reverse proxy TLS version

Tags: reverse-proxy, tls, tmg

I have a TMG 2010 (Forefront Threat Management Gateway 2010) sitting on Windows Server 2003 R2 and I have several websites published through it. One of the websites is sitting on Windows Server 2012 R2. I know that Server 2003 R2 ships with TLS 1.0 and Server 2012 R2 ships with TLS 1.2. When I open the website from the internal network (not going through TMG), Google Chrome shows that the connection uses TLS 1.2. When, however, I open the published website from an external network (going through TMG), Google Chrome says the connection uses TLS 1.0.

How can I make the visitor use not TMG's TLS implementation but the version of the Windows server on which the published site sits? Thanks in advance.

Best Answer

There are a bunch of registry settings you can make, including ones that enable TLS 1.1 and 1.2 for TMG 2010, according to http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html

It’s also a good idea to enable new protocols such as Transport Layer Security (TLS) v1.1 and v1.2 for modern clients that support them. To do this, open the registry and navigate to HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols and create two new keys called TLS 1.1 and TLS 1.2. Under each of these keys create new keys called Client and Server. Within each Client and Server key under TLS 1.1 and TLS 1.2 create DWORD values called DisabledByDefault set to 0 and Enabled set to 1. Restart the TMG firewall for this change to take effect.

The rest of that page looks to be mandatory work for any current TMG deployment.
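The registry procedure quoted in the answer, written out as a PowerShell script that creates the keys and then reads them back to confirm the values. This is an added example, not code from the answer or from the isaserver.org article; the key path and value names come from the quoted text, while the Enable-SChannelProtocol and Test-SChannelProtocol function names are my own. It assumes an elevated session on the TMG host and an OS whose SChannel actually implements TLS 1.1/1.2 (Windows Server 2008 R2 and later); Windows Server 2003 has no TLS 1.1/1.2 support, so these keys do nothing there.

```powershell
# Added example: creates the SChannel keys described in the answer and verifies them.
# Key path and value names are from the quoted article; the function names are assumptions.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols'

function Enable-SChannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.1' or 'TLS 1.2'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DisabledByDefault=0 lets SChannel offer the protocol; Enabled=1 permits its use.
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-SChannelProtocol {
    # Reads the keys back and reports whether both Client and Server sides are enabled.
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $ok = ($null -ne $props) -and
              ($props.DisabledByDefault -eq 0) -and
              ($props.Enabled -eq 1)
        [pscustomobject]@{ Protocol = $Protocol; Side = $side; Enabled = $ok }
    }
}

'TLS 1.1', 'TLS 1.2' | ForEach-Object { Enable-SChannelProtocol -Protocol $_ }
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Test-SChannelProtocol -Protocol $_ } | Format-Table -AutoSize

# SChannel reads these keys at boot, so the change takes effect only after a restart,
# as the quoted article says.
```

After the restart, re-test from the external side with the browser (or an SSL scanner) to confirm the published site now negotiates TLS 1.2 through TMG.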