The KB980346 update published today by Microsoft upgrades the underlying Windows SChannel used by Forefront TMG 2010 to support the secure TLS renegotiation extension.
This should be available in both the reverse web proxy(web server publishing) and for forward web proxy scenarios(when the HTTPS Inspection is used).
How to check for it(bellow TMG was installed on Windows Server 2008 R2 SE) ?
- For the reverse web proxy(web server publishing) scenario simply download the latest version of Opera(on Windows shown bellow), access the published secure web site with Opera and click the SSL padlock icon. In case a web site does not support it, Opera will show this(see bellow). Or if you want a more detailed scan, use SSL Labs, which will tell you if the TLS secure or insecure renegotiations are supported. Or use in reverse the forward web proxy scenario procedure(with a client that supports the TLS secure renegotiation(may vary how the client signals the support for this extension) and watch for TMG’s response).
- For forward web proxy scenario(when the HTTPS inspection is used) take a Wireshark capture and note the 0x00ff “cipher suite”(TLS_EMPTY_RENEGOTIATION_INFO_SCSV) from the TLS 1.0 SSL 2.0 compatible TMG’s Client Hello.
The remote server, if supported, may reply with the 0xff01 extension.
