Disable SSLv3 on Threat Management Gateway (TMG)

Good morning,

I have a question, or rather I need confirmation of the correct way to disable SSLv3 support in TMG. We've finally reached a point where we can actually get this done and be done with POODLE and BEAST. All of our browsers and other clients have been upgraded so that they can support TLS 1.0 or higher (I'm pushing to be free of 1.0), so now we can start to tell the servers to ignore SSL altogether. On to TMG... from everything that I've seen in various places, the method is the standard registry edit to change DWORD values; is that correct? So there is nothing to actually configure within TMG? If so, where can I find that?

I'm not the admin for this system, but I am the security guy and if I want this done I have to give them the instructions how to do it... that whole "plausible dependability" or CYA thing.

Thanks everyone!

January 22nd, 2015 6:06pm

Hello,

Maybe this could be helpful: http://tmgblog.richardhicks.com/2014/10/21/mitigating-the-poodle-ssl-3-vulnerability-on-forefront-tmg-2010/

Regards,

January 22nd, 2015 6:42pm

Yes, I've seen that, which brings me back to my question: is a registry edit to disable SSLv3 all that's required to affect the TMG?
January 22nd, 2015 9:32pm

Hi,

Forefront TMG uses the underlying Crypto-API (crypto subsystem) from Windows. You must change the SSL/TLS crypto behaviour with the Registry Editor. There is no way to change this in the TMG MMC.

January 23rd, 2015 9:05am

Hi,

Please check the steps below. Those are what I saw in a similar case that was trying to enable TLS v1.2 and stop using SSL3.

TMG and SSLv3

TMG does not have its own SSL stack; it relies on the SSL stack of the operating system (it is implemented in SCHANNEL). SSLv3 is enabled by default on the Microsoft operating systems.

To disable SSLv3 you have to follow these steps:

Microsoft Security Advisory 3009008

https://technet.microsoft.com/en-us/library/security/3009008.aspx

For the server component: (for incoming SSL connections)

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.

2. In Registry Editor, locate the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

3. On the Edit menu, click Add Value.

4. In the Data Type list, click DWORD.

5. In the Value Name box, type Enabled, and then click OK.

Note If this value is present, double-click the value to edit its current value.

6. In the Edit DWORD (32-bit) Value dialog box, type 0.

7. Click OK. Restart the computer.

For client component: (for outgoing SSL connections)

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.

2. In Registry Editor, locate the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

3. On the Edit menu, click Add Value.

4. In the Data Type list, click DWORD.

5. In the Value Name box, type Enabled, and then click OK.

Note If this value is present, double-click the value to edit its current value.

6. In the Edit DWORD (32-bit) Value dialog box, type 0.

7. Click OK. Restart the computer.

TLS 1.2

TLS 1.2 is enabled by default on Windows Server 2008 R2.

Please note that you can override this via registry.

Registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Client\TLS 1.2 or Server\TLS 1.2

Key (DWORD)

Enabled

0 disabled

1 enabled

Disabling Ciphers

If you want to disable additional Ciphers please follow this article:

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

http://support.microsoft.com/kb/245030

If you want to disable RC4 ciphers you can just install the patch from the KB article below:

Microsoft security advisory: Update for disabling RC4

http://support.microsoft.com/kb/2868725

Best Regards,

Joyce

January 23rd, 2015 10:25am
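The two registry procedures above (SSL 3.0\Server for incoming connections, SSL 3.0\Client for outgoing ones) as a single script, added here as an example; it is not part of the thread or of Microsoft's advisory. It assumes it is run elevated on the TMG host, is written for the PowerShell 2.0 that ships with Windows Server 2008 R2, and the audit function simply reports whatever protocol keys exist under SCHANNEL\Protocols so the admin can show the state before the required reboot.

```powershell
# Added example (not from the thread): set Enabled=0 for SSL 3.0 on both the
# Server and Client side of SCHANNEL, then list the resulting protocol state.
# Must be run from an elevated prompt; a reboot is still required afterwards.

$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,      # e.g. 'SSL 3.0'
        [string[]] $Sides = @('Server', 'Client')         # incoming / outgoing
    )
    foreach ($side in $Sides) {
        $key = Join-Path (Join-Path $Protocols $Name) $side
        # The advisory notes the full key path often does not exist yet; create it.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD Enabled = 0 is exactly the value the manual steps set.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
                         -Value 0 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Report Enabled for every <protocol>\<side> key present under Protocols.
    # A missing key or value means the OS default applies (SSL 3.0 = on).
    Get-ChildItem -Path $Protocols -ErrorAction SilentlyContinue | ForEach-Object {
        $proto = $_.PSChildName
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $_.PSPath $side
            $enabled = $null
            if (Test-Path $key) {
                $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' `
                            -ErrorAction SilentlyContinue).Enabled
            }
            if ($null -eq $enabled) { $enabled = '(not set, OS default)' }
            New-Object PSObject -Property @{
                Protocol = $proto
                Side     = $side
                Enabled  = $enabled
            }
        }
    }
}

Disable-SchannelProtocol -Name 'SSL 3.0'
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled -AutoSize
```

Run the audit function again after the reboot and keep its output with the change record; Enabled = 0 on both SSL 3.0 rows is the state the advisory describes.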

Thanks to everyone for responding to my request for assistance, it's very much appreciated!
January 23rd, 2015 8:07pm
