
TMG 2010 on Server 2008 R2 "B" rating

Question asked by Mark Haddon on Jul 20, 2018
Latest reply on Jul 20, 2018 by j-mailor

Hi

Dunno if anyone can help, but I'm struggling to get an A rating for TMG 2010 reverse-proxied sites. I've disabled TLS v1.0, but I think that my issues are related to ciphers.

"This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B."

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256

These are the ciphers I'm using, configured in this order using gpedit.msc:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256

My main issues are around which ciphers are safe to remove without trashing TMG. Incidentally, the server is already running in FIPS mode, because that's a requirement for the TMG SQL Express instance to function when you disable TLS v1.0.

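A way to see why the scan caps the grade, as an added example that is not part of the original post and is not code from SSL Labs or Microsoft: the script below classifies every suite name quoted above by key exchange (forward secrecy or not), cipher mode (AEAD or CBC) and the certificate type it needs, then compares the GPO order against what the scan saw offered. Both input lists are constructed from the names in the question; the server certificate is assumed to be RSA, because every forward-secrecy suite in the scan is an ECDHE_RSA suite. Run against those inputs it shows three things the raw lists hide: the ten ECDHE_ECDSA entries can never be negotiated with an RSA certificate, the six RSA-compatible GCM (AEAD) suites in the configured order all fail to appear in the scan, and the scan lists four static-RSA CBC suites that are not in the configured order at all, which is worth checking before removing anything, since it suggests the effective Schannel order is not the list that was pasted.

```python
"""Triage a cipher-suite list against an SSL Labs-style scan result.

Added example; not code from the original post, SSL Labs or Microsoft.
Both lists below are constructed from the suite names quoted in the question.
"""
import re

# Suites the scan reported as offered (TLS 1.2 and 1.1 sections, deduplicated).
SCAN_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# The GPO "SSL Cipher Suite Order" list from the question, in the same order.
GPO_CONFIGURED = [s.strip() for s in """
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256
""".split(",")]

# Windows appends _P256/_P384/_P521 to some suite names; the wire name has no curve.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?_WITH_"
    r"(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA|MD5)(?:_P(?P<curve>256|384|521))?$"
)


def classify(name):
    """Split an IANA/Windows suite name into the properties a scan grades on."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, auth, cipher = m["kx"], m["auth"], m["cipher"]
    return {
        "base": re.sub(r"_P(256|384|521)$", "", name),
        # Ephemeral (EC)DH gives forward secrecy; static RSA key exchange does not.
        "fs": kx in ("ECDHE", "DHE"),
        # AEAD modes: GCM, CCM, ChaCha20-Poly1305.  CBC suites are not AEAD.
        "aead": cipher.endswith(("_GCM", "_CCM")) or "POLY1305" in cipher,
        # Static RSA suites authenticate with the RSA certificate itself.
        "cert_type": auth or ("RSA" if kx == "RSA" else None),
        "curve": m["curve"],
    }


def gap_report(configured, offered, cert_type="RSA"):
    """Compare the configured order with what a scan saw offered.

    Comparison is by base name (curve suffix stripped).  Suites whose
    authentication does not match the server certificate type can never be
    negotiated and are listed separately.
    """
    cfg = [classify(n) for n in configured]
    off_bases = {classify(n)["base"] for n in offered}
    usable = {c["base"] for c in cfg if c["cert_type"] == cert_type}
    usable_aead = {b for b in usable if classify(b)["aead"]}
    offered_aead = {b for b in off_bases if classify(b)["aead"]}
    return {
        "configured_unique": len({c["base"] for c in cfg}),
        "needs_other_cert": sorted({c["base"] for c in cfg if c["cert_type"] != cert_type}),
        "usable_aead": sorted(usable_aead),
        "offered_aead": sorted(offered_aead),
        "missing_aead": sorted(usable_aead - offered_aead),
        "offered_without_fs": sorted(b for b in off_bases if not classify(b)["fs"]),
        "offered_not_configured": sorted(off_bases - usable),
    }


if __name__ == "__main__":
    for key, value in gap_report(GPO_CONFIGURED, SCAN_OFFERED).items():
        print(f"{key}:")
        for item in (value if isinstance(value, list) else [value]):
            print(f"    {item}")
```

The comparison strips the `_P256`/`_P384`/`_P521` suffix because a scan reports the wire name only, so the three `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P*` entries all collapse to the one `0xc027` line in the report. Replace the two constructed lists with a fresh scan and the current policy value to re-run the same triage after any change to the order.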