Archive

Posts Tagged ‘SQL Express’

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

December 27, 2016 Comments off

When performing SSL and TLS hardening on Microsoft Forefront Threat Management Gateway (TMG) 2010 or Forefront Unified Access Gateway (UAG) 2010 servers, disabling SSL 3.0 and TLS 1.0 is often required to meet regulatory and compliance guidelines for security. However, disabling SSL 3.0 and TLS 1.0 causes the SQL Server (ISARS) and SQL Server Express services to fail on start up.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Switching from SQL logging to text file logging can be employed as a workaround. However, when using text file logging, generating historical reports in the TMG management console is no longer supported.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

To restore full functionality for SQL logging and reporting when SSL 3.0 and TLS 1.0 are both disabled, an update to the local security policy of the server is required. Open the Local Security Policy editor by clicking on the Start button and navigating to Administrative Tools and Local Security Policy. Expand Local Policies and click on Security Options. Double-click on System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Click Enabled and then click OK.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Restart the computer for the changes to take effect. Once complete, all SQL services should start and run without issue.

Disable SSL 3.0 and TLS 1.0 on Forefront TMG and UAG 2010

Note: If Remote Desktop Services (RDS) is used to manage the Forefront TMG firewall it will be necessary to install update KB3080079.

 

Categories: Forefront TMG 2010, Forefront UAG 2010, Logging and Reporting, Security, Threat Management Gateway, Troubleshooting, Unified Access Gateway Tags: , , , , , , , , , , , , , , ,

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

November 20, 2014 5 comments

When performing POODLE attack mitigation on the Forefront TMG 2010 firewall by disabling SSL 3.0, you may encounter a scenario in which TMG’s SQL services fail to start after a reboot.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Looking through the Windows system event log you may see an error message logged by the Service Control Manager with event ID 36871 which states:

A fatal error occurred while creating an SSL server credential.
The internal error state is 10013.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

In addition you may also see an error message logged by the Service Control Manager with event ID 7024 which states:

The SQL Server (ISARS) service terminated with service-specific
error %%-2146893007.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

This can occur when SSL 3.0 is disabled at the same time that TLS 1.0 is also disabled. Even though TLS 1.1 and 1.2 might be enabled, TMG requires that TLS 1.0 specifically be enabled for SQL server services to function properly when SSL 3.0 is disabled.

To resolve this issue, enable TLS 1.0 Server in the registry by changing the value of Enabled to 1, as shown here. If these registry keys do not exist, create them.

Forefront TMG 2010 SQL Services Fail to Start After Disabling SSL 3.0

Restart the server for the change to take effect.

Categories: Forefront TMG 2010, Forefront UAG 2010, Security, Security Updates, Threat Management Gateway, Unified Access Gateway Tags: , , , , , , , , , , , , ,