
TMG 2010 SP1 introduces issue with HTTP custom port listener

We replaced a single TMG 2010 server with a pair of TMG 2010 servers using NLB for internal and external NICs.  That process in itself was somewhat of a challenge.  Along the way we found a bug that was introduced in TMG 2010 SP1.  On the single server (non SP1), we had an HTTP listener using a custom port of 8080 (this was for TFS just so you know).  On the new servers, we added SP1 for TMG 2010 before adding any rules and then tried to add the HTTP listener on port 8080.  However, in the listener properties, as soon as we changed the HTTP port and tried to apply we received this error: “This Web Listener is configured to use SSL.  You must specify a certificate for use in this Web Listener.”

You can duplicate this by simply creating a new listener, clicking on the Connections tab, changing the HTTP port to anything other than 80 and trying to apply as shown below.

After seeing the error you may notice that without SP1, the Certificates tab will have all its options disabled if you don’t check Enable SSL on the Connections tab.  However, after applying SP1 those options on the Certificates tab are not getting disabled and I guess there’s code that keys off that, resulting in the erroneous error message we received.

We opened a case with Microsoft and it was confirmed that this is an issue introduced with TMG 2010 SP1 and they are working on a fix.  Currently, I see two workarounds:

  1. Add your listeners with custom HTTP ports prior to applying TMG 2010 SP1.  I haven’t tested this but I’m fairly confident this will work.
     
  2. Select an SSL certificate on the Certificates tab for this non-SSL enabled listener.  This is the real workaround (and the only workaround if you've already applied SP1) and will allow you to save the listener and everything will work just fine.  I already had a “real” SSL certificate on this TMG pair so this was easy.  A self-signed cert would probably also work as you’re not really using the cert but just selecting any cert to work around the GUI issue.

So there you have it.  Just select any SSL cert to get you going even though you may be adding a non-SSL rule/listener.  I hope this saves you some time and headache.
