What could be the impact of disabling renegotiation feature on OCS 2007 r2 reverse proxy server.

    Question

  • Hello,

               There's a very complicated issue coming up on me these days.

               We have deployed OCS 2007 R2 enterprise edt with 2 front end, 2 Edge and 2 back-end servers with 1 each of archiving, CWA and reverse proxy.

               We also have one hardware load balancer configured on the frontend pool.

               We have ISA 2006 configured on the reverse proxy to publish URLs used for downloading meeting content and address book.

               We just received a mail from our security team stating they wanted to disable SSL renegotiation feature on the reverse proxy server.

               Well now after googling I did not find anything related but the following link from Microsoft:

                http://support.microsoft.com/kb/977377

               Now I am not sure, and of course I lack the understanding of what the impact would be if we deploy this patch on the reverse proxy server.

               Need some extreme help to find a solution on this.

               Waiting for your kind reply.

     

    Thanks,

    Amit.

    Friday, January 13, 2012 11:09

Answers

  • Hello Amit,

    As for the non-working scenarios,

  • Windows 7 DirectAccess: The IP HTTPS interface will not function.
  • Exchange ActiveSync: Does not function when it uses certificate client authentication.
  • Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.
  • Internet Explorer: When you browse Web sites that require client certificate authentication, but not site-wide client certificate authentication, you may not successfully be able to connect

    It should not cause any issues with OCS clients, but it is better to test it out and if it breaks any features for OCS you can remove the patch.

    The KB also states:

    This update disables TLS/SSL renegotiation, common protocol functionality that is required for specific applications. This may cause this software to no longer function as expected. If any side effects are experienced, customers should uninstall the workaround to resolve the issue

Wednesday, January 18, 2012 06:44

All Replies

  • Desperately waiting.

     

    Amit

    Monday, January 16, 2012 08:29
  • Hi, Amit,

    I am sorry, I have no idea about your issue. I will escalate it to the Microsoft Escalation Support team and the ETS engineer will help you figure out the question.

    Regards,

    Sharon


    Sharon Shen

    TechNet Community Support

    Monday, January 16, 2012 08:48
    Moderator
  • Hi Sharon,

                    Thanks for your attention.

     

    Thanks again,

    Amit.

    Monday, January 16, 2012 12:06
  • Hello Amit,

    Do you know how the security team is planning to disable SSL renegotiation on the reverse proxy? Are they using a registry key or referring to some KB article?

    The article http://support.microsoft.com/kb/977377 states that the following scenarios break with the

  • Windows 7 DirectAccess: The IP HTTPS interface will not function.
  • Exchange ActiveSync: Does not function when it uses certificate client authentication.
  • Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.
  • Internet Explorer: When you browse Web sites that require client certificate authentication, but not site-wide client certificate authentication, you may not successfully be able to connect

     

    OCS R2 clients do not use certificate authentication to download address book or meeting content, so disabling renegotiation should not affect OCS R2 features, but if the reverse proxy is also used for other purposes, there might be issues.

    It is advisable to test it out, implementing the changes during non business hours.

    This update disables TLS/SSL renegotiation, common protocol functionality that is required for specific applications. This may cause this software to no longer function as expected. If any side effects are experienced, customers should uninstall the workaround to resolve the issue

     

     

     

     

     

Tuesday, January 17, 2012 05:42
  • Hello Jim,

     

    Well, the reverse proxy is dedicated to the OCS 2007 R2 reverse proxy purpose. Do you think that if the mentioned patch is installed on the reverse proxy, it will impact the OCS environment in any way? Also, the security team has asked us to disable the SSL renegotiation feature.

     

    Thanks,

    Amit.

    • Edited by Amit Khamkar Tuesday, January 17, 2012 06:52
    Tuesday, January 17, 2012 06:52