Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later For Lync server 2010

    Question

  • Hello everybody

    One of the pen test findings requires upgrading the Lync 2010 server's OpenSSL to version 1.0.1t / 1.0.2h or later.

    The environment is as follows:

    • Edge servers.
    • FrontEnd servers.
    • Lync Monitoring
    • Group Chat server

    OS: Windows Server 2008 R2

    Lync 2010

    My question is: are there any concerns regarding this change? Is there any impact on the user or server side?


    Cheers,

    Mahmoud Hanafi

    Senior Exchange|Lync Administrator


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.




    Sunday, June 18, 2017 1:41 PM

Answers

  • We have passed this change with some observations, 

    • If you apply these changes on the back-end SQL DB, then you need to check the SQL Server version, because some SQL Server versions don't support the new security algorithms.

    Cheers,

    Mahmoud Hanafi

    Senior Exchange|Lync Administrator


    • Marked as answer by Mahmoud.Hanafi Wednesday, August 30, 2017 2:44 PM
    Wednesday, August 30, 2017 2:44 PM

All replies

  • Why do you use OpenSSL and not an internal PKI for your Lync environment? Management should be easier.

    regards Holger Technical Specialist UC

    Thursday, June 29, 2017 7:14 AM
  • Hello Holger

    We already have an internal PKI; this was just the result and findings of the Windows Server penetration test, which required disabling all weak protocols, such as those that relied on OpenSSL.

    However, this has now been resolved, and there's no effect of this change.


    Cheers,

    Mahmoud Hanafi

    Senior Exchange|Lync Administrator



    Thursday, June 29, 2017 5:04 PM
  • OK, that's correct; you should disable old versions like SSL3, RC4 on all Lync servers for higher security.

    regards Holger Technical Specialist UC

    Friday, June 30, 2017 6:16 AM