Exch2010 - Disable 2.0 SSL, Enable 3, TLS 1.0

  • Question

  • When it comes to Exchange I'm leery of making big changes for fear of never-ending errors.

    That being said I need to disable 2.0 SSL and enable 3.0 and TLS 1.0 on an Exchange 2010 server running Windows 2008 R2.

    Found this guy and wanted to make sure this process wouldn't cause any issues or if anyone had a better solution. Seems this solution is all Regedit fixes and that makes me even more nervous.

    http://www.techieshelp.com/how-to-enable-ssl-3-0-server-2008-sbs-2008/

    Thanks in advance!

    Tuesday, February 4, 2014 2:35 PM

All replies

  • Anyone?
    Tuesday, February 4, 2014 7:55 PM
  • Hi,

    Based on my research, we can change some registry settings to disable or enable SSL and TLS:

    http://support.microsoft.com/kb/245030

    Additionally, since the issue is related to IIS, I recommend you ask for more professional help on our IIS forum:

    http://forums.iis.net/

    If you have any questions, please feel free to let me know.

    Thanks,


    Angela Shi
    TechNet Community Support

    Thursday, February 6, 2014 8:51 AM
  • Anyone?
    The article looks fine and that's the process to do it.
    The support article also talks about the same thing...

    Cheers,

    Gulab Prasad

    Technology Consultant

    Blog: http://www.exchangeranger.com

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, February 6, 2014 9:10 AM
  • I would say try this off hours so you can test thoroughly and monitor logs to see if any unexpected errors/issues come up. Make a backup by exporting the registry keys you are changing before you begin. That way if something doesn't go right, it's a simple right-click and import to revert the changes.
    Thursday, February 6, 2014 1:33 PM
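
The backup-then-change sequence suggested in the reply above, as an added PowerShell example that is not part of any post in this thread. It uses the Schannel `Protocols` registry key that the linked KB article describes; the backup path and the two function names are assumptions made for this example, and only the SSL 2.0 server side is changed.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Written to work on the PowerShell 2.0 that ships with Windows Server 2008 R2.
$regPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$base    = "HKLM:\$regPath"
$backup  = 'C:\Temp\schannel-protocols-backup.reg'   # assumed backup location

# 1. Export the whole Protocols key first; stop if the backup fails.
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
& reg.exe export "HKLM\$regPath" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

# 2. List what is explicitly configured. A protocol/role with no key here
#    is running on the operating system default.
function Get-SchannelProtocolState {
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $protocol = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $values = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Protocol          = $protocol
                Role              = $_.PSChildName
                Enabled           = $values.Enabled
                DisabledByDefault = $values.DisabledByDefault
            }
        }
    } | Select-Object Protocol, Role, Enabled, DisabledByDefault
}

# 3. Disable one protocol for one role (Server = inbound, Client = outbound).
function Disable-SchannelProtocol([string]$Protocol, [string]$Role) {
    $key = Join-Path $base "$Protocol\$Role"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

Write-Host 'Before:'; Get-SchannelProtocolState | Format-Table -AutoSize
Disable-SchannelProtocol -Protocol 'SSL 2.0' -Role 'Server'
Write-Host 'After:';  Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host "Backup saved to $backup. Revert with: reg.exe import `"$backup`""
```

Schannel reads these values at startup, so restart the server before testing Exchange services against the new settings.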
  • Thanks all!

    V

    Thursday, February 6, 2014 2:07 PM
  • I disabled TLS 1.0 because of PCI requirement. After which Exchange was not fully functional. I called Microsoft and the tech said doing the following should fix it. I will be trying it tonight.

    Please find the following steps that we did on the Exchange server

    We can try the following steps:

    1. Open gpedit.msc. In the Local Group Policy Editor, double-click Windows Settings under the Computer Configuration node, and then double-click Security Settings.

    2. Under the Security Settings node, double-click Local Policies, and then click Security Options.

    3. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.

    4. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box. Close the Local Group Policy Editor.

    Tried the same in the Exchange 2010 Server and tried gpupdate /force and it did not work.

    Hence I went ahead and restarted the server and post that I was able to delete mails in OWA and was able to set OOF in Outlook with TLS 1.0 and SSL 3.0 disabled.

    As of now it worked in lab and are not sure about the behavior in Production Environment.


    Thursday, May 14, 2015 6:01 PM
  • You don't need to use SSLv3 because of the POODLE hack.

    Just follow these steps https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/ (you need the SSLv3 section). Also check that SSLv2 is disabled too.

    Also check this http://blogs.technet.com/b/samdrey/archive/2014/10/17/vulnerability-in-ssl-3-0-poodle-attack-and-exchange-2010-or-exchange-2013.aspx

    Thursday, May 14, 2015 6:35 PM