none
Disable SSLv3 on Lync Edge server RRS feed

 , 
 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, Guys.

    Good Day!

    Need your assistance on this.

    Do you know how to disable SSLv3 on Lync Edge server? Any considerations and/or procedures to do this? Please advise.

    Thank you.



    Monday, August 31, 2015 8:31 AM
    |

Answers

  • Question
    Sign in to vote
    1
    Sign in to vote

    Hi,

    In registry editor, go to

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Change the value to 0 or add a new DWORD value "Enabled"  and set it to 0.

    Monday, August 31, 2015 8:55 AM
    |
  • Question
    Sign in to vote
    1
    Sign in to vote

    Hi

    You will need to create the Keys and Entries manually for 3.0 and TLS 1.0

    http://disablessl3.com/

    and

    https://support.microsoft.com/en-us/kb/187498

    TechNet one has a nice friendly fixit tool to just run and reboot :)

    thanks

    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Thursday, September 3, 2015 10:58 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi lrwinBats,

     

    Please check the following KB.

    https://support.microsoft.com/en-us/kb/245030?wa=wsignin1.0

     

    These keys might not exist so they need to be created prior to setting values.

     

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

     

    Best regards,

    Eric

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Tuesday, September 1, 2015 2:46 AM
    |
    Moderator

All replies

  • Question
    Sign in to vote
    1
    Sign in to vote

    Hi,

    In registry editor, go to

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Change the value to 0 or add a new DWORD value "Enabled"  and set it to 0.

    Monday, August 31, 2015 8:55 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, Yoav.

    Do you have any supporting MS article for this? Please advise.

    Thank you.

    Tuesday, September 1, 2015 12:09 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi lrwinBats,

     

    Please check the following KB.

    https://support.microsoft.com/en-us/kb/245030?wa=wsignin1.0

     

    These keys might not exist so they need to be created prior to setting values.

     

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

     

    Best regards,

    Eric

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Tuesday, September 1, 2015 2:46 AM
    |
    Moderator
  • Question
    Sign in to vote
    0
    Sign in to vote
    Hi, Guys. Do I need to do something after applying this [i.e Restart of IIS, Lync Services Restart]? Please advise. Thank you.
    Tuesday, September 1, 2015 10:29 AM
    |
  • Question
    Sign in to vote
    1
    Sign in to vote

    HI

    You will need to reboot the server for it to take effect

    thanks

    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Tuesday, September 1, 2015 10:55 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, Guys.

    As what you have said, this registry key is not present in our Lync Edge server. Due to this, can you share any procedures / articles on how to create this key and disable it as well? Please advise.

    When I navigate to 

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

    I only see under this a folder SSL 2.0 then under that is a Client folder

    Further, do I need to create all of these 3 as well so that the change will take effect?

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

    Thank you.

    Thursday, September 3, 2015 10:30 AM
    |
  • Question
    Sign in to vote
    1
    Sign in to vote

    Hi

    You will need to create the Keys and Entries manually for 3.0 and TLS 1.0

    http://disablessl3.com/

    and

    https://support.microsoft.com/en-us/kb/187498

    TechNet one has a nice friendly fixit tool to just run and reboot :)

    thanks

    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Thursday, September 3, 2015 10:58 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    Do I need to create TLS 1.0 given that I only need to disable SSL 3.0? Please advise.
    Thursday, September 3, 2015 1:06 PM
    |
  • Question
    Sign in to vote
    1
    Sign in to vote

    Not specifically to protect against POODLE. But some people want to force TLS 1.2 as the only protocol as it offers the strongest protection. Entirely down to your choice.

    thanks

    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Thursday, September 3, 2015 1:25 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote
    Hi, Guys. Good Day! Could you please share your experience after you apply the registry settings for the server to disable SSLv3? Did you encounter any issues like the server didn't come back from restart? How long would it take you to complete this task? Please advise. Thank you.
    Sunday, September 6, 2015 8:11 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi

    This is a pretty easy task usually, with a reboot the server should come back online without excessive waiting. 

    I have seen excessive server reboots when the server fails to ping the default gateway, but thats unrelated to this specific task.

    thanks

    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Sunday, September 6, 2015 8:24 AM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi, Guys.

    Good Day!

    How do you disable SSLv2 on Lync Edge? Is the same approach as when we change registry key for SSLv3? Please advise.

    Thank you.

    Sunday, September 13, 2015 2:02 PM
    |
  • Question
    Sign in to vote
    0
    Sign in to vote

    Hi lrwinBats.

    Yes, it's same.


    Best regards,

    Eric


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Sunday, September 13, 2015 3:04 PM
    |
    Moderator