kswan_expert
asked on
Failing SSL report at SSL Labs
Hi,
We’re getting an F: grade for our Webmail URL on https://www.ssllabs.com/ssltest/analyze.html the reason being:
##############
This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F:
##############
The URL that’s failing is a link for OWA that goes through our Firewall > TMG > Exchange 2010. TMG and Exchange are both 2008 R2 SP1 x64 and fully MS patched. I’ve done a bit of reading and found a tool that apparently should fix it, called "IIS Crypto"
https://www.nartac.com/Products/IISCrypto/
I’ve run it on the TMG server and rebooted but it’s still failing. ):
What exactly should we be doing to fix this and on which server (e.g. TMG or Exchange)?
Cheers
Sure, keep us posted. Rather not introduce another lockdown tool unnecessarily.
ASKER
Fixed!!
If interested -
On TMG server under --- HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\
added
DisableRenegoOnServer 1
AllowInsecureRenegoClients 0
See article but needed to add
http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html
Thanks breadtan
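A way to audit, and optionally set, the two SChannel values named in the post above. This is an added example, not part of the original thread; the helper name `Get-RenegoState`, the `-Apply` switch and the DWORD value type are assumptions (the post gives only the value names and data), and `-Apply` needs an elevated prompt.

```powershell
# Added example: audit the SChannel renegotiation values from the post.
# Written to run on PowerShell 2.0, as shipped with Windows Server 2008 R2.
param([switch]$Apply)   # hypothetical switch: write missing or wrong values

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Value names and data exactly as posted in the thread.
$desired = @{
    DisableRenegoOnServer      = 1
    AllowInsecureRenegoClients = 0
}

function Get-RenegoState {
    param([string]$Path, [hashtable]$Want)
    foreach ($name in $Want.Keys) {
        # A missing value returns nothing; treat it as non-compliant.
        $item    = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.$name } else { $null }
        New-Object PSObject -Property @{
            Name      = $name
            Current   = if ($null -eq $current) { '<not set>' } else { $current }
            Desired   = $Want[$name]
            Compliant = ($null -ne $current -and $current -eq $Want[$name])
        } | Select-Object Name, Current, Desired, Compliant
    }
}

$state = @(Get-RenegoState -Path $key -Want $desired)
$state | Format-Table -AutoSize

if ($Apply) {
    foreach ($row in ($state | Where-Object { -not $_.Compliant })) {
        # DWORD type is an assumption; the post does not state it.
        New-ItemProperty -Path $key -Name $row.Name -Value $row.Desired `
            -PropertyType DWord -Force | Out-Null
    }
    # Read back so the change is confirmed from the registry, not assumed.
    Get-RenegoState -Path $key -Want $desired | Format-Table -AutoSize
}
```

Run it without `-Apply` first to see the current state on the TMG server, then re-run the SSL Labs test after any change.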
thanks for sharing!