Link to home
Start Free TrialLog in
Avatar of kswan_expert
kswan_expert

asked on

Failing SSL report at SSL Labs

Hi,

We’re getting an F: grade for our Webmail URL on  https://www.ssllabs.com/ssltest/analyze.html the reason being:

##############
This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F:
##############

The URL that’s failing is a link for OWA that’s goes our Firewall > TMG > Exchange 2010.  TMG and Exchange are both 2008 r2 SP1 x64 and fully MS patched.  I’ve done a bit of reading and found a tool that apparently should fix called "IIS Crypto"

https://www.nartac.com/Products/IISCrypto/

I’ve run on the TMG server and rebooted but it’s still failing. ):

What exactly should we be doing to fix this and on which server (e.g. TMG or Exchange)?


Cheers
ASKER CERTIFIED SOLUTION
Avatar of btan
btan

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of kswan_expert
kswan_expert

ASKER

Thanks, will have a look at the Exchanger server.  I'm a bit wary of running IIS crypto on our Prod Exchange VM so will see if i can find the reg changes to add manually. The URL mentioned in your link above for MITM is dead. ):
Sure keep us posted. Rather not introduce another lockdown tool unnecessarily
Fixed!!

If interested -

On TMG server under ---  HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\

added

DisableRenegoOnServer      1
AllowInsecureRenegoClients       0


See article but needed to add
http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html


Thanks breadtan
thanks for sharing!