Working with a non-profit customer that has a Server 2016 Essentials server. Customer is utilizing almost all of the features in Essentials - workstations are running the Essentials "connector" and back up nightly to the server, Anywhere Access is enabled and used, etc.
Problem is... they added a credit card processing terminal on the LAN and now they are failing PCI Compliance scans due to Server 2016 Essentials' use of TLS 1.0 protocol, as well as 64-bit block ciphers, RC4 Ciphers, and the use of "clickjacking" URLs (they cite https://public IP/connect as an example).
My typical go-to fix for this is to add a Public IP, segregate the credit card terminal on a VLAN, route the new public IP to the VLAN and call it good. PCI compliance scans no longer see the server and we don't need to break the server's features.
But, this customer has no funds to add an additional public IP, and my understanding is that if we use something like IIS Crypto to harden the server, it will break the Server 2016 Essentials connector and thus break workstation backups, the ability to join workstations to the domain with the connector tool, and pieces of "Anywhere Access."
Anyone have any other ideas for dealing with this?
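A read-only audit script for the three things the scan flagged (Schannel protocol state, RC4/3DES cipher suites, and the missing X-Frame-Options header behind the "clickjacking" finding). This is an added example, not something from the poster or from Microsoft; it assumes an elevated PowerShell session on the Server 2016 Essentials box, the built-in `TLS` module (`Get-TlsCipherSuite`) and the IIS `WebAdministration` module, and that Anywhere Access is served from "Default Web Site" (adjust the site name if not). It changes nothing, so it is safe to run before and after any hardening attempt to see exactly what the scanner will see.

```powershell
# Read-only audit of the Schannel / IIS settings a PCI scan typically flags on
# Server 2016 Essentials. Assumptions: elevated session, TLS and
# WebAdministration modules present, Remote Web Access on "Default Web Site".

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Server-side protocol state. A missing key means no explicit override, so
#    the OS default applies (Schannel reads Enabled / DisabledByDefault DWORDs).
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $schannel "Protocols\$proto\Server"
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        $state = if ($p.Enabled -eq 0 -or $p.DisabledByDefault -eq 1) { 'disabled' } else { 'enabled' }
    } else {
        $state = 'not set (OS default)'
    }
    '{0,-8} server side: {1}' -f $proto, $state
}

# 2. Cipher suites currently offered. RC4 and 3DES (a 64-bit block cipher) are
#    the suites behind the "RC4" and "64-bit block cipher" findings.
$weak = Get-TlsCipherSuite | Where-Object { $_.Name -match 'RC4|3DES|DES_CBC|NULL' }
if ($weak) {
    'Weak suites still enabled:'
    $weak | ForEach-Object { "  $($_.Name)" }
} else {
    'No RC4/3DES/NULL suites enabled.'
}

# 3. Clickjacking finding: does the site send an X-Frame-Options header?
Import-Module WebAdministration -ErrorAction Stop
$site    = 'IIS:\Sites\Default Web Site'   # assumption: Anywhere Access site
$headers = Get-WebConfigurationProperty -PSPath $site `
    -Filter 'system.webServer/httpProtocol/customHeaders' -Name 'Collection'
$xfo = $headers | Where-Object { $_.name -ieq 'X-Frame-Options' }
if ($xfo) { "X-Frame-Options: $($xfo.value)" }
else      { 'X-Frame-Options header not set on Default Web Site' }
```

Because the script only reads state, it can be run on a schedule (or from a connector-equipped workstation over PowerShell remoting) to confirm that a change such as disabling RC4 actually took effect, and rerun after testing the connector, client backups and Anywhere Access to document which findings were resolved without breaking the Essentials features.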