Forum Discussion
Recommended Exchange 2016 ciphers settings?
Hi Per,
I think it is pretty reasonable from F5 not to provide "recommended" settings for a product which they are not the product owner. How should F5 keep a list of recommended settings for each and every software on the market. Even for the most popular ones (thinking Exchange/SharePoint in versions 2010, 2013, 2016, 2019, SAP ERP, etc.) it would be challenging.
Microsoft provides some insights on the supported / recommended cipher settings, though they are also not giving a definite list. First off all Microsoft (from October 31st, 2018) stopped support for TLS 1.0 and TLS 1.1 for Office 365. It does not mean that you must disable TLS 1.0 and / or 1.1, but it means you won't get support when you are using one of these. See here: Preparing to use TLS 1.2 in Office 365
And they are providing you with a list of checks that should be performed in advance. See Part 1 to 3 of this series: Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2
Regarding your issue. Why don't you try with an iRule to figure out what kind of client traffic you receive. From that analysis you can probably rule out some SSL versions and cipher suites that you don't want to have. Then you could try to figure out if and which of your clients are using legacy SSL versions and cipher suites and decide how to cope with these.
A logging iRule could like something like this:
when CLIENTSSL_HANDSHAKE {
switch [SSL::cipher version] {
"TLSv1" {
log local0. "TLS1.0 Session - Client: [IP::client_addr] successfully negotiated [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
}
"TLSv1.1" {
log local0. "TLS1.1 Session - Client: [IP::client_addr] successfully negotiated [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
}
"TLSv1.2" {
log local0. "TLS1.2 Session - Client: [IP::client_addr] successfully negotiated [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
}
default {
log local0. "Legacy SSL Session - Client: [IP::client_addr] successfully negotiated [SSL::cipher version] - [SSL::cipher name] - [SSL::cipher bits] - For the VIP - [virtual name]"
}
}
You can test your iRule with cURL:
curl -v --tlsv1 owa.mydomain.com
curl -v --tlsv1.0 owa.mydomain.com
curl -v --tlsv1.1 owa.mydomain.com
curl -v --tlsv1.2 owa.mydomain.com
curl -v --sslv3 owa.mydomain.com
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com