Skip to main content

Netscaler vs Exchange 2019 "time out during ssl handshake stage

If you are using Citrix Netscaler as load balancer in front of Exchange 2019 server you must know this:

Microsoft Exchange 2019 is secured by default and allows only TLS 1.2. Therefore default schannel settings are as follows (using IISCrypto tool from Nartac Software):



While Citrix Netscaler offers following Cipher Suites:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA

Now, you will find that you also need to change following registry keys to 1 to downgrade security on your Exchange server (read more)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000001
"AllowInsecureRenegoServers"=dword:00000001

But if you do just that Citrix Netscaler will still not work with your Exchange 2019 server. You need to enable TLS 1.1 and the Cipher Suites that accompany TLS 1.1




Comments

Popular posts from this blog

Change SMTP port 25 in Exchange 2007, 2010

For some reason you might want to change default SMTP port number 25 Exchange 2007 is using. Exchange 2007 uses RECEIVE AND SEND connectors, one for receiving mails and other for sending mails (obviously ;) So you need to change ports on those connectors. I will not say those two, because you might be using more than two. You change Receive connector port by opening the connector properties in Exchange Management Console --> Hub Transport --> RECEIVECONNECTORNAME --> Properties --> Network --> Local IP Addresses (Edit Receive Connector Binding) Just to clarify what "Local IP Addresses" and "Remote Servers" are (from Exchange 2007 help), because I find it little bit confusing: Use these local IP Addresses to receive mail Use this list to specify the IP addresses and port numbers on which this Receive connector listens for incoming mail. Receive mail from remote servers which have these IP addresses Use this list to specify the

The attempt to connect to http://yourserver/PowerShell using "Kerberos" authentication failed

The error you get: The attempt to connect to http://yourserver/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found If you removed Exchange server from the machine and installed it again, you can get following error when you open Exchange Management Console: The following error occurred while attempting to connect to the specified Exchange server 'yourserver.domain.com': The attempt to connect to http://yourserver.domain.com/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found. Possible causes are:   -The user name or password specified are invalid.   -Kerbero

Error "<#5.5.2 smtp;554 5.5.2 Invalid data in message> #SMTP#" when you send attachment in your mail

Some users were receiving error <#5.5.2 smtp;554 5.5.2 Invalid data in message> #SMTP# when they sent message with attachment. The problem is when attached document name is longer than 50 characters . Some Firewalls have header size restriction and that limit blocks this messages to be sent. To correct this, change header limit on affected Firewall or shorten the name of the document you are sending (which is probably not good permanent solution). ****** Update #1 : Default header size limit in Exchange 2007 is 64K . Update #2: It might be the SMTP version problem. Mail is rejected with CONTENT-DISPOSITION error (overly long message header field for CONTENT-DISPOSITION) but not for all SMTP servers (same mail sent through different SMTP servers). If you send mail with attachment that has name longer than 50 characters from Exchange 2007 directly through DNS you may encounter this error, but if you send same mail from Exchange 2007 through smart host (other than Exch