Exchange EPA enabling

Max Coder

Feb 20, 2025, 2:38:40 PM
to ntsysadmin
Hi,

Here is my environment.

Exchange 2019 CU13 on 2022 OS

I am using the same SSL certificate on my load balancer and Exchange servers.

We are not using HMA (Hybrid Modern Authentication) and Public Folders

Already enabled for TLS 1.0 and TLS 1.1 and TLS 1.2

We have Exchange Hybrid environment.

I will install CU14. I have some questions.

1 - Do I have to disable TLS 1.0, TLS 1.1? And TLS is configured correctly with .NET 4.X set up properly?

2 - I use Defender ATP as AV. Is there a problem with this AV?

3 - Outlook Anywhere SSL offloading is already enabled. If I disable it, will there be a problem on the client side?

4 - LmCompatibilityLevel: 5 on all Exchange servers,
      but the Default Domain Controller policy is Level 1.
Will that cause problems? Outlook credentials prompt?

Michael B. Smith

Feb 20, 2025, 2:42:58 PM
to ntsys...@googlegroups.com

CU15 has been released. I would install that instead.

[1] no

[2] no

[3] [4] Either could potentially cause an auth prompt, but shouldn’t if you are running Outlook 365.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/5a5fb239-c0ac-493a-ba01-c9da740af545n%40googlegroups.com.

maxcoder1

Feb 20, 2025, 2:50:50 PM
to ntsys...@googlegroups.com
I am using the same SSL certificate on my load balancer and Exchange servers. F5 Load Balancer is running in SSL bridging mode.

I will run the following command as a prerequisite for EPA. I think this should not cause a problem. Correct?

Set-OutlookAnywhere "EX01-2019\RPC (Default Web Site)" -SSLOffloading $false

Also, can you give some detailed information for 4 items? What should be the minimum Default Domain Controller policy as NTLM?

Belanger, Xavier B

Feb 20, 2025, 3:02:00 PM
to ntsys...@googlegroups.com

Hi,

Max Coder wrote:

> 1 - Do I have to disable TLS 1.0, TLS 1.1? And TLS is configured correctly with .NET 4.X set up properly?

TLS 1.0 and 1.1 have been officially deprecated since 2021:

[ https://www.ietf.org/rfc/rfc8996.html ]

If you’re using any vulnerability scanner in your environment, this will very likely be reported.

In this day and age, you should use TLS 1.2, and 1.3 if possible. Exceptions for old clients and applications could exist, but should only be exceptions.

Sincerely,

--

Xavier Belanger

IT Security Architect | CISSP | Office of Information Security

University of North Carolina Wilmington

Michael B. Smith

Feb 20, 2025, 5:44:08 PM
to ntsys...@googlegroups.com

Exchange 2019 CU15 supports TLS 1.3 for all protocols EXCEPT SMTP. Support for SMTP will be added in a later patch.

TLS 1.3 is used preferentially for all protocols, except SMTP, unless the connecting remote requests a lower level of TLS. The admin can choose to disable those, but it can cause issues.

Michael B. Smith

Feb 20, 2025, 5:47:10 PM
to ntsys...@googlegroups.com

I’m pretty sure that your Set-OutlookAnywhere will require more parameters than that. This is covered in detail by the Exchange deployment assistant.

I don’t know the details of your environment. I can’t make comments as to what you “should” configure things to be. Windows is complicated.
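
Added example, not part of any post in this thread: a read-only PowerShell script that collects the settings the questions above touch on (Schannel TLS switches, .NET 4.x TLS values, LmCompatibilityLevel, Outlook Anywhere SSL offloading) so the output can be compared across Exchange servers before enabling EPA. It assumes it is run locally on each server, with the Exchange Management Shell loaded for the last check; the helper name Get-RegValue is made up for this example.

```powershell
# Read-only: reports settings on the local server; nothing is changed.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Hypothetical helper: returns $null when the key or value is absent,
    # which means the operating system default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = [ordered]@{ Server = $env:COMPUTERNAME }

# Question 1: Schannel protocol switches, per protocol and role.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Server', 'Client') {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $report["$proto $role $name"] = Get-RegValue "$schannel\$proto\$role" $name
        }
    }
}

# Question 1: .NET Framework 4.x TLS values, 64-bit and 32-bit registry views.
$dotnet = [ordered]@{
    'NET4 x64' = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'NET4 x86' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}
foreach ($view in $dotnet.Keys) {
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        $report["$view $name"] = Get-RegValue $dotnet[$view] $name
    }
}

# Question 4: NTLM compatibility level configured on this machine.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$report['LmCompatibilityLevel'] = Get-RegValue $lsa 'LmCompatibilityLevel'

# Question 3: Outlook Anywhere SSL settings (only if Exchange cmdlets are loaded).
if (Get-Command Get-OutlookAnywhere -ErrorAction SilentlyContinue) {
    $oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
    $report['OA SSLOffloading']             = $oa.SSLOffloading
    $report['OA InternalClientsRequireSsl'] = $oa.InternalClientsRequireSsl
    $report['OA ExternalClientsRequireSsl'] = $oa.ExternalClientsRequireSsl
}

[pscustomobject]$report | Format-List
```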