Okay, we could be (hopefully) getting closer to figuring out the certificate / bridging a.o. scenario / demands. The thing I am looking into right now is: which of the ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly fail responses are to be corrected manually, and which will be done by the script, or by the CU14 installer?
The offloading/bridging part on the load balancer: will figure that out with a colleague, I hope.
Probably bridging with different certificates at the moment, so I guess I'd have to replace either the Ex-IIS\Default Site certificate or the one on the "inner side" of the load balancer, facing towards the Exchange servers? With what exactly? Specific demands for that certificate, like what type, and including all SANs we already have for all the Exchange host names like autodisc., mail, ...? What about the outward-facing side on the LB, and certificates there?
Will these (fulfilled) certificate requirements, plus the fixes from the prereq check, be enough for EP to work?
Thanks a lot, guys..
Some questions further down as well..
.\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly
Version 24.02.21.1812
.. TLS Configuration below

RegistryName        Location                                                                               Value
------------        --------                                                                               -----
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v4.0.30319
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                            1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                                1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client   1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client   0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server   1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server   0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client   0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client   -1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server   0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server   -1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client   0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client   -1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server   0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server   -1
Test Failed: SchUseStrongCrypto is not configured as expected ***
System affected: ...
System affected: ...
Action required: Configure SchUseStrongCrypto for NETv4 as described here: https://aka.ms/ExchangeEPDoc
WARNING: Failed to pass the TLS prerequisites for the servers you are trying to enable Extended Protection. Unable to continue.
Servers trying to enable: ...
WARNING: '.....\RPC (Default Web Site)' has SSLOffloading set to true. Therefore, we can not configure Extended Protection. (yellow line)
WARNING: '.....\RPC (Default Web Site)' has SSLOffloading set to true. Therefore, we can not configure Extended Protection. (yellow line)
WARNING: Please address the following server regarding RPC (Default Web Site) and SSL Offloading: ....., .....
WARNING: The following cmdlet should be run against each of the servers: Set-OutlookAnywhere 'SERVERNAME\RPC (Default Web Site)' -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
All servers that we are trying to currently configure for Extended Protection have RPC (Default Web Site) set to false for SSLOffloading. (gray line)
*** wait, now what? four lines up, it said the opposite?
WARNING: Unable to continue due to the required prerequisites to enable Extended Protection in the environment. Please address the above issues.
*** As mentioned, please tell, aot and the cert questions, what to fix myself and what will be handled by the script or installer. Thanks a lot in advance.
Robert
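Added example, not part of Robert's post and not code from the ExchangeExtendedProtectionManagement.ps1 script: a small PowerShell check-and-fix for the two prerequisite failures the output above reports, the .NET SchUseStrongCrypto / SystemDefaultTlsVersions registry values and the Outlook Anywhere SSLOffloading flag. It assumes it is run in the Exchange Management Shell as an administrator on the Exchange server, that the values wanted are DWORD 1 under both the 64-bit and Wow6432Node .NET v4.0.30319 keys (the values the Exchange TLS guidance linked from https://aka.ms/ExchangeEPDoc describes), and that the "SystemTlsVersions" column in the script's output refers to the registry value actually named SystemDefaultTlsVersions. Without -Fix it only reports; with -Fix it writes the registry values and runs the Set-OutlookAnywhere cmdlet the warning quoted.

```powershell
# Added example (not from the original post or from ExchangeExtendedProtectionManagement.ps1).
# Assumptions: Exchange Management Shell, run as administrator on the Exchange server;
# expected values SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 (DWORD) under the
# 64-bit and Wow6432Node .NET v4.0.30319 keys; Extended Protection needs SSLOffloading
# = $false on the RPC (Default Web Site) virtual directory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix,                               # without -Fix the script only reports
    [string[]]$Server = @($env:COMPUTERNAME)    # Exchange servers to check Outlook Anywhere on
)

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$wanted = @{ 'SchUseStrongCrypto' = 1; 'SystemDefaultTlsVersions' = 1 }

# Reads one registry value and returns whether it matches the expected DWORD.
function Test-NetTlsValue {
    param([string]$Key, [string]$Name, [int]$Expected)
    $item   = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { $null } else { $item.$Name }
    [pscustomobject]@{
        Key      = $Key
        Name     = $Name
        Actual   = $actual          # $null means the value does not exist (as in the check output)
        Expected = $Expected
        Ok       = ($actual -eq $Expected)
    }
}

$results = foreach ($key in $netKeys) {
    foreach ($name in $wanted.Keys) {
        Test-NetTlsValue -Key $key -Name $name -Expected $wanted[$name]
    }
}
$results | Format-Table Name, Key, Actual, Expected, Ok -AutoSize

foreach ($r in ($results | Where-Object { -not $_.Ok })) {
    if ($Fix -and $PSCmdlet.ShouldProcess("$($r.Key)\$($r.Name)", "set DWORD to $($r.Expected)")) {
        # -Force creates a missing value and overwrites a wrong one in a single call.
        New-ItemProperty -Path $r.Key -Name $r.Name -Value $r.Expected -PropertyType DWord -Force | Out-Null
    } else {
        Write-Warning "$($r.Key)\$($r.Name) is '$($r.Actual)', expected $($r.Expected) (run with -Fix to set it)"
    }
}

# Outlook Anywhere: report or clear SSLOffloading on each server's RPC virtual directory.
foreach ($s in $Server) {
    foreach ($oa in (Get-OutlookAnywhere -Server $s)) {
        if ($oa.SSLOffloading) {
            if ($Fix -and $PSCmdlet.ShouldProcess($oa.Identity, 'disable SSL offloading')) {
                Set-OutlookAnywhere -Identity $oa.Identity -SSLOffloading $false `
                    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
            } else {
                Write-Warning "$($oa.Identity) has SSLOffloading = True (run with -Fix to disable it)"
            }
        } else {
            Write-Host "$($oa.Identity): SSLOffloading is already False"
        }
    }
}
```

Run it once without -Fix to see the same two findings the prerequisite check reported, then with -Fix -WhatIf to preview, and finally with -Fix. The .NET values are read when a process starts, so restart the server (or at least the Exchange and IIS services) before running ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly again; clearing SSLOffloading on Outlook Anywhere only affects the Exchange side, the load balancer's bridging / offloading setup still has to match it.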