Can you please confirm that we all need to disable SSL Offloading for Outlook Anywhere, to enable EP? The_Exchange_Team, LukasSMSFT, Nino_Bilic
Is this the correct way, and I'm assuming this needs doing prior to running the EP script?
Set-OutlookAnywhere -Identity "EXCH1\rpc (Default Web Site)" -SSLOffloading $false -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
https://docs.microsoft.com/en-gb/powershell/module/exchange/set-outlookanywhere?view=exchange-ps#example-3
The 'Exchange Server Support for Windows Extended Protection' article is incredibly hard to follow! So many prerequisites to check, which link off to more supporting technical articles for review; this has taken up too much time evaluating customer environments. (TLS, NTLM, Outlook Anywhere SSL Offloading, Hybrid agent, Extended Protection)
I can't quite believe Microsoft have published a security article stating the requirement to enable EP to mitigate man-in-the-middle CVEs. Especially considering you can't enable EP if you use retention policy & tags to move to archive, as it effectively stops automated archiving from working! Why haven't Microsoft fixed this basic functionality that countless customers use, prior to publishing advice on mitigation? This now means that you either accept the loss of retention-based archiving or you leave your environment susceptible to man-in-the-middle based CVEs.
Similar opinion around Modern Hybrid deployments and having to move mailboxes to another server and manually having to edit IIS virtual directories.
The August SU is a shambles in my honest opinion, it is yet another example of how poor Exchange security has been of late. The need to enable EP fundamentally changes the default way Exchange client/server traffic is handled. Expecting administrators to configure this following the install of an SU, with known issues, is not what we want.
Perhaps Microsoft should start considering client/server connection security when actually developing the next iteration of Exchange Server.
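As an added example (not from the original post and not Microsoft's EP script), the following Exchange Management Shell script audits the Outlook Anywhere SSL settings on every server before the EP script is run, and only applies the Set-OutlookAnywhere change from the post when invoked with an assumed -Fix switch:

```powershell
# Added audit script; assumes an Exchange Management Shell session.
# -Fix is a switch introduced here for illustration; without it the script only reports.
param(
    [switch]$Fix
)

# One Outlook Anywhere virtual directory is returned per Exchange server.
$vdirs = Get-OutlookAnywhere

$report = foreach ($v in $vdirs) {
    # EP prerequisite from the support article: SSL offloading off, SSL required for all clients.
    $ready = (-not $v.SSLOffloading) -and $v.InternalClientsRequireSsl -and $v.ExternalClientsRequireSsl
    [pscustomobject]@{
        Server                    = $v.Server
        Identity                  = $v.Identity
        SSLOffloading             = $v.SSLOffloading
        InternalClientsRequireSsl = $v.InternalClientsRequireSsl
        ExternalClientsRequireSsl = $v.ExternalClientsRequireSsl
        ReadyForEP                = $ready
    }
}

$report | Format-Table -AutoSize

$notReady = $report | Where-Object { -not $_.ReadyForEP }
if (-not $notReady) {
    Write-Host "All Outlook Anywhere virtual directories have SSL offloading disabled and require SSL."
    return
}

foreach ($item in $notReady) {
    if ($Fix) {
        # Same change as in the post; with offloading off, TLS must terminate on the Exchange
        # server itself, so confirm any load balancer passes HTTPS through before applying.
        Set-OutlookAnywhere -Identity $item.Identity -SSLOffloading $false `
            -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
        Write-Host "Updated $($item.Identity)"
    } else {
        Write-Warning "$($item.Identity) is not ready for EP (SSLOffloading=$($item.SSLOffloading)); re-run with -Fix to change it."
    }
}
```

Run it once without -Fix to see which servers still offload SSL, then again with -Fix before starting the EP script.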