Removal of TLS 1.0

Hello

We have Exchange 2013 w/ CU8 and everything patched up from Windows update.  

Recently our PCI scanner has required that TLS 1.0 not be used to pass compliance. So using Qualys IIS Crypto I used the PCI template and unchecked TLS 1.0. Restart the server. After restart I can get to the OWA/ECP login screen just fine. It shows it is using TLS 1.2. However, if I log in, I get a blank page.

If I try Outlook 2013 it will not load the profile. If I try to test the AutoConfiguration I get unable to determine settings.

If I go back recheck TLS 1.0 and reboot, everything works fine again.

There seem to be no errors in the event logs related to this. If I go into the HttpProxy log I see:

2015-05-02T20:28:34.695Z,3d4032db-5e41-471d-8b7d-8e9d428400bf,15,0,1076,0,,Ecp,mail1.XXXXXX.net,/ecp/,,FBA,true,
XXXXXX\Administrator,,ServerVersion~Version 15.0 (Build 0.0),Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,10.100.100.155,MAIL1,503,SendFailure,SendFailure,GET,Proxy,mail1.XXXXXX.net,15.00.1076.000,IntraForest,ExchClientVer-UrlQuery,,,,
0,,1,,25,0,,0,,0,,0,0,,0,39,0,,,,5,1,,,0,1,13,1,7,8,9,34,39,,?ExchClientVer=15,,BeginRequest=2015-05-02T20:28:34.664Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1941996596;NewConnection=::1&0;BeginGetResponse=2015-05-02T20:28:34.695Z;NewConnection=10.100.100.230&0;
OnResponseReady=2015-05-02T20:28:34.695Z;EndGetResponse=2015-05-02T20:28:34.695Z;ProxyState-Complete=WaitForServerResponse;EndRequest=2015-05-02T20:28:34.695Z;,
WebExceptionStatus=SendFailure;WebException=System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. --->
System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. --->
System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult) ---
End of inner exception stack trace --- at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) ---
End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<>c__DisplayClass2c.<OnResponseReady>b__2b();


Any help would be great.

May 2nd, 2015 5:36pm

Hi Bryan,

Not sure about this 3rd party Qualys IIS Crypto. Usually you would manage cryptography by configuring the cryptography providers from the OS, so if you check the protocols enabled under HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ (as per https://technet.microsoft.com/en-us/library/security/3009008.aspx?f=255&MSPPError=-2147217396) you may find the protocols are enabled / disabled on your operating system, so it will also not be used by Exchange. This is OK for ExchangeServer --> (load balancer like Kemp or Netscaler) --> Outlook / ActiveSync/OWA


Did you already try this approach? If this is working for you, I suggest checking your Qualys IIS documentation to see if you really need to use that.

Regards,
Martin
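As an added example (not code from the thread or from either vendor), a read-only PowerShell audit of the Schannel registry keys Martin refers to, so you can see per protocol and per side (Client/Server) what the OS is actually configured to offer before and after a tool like IIS Crypto changes it. It assumes it runs on the Exchange host with rights to read HKLM; it writes nothing.

```powershell
# Added example: report the Schannel protocol configuration from the registry.
# Assumption: run on the Windows/Exchange host itself; read-only.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateSet('Client', 'Server')] [string] $Side
    )
    $key = Join-Path $SchannelBase "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Schannel uses the OS default for this protocol and side.
        return [pscustomobject]@{
            Protocol = $Protocol; Side = $Side
            Enabled = '(OS default)'; DisabledByDefault = '(OS default)'
        }
    }
    $item = Get-ItemProperty -Path $key
    # Enabled = 0 turns the protocol off; any non-zero value (e.g. 0xffffffff) leaves it on.
    $enabled = if ($null -ne $item.Enabled) { $item.Enabled -ne 0 } else { '(OS default)' }
    # DisabledByDefault = 1 means it is available but not offered unless an app asks for it.
    $dbd = if ($null -ne $item.DisabledByDefault) { $item.DisabledByDefault -ne 0 } else { '(OS default)' }
    [pscustomobject]@{
        Protocol = $Protocol; Side = $Side
        Enabled = $enabled; DisabledByDefault = $dbd
    }
}

function Get-SchannelReport {
    foreach ($p in $Protocols) {
        foreach ($s in 'Client', 'Server') {
            Get-SchannelProtocolState -Protocol $p -Side $s
        }
    }
}

# Example run: compare this output with TLS 1.0 checked and unchecked in IIS Crypto.
Get-SchannelReport | Format-Table -AutoSize
```

Note that a Server-side entry governs what the host accepts from inbound connections, while the Client-side entry governs what it offers when the host itself opens a connection (as the front-end proxy does to the back end in the log above); the two are configured independently.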

May 3rd, 2015 4:20am

Hi,

From your description, in order to determine whether the issue is related to the third-party software Qualys IIS Crypto, I recommend you disable it temporarily and check if OWA and ECP can work well. If yes, I recommend you contact the third-party vendor to troubleshoot this issue.

Hope this can be helpful to you.

Best regards,

May 4th, 2015 5:36am

IIS Crypto simply sets the Schannel settings in the registry.  It's a fairly common program to do this with.

I have tried to manually set the settings as well and the result is the same.  With TLS 1.0 disabled I can't get in.  Re-enabled and it works.

I probably should add these facts.

The internal domain and the external domain are not the same.  The mail server is set to answer the external domain requests for everything.

It uses a wildcard cert.

When TLS 1.0 is disabled the Exchange Management Shell will not connect either.

This is the only Exchange server we have.

It's on Windows 2012 R2

May 4th, 2015 11:13am

BUMP

I am seeing the exact same issue and related log data as above, on our Exchange 2013 CU8 fully patched Windows Server 2012 (NOT R2). To pass our PCI Certification scan, we must disable TLS 1.0 and are unable to do so. With TLS 1.0 DISABLED, Exchange 2013-CU8 mail-flow stops, the OWA or ECP sites are blank after logging in and the Exchange Management Shell will not connect. If I re-enable TLS 1.0, all is fine. I've also tried using the Nartac IISCrypto AND the MANUAL registry method with the same results.

I've been doing a lot of internet searching and have come up with nothing so far.

It should not be this hard to disable a security protocol.

May 29th, 2015 3:04pm

I would stop trying.

We are on week 4 with our open ticket to MS.  It's been painful getting to this point but I think they finally fully understand the issue and what is required.  However I believe that it's not fully supported despite their claims.

Supposedly they have reproduced the problem in the lab and their next-level techs are working on it. But that has been the answer for the last 2 weeks. I keep pressuring them to resolve it, telling them it's a PCI requirement. But I keep getting this "we don't care about that" attitude back.

In the meantime we asked for a temp compliance exception as that's all we can do.

I will update this post once they have a solution.  But I bet it will take a rollup or CU to correct this.

May 29th, 2015 4:08pm

Thank you so much for responding Bryan! This makes me feel a little better!

Have a wonderful weekend!

May 29th, 2015 4:17pm

So I got a response and it's like I figured.

We have confirmed with our Product Team and confirmed that TLS 1.0 needed to be enabled on Exchange Servers.

Disabling TLS 1.0 on Exchange Server is not unsupported.

They seem to be suggesting they are not going to do anything, which is crazy.  When someone like NIST and PCI puts out documents saying that it needs to be gone, I hope it tells them they can't ignore this problem forever.  

So I guess since we are the tiny minority right now, there is nothing we can do but wait until someone large like the US Government or a major retailer comes along and forces them to do something.

June 12th, 2015 12:31pm

This is absolutely absurd to me. I am in the same boat, and also have this problem with SQL Server 2008, as it will not start without TLS 1.0. We are caught in the middle between PCI's rigorous demands and a software vendor who does not care.
July 9th, 2015 9:52am

gms_bruce,

The only option currently is to submit a mitigation plan with your PCI vendor.  You have until middle of next year to remove TLS 1.0 per PCI standards and as long as it was an existing system in place, you are covered.  If you use Trustwave, as many people do, their support will walk you through what paperwork must be submitted to allow the use of TLS 1.0 until the mandatory cutoff next year.

Hope that helps.

July 9th, 2015 11:03am

I have submitted my plan with my QSA but I just don't have a good feeling that Microsoft is going to provide updates by then that will allow my current systems to be upgraded. I have a feeling they'll tell me I need to buy all new versions of SQL and Exchange. 
July 9th, 2015 12:08pm
