Disable SSLv3 on Lync Edge server

Hi, Guys.

Good Day!

Need your assistance on this.

Do you know how to disable SSLv3 on Lync Edge server? Any considerations and/or procedures to do this? Please advise.

Thank you.



August 31st, 2015 4:32am

Hi,

In registry editor, go to

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

Change the value to 0 or add a new DWORD value "Enabled" and set it to 0.

August 31st, 2015 4:56am


Hi, Yoav.

Do you have any supporting MS article for this? Please advise.

Thank you.

August 31st, 2015 8:10pm

Hi lrwinBats,

 

Please check the following KB.

https://support.microsoft.com/en-us/kb/245030?wa=wsignin1.0

 

These keys might not exist so they need to be created prior to setting values.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

 

Best regards,

Eric

August 31st, 2015 10:47pm

Hi, Guys. Do I need to do something after applying this [i.e. restart of IIS, Lync Services restart]? Please advise. Thank you.
September 1st, 2015 6:31am

Hi

You will need to reboot the server for it to take effect.

thanks

September 1st, 2015 6:57am

Hi, Guys.

As you have said, this registry key is not present on our Lync Edge server. Given this, can you share any procedures / articles on how to create this key and disable it as well? Please advise.

When I navigate to 

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Under this I only see an SSL 2.0 folder, and under that a Client folder.

Further, do I need to create all of these 3 as well so that the change will take effect?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

Thank you.

September 3rd, 2015 6:32am

Hi

You will need to create the Keys and Entries manually for 3.0 and TLS 1.0

http://disablessl3.com/

and

https://support.microsoft.com/en-us/kb/187498

TechNet one has a nice friendly fixit tool to just run and reboot :)

thanks

September 3rd, 2015 7:00am

Do I need to create TLS 1.0 given that I only need to disable SSL 3.0? Please advise.
September 3rd, 2015 9:07am

Not specifically to protect against POODLE. But some people want to force TLS 1.2 as the only protocol as it offers the strongest protection. Entirely down to your choice.

thanks

September 3rd, 2015 9:27am

Hi, Guys. Good Day! Could you please share your experience after you apply the registry settings for the server to disable SSLv3? Did you encounter any issues like the server didn't come back from restart? How long would it take you to complete this task? Please advise. Thank you.
September 6th, 2015 4:12am

Hi

This is a pretty easy task usually, with a reboot the server should come back online without excessive waiting. 

I have seen excessive server reboots when the server fails to ping the default gateway, but that's unrelated to this specific task.

thanks

September 6th, 2015 4:24am

Hi, Guys.

Good Day!

How do you disable SSLv2 on Lync Edge? Is it the same approach as when we change the registry key for SSLv3? Please advise.

Thank you.

September 13th, 2015 10:04am

Hi lrwinBats.

Yes, it's the same.


Best regards,

Eric


September 13th, 2015 11:05am
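
The procedure discussed in this thread (create the missing Schannel protocol keys, set the DWORD "Enabled" to 0, reboot) can be scripted as below. This is an added example, not code from any poster or from Microsoft; the function names `Disable-SchannelProtocol` and `Get-SchannelProtocolState` are hypothetical helpers. It assumes the Server role by default, as in the first answer, and goes slightly beyond the thread by accepting any protocol name, so the same call covers "SSL 2.0".

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Function names below are hypothetical helpers, not built-in cmdlets.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 3.0' or 'SSL 2.0'
        [string[]]$Role = @('Server')              # pass 'Server','Client' to set both keys
    )
    foreach ($r in $Role) {
        $key = Join-Path $SchannelProtocols (Join-Path $Protocol $r)
        # Create the key (and any missing parent keys) only if it is absent,
        # so an existing key and its values are left untouched.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # DWORD "Enabled" = 0 is the setting given in the thread.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'),
        [string[]]$Role = @('Server', 'Client')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key = Join-Path $SchannelProtocols (Join-Path $p $r)
            $exists = Test-Path -Path $key
            $enabled = $null
            if ($exists) {
                $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
            }
            # One row per protocol/role so missing keys are visible at a glance.
            [pscustomobject]@{
                Protocol  = $p
                Role      = $r
                KeyExists = $exists
                Enabled   = if ($null -eq $enabled) { '(not set)' } else { $enabled }
            }
        }
    }
}

Disable-SchannelProtocol -Protocol 'SSL 3.0'
Get-SchannelProtocolState | Format-Table -AutoSize
# Reboot the server afterwards for the change to take effect, as noted in the thread.
```

The state check only reads back the registry; it does not probe the listening services, so confirm the result after the reboot.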

This topic is archived. No further replies will be accepted.
