Secure message delivery to DLP fails when FIPS mode is enabled


Article ID: 158610


Products

Messaging Gateway

Issue/Introduction

When Symantec Messaging Gateway (SMG) runs in FIPS-compliant mode, TLS-secured message delivery to the configured DLP server fails. Messages bound for the DLP server are held in the delivery queue with an error indicating that TLS negotiation failed:

 451 4.7.5 [internal] tls negotiation failed

Cause

When in FIPS mode, the SMG appliance is unable to negotiate a TLS-encrypted connection to the DLP Prevent server because of the stricter protocol and cipher requirements imposed by FIPS 140-2 compliant operation. This occurs regardless of whether the DLP Prevent server itself was installed with the FIPS-compliant options.

Resolution

This is a known issue and is fixed in SMG 10.5.2. Upgrade when possible.

Until then, the issue can be worked around by either of the following:

  • Reconfiguring the DLP Connect option to use plaintext delivery rather than TLS-secured delivery. Message content then crosses the network to the DLP Prevent server unencrypted, so this is only acceptable where that path is otherwise protected (for example, a dedicated or isolated network segment between the two systems).
  • Disabling FIPS mode with the CLI command fipsmode off. This turns off FIPS mode for the whole appliance, not only for DLP delivery, so confirm that this is acceptable under your compliance requirements before using it.

If neither of these options is compatible with your internal security policies, contact Symantec Customer Support to discuss other potential workarounds.
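Before choosing a workaround it helps to confirm, from an independent client, whether the DLP Prevent server can complete a STARTTLS handshake at all under FIPS-style constraints (TLS 1.2 or later, AES-GCM suites only). The following probe is an added example for this article, not SMG or DLP Prevent code. The cipher allow-list is an assumption that approximates FIPS 140-2 approved suites, the host name is a placeholder, and certificate verification is off by default so that a trust failure is not mistaken for the negotiation failure the queue error reports.

```python
"""Probe whether an SMTP host (e.g. a DLP Prevent server) completes STARTTLS
under FIPS-style constraints: TLS 1.2+ only, AES-GCM suites only.

Constructed diagnostic for the failure described in the article; it is not
SMG or DLP Prevent code. The cipher list is an assumption approximating
FIPS 140-2 approved suites, not Symantec's configured list."""
import socket
import ssl

# Assumption: FIPS 140-2 style allow-list (ECDHE/RSA key exchange, AES-GCM, SHA-2).
# TLS 1.3 suites are managed separately by OpenSSL and are not affected by this string.
FIPS_STYLE_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
])


def fips_style_context(verify: bool = False) -> ssl.SSLContext:
    """Client context offering only TLS 1.2+ and the allow-listed suites.

    verify=False probes negotiation only; a self-signed DLP certificate would
    otherwise surface as CERTIFICATE_VERIFY_FAILED, which is a different problem."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FIPS_STYLE_CIPHERS)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def allowed_protocols(ctx: ssl.SSLContext) -> set:
    """Protocol versions of every suite the context will offer (for inspection)."""
    return {c["protocol"] for c in ctx.get_ciphers()}


def _read_reply(sock: socket.socket) -> str:
    """Read one (possibly multi-line) SMTP reply and return its full text."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        if not data.endswith(b"\r\n"):
            continue
        # The final line of a reply is "NNN text"; continuation lines are "NNN-text".
        last = data[:-2].split(b"\r\n")[-1]
        if len(last) >= 4 and last[3:4] == b" ":
            break
    return data.decode("ascii", "replace")


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0,
                   verify: bool = False) -> dict:
    """Run EHLO/STARTTLS against host:port with the FIPS-style context.

    Returns {"ok": True, "version": ..., "cipher": ...} on success, or
    {"ok": False, "error": ...} when the handshake cannot complete (the condition
    behind the article's "451 4.7.5 [internal] tls negotiation failed")."""
    ctx = fips_style_context(verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.settimeout(timeout)
            banner = _read_reply(raw)
            if not banner.startswith("220"):
                return {"ok": False, "error": f"unexpected banner: {banner.strip()}"}
            raw.sendall(b"EHLO smg-probe.example\r\n")  # placeholder client name
            if "STARTTLS" not in _read_reply(raw).upper():
                return {"ok": False, "error": "server does not advertise STARTTLS"}
            raw.sendall(b"STARTTLS\r\n")
            go = _read_reply(raw)
            if not go.startswith("220"):
                return {"ok": False, "error": f"STARTTLS refused: {go.strip()}"}
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"QUIT\r\n")
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    # Placeholder target; pass the real DLP Prevent host (and port) on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "dlp-prevent.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_starttls(target, port))
```

If the probe succeeds with a TLS 1.2/1.3 AES-GCM suite, the DLP Prevent server can negotiate under FIPS-style constraints and the failure lies on the SMG side, which the 10.5.2 fix addresses; if it fails at the handshake, the DLP Prevent server's TLS configuration also needs attention before re-enabling TLS delivery.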


Applies To

Messaging Gateway
DLP Prevent