Mail Security for Microsoft Exchange (SMSMSE) support for TLS 1.2.

Article ID: 171878

Products

Mail Security for Microsoft Exchange

Issue/Introduction

With the release of the following Exchange updates, Microsoft has announced that TLS 1.2 can be strictly enabled on Exchange Server and that earlier TLS/SSL versions can now be disabled:

  • Exchange 2013 CU 20
  • Exchange 2016 CU 9

After TLS 1.0 and TLS 1.1 are disabled on the system, Symantec Mail Security for Microsoft Exchange (SMSMSE) can no longer perform Manual or Scheduled scans.

Once TLS 1.0 is disabled on the Exchange server, SMSMSE can no longer contact Autodiscover to determine the EWS URL. As a result, SMSMSE fails to retrieve the URL and cannot contact EWS.

DebugView (SMSMSE Debug logging):


[13528] SMSMSE EWS Client: The Autodiscover service couldn't be located.
[13528]  Source: Symantec.MailSecurity.EWS.Client.SMSMSEEWSClient::AutodiscoverUrl
[13528] AutodiscoverUrl at offset 462 in file:line:column <filename unknown>:0:0
[13528]  
[13528] SMSMSE EWS Client: Autodiscovery try 20 failed
[13528]  Source: Symantec.MailSecurity.EWS.Client.SMSMSEEWSClient::AutodiscoverUrl
[13528] AutodiscoverUrl at offset 462 in file:line:column <filename unknown>:0:0

Additionally, because SMSMSE cannot contact EWS, Manual or Scheduled scans produce the following Windows events:

Event Viewer Application logs:


Log Name:      Application
Source:        Symantec Mail Security for Microsoft Exchange
Date:          28-05-2018 12:27:47
Event ID:      396
Task Category: Manual and Scheduled Scanning
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      e16-sms-lab-mb2.smse16.com
Description:
The scan Manual could not be completed as Microsoft Exchange's Client Access Server is not reachable.

Error code: 0x80004005

 

Log Name:      Application
Source:        Symantec Mail Security for Microsoft Exchange
Date:          28-05-2018 12:27:47
Event ID:      394
Task Category: Manual and Scheduled Scanning
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      e16-sms-lab-mb2.smse16.com
Description:
Scan Failed: Manual.

Resolution

Portions of Symantec Mail Security for Microsoft Exchange (SMSMSE) were compiled against .NET 2.0. The SMSMSE installation prerequisites list .NET 3.5 as required because, on Windows Server 2008 R2 and later, .NET 3.5 is what includes the .NET 2.0 runtime. By default, .NET 2.0 does not have TLS 1.2 support enabled.

To allow .NET 2.0 compiled applications to communicate using TLS 1.2, first apply the appropriate patch for your operating system so that .NET applications can negotiate TLS 1.2:

Next, follow the steps outlined below to enable TLS 1.2 for .NET 2.0.

  1. Open "Run" and launch the Registry Editor (regedit.exe)
  2. Navigate to:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
  3. Create or modify the DWORD value "SystemDefaultTlsVersions" and set it to "1"
  4. Navigate to:  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
  5. Create or modify the DWORD value "SystemDefaultTlsVersions" and set it to "1"
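
The same registry change, scripted so it can be applied and verified on several Exchange servers. This is an added example, not code from the article or from Symantec; it assumes the .NET hotfix referenced above is already installed and that the script runs from an elevated PowerShell session. The SCHANNEL check at the end is read-only and only reports which TLS versions the host currently has enabled or disabled.

```powershell
# Added example (not part of the KB article): enable system-default TLS versions
# for the .NET 2.0 runtime so .NET 2.0 compiled SMSMSE components negotiate TLS 1.2.
# Assumption: the .NET TLS hotfix for this OS is installed; run as Administrator.
#Requires -RunAsAdministrator

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'   # 32-bit runtime on x64
)
$name = 'SystemDefaultTlsVersions'

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        # Exchange 2013/2016 only run on x64, so both keys normally exist; create if missing.
        New-Item -Path $key -Force | Out-Null
    }
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        Write-Host "OK   $key\$name is already 1"
    } else {
        # -Force both creates and overwrites, matching steps 3 and 5 above.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "SET  $key\$name = 1 (previous value: '$current')"
    }
}

# Read-only report of the SCHANNEL protocol state, so the operator can confirm that
# TLS 1.0/1.1 are disabled and TLS 1.2 is enabled before re-running a Manual scan.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path (Join-Path $schannel $proto) $side
        $enabled = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $enabled) { 'not set (OS default)' }
                 elseif ($enabled -eq 0) { 'disabled' }
                 else { 'enabled' }
        Write-Host ('{0,-8} {1,-7} {2}' -f $proto, $side, $state)
    }
}

Write-Host 'Restart the SMSMSE processes so the running .NET code re-reads the setting.'
```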

For more information on enabling strict use of TLS 1.2 in Microsoft Exchange, see the following Microsoft articles:

TLS 1.2 for .NET 2.0:

  • https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework

TLS/SSL Protocols by Windows OS:

  • https://msdn.microsoft.com/en-us/library/windows/desktop/mt808159(v=vs.85).aspx

Exchange strict usage of TLS 1.2 only:

  • https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/
  • https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
  • https://blogs.technet.microsoft.com/exchange/2018/05/23/exchange-server-tls-guidance-part-3-turning-off-tls-1-01-1/