From: Edmonton, AB, CA
I have a couple ISA servers (2004 and 2006) that are used to publish a couple HTTPS web sites. We recently had a network audit and one of the things that came back was that the ISA servers were listing SSLv2 and >128-bit ciphers as available for use to web clients.
When I ran SSL Check from serversniff.net it seemed to confirm the results (posted below). Is there a way to specify that ISA only accept TLS1.X/SSLv3 connections? At the very least I need to ensure nothing less then 128-bit encryption is used but I noticed if I set the web listener in ISA 2006 to accept HTTP/HTTPS connections but redirect all incoming HTTP requests to HTTPS that the option in the web publishing rule to always use 128-bit encryption is greyed out, so I'm not sure if that means the ISA 2006 server will accept a 56-bit SSL connection, for example. Ideally I'd like to limit ISA to 128+ bit ciphers and TLS1.X/SSLv3 only.
For reference here is the results for the ISA 2006 server.
Preferred cipher: TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128)
Available SSL2 ciphers: DES-CBC3-MD5 168 bit RC2-CBC-MD5 128 bit RC4-MD5 128 bit DES-CBC-MD5 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit
Available SSL3 ciphers: DES-CBC3-SHA 168 bit RC4-SHA 128 bit RC4-MD5 128 bit DES-CBC-SHA 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit
Available TLS1 ciphers: DES-CBC3-SHA 168 bit RC4-SHA 128 bit RC4-MD5 128 bit DES-CBC-SHA 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit SSL-Connection: SSL-Overhead: SSL handshake has read 1017 bytes and written 300 bytes New, TLSv1/SSLv3, Default Cipher is RC4-MD5 Length of public server-key: 1024 bit Default protocol : TLSv1 Default Cipher : RC4-MD5 • TLS 1.1 support... no • fallback from TLS 1.1 to... TLS 1.0 • TLS 1.0 support... yes • SSL 3.0 support... yes • server can accept Hello Extensions... yes • server can accept cipher suites not in SSL 3.0 spec... yes • server can accept a bogus TLS record version in the client hello... yes • server understands TLS closure alerts... partially • server supports session resumption... yes • ephemeral Diffie Hellman support... no • ZLIB compression support (TLS extension)... no • LZO compression support (GnuTLS extension)... no • SRP authentication support (TLS extension)... no • OpenPGP authentication support (TLS extension)... no =====================
< Message edited by Jack in the Box -- 23.Feb.2007 11:42:18 PM >
yep, there seems to be a little GUI problem with the checkbox 'Require 128-bit encryption for HTTPS traffic' if the radio button 'Redirect all traffic from HTTP to HTTPS' is enabled on the Web listener.
However, you can get it to work if you perform the following steps in sequence (I only tested it on ISA 2006): 1. go to the listener, tab Connections and make sure you select the radio button 'Do not redirect traffic from HTTP to HTTPS'. 2. next go to the rule, tab Traffic and you will see that the check box 'Notify HTTP users to use HTTPS instead' becomes available. Check that box. 3. by doing that the check box 'Require 128-bit encryption for HTTPS traffic' becomes also available. So, check that box too. 4. finally, go back to the listener, tab Connections and now select the radio button 'Redirect all traffic from HTTP to HTTPS'.