Possible to specify which SSL protocols/ciphers ISA is allowed to use?

Possible to specify which SSL protocols/ciphers ISA is allowed to use? (Full Version)

All Forums >> [ISA 2006 Publishing] >> Web Publishing

Message

Jack in the Box -> Possible to specify which SSL protocols/ciphers ISA is allowed to use? (23.Feb.2007 7:12:34 PM)
I have a couple ISA servers (2004 and 2006) that are used to publish a couple HTTPS web sites. We recently had a network audit and one of the things that came back was that the ISA servers were listing SSLv2 and >128-bit ciphers as available for use to web clients. When I ran SSL Check from serversniff.net it seemed to confirm the results (posted below). Is there a way to specify that ISA only accept TLS1.X/SSLv3 connections? At the very least I need to ensure nothing less then 128-bit encryption is used but I noticed if I set the web listener in ISA 2006 to accept HTTP/HTTPS connections but redirect all incoming HTTP requests to HTTPS that the option in the web publishing rule to always use 128-bit encryption is greyed out, so I'm not sure if that means the ISA 2006 server will accept a 56-bit SSL connection, for example. Ideally I'd like to limit ISA to 128+ bit ciphers and TLS1.X/SSLv3 only. For reference here is the results for the ISA 2006 server. ===================== Serversniff SSL-Check, using: OpenSSL 0.9.8c 05 Sep 2006 Preferred cipher: TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128) Available SSL2 ciphers: DES-CBC3-MD5 168 bit RC2-CBC-MD5 128 bit RC4-MD5 128 bit DES-CBC-MD5 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit Available SSL3 ciphers: DES-CBC3-SHA 168 bit RC4-SHA 128 bit RC4-MD5 128 bit DES-CBC-SHA 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit Available TLS1 ciphers: DES-CBC3-SHA 168 bit RC4-SHA 128 bit RC4-MD5 128 bit DES-CBC-SHA 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit SSL-Connection: SSL-Overhead: SSL handshake has read 1017 bytes and written 300 bytes New, TLSv1/SSLv3, Default Cipher is RC4-MD5 Length of public server-key: 1024 bit Default protocol : TLSv1 Default Cipher : RC4-MD5 • TLS 1.1 support... no • fallback from TLS 1.1 to... TLS 1.0 • TLS 1.0 support... yes • SSL 3.0 support... yes • server can accept Hello Extensions... yes • server can accept cipher suites not in SSL 3.0 spec... yes • server can accept a bogus TLS record version in the client hello... yes • server understands TLS closure alerts... partially • server supports session resumption... yes • ephemeral Diffie Hellman support... no • ZLIB compression support (TLS extension)... no • LZO compression support (GnuTLS extension)... no • SRP authentication support (TLS extension)... no • OpenPGP authentication support (TLS extension)... no =====================

spouseele -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (24.Feb.2007 5:11:08 AM)
Hi Jack, yep, there seems to be a little GUI problem with the checkbox 'Require 128-bit encryption for HTTPS traffic' if the radio button 'Redirect all traffic from HTTP to HTTPS' is enabled on the Web listener. However, you can get it to work if you perform the following steps in sequence (I only tested it on ISA 2006): 1. go to the listener, tab Connections and make sure you select the radio button 'Do not redirect traffic from HTTP to HTTPS'. 2. next go to the rule, tab Traffic and you will see that the check box 'Notify HTTP users to use HTTPS instead' becomes available. Check that box. 3. by doing that the check box 'Require 128-bit encryption for HTTPS traffic' becomes also available. So, check that box too. 4. finally, go back to the listener, tab Connections and now select the radio button 'Redirect all traffic from HTTP to HTTPS'. BTW --- if you want to control which SChannel ciphers will be offered in the SSL/TLS negotiation by ISA server, check out http://support.microsoft.com/kb/245030/en-us. HTH, Stefaan

Jack in the Box -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (24.Feb.2007 12:06:02 PM)
Thank you very much. I've used that KB article before but I couldn't find it, thanks for the link and thanks for the instructions on how to force 128-bit connections, I'll implement it right away.

spouseele -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (24.Feb.2007 1:59:24 PM)
Hi Jack, glad to hear I could help! [:)] BTW --- I have opened a case with Microsoft PSS for this GUI weirdness. When I have new information about this case I will blog about it. Thanks, Stefaan

Jack in the Box -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (26.Feb.2007 9:20:07 PM)
If you hear something I bet a lot of us who have noticed that peculiar behavior in the GUI would love to see a post about it. Thanks.

LoZio -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (8.Nov.2008 7:16:58 AM)
I was also looking for solutions in setting up secure SSL connections and found this free tool http://www.gorlani.com/publicprj/CipherControl/ that sets the reg key locally or remotely with no hassle. Bye

Page: [1]