Exchange 2010 and TLS 1.2

In a previous blog post I discussed an issue I had with Outlook 2010 and TLS 1.2. At the same time this reminded me that Microsoft will enable TLS 1.2 (and remove support for TLS 1.0 and TLS 1.1) in Office 365 on October 31, 2018, as communicated in https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365. This means that when you have communication issues with Office 365 because of an older and weaker protocol, you won’t get any support. Time to do some research….

Existing Exchange 2010 environment

As you may have seen on this site, I am still a big fan of Exchange 2010 and also have a pure Exchange 2010 hybrid environment up and running. It looks like this:

Inframan-hybrid

The MX record points to my Exchange 2010 Edge Transport Server (running on Windows 2008 R2), webmail and Autodiscover are routed via an F5 LTM load balancer to an Exchange 2010 CAS/HUB/Mailbox server (also running on Windows 2008 R2), and hybrid is configured directly on Exchange 2010 (for hybrid mail flow I’m using a separate FQDN, o365mail.inframan.nl) without any Exchange 2013 or Exchange 2016 server.

So, how do you test which TLS version is used by your Exchange 2010 server? In Exchange 2010 this must be done using the protocol log files, because message headers in Exchange 2010 do not contain enough information to show the TLS version. So you must enable protocol logging on the appropriate Receive Connectors and Send Connectors. In my environment this means the Default Receive Connector on the Exchange 2010 Edge Transport server (for Office 365 traffic from other tenants), the Default-First-Site-Name to Internet Send Connector, and both hybrid connectors between the Exchange 2010 server and Office 365. The protocol log files are easiest to analyze in Excel (import them as CSV files). When analyzing, look for a string like TLS protocol SP_PROT_TLS1_0_SERVER (when receiving) or TLS protocol SP_PROT_TLS1_0_CLIENT (when sending). When TLS 1.2 is used, the strings are TLS protocol SP_PROT_TLS1_2_SERVER and TLS protocol SP_PROT_TLS1_2_CLIENT.
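Instead of scanning the protocol log in Excel, the SP_PROT strings can be counted per connector, role and TLS version with a few lines of PowerShell. This is an added example (not code from the original post); it assumes PowerShell 3.0 or later and the standard protocol log layout (a #Fields header line followed by CSV rows), and the sample log lines, addresses, connector names and session ids below are constructed.

```powershell
# Added example (not from the original post): report which TLS version each
# SMTP session negotiated, parsed straight from Exchange 2010 protocol log text.
# Assumed log layout: '#'-prefixed header lines, one of them '#Fields: ...',
# then CSV rows whose 'context' field carries the SP_PROT_TLS* string.
function Get-TlsUsage {
    param([string[]]$Lines)

    $fields = ($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    if (-not $fields) { throw 'No #Fields header found in protocol log' }

    $Lines | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header ($fields -split ',') |
        ForEach-Object {
            # Only the negotiation line names the protocol; one such line per session
            if ($_.context -match 'SP_PROT_TLS(\d)_(\d)_(SERVER|CLIENT)') {
                [pscustomobject]@{
                    Connector = $_.'connector-id'
                    Role      = $Matches[3]                       # SERVER = receive, CLIENT = send
                    Version   = 'TLS {0}.{1}' -f $Matches[1], $Matches[2]
                    Peer      = ($_.'remote-endpoint' -split ':')[0]
                }
            }
        } |
        Group-Object Connector, Role, Version |
        ForEach-Object {
            [pscustomobject]@{
                Sessions  = $_.Count
                Connector = $_.Group[0].Connector
                Role      = $_.Group[0].Role
                Version   = $_.Group[0].Version
                Peers     = ($_.Group | ForEach-Object { $_.Peer } | Sort-Object -Unique) -join ' '
            }
        }
}

# Constructed sample log (addresses, session ids and connector names are made up)
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-06-01T09:12:03.114Z,EDGE\Default internal receive connector EDGE,08D5C7A1B2C3D4E5,0,192.0.2.10:25,198.51.100.7:43021,+,,
2018-06-01T09:12:03.302Z,EDGE\Default internal receive connector EDGE,08D5C7A1B2C3D4E5,5,192.0.2.10:25,198.51.100.7:43021,*,,"TLS protocol SP_PROT_TLS1_0_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits, key exchange algorithm CALG_RSA_KEYX with strength 2048 bits"
2018-06-01T09:15:44.871Z,EDGE\Default internal receive connector EDGE,08D5C7A1B2C3D4E6,5,192.0.2.10:25,198.51.100.9:50112,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_256 with strength 256 bits, key exchange algorithm CALG_RSA_KEYX with strength 2048 bits"
'@

Get-TlsUsage -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
# For real logs: Get-TlsUsage -Lines (Get-Content '<path to>\ProtocolLog\SmtpReceive\*.log')
```

Any peer that still shows up under TLS 1.0 after the change below is a remote system to chase before TLS 1.0 is switched off.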

When sending an email from Exchange 2010 to Office 365 (in another tenant) we can see it’s routed from the Edge Transport server (smtphost.inframan.nl) to Exchange Online Protection (EOP) using TLS 1.0 as can be seen in the following screenshot (click to enlarge):

Edge-Inbound-TLS10

When sending an email from Exchange 2010 to Office 365 using the hybrid connector, we can see it’s using TLS 1.0 as well (click to enlarge):

Hybrid-Send-TLS10

You will have to trust me for the other protocol log files, but communication between Exchange 2010 and Office 365 is based on TLS 1.0 by default.

Enabling TLS 1.2

In Windows 2008 R2 SP1, TLS 1.2 is supported, but it is disabled by default. Of course the server should be fully patched, and should include KB3161949, KB3080079 and KB3154518 (for .NET Framework 3.5.1).

If you are running Exchange 2010 on Windows 2012 (where TLS 1.2 is the default security protocol) you should install KB3161949 and KB3154519 (for .NET Framework 3.5.1). Exchange 2010 itself should be configured with Rollup Update RU19 or higher to support TLS 1.2.

To enable TLS 1.2 in Exchange 2010, create the following registry entries on the server, in my example both the Exchange 2010 Edge Transport Server as well as the Exchange 2010 multi-role server:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

These entries are shown in the following screenshot (click to enlarge):

TLS12-Registry-Exchange2010

Once created, reboot the server to activate these changes.

The next step is to enable TLS 1.2 for .NET Framework 3.5.1. To do this, make the following registry changes:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

Please note the differences between the two entries. The first one is in the SOFTWARE\Microsoft node (shown below), the second one in the SOFTWARE\Wow6432Node node!

TLS12-Registry-dotNet

Reboot the server and you should be good.
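The Schannel and .NET Framework registry changes above can be applied and verified in one go from an elevated PowerShell prompt. This is an added example (not code from the original post); it assumes PowerShell 3.0 or later and uses only the key paths and values given in this article.

```powershell
# Added example (not from the original post): create and verify the Schannel and
# .NET Framework 3.5.1 registry values described above. Run elevated on each
# Exchange 2010 server (Edge Transport and multi-role), then reboot.
$Settings = @(
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Values = @{ DisabledByDefault = 0; Enabled = 1 } }
    @{ Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
       Values = @{ DisabledByDefault = 0; Enabled = 1 } }
    @{ Path   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'
       Values = @{ SystemDefaultTlsVersions = 1 } }
    @{ Path   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
       Values = @{ SystemDefaultTlsVersions = 1 } }
)

function Set-Tls12Registry {
    foreach ($s in $Settings) {
        # -Force also creates the missing 'Protocols\TLS 1.2' parent key
        $null = New-Item -Path $s.Path -Force
        foreach ($name in $s.Values.Keys) {
            $null = New-ItemProperty -Path $s.Path -Name $name -Value $s.Values[$name] -PropertyType DWord -Force
        }
    }
}

function Test-Tls12Registry {
    # Prints one line per value and returns $true only when all of them match
    $ok = $true
    foreach ($s in $Settings) {
        foreach ($name in $s.Values.Keys) {
            $actual = (Get-ItemProperty -Path $s.Path -Name $name -ErrorAction SilentlyContinue).$name
            if ($actual -eq $s.Values[$name]) { $state = 'OK ' } else { $state = 'BAD'; $ok = $false }
            if ($null -eq $actual) { $actual = '<missing>' }
            Write-Host ('{0} {1}\{2} = {3}' -f $state, $s.Path, $name, $actual)
        }
    }
    return $ok
}

Set-Tls12Registry
if (Test-Tls12Registry) { Write-Host 'All TLS 1.2 values present; reboot to activate them.' }
else { Write-Warning 'Some values are missing or wrong; correct them before rebooting.' }
```

Running Test-Tls12Registry on its own is a quick way to audit a server before and after the reboot.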

Testing the new TLS 1.2 settings is (of course) similar to the tests outlined above. When sending an email from Exchange 2010 to Office 365 (different tenant) and checking the protocol log file, it is clearly visible that TLS 1.2 is now used (click to enlarge).

Edge-Outbound-TLS12

And when receiving an email via the hybrid connection, TLS 1.2 is now used as well (click to enlarge):

Hybrid-Receive-TLS12

Summary

Exchange 2010 can use TLS 1.2, but it is disabled by default. By patching the Exchange 2010 server to the appropriate level and making the correct registry changes you can enable TLS 1.2. This way you should be good for the upcoming changes in Office 365.

Please note that at this point we have only enabled TLS 1.2; TLS 1.0 and TLS 1.1 have not been disabled.
