Exchange 2019 service/monitor down – time out during ssl handshake stage

Symptoms or Error

https monitor bound to Exchange 2019 service is DOWN – time out during ssl handshake stage.

Solution

1. Change the following registry keys to 1 to downgrade security on the Exchange server.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000001
"AllowInsecureRenegoServers"=dword:00000001

For more details, refer to:
https://www.exchangelog.info/2020/02/netscaler-vs-exchange-2019-time-out.html

2. Alternatively, enable secure renegotiation in the backend SSL profile or in the global SSL parameters.
Example:
> set ssl profile ns_default_ssl_profile_backend -denySSLReneg NONSECURE
> set ssl parameter -denySSLReneg NONSECURE

Note: Not all ADC versions support secure renegotiation on the backend. Only 13.0.58.30 and later support it.

Problem Cause

By default, ADC does not enable secure renegotiation on the backend.
Citrix ADC fails to communicate with the new Exchange Server 2019 because the default setting on Exchange Server 2019 is “secure renegotiation only”.

Secure renegotiation at the backend is not currently supported on Citrix ADC on all platforms.

As a workaround, the “secure renegotiation only” setting can also be disabled on Exchange Server 2019.

Support for secure renegotiation at the backend was added in 13.0 58.x and later (also for VPX, MPX N2/N3 and Intel Coleto). Refer to https://docs.citrix.com/en-us/citrix-adc/current-release/ssl/ssl-profiles/ssl-enabling-the-default-profile.html#support-for-secure-renegotiation-at-the-back-end-of-a-citrix-adc-appliance
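As an added diagnostic (not code from the original article or from Citrix), the Python script below sends two minimal TLS 1.2 ClientHellos to a backend such as the Exchange server, one advertising the RFC 5746 renegotiation_info extension and one without it, and reports whether each gets a ServerHello, an alert, or a timeout. The hostname and port passed to probe() are assumptions for your environment; a server that answers only the first variant is enforcing the "secure renegotiation only" behaviour the article describes.

```python
import os, socket, struct

RENEG_INFO = 0xFF01  # RFC 5746 renegotiation_info extension type

def build_client_hello(secure_reneg: bool, server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello (SNI + AES suites); renegotiation_info only if asked."""
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x9d\x00\x2f\x00\x35"  # ECDHE/RSA AES-GCM/CBC
    sni = server_name.encode()
    exts = struct.pack("!HHHBH", 0, len(sni) + 5, len(sni) + 3, 0, len(sni)) + sni
    if secure_reneg:
        exts += struct.pack("!HHB", RENEG_INFO, 1, 0)  # empty renegotiated_connection
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack("!H", len(ciphers))
            + ciphers + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake header: type + 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def server_hello_extensions(record: bytes) -> set:
    """Extension types present in the ServerHello that starts a TLS handshake record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS record starting with a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 35 + body[34] + 3  # skip version, random, session_id, cipher_suite, compression
    if pos >= len(body):
        return set()  # extensions block is optional in a ServerHello
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, found = pos + 2, set()
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        found.add(etype)
        pos += 4 + elen
    return found

def classify(data: bytes) -> str:
    if data[:1] == b"\x15":
        return "alert"
    if data[:1] != b"\x16":
        return "unexpected"
    return "server_hello" + (" (secure reneg)" if RENEG_INFO in server_hello_extensions(data) else "")

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send both ClientHello variants; host/port are assumptions for your environment."""
    results = {}
    for label, secure in (("with_reneg_info", True), ("without_reneg_info", False)):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_client_hello(secure, host))
                results[label] = classify(s.recv(4096))
        except (socket.timeout, ConnectionError):
            results[label] = "timeout_or_reset"  # the symptom the monitor reports
    return results
```

Run probe("mail.example.invalid") against the backend the monitor targets; "server_hello" for the first variant and "timeout_or_reset" for the second matches the handshake failure described above.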
