Arne Weinmann (posted December 3, 2018, edited):
Hi, I have a virtual NetScaler (firmware NS12.0 59.9.nc) for securely publishing internal server websites. It was configured following the best practice documentation and works just fine with Exchange 2013 and 2016. However, I can't publish any Exchange 2019 websites. The 2019 server itself works internally, and it also works if I publish it via NAT over the firewall. It doesn't work when I add it to the service groups in NetScaler. The error message is "time out during ssl handshake stage". I suspect it has something to do with Exchange 2019 only accepting TLS 1.2: "We also built Exchange Server 2019 to only use TLS 1.2 out of the box, and to remove legacy ciphers and hashing algorithms." (Source: https://blogs.technet.microsoft.com/exchange/2018/10/22/exchange-server-2019-now-available/). I tried activating TLS 1.0 and 1.1 on the Exchange 2019 server, but with no success. Does anyone have an idea how to fix this?
Edit: Don't be confused about the first picture; the Exchange 2019 server was only added to OWA and ECP. All other servers (with healthy state) only terminate on the Exchange 2016 server. They would also not work with Exchange 2019, I tested this.
Kai Thorsrud (posted December 3, 2018):
Read this thread: https://discussions.citrix.com/topic/388325-netscaler-12-rfc-5746-on-backend-bug-limitation/?page=0#comment-1975755
Arne Weinmann (author, posted December 3, 2018):
Wow, thank you very much! This was the perfect workaround for my problem; I just set "AllowInsecureRenegoClients" and "AllowInsecureRenegoServers" to "1". But it is really time for Citrix to patch this!
Kai Thorsrud (posted December 4, 2018):
I agree. TLS in NetScaler has been a mess for a while for customers without Cavium Nitrox 3 SSL cards. NetScaler 12 solves most of the headaches with TLS, but this remains my main headache with TLS 1.2.
Torsten Lueckhardt (posted July 30, 2019):
You can set SSL Renegotiation for the backend inside the SSL profile for the backend. That resolves the problem and is working with ADC 13. I'm not sure, but it should work with the latest ADC 12.1 too. Regards
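A backend check that follows from this thread, added here as example code (not from the original posts, Citrix, or Microsoft): it runs openssl s_client against the Exchange backend pinned to TLS 1.2 and reports whether the server advertises RFC 5746 secure renegotiation, so an admin can confirm the cause of the handshake timeout before relaxing the NetScaler backend SSL profile or the Schannel renegotiation settings. The function names, the verdict wording and the SAMPLE output are assumptions constructed for the example.

```python
import re
import subprocess

# TLS 1.3 never offers renegotiation and always reports "NOT supported", so
# the probe pins TLS 1.2, which is what Exchange 2019 offers out of the box.
_PROTO = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_VERIFY = re.compile(r"Verify return code:\s*(\d+)")

def parse_s_client(output):
    """Parse the summary `openssl s_client` prints after the handshake."""
    info = {"protocol": None, "cipher": None,
            "secure_renegotiation": None, "verify_ok": None}
    if m := _PROTO.search(output):
        info["protocol"] = m.group(1)
    if m := _CIPHER.search(output):
        info["cipher"] = m.group(1)
    if "Secure Renegotiation IS supported" in output:
        info["secure_renegotiation"] = True
    elif "Secure Renegotiation IS NOT supported" in output:
        info["secure_renegotiation"] = False
    if m := _VERIFY.search(output):
        info["verify_ok"] = m.group(1) == "0"
    return info

def verdict(info):
    """One-line reading of a parsed result for the ADC admin."""
    if info["protocol"] is None:
        return "no TLS 1.2 handshake completed with the backend"
    proto_cipher = "%s / %s" % (info["protocol"], info["cipher"])
    if info["secure_renegotiation"] is False:
        return (proto_cipher + " but RFC 5746 NOT advertised: the ADC backend "
                "handshake fails unless insecure renegotiation is allowed")
    return proto_cipher + ", RFC 5746 advertised"

def probe(host, port=443, timeout=10):
    """Handshake with the backend over TLS 1.2 only; needs openssl on PATH."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
         "-servername", host, "-tls1_2"],
        input=b"", capture_output=True, timeout=timeout)
    return parse_s_client(proc.stdout.decode(errors="replace"))

# Constructed sample of an s_client summary, not a capture from a real server.
SAMPLE = """New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""
```

Run `verdict(probe("exchange.example.internal"))` against the real backend; a "NOT advertised" verdict on TLS 1.2 is the condition under which the backend service stays down until renegotiation is allowed on one side or the other.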