Wednesday, January 6, 2021

PSA: Kemp Patch May Break Exchange Federation

In my Exchange 2016 environment, I run a Kemp LoadMaster VLM-2000 (which is awesome and their support is the best).

If you run a LoadMaster as well, and you're planning to update, please read my notes below:

I recently updated my LoadMaster to the latest build, and along with it, the cipher set gets replaced with their new "bestpractices cipher set".

You can see the release notes here, which lay out what is removed and what is kept.

Basically, they removed insecure ciphers according to SSL guidelines, but what I found (the hard way) is that it may break the Exchange Free/Busy Federation you have with other organizations.

In my organization, we run two Resource Forests, one in Europe and one in the US (which I am responsible for). After updating the Kemp, I got reports from the EU users that they could no longer view US users' Free/Busy.

Interestingly, this only affected Outlook, not OWA; the Scheduling Assistant in OWA worked fine.

In order to fix the issue, I had to set the cipher set back to default. 

**Note** The better fix is to actually friggin' update Outlook to support new ciphers, but my client is woefully behind on client patching.

Here's how to set Kemp ciphers:

In the Kemp, navigate to Virtual Services > View/Modify Services > click Modify:

Kemp Modify VSS

**Note** You'll need to modify the VSSs for both internal and external.

Next, expand the SSL Properties section and in the "Cipher Set" dropdown choose either "default" or "Default_NoRc4". 

Kemp Ciphers

**Note** "Default_NoRc4" is more secure, but may not work with legacy clients, so "Default" can work also.

Once done, your Federated partners should be able to view Free/Busy.

If you want to keep the new "best practice" ciphers, you can build your own custom cipher set to include both the old ones (which worked previously) and the new updated ones. Just make sure to back up your LM first!

Under the SSL Properties, next to the Cipher Set dropdown, click "Modify Cipher Set".

You can then cross-reference your current cipher set with the Kemp article linked above, to add/remove the ciphers and save your own list.
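The cross-referencing step above, as an added example (not from the original post or from Kemp): this Python script works out the single strongest legacy cipher to add back to a hardened set so an old client can still complete a handshake, instead of reverting the whole set. The cipher lists are constructed samples and the function names are hypothetical; it assumes the failure is a cipher mismatch and that the server picks by its own preference order.

```python
# Added example. Cipher lists below are CONSTRUCTED samples (OpenSSL names),
# not Kemp's actual sets; function names are hypothetical.
OLD_SET = [  # stand-in for the set that worked before the update
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA",
]
NEW_SET = [  # stand-in for the hardened set installed by the update
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
]
LEGACY_OFFER = [  # stand-in for an unpatched client's ClientHello cipher list
    "AES128-SHA", "AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA", "DES-CBC3-SHA", "RC4-SHA",
]

def strength(cipher):
    """Rank a cipher: not-broken first, then forward secrecy, then AEAD."""
    weak = any(tag in cipher for tag in ("RC4", "DES", "MD5", "NULL", "EXP"))
    pfs = cipher.startswith(("ECDHE-", "DHE-"))
    aead = "GCM" in cipher or "CHACHA20" in cipher
    return (not weak, pfs, aead)

def negotiate(server_set, client_offer):
    """Server-preference selection: first server cipher the client also offers."""
    offered = set(client_offer)
    return next((c for c in server_set if c in offered), None)

def minimal_fix(old_set, new_set, client_offer):
    """Ciphers to add to new_set so the client connects: [] if none are needed,
    None if even the old set has nothing in common with the client."""
    if negotiate(new_set, client_offer):
        return []
    offered = set(client_offer)
    candidates = [c for c in old_set if c in offered]
    return [max(candidates, key=strength)] if candidates else None

def custom_set(old_set, new_set, client_offer):
    """New set plus the fix, appended last so modern clients keep the strong ciphers."""
    return new_set + (minimal_fix(old_set, new_set, client_offer) or [])

if __name__ == "__main__":
    print("removed by update:", [c for c in OLD_SET if c not in NEW_SET])
    print("legacy client on new set:", negotiate(NEW_SET, LEGACY_OFFER))
    print("add back:", minimal_fix(OLD_SET, NEW_SET, LEGACY_OFFER))
    print("custom set:", custom_set(OLD_SET, NEW_SET, LEGACY_OFFER))
```

Replace the three lists with the sets shown in "Modify Cipher Set" and the cipher list from a packet capture of the failing client's ClientHello.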
