Quick tip: Controlling SEGv2 cipher suites and scoring an A+ at SSL Labs


18 August 2021, Jesper Alberts

So you thought you and your security team would finally be best friends, as you’ve just deployed VMware’s Secure Email Gateway (SEGv2) to finally make Exchange ActiveSync a safer place.
Only to find out that same security team ran an SSL Labs test which came back with a B. There goes your friendship!

The issue you’re most likely facing is either the use of weak(er) ciphers or the fact that Forward Secrecy is not supported, which caps you at a B.

As you can read in the official documentation, it’s possible to edit the “seg-jvm-args.conf” file, which is located in /opt/vmware/docker/seg/container/config/.
This would require you to enable SSH access or use the vSphere console, which can become cumbersome if you have multiple UAGs, especially when they are spread across several environments.

Luckily that same page tells you how to do it from a central location, configuring all your SEG’s at once.
It’s briefly covered in the “Configure Custom Gateway Settings” section, which states you can use a Key Value Pair (KVP) to configure the SEG appliances.

  1. From within the UEM console, go to Email and click Email Settings.
  2. On the configuration tab, click Advanced.
  3. Scroll down till you reach the Custom Gateway Settings section and click add row.
  4. Fill in the settings shown in table 1 (don’t forget the hyphen in the key, and edit the cipher list to your specific needs).
  5. Click save.
Key: -Djdk.tls.disabledAlgorithms
Type: String
Value: MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
Table 1. Custom Gateway Settings
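Before pushing the value from table 1 to every SEG, it helps to see which cipher suites it actually leaves enabled. The following Python script is an added example, not part of this post or of VMware’s product: it parses the jdk.tls.disabledAlgorithms string and filters a constructed list of suite names. Its matching is a simplified approximation of the JDK’s rules (an assumption), not the JDK’s own implementation.

```python
import re

# The jdk.tls.disabledAlgorithms value from table 1 of this post.
DISABLED_ALGORITHMS = (
    "MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, "
    "MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384"
)

KEYSIZE_RE = re.compile(r"^(\S+)\s+keySize\s*<\s*(\d+)$")


def parse_disabled(value):
    """Split the property into plain algorithm names and 'keySize <' limits."""
    names, limits = set(), {}
    for entry in (e.strip() for e in value.split(",")):
        m = KEYSIZE_RE.match(entry)
        if m:
            limits[m.group(1)] = int(m.group(2))
        elif entry:
            names.add(entry)
    return names, limits


def _contains(tokens, pattern):
    """True if pattern (e.g. '3DES_EDE_CBC') occurs as a contiguous run in tokens."""
    p = pattern.split("_")
    return any(tokens[i:i + len(p)] == p for i in range(len(tokens) - len(p) + 1))


def why_disabled(suite, names, limits, key_sizes=None):
    """Return the entry that disables `suite`, or None if the policy allows it.

    Assumption: simplified model of the JDK matching. The suite name is split on
    '_' and an entry matches when its tokens appear as a contiguous run; a keySize
    limit applies when the suite uses that family and the caller-supplied key
    size (e.g. {"EC": 256} for a P-256 ECDHE key) is below the limit.
    """
    if suite in names:
        return suite
    tokens = [t for t in suite.split("_") if t not in ("TLS", "SSL", "WITH")]
    for name in sorted(names):
        if _contains(tokens, name):
            return name
    for family, limit in limits.items():
        bits = (key_sizes or {}).get(family)
        uses_family = any(t.startswith(family) for t in tokens)
        if uses_family and bits is not None and bits < limit:
            return f"{family} keySize < {limit}"
    return None


def allowed_suites(suites, value=DISABLED_ALGORITHMS, key_sizes=None):
    """Filter a list of suite names down to those the policy leaves enabled."""
    names, limits = parse_disabled(value)
    return [s for s in suites if why_disabled(s, names, limits, key_sizes) is None]
```

With the table 1 value, every static-RSA, DHE and RC4/3DES suite in the candidate list is dropped and only the ECDHE (forward secrecy) suites survive, which is what the SSL Labs grade depends on.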


Once saved, the settings should propagate almost instantly to your SEG instances. This means it’s time to rerun the SSL Labs test!

And there you go, friends once more!
