So you thought you and your security team would finally be best friends, as you’ve just deployed VMware’s Secure Email Gateway (SEGv2) to make Exchange ActiveSync a safer place.
Only to find out that the same security team ran an SSL Labs test which came back with a B. There goes your friendship!
The issue you’re most likely facing is either the use of weak(er) ciphers or the lack of Forward Secrecy support, either of which caps the grade at a B.
As you can read in the official documentation, it’s possible to edit the “seg-jvm-args.conf” file, which is located at /opt/vmware/docker/seg/container/config/.
This would require you to enable SSH access or use the vSphere console, which becomes cumbersome if you have multiple UAGs, especially when they are spread across several environments.
Luckily that same page tells you how to do it from a central location, configuring all your SEGs at once.
It’s briefly covered in the “Configure Custom Gateway Settings” section, which states you can use a Key Value Pair (KVP) to configure the SEG appliances.
- From within the UEM console, go to Email and click Email Settings.
- On the configuration tab, click Advanced.
- Scroll down till you reach the Custom Gateway Settings section and click add row.
- Fill in the settings shown in table 1 (don’t forget the leading hyphen in the key, and edit the cipher list to your specific needs).
- Click save.
Table 1: Custom Gateway Setting

| Key | Type | Value |
|---|---|---|
| -Djdk.tls.disabledAlgorithms | String | MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 |
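Before pushing the value above to every SEG, it helps to see which cipher suites it actually knocks out and whether anything without Forward Secrecy survives. The script below is an added example, not part of the original post or of VMware's product; it takes the table's `-Djdk.tls.disabledAlgorithms` value and a constructed list of JSSE suite names (not captured from a real SEG), and applies a simplified model of how the JDK matches the list: an entry whose words appear as a contiguous run in a suite name disables that suite, key-size constraints are skipped because they depend on the actual key, and protocol or signature entries (TLSv1, SSLv3, MD5withRSA) never match a suite name. The exact JDK matching rules are more involved, so treat the result as a pre-flight check, not as a substitute for re-running the SSL Labs test.

```python
"""
Model which JSSE cipher suites a jdk.tls.disabledAlgorithms value disables,
and flag any survivor that does not provide forward secrecy.

Simplified approximation of the JDK's matching (assumption, not the exact
JSSE algorithm):
  - an entry whose words appear as a contiguous run inside the suite name
    disables that suite; this covers full names (TLS_RSA_WITH_AES_128_CBC_SHA)
    as well as bare algorithm names (RC4, DHE, 3DES_EDE_CBC);
  - "keySize" constraints ("EC keySize < 224") need the real key and are skipped;
  - protocol entries (TLSv1, SSLv3, SSLv2Hello) and signature entries
    (MD5withRSA) never match a suite name and are harmlessly carried along.
"""
from typing import Dict, List

# The value from table 1 (the -Djdk.tls.disabledAlgorithms KVP).
DISABLED_ALGORITHMS = (
    "MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, "
    "RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, "
    "EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_GCM_SHA384"
)

# Constructed sample of suite names a Java server might offer; not taken
# from a real SEG instance.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
]


def parse_disabled_algorithms(value: str) -> List[str]:
    """Split the comma-separated property into trimmed entries, dropping
    keySize constraints, which cannot be judged from a suite name alone."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if "keySize" not in e]


def _words(name: str) -> List[str]:
    """Upper-cased, underscore-separated words: 'ECDHE_RSA' -> ['ECDHE','RSA']."""
    return name.upper().split("_")


def is_disabled(suite: str, disabled: List[str]) -> bool:
    """True if any disabled entry appears as a contiguous run of words in the
    suite name, e.g. 'RC4' inside TLS_ECDHE_RSA_WITH_RC4_128_SHA."""
    suite_words = _words(suite)
    for entry in disabled:
        entry_words = _words(entry)
        n = len(entry_words)
        for i in range(len(suite_words) - n + 1):
            if suite_words[i:i + n] == entry_words:
                return True
    return False


def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DHE key exchange gives forward secrecy; static RSA and
    static (EC)DH key exchange do not."""
    words = _words(suite)
    if "WITH" not in words:
        return False
    key_exchange = words[1:words.index("WITH")]
    return "ECDHE" in key_exchange or "DHE" in key_exchange


def audit(suites: List[str], disabled_value: str) -> Dict[str, List[str]]:
    """Partition the offered suites and list survivors without forward secrecy."""
    disabled = parse_disabled_algorithms(disabled_value)
    enabled = [s for s in suites if not is_disabled(s, disabled)]
    return {
        "enabled": enabled,
        "disabled": [s for s in suites if s not in enabled],
        "enabled_without_forward_secrecy": [
            s for s in enabled if not has_forward_secrecy(s)
        ],
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_SUITES, DISABLED_ALGORITHMS).items():
        print(f"{key}:")
        for name in names:
            print(f"  {name}")
```

Run against the sample list, the ECDHE suites remain, the DHE, static RSA, RC4 and 3DES suites are removed, and one suite, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, is reported as enabled without forward secrecy: the table's value names neither ECDH nor that suite. Whether your JVM offers static ECDH suites at all depends on its version, which is exactly the kind of thing the SSL Labs rerun will tell you.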
Once saved, the settings should propagate almost instantly to your SEG instances. This means it’s time to rerun the SSL Labs test!
And there you go, friends once more!