Quick tip: Controlling SEGv2 cipher suites and scoring an A+ at SSL Labs


18 August 2021 Jesper Alberts

So you thought you and your security team would be best friends at last, as you’ve just deployed VMware’s Secure Email Gateway (SEGv2) to finally make Exchange ActiveSync a safer place.
Only to find out that the same security team ran an SSL Labs test, which came back with a B. There goes your friendship!

The issue you’re most likely facing is either the use of weak(er) ciphers or the fact that Forward Secrecy is not supported, which caps you at a B.

As you can read in the official documentation, it’s possible to edit the “seg-jvm-args.conf” file, which is located in /opt/vmware/docker/seg/container/config/.
This would require you to enable SSH access or use the vSphere console, which can become cumbersome if you have multiple UAGs, especially when they are spread across several environments.

Luckily, that same page tells you how to do it from a central location, configuring all your SEGs at once.
It’s briefly covered in the “Configure Custom Gateway Settings” section, which states you can use a Key Value Pair (KVP) to configure the SEG appliances.

  1. From within the UEM console, go to Email and click Email Settings.
  2. On the configuration tab, click Advanced.
  3. Scroll down until you reach the Custom Gateway Settings section and click add row.
  4. Fill in the settings shown in table 1 (don’t forget the hyphen, and edit the ciphers to your specific needs).
  5. Click save.

| Key | Type | Value |
| --- | --- | --- |
| -Djdk.tls.disabledAlgorithms | String | MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 |

Table 1. Custom Gateway Settings
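
To preview what the Table 1 value leaves enabled before pushing it, the following added example (not from the original post or from VMware) applies it as the JDK security property `jdk.tls.disabledAlgorithms` on a local JVM and lists the server-side protocols and cipher suites that remain, marking any without forward secrecy. The class name is made up for the example, and the result depends on the local JDK version, which may differ from the one inside the SEG container.

```java
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class DisabledAlgorithmsPreview {
    // Value column of Table 1, copied unchanged.
    static final String TABLE_1_VALUE =
        "MD5, RC4, TLSv1, SSLv2Hello, SSLv3, DSA, DESede, DES, 3DES, DES40_CBC, "
      + "RC4_40, MD5withRSA, DH, 3DES_EDE_CBC, DHE, DH keySize < 1024, "
      + "EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, "
      + "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, "
      + "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, "
      + "TLS_RSA_WITH_AES_256_GCM_SHA384";

    // Forward secrecy needs an ephemeral key exchange: ECDHE/DHE in TLS 1.2
    // suite names, or any TLS 1.3 suite (those names have no "_WITH_" part).
    static boolean hasForwardSecrecy(String suite) {
        return suite.contains("_ECDHE_") || suite.contains("_DHE_")
            || !suite.contains("_WITH_");
    }

    public static void main(String[] args) throws Exception {
        // JSSE caches the property on first use, so set it before any TLS
        // class is touched. Pass "baseline" to see the JDK defaults instead.
        boolean baseline = args.length > 0 && args[0].equals("baseline");
        if (!baseline) {
            Security.setProperty("jdk.tls.disabledAlgorithms", TABLE_1_VALUE);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);   // report what a TLS server would enable

        System.out.println("Protocols: "
            + String.join(", ", server.getEnabledProtocols()));
        int withoutFs = 0;
        for (String suite : server.getEnabledCipherSuites()) {
            if (suite.endsWith("_SCSV")) continue;   // signalling value, not a suite
            boolean fs = hasForwardSecrecy(suite);
            if (!fs) withoutFs++;
            System.out.println((fs ? "  FS     " : "  NO-FS  ") + suite);
        }
        System.out.println(withoutFs + " enabled suite(s) without forward secrecy");
    }
}
```

On JDK 11 or later it runs directly with `java DisabledAlgorithmsPreview.java`; run it once with `baseline` and once without to compare the two lists.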


Once saved, the settings should propagate almost instantly to your SEG instances. This means it’s time to rerun the SSL Labs test!

And there you go, friends once more!
