Category Archives: Security

A special Rpc error occurs on server xxxxx These certificates are tagged with following Send Connectors

So our SAN SSL certificate was coming up for renewal and I really wanted to expand what was covered by it to include more devices. In general, anything internal was using a self-signed certificate and anything external used the SAN SSL. That worked fine, but when it came time for renewal I figured why not just get a wildcard SSL and assign it to anything I could. It would also keep me from having to update subject names when there was a change.

So I bought a Wildcard SSL from GoDaddy and started assigning it to everything. I switched out the certificate on our firewall and VPN clients, mail server, web server, etc. Everything seemed to work fine. Then, once things were tested, it came time to remove the old one. Removing it from IIS was fine, removing it from the firewalls was likewise fine, but removing it from the Exchange Control Panel gave the error in the title.

Now we do have an Exchange Online hybrid deployment set up with centralized mail transport. We use a cloud-based Barracuda spam/malware filter, so all email in and out of the company goes through them and then to our internal mail server. Mail for any mailbox on Exchange Online then goes from our mail server to it and back. Well, apparently when I set this up it created a send connector to route mail to Exchange Online, and since that connector uses TLS it attached the certificate that was in use at the time, which I was now trying to delete.

Unfortunately you can’t just go into the Send Connector in the ECP and reassign the certificate, but you can do it with a few steps based on the Microsoft Set-SendConnector page. First get the list of your send connectors and the list of your certificates:

Get-SendConnector
Get-ExchangeCertificate

Copy the send connector name that was in the error message and the thumbprint of your new certificate. Next we use that certificate to build the identifier the send connector needs and assign it:

# Load the new certificate by its thumbprint
$cert = Get-ExchangeCertificate -Thumbprint <your thumbprint>
# Build the "<i>issuer<s>subject" identifier that -TlsCertificateName expects
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"
# Bind it to the connector named in the error message
Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Once your send connectors are updated you should be able to remove the old certificate. Also, if you are using TLS on your receive connectors you will want to do exactly the same thing, but using the Set-ReceiveConnector command.

Note: If your new certificate has exactly the same subject name as the old one, the connector might not update. You’ll have to clear the binding first using:

Set-SendConnector -Identity <connector name> -TlsCertificateName $Null

See https://learn.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-remove-installed-certificate for more information.
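If you have more than one connector bound to the old certificate (the error only names the ones it finds, and receive connectors need the same treatment), it is easier to let a script find and rebind them all. The following is an added example and not code from the original post or from Microsoft; run it in the Exchange Management Shell. Both thumbprints are placeholders you supply, and the script assumes that a connector's TlsCertificateName renders as the same "<I>issuer<S>subject" string the Set-SendConnector documentation uses, so it can be compared directly. It clears each binding before setting the new one, which covers the identical-subject-name case from the note above.

```powershell
# Added example (not from the original post or from Microsoft).
# Usage, from the Exchange Management Shell:
#   .\Rebind-TlsCertificate.ps1 -OldThumbprint <old> -NewThumbprint <new> -DryRun
param(
    [Parameter(Mandatory = $true)][string]$OldThumbprint,   # placeholder: old cert
    [Parameter(Mandatory = $true)][string]$NewThumbprint,   # placeholder: new cert
    [switch]$DryRun   # report what would change without touching any connector
)

function Get-TlsCertificateName {
    # Build the "<I>issuer<S>subject" identifier that -TlsCertificateName expects
    param([string]$Thumbprint)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on this server" }
    return "<I>$($cert.Issuer)<S>$($cert.Subject)"
}

$oldName = Get-TlsCertificateName -Thumbprint $OldThumbprint
$newName = Get-TlsCertificateName -Thumbprint $NewThumbprint

# Collect every send and receive connector still bound to the old certificate.
# Assumption: "$($c.TlsCertificateName)" yields the same <I>...<S>... text.
$targets = @()
foreach ($c in Get-SendConnector) {
    if ("$($c.TlsCertificateName)" -eq $oldName) {
        $targets += [pscustomobject]@{ Kind = 'Send'; Identity = $c.Identity }
    }
}
foreach ($c in Get-ReceiveConnector) {
    if ("$($c.TlsCertificateName)" -eq $oldName) {
        $targets += [pscustomobject]@{ Kind = 'Receive'; Identity = $c.Identity }
    }
}

if ($targets.Count -eq 0) {
    Write-Host "No connectors reference the old certificate; it should be safe to remove."
    return
}

foreach ($t in $targets) {
    Write-Host "$($t.Kind) connector '$($t.Identity)': rebinding to $newName"
    if ($DryRun) { continue }
    # Clear the binding first: a new certificate with an identical subject name
    # may otherwise not be picked up (the note in the post).
    if ($t.Kind -eq 'Send') {
        Set-SendConnector -Identity $t.Identity -TlsCertificateName $null
        Set-SendConnector -Identity $t.Identity -TlsCertificateName $newName
    } else {
        Set-ReceiveConnector -Identity $t.Identity -TlsCertificateName $null
        Set-ReceiveConnector -Identity $t.Identity -TlsCertificateName $newName
    }
}

# Verify: nothing should still report the old identifier.
$left = @(Get-SendConnector) + @(Get-ReceiveConnector) |
    Where-Object { "$($_.TlsCertificateName)" -eq $oldName }
if ($left) {
    Write-Warning "Still bound to the old certificate: $($left.Identity -join ', ')"
} else {
    Write-Host "All connectors updated; removing the old certificate should now succeed."
}
```

Run it with -DryRun first to see which connectors it would touch. The new certificate should already be enabled for the SMTP service before you rebind, and Receive connectors are listed per server, so run the script on each Exchange server that hosts one.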

Sophos XG Firewall PCI Compliance Woes

Recently I deployed a Sophos XG firewall to replace my very much aging Microsoft Forefront TMG 2010 firewalls. For the most part, after lots of back and forth with Sophos tech support, I got it working correctly for things like Outlook Anywhere, web and mobile access, protecting internal websites, and general web filtering. Everything seemed fine until our monthly PCI compliance scans came along and we failed miserably: TLS 1.0 was enabled, HTTP TRACK/TRACE was enabled, and 64-bit cyphers were enabled for each external IP we were hosting a site on. I contacted Sophos and, long story short, there is currently no way to fix these through the UI (v16); all of them require manually editing the Apache httpd file on the box. So here is how to do it.

First telnet into your XG, log in, then choose 5 Device Management, then 3 Advanced Shell. Type in the following:

# mount -no remount,rw /
# vi /usr/apache/conf/httpd.conf

You should now be able to edit the file. Press “I” once to enter insert mode. Find the SSLCipherSuite line and remove any sections (between the colons) that contain 3DES. For example, the original cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS

Modified cypher line:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Now find the SSLProtocol line, usually right below the cyphers, and disable a protocol by adding it to the list with a leading minus. Here is the original line:

SSLProtocol all -SSLv2 -SSLv3

Modified protocols line:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Lastly, to disable TRACE, add a new line under these:

TraceEnable off

Hit ESC, then :w and Enter to write the file, then :q and Enter to quit. Then restart the services and remount the filesystem read-only (which is what I’m assuming the last command does):

# service apache:restart -ds nosync
# service WAF:restart -ds nosync
# mount -no remount,ro /
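Editing a live config in vi over telnet is easy to get slightly wrong, and the change has to be redone after a firmware update resets the file. The script below is an added example, not something from the original post or from Sophos: it applies all three changes (drop the 3DES groups, add -TLSv1 -TLSv1.1, set TraceEnable off) in one pass that is safe to run repeatedly, backs the file up first, and then checks the result. It assumes an Apache-style config with unquoted SSLCipherSuite and SSLProtocol lines like the ones quoted above; the sample file it builds is constructed from those quoted lines. On the XG you would run it after the read-write remount and before the service restarts.

```shell
#!/bin/sh
# Added example (not from the original post, and not a Sophos tool).
# harden_httpd_conf FILE  - apply the three changes idempotently (keeps FILE.bak)
# check_httpd_conf FILE   - return 0 only if all three are in place

harden_httpd_conf() {
    f="$1"
    tmp="$f.tmp.$$"
    cp "$f" "$f.bak"
    awk '
        # 1) drop every colon-separated cipher group that contains 3DES
        /^[[:space:]]*SSLCipherSuite[[:space:]]/ {
            n = split($2, parts, ":"); out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /3DES/) continue
                out = out (out == "" ? "" : ":") parts[i]
            }
            print $1 " " out; next
        }
        # 2) disable TLS 1.0 and 1.1, adding only the flags that are missing
        /^[[:space:]]*SSLProtocol[[:space:]]/ {
            line = $0
            if (line !~ /-TLSv1([[:space:]]|$)/)   line = line " -TLSv1"
            if (line !~ /-TLSv1\.1([[:space:]]|$)/) line = line " -TLSv1.1"
            print line; next
        }
        { print }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
    # 3) TraceEnable off: fix an existing directive, or add one after SSLProtocol
    if grep -q '^[[:space:]]*TraceEnable' "$f"; then
        sed 's/^[[:space:]]*TraceEnable.*/TraceEnable off/' "$f" > "$tmp" && mv "$tmp" "$f"
    else
        awk '{ print } /^[[:space:]]*SSLProtocol[[:space:]]/ { print "TraceEnable off" }' \
            "$f" > "$tmp" && mv "$tmp" "$f"
    fi
}

check_httpd_conf() {
    f="$1"; bad=0
    if grep -q '^[[:space:]]*SSLCipherSuite.*3DES' "$f"; then
        echo "FAIL: a 3DES cipher group is still listed"; bad=1; fi
    if ! grep -Eq '^[[:space:]]*SSLProtocol.*-TLSv1([[:space:]]|$)' "$f"; then
        echo "FAIL: TLS 1.0 is not disabled"; bad=1; fi
    if ! grep -Eq '^[[:space:]]*SSLProtocol.*-TLSv1\.1([[:space:]]|$)' "$f"; then
        echo "FAIL: TLS 1.1 is not disabled"; bad=1; fi
    if ! grep -Eq '^[[:space:]]*TraceEnable[[:space:]]+off' "$f"; then
        echo "FAIL: TraceEnable is not off"; bad=1; fi
    [ "$bad" -eq 0 ] && echo "OK: $f passes all three checks"
    return "$bad"
}

# Constructed sample, modelled on the lines quoted in the post (not a real XG file)
make_sample_conf() {
    cat > "$1" <<'EOF'
Listen 443
SSLEngine on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
EOF
}

# Demo run against the constructed sample
sample="${TMPDIR:-/tmp}/httpd.conf.sample.$$"
make_sample_conf "$sample"
harden_httpd_conf "$sample"
check_httpd_conf "$sample"
cat "$sample"
rm -f "$sample" "$sample.bak"
```

On the appliance, replace the demo section with `harden_httpd_conf /usr/apache/conf/httpd.conf` and `check_httpd_conf /usr/apache/conf/httpd.conf`, then restart apache and WAF as above. Keeping the script around also gives you a quick way to re-check the file after an upgrade, before the next PCI scan does it for you.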

Keep in mind that any Outlook 2010 clients you have in the field might try to connect using TLS 1.0 and will fail with a cryptic proxy server error. You can follow this site to hopefully fix that: https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/