Wondering about result of Remote Connectivity Analyzer

0

Hi,

we migrated ActiveSync and Autodiscover from Microsoft WAP to Loadmaster.

Yes, we used the templates provided by KEMP. Also the certificates are the same and also the intermediate certificate is published.

ActveSync and Autodiscover works well with our smart phones, but Remote Conenctivity Analyzer always fails on the certificate. SSL Labs does a rating with A

Does anyone experience problems like this?

Georg

 

Here is the result from Microsoft:

 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.domain.tld on port 443.
  The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
 
Additional Details
 
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 243 ms.

 

6 comments

Avatar
0
itsystems

Have you had any luck with this issue?

Avatar
0
kempid

No. I will open a ticket to get an answrer

Avatar
0
Mike Shellenberger

Did you ever resolve this issue? In the same situation right now where OWA and other services work fine but Autodiscover check with RCA fails with the same error you reference.

Avatar
0
Mike Shellenberger

I believe we just resolved this issue by enabling TLS 1.0 as well as TLS 1.1 & TLS 1.2. I'm assuming the backwards compatibility is needed for the RCA checks due to legacy clients? Not sure but this seemed to fix it for us.

Avatar
0
kempid

Just had a look in VSs. They all have TLS 1.0 disabled due insecure SSLv3 and TLS 1.0.

I will try it at next maintenance

Is it a problem on KEMP or on RCA?

Anyway if this is the issue I will Keep TS 1.0 disabled and only enable it for new instaöötion for testing with RAC and afterwards disable TLS 1.0

Avatar
0
steven

I can confirm that one needs to enable TSL 1.0 to make the connectivity tester work. With just 1.1 and 1.2 actived, the tool will bark. Just don't forget to disable 1.0 afterwards ;-)