Messaging Gateway


Possible other impact to check when turning on FIPS mode in SMG 10.6.x

  • 1.  Possible other impact to check when turning on FIPS mode in SMG 10.6.x

    Posted Jul 13, 2016 06:03 AM

    Hi,

    We are required to disable the RC4 cipher in SMG. Currently this can only be accomplished by enabling FIPS mode.

    What possible other impact do I have to test for (access via SSH, HTTPS access to quarantine for users, LDAP? etc.) when enabling FIPS mode (http://www.symantec.com/docs/HOWTO77710)?

    Does anybody here have experience with a transition from a non-FIPS mode to a FIPS mode production environment?



  • 2.  RE: Possible other impact to check when turning on FIPS mode in SMG 10.6.x

    Posted Jul 21, 2016 04:35 AM

    Hi Thomas,

    I tried FIPS in our test environment at version 10.6.0 in December last year; I am not familiar with FIPS changes in the meantime.

    My test cases included: LDAPS (beware of current errors changing a data source) to AD, eDir and Notes for recipient validation incl. custom queries, STARTTLS opportunistic and forced in- and outbound (beware of RFC limitations of Office365 and others if you offer client certs), different MS Exchange versions (2010, 2013, 2016) on different versions of Windows (2k8, 2k12) with different cipher settings (default, TLS 1.x enabled, ...), different other "clients" like sendmail, Notes, etc. tcpdump will be your friend ;-)

    But usually it shouldn't be a big deal except TLS and supported ciphers.

    And there is still no public documentation of the used ciphers. https://support.symantec.com/en_US/article.TECH156249.html has an incomplete list, is not up to date and does not include FIPS.

    Please let us know how and what you did.

    Kind regards

    Thomas