[isalist] Re: ISA - Exchange and PCI Compliance

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Jun 2010 11:43:16 -0400

Bret, I believe I had this same issue over a year ago (memory is going....).  I 
followed the outlines here:
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now, that being said, I also can't remember if I had to do both the ISA server 
and my Exchange Server (IIS portion for webmail), or just ISA.  I think ISA 
only as I remember doing all 4 of my ISAs at all my sites but only have 
webmail/activesync on my main site.  It wasn't a difficult change outside of 
the reboot window.

I just looked at my ISA server and the changes are there for sure.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Bret Hanson
Sent: Wednesday, June 16, 2010 11:23 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] ISA - Exchange and PCI Compliance

We are running ISA 2006 EE publishing Exchange 2007 OWA & Outlook Anywhere.  
Recently we had a vulnerability scan done by a 3rd party as required by the Pay 
Card Industry (PCI).

The report came back with two problems on the public IP of the mail server.


1.   SSLv2 Supported

2.   SSL Weak Encryption Algorithms

Researching a solution to this issue has made me even more confused.  Some say 
this needs to be fixed on the ISA box and others say on both.  Anyone else dealt 
with this - can ya help a guy out?


Thanks!

Bret
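
An added example, not from either poster or the linked article: a read-only PowerShell audit of the Windows SCHANNEL registry values behind the two scan findings, meant to be run locally on each host that terminates TLS (the ISA server and the Exchange/IIS server) to see where the change is still missing. The weak-cipher list and the function name are assumptions; match the list to what the scan report flags.

```powershell
# Added example: read-only check of SCHANNEL protocol and cipher settings.
# Nothing is modified; changes to these values take effect only after a reboot.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Assumption: ciphers treated as "weak" (NULL and 40/56/64-bit key lengths).
$weakCiphers = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128'

# Hypothetical helper: returns the state of the 'Enabled' value under a SCHANNEL subkey.
function Get-SchannelEnabled {
    param([string]$SubKey)
    # Cipher key names contain '/', which the PowerShell registry provider
    # treats as a path separator, so the key is opened through the .NET API.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return 'not set (OS default applies)' }
    try {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value) { return 'not set (OS default applies)' }
        if ($value -eq 0)     { return 'disabled' }
        return 'enabled'
    }
    finally { $key.Close() }
}

$report = @()

# Finding 1: SSLv2 offered by the server side of SCHANNEL.
$report += New-Object PSObject -Property @{
    Setting = 'Protocol SSL 2.0 (Server)'
    State   = (Get-SchannelEnabled 'Protocols\SSL 2.0\Server')
}

# Finding 2: weak encryption algorithms.
foreach ($cipher in $weakCiphers) {
    $report += New-Object PSObject -Property @{
        Setting = "Cipher $cipher"
        State   = (Get-SchannelEnabled "Ciphers\$cipher")
    }
}

$report | Select-Object Setting, State | Format-Table -AutoSize
```

Any row that does not read `disabled` on a host whose listener is reachable from the scanned public IP is a candidate for the remaining finding; confirm with a rescan after the reboot.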


