
Saturday, June 30, 2018

Attempting to install Skype for Business server role onto Windows 2012 server fails with: "Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update"

Problem

You’re attempting to install a new role, such as mediation services, on an existing front end server but the process fails with the following message:

> Bootstrap-CsComputer
> Logging status to: C:\Users\a-tluk\AppData\Local\Temp\2\BootstrapFull-[2018_06_23][13_45_16].html
> Checking prerequisites for bootstrapper...
> Checking prerequisite WMIEnabled...prerequisite satisfied.
> Checking prerequisite NoBootstrapperOnBranchOfficeAppliance...prerequisite satisfied.
> Checking prerequisite SupportedOS...prerequisite satisfied.
> Checking prerequisite NoOtherVersionInstalled...prerequisite satisfied.
> Host name: drlyncstd01.contoso.com
> Disabling unused roles...
> Executing PowerShell command: Disable-CSComputer -Confirm:$false -Verbose -Report "C:\Users\a-tluk\AppData\Local\Temp\2\Disable-CSComputer-[2018_06_23][13_45_24].html"
> Checking prerequisites for roles...
> Checking prerequisite SupportedOS...prerequisite satisfied.
> Checking prerequisite SupportedOSNoDC...prerequisite satisfied.
> Checking prerequisite DotNet35...prerequisite satisfied.
> Checking prerequisite SupportedSqlRtcLocal...prerequisite satisfied.
> Checking prerequisite WMIEnabled...prerequisite satisfied.
> Checking prerequisite NoOtherVersionInstalled...prerequisite satisfied.
> Checking prerequisite PowerShell...prerequisite satisfied.
> Checking prerequisite SupportedServerOS...prerequisite satisfied.
> Checking prerequisite KB2533623Installed...prerequisite satisfied.
> Checking prerequisite SupportedSqlLyncLocal...prerequisite satisfied.
> Checking prerequisite SupportedSqlRtc...prerequisite satisfied.
> Checking prerequisite IIS...prerequisite satisfied.
> Checking prerequisite IIS7Features...prerequisite satisfied.
> Checking prerequisite KB2982006Installed...missing
> Checking prerequisite ASPNet...prerequisite satisfied.
> Checking prerequisite KB2646886Installed...prerequisite satisfied.
> Checking prerequisite BranchCacheBlock...prerequisite satisfied.
> Checking prerequisite WCF...prerequisite satisfied.
> Checking prerequisite WindowsMediaFoundation...prerequisite satisfied.
> Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2.
> For details about the update, see Microsoft Knowledge Base article 2982006, "IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2" at http://go.microsoft.com/fwlink/?LinkId=519376

image

You navigate to the provided URL:

http://go.microsoft.com/fwlink/?LinkId=519376

… which redirects you to the following KB:

IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2
https://support.microsoft.com/en-us/help/2982006/iis-crashes-occasionally-when-a-request-is-sent-to-a-default-document

Last Updated Dec 9, 2014

… download the update but realize that it will not install:

The update is not applicable to your computer.

image

Solution

The supplied KB is outdated and has since been superseded by the following correct one:

Prerequisite (KB2982006) not satisfied when you try to install Skype for Business Server 2015
https://support.microsoft.com/en-us/help/4056288/can-t-install-skype-for-business-server-2015-due-to-missing-kb2982006

Cause

This issue occurs because the WMI query result of the prerequisite of KB2982006 isn't reliable.

To correct the issue, navigate to the following URL and install the January 2018 cumulative update 6.0.9319.514 for Skype for Business Server 2015, core components or later CU:
https://support.microsoft.com/en-us/help/4074705

I went ahead and installed the March 2018 CU:

Business Server 2015 Cumulative Update KB3061064 Mar 2018

image

… and was able to proceed with the install:

image

Tuesday, June 26, 2018

Running sysprep on Windows Server 2012 R2 server fails with: "A fatal error occurred while trying to sysprep the machine."

Problem

You have an existing Windows Server 2012 R2 server that you would like to manually sysprep:

image

So you proceed to navigate to the directory: C:\windows\system32\sysprep to execute the sysprep.exe:

image

Select the Generalize option and click OK:

image

The process starts but quickly fails with the error:

System Preparation Tool 3.14

A fatal error occurred while trying to sysprep the machine.

image

You navigate to the directory:

C:\windows\system32\sysprep\Panther

image

… and find the following content in the setuperr.log file:

2017-06-26 10:18:22, Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f

2017-06-26 10:18:22, Error SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f

2017-09-18 15:11:15, Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f

2017-09-18 15:11:15, Error SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f

2018-06-26 13:21:48, Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f

2018-06-26 13:21:48, Error SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f

2018-06-26 13:42:57, Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f

2018-06-26 13:42:57, Error [0x0f00ae] SYSPRP WinMain:Hit failure while processing sysprep cleanup external providers; hr = 0x8007001f

image

Solution

Most of the posts I found relating to this error message indicate that the rearm limit has been reached, but executing slmgr.vbs /dlv to review the Remaining Windows rearm count does not appear to suggest this:

image

From there, I decided to try the configuration that I usually use for a server that has exceeded the rearm count, and it surprisingly corrected the issue.

Begin by launching the registry editor and navigating to:

HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus\

Verify that the CleanupState registry key is set to 2:

image

Verify that the GeneralizationState is set to 7:

image

Uninstall and reinstall the MSDTC via the following commands:

msdtc -uninstall

msdtc -install

image

Proceed by navigating to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\

Locate the SkipRearm key and change the value to 1:

image

Rerunning the sysprep.exe executable to start the sysprep process should work as expected now:

image

Once the sysprep completes, use a utility such as PsGetsid64.exe to verify that a new SID was generated for the server.
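The registry checks and the MSDTC reinstall above can be run as one script. This is an added example, not part of the original post; the function name Repair-SysprepState is hypothetical, and the registry paths, value names and target values are the ones given in the steps above. It must be run from an elevated PowerShell session.

```powershell
# Added example; Repair-SysprepState is a hypothetical name. Run elevated.
function Repair-SysprepState {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)   # without -Fix the function only reports

    # Registry values and targets as given in the steps of this post, in the same order.
    $sysprep = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'
    $spp     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $targets = @(
        @{ Path = $sysprep; Name = 'CleanupState';        Want = 2 }
        @{ Path = $sysprep; Name = 'GeneralizationState'; Want = 7 }
        @{ Path = $spp;     Name = 'SkipRearm';           Want = 1 }
    )

    foreach ($t in $targets) {
        # Read the current value; a missing value is reported as $null.
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
        $have = if ($item) { $item.($t.Name) } else { $null }

        if ($have -ne $t.Want -and $Fix -and
            $PSCmdlet.ShouldProcess("$($t.Path)\$($t.Name)", "set to $($t.Want)")) {
            Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Want -Type DWord
            $have = (Get-ItemProperty -Path $t.Path -Name $t.Name).($t.Name)
        }

        [pscustomobject]@{
            Name     = $t.Name
            Expected = $t.Want
            Current  = $have
            Match    = ($have -eq $t.Want)
        }

        # The post reinstalls MSDTC after the SysprepStatus checks and before SkipRearm.
        if ($t.Name -eq 'GeneralizationState' -and $Fix -and
            $PSCmdlet.ShouldProcess('MSDTC', 'uninstall and reinstall')) {
            & msdtc.exe -uninstall
            & msdtc.exe -install
        }
    }
}

# Report the current state without changing anything.
Repair-SysprepState | Format-Table -AutoSize

# Preview the changes, then drop -WhatIf to apply them:
# Repair-SysprepState -Fix -WhatIf
```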

Monday, June 25, 2018

VMware Horizon View Connection Server service starts and stops

Problem

You have a VMware Horizon View Connection Server 7.5.0 that was recently upgraded from 7.4.0 and you noticed that the VMware Horizon View Connection Server service does not start. Attempting to start the service shows that it starts but then stops a few seconds later:

image

Navigating to the VMware Horizon View Connection server logs directory at:

C:\ProgramData\VMware\VDM\logs

image

… and reviewing the wsnm_starts.txt file:

image

… shows that the service starts and stops:

image

Reviewing the most recent log file log-2018-06-25.txt:

image

… shows a series of errors:

image

Navigating to the bottom of the log file reveals the following errors as the service stops:

2018-06-25T10:42:47.052-03:00 INFO (0714-1280) <logloaded> [MessageFrameWork] Plugin 'ws_winauth - VMware Horizon View Framework Windows Authentication Support' loaded, version=7.5.0 build-8583568, buildtype=release

2018-06-25T10:42:47.052-03:00 INFO (0714-0E90) <Service Main Thread> [wsnm] The VMware View System Service is starting

2018-06-25T10:42:47.068-03:00 INFO (0A94-12E8) <logloaded> [MessageFrameWork] Plugin 'ws_java_bridgeDLL - VMware Horizon View Framework Java Bridge' loaded, version=7.5.0 build-8583568, buildtype=release

2018-06-25T10:42:47.068-03:00 INFO (0A94-123C) <Main Thread> [MessageFrameWork] Program 'ws_MessageBusService - VMware Horizon View Java Component Service' started, version=7.5.0 build-8583568, pid=0xA94, buildtype=release, usethread=1, closeafterwrite=0, sessionId=0

2018-06-25T10:42:47.068-03:00 INFO (0A94-12D4) <Service Main Thread> [ws_MessageBusService] The service 'MessageBusService' is started

2018-06-25T10:42:47.068-03:00 INFO (0A94-13E4) <logloaded> [MessageFrameWork] Plugin 'ws_javaview - VMware Horizon View Framework Java Diagnostics' loaded, version=7.5.0 build-8583568, buildtype=release

2018-06-25T10:42:47.070-03:00 INFO (0A94-0CE4) <logloaded> [MessageFrameWork] Plugin 'mfw_java - VMware Horizon View Framework Java Native Support (64-bit)' loaded, version=15.0.0 build-8440871, buildtype=release

2018-06-25T10:42:47.211-03:00 ERROR (0A94-112C) <javabridge> [mfw_java] Java Bridge Managed failed on tmp =jniEnv->FindClass("com/vmware/vdi/mfwj/binaryResp")

2018-06-25T10:42:47.211-03:00 ERROR (0A94-112C) <javabridge> [mfw_java] Exception in BagConv::Init

2018-06-25T10:42:47.211-03:00 WARN (0A94-112C) <javabridge> [ws_java_bridgeDLL] Exception

2018-06-25T10:42:47.211-03:00 WARN (0A94-112C) <javabridge> [ws_java_bridgeDLL] in thread "main"

2018-06-25T10:42:47.211-03:00 ERROR (0A64-09F4) <Service Main Thread> [ws_ConnectionServer] Wait for READY state FAILED for dependent 'wsmsgbus', error: The specified service is stopping

2018-06-25T10:42:47.243-03:00 INFO (0A94-123C) <Main Thread> [ws_MessageBusService] The service 'MessageBusService' is stopped

2018-06-25T10:42:47.726-03:00 ERROR (0A64-09F4) <Service Main Thread> [ws_ConnectionServer] wsnm OpenProcess FAILED, error: 87 (The parameter is incorrect.)

2018-06-25T10:42:47.726-03:00 ERROR (0A64-09F4) <Service Main Thread> [ws_ConnectionServer] wsnm OpenProcess FAILED, error: 87 (The parameter is incorrect.)

2018-06-25T10:42:47.726-03:00 INFO (0714-0E90) <Service Main Thread> [wsnm] The VMware View System Service is shutting down

2018-06-25T10:42:47.726-03:00 WARN (0A64-0D40) <NodeManagerWatcher> [MessageFrameWork] Connection to Node Manager lost

2018-06-25T10:42:47.898-03:00 INFO (0714-04B4) <Main Thread> [wsnm] The VMware View System Service has stopped

2018-06-25T10:42:47.960-03:00 INFO (0A64-0440) <Main Thread> [ws_ConnectionServer] The service 'Broker' is stopped

2018-06-25T10:43:21.813-03:00 WARN (07D4-0C84) <3204> [v4v_broker_agent_svc] SocketChannel: Unable to connect to contoVV02:32111

Solution

There wasn’t much information available online aside from this old KB listed for version 6.2.x and older:

View Administrator portal fails to launch after upgrading from VMware Horizon View 5.2 to 5.3 (2075114)

https://kb.vmware.com/s/article/2075114

The environment for this example did not have vRealize Operations Manager but I went ahead and uninstalled the VMware Horizon 7 Connection Server component:

image

Ensured that I left the AD LDS Instance VMwareVDMDS intact:

image

Then reinstalled VMware Horizon 7 as a replica server using the same AD LDS instance, which corrected the problem.

Thursday, June 21, 2018

Scoring an A grading from Qualys SSL Labs with VMware Horizon View 7.4.0 Security Server

Problem

I’ve been asked several times over the past year how to configure VMware Horizon View to score a high rating on the Qualys SSL Labs (https://www.ssllabs.com/ssltest) portal. Because of the lack of information available on the internet, I thought I’d write this quick blog post to demonstrate one of the various ways you can achieve this.

Leaving a VMware Horizon View 7.4.0 security server with the default configuration would yield a B rating as shown here:

image

Note the following reasons why the rating is capped at B:

This server does not support Forward Secrecy with the reference browsers. Grade capped to B.

This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.

Analysis

The way to obtain a better score is to control the cipher suites that the security server offers. To review what is currently being offered, scroll down to the Configuration section of the report and review the protocols and suites listed:

image

Due to the lack of information for this, my first approach was to review the ciphers I use to obtain an A+ rating for NetScaler configurations but realized this would not work because:

  1. Horizon View does not support all of these ciphers
  2. The format of the ciphers is not the same between the NetScaler and VMware Horizon (they’re written differently)

Solution

Official instructions provided by VMware to control the ciphers allowed by the security server can be found here:

Configure Acceptance Policies on Individual View Servers
https://docs.vmware.com/en/VMware-Horizon-7/7.0/com.vmware.horizon-view.security.doc/GUID-7FA3EE31-2DFD-4979-A972-87B40695FFC5.html

To override the default ciphers offered to connections, navigate to the following directory on the security server:

install_directory\VMware\VMware View\Server\sslgateway\conf\

Create a new file named locked.properties:

image

Open the file in notepad and paste the following:

# The following list should be ordered with the latest protocol first:

secureProtocols.1=TLSv1.2

secureProtocols.2=TLSv1.1

# This setting must be the latest protocol given in the list above:

preferredSecureProtocol=TLSv1.2

# The order of the following list is unimportant unless honorClientOrder is false:

enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

enabledCipherSuite.3=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

enabledCipherSuite.4=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

image

Restart the Security Server service to apply the changes.

Using the ciphers listed above would yield a score of A from the scan:

image

Scrolling down to the Configuration section will show that no weak ciphers are supported and that TLSv1 is not supported:

image

It is also possible to support TLSv1 by using the following cipher configuration:

# The following list should be ordered with the latest protocol first:

secureProtocols.1=TLSv1.2

secureProtocols.2=TLSv1.1

secureProtocols.3=TLSv1

# This setting must be the latest protocol given in the list above:

preferredSecureProtocol=TLSv1.2

# The order of the following list is unimportant unless honorClientOrder is false:

enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

enabledCipherSuite.3=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

enabledCipherSuite.4=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

enabledCipherSuite.5=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

enabledCipherSuite.6=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

enabledCipherSuite.7=TLS_DHE_RSA_WITH_AES_256_CBC_SHA

enabledCipherSuite.8=TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Whether to support TLSv1 will be dependent on the clients connecting and my preference would be to omit it because it is a protocol that the world is deprecating.  The same can also be said with TLSv1.1 but I think it is safe to include that for now.
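Before restarting the service, a locked.properties file can be checked against the two grade caps quoted earlier (forward secrecy and AEAD) and against the ordering rules in the file's own comments. The following is an added example, not part of the original post and not a VMware tool; the function name Test-LockedProperties is hypothetical, and the forward secrecy and AEAD columns are derived from the suite names only, which is a necessary condition for the SSL Labs checks, not a guarantee of the grade.

```powershell
# Added example; Test-LockedProperties is a hypothetical name, not a VMware tool.
function Test-LockedProperties {
    param([Parameter(Mandatory)][string]$Text)

    $protocols = @{}; $suites = @{}; $preferred = $null
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # skip blanks and comments
        $key, $value = $line -split '=', 2
        $key = $key.Trim(); $value = "$value".Trim()
        switch -Regex ($key) {
            '^secureProtocols\.(\d+)$'    { $protocols[[int]$Matches[1]] = $value }
            '^enabledCipherSuite\.(\d+)$' { $suites[[int]$Matches[1]] = $value }
            '^preferredSecureProtocol$'   { $preferred = $value }
        }
    }

    # Classify each suite by its name: key exchange, bulk cipher mode, repeated entry.
    $seen = @{}
    $rows = foreach ($i in ($suites.Keys | Sort-Object)) {
        $name = $suites[$i]
        [pscustomobject]@{
            Index          = $i
            Suite          = $name
            ForwardSecrecy = $name -match '^TLS_(ECDHE|DHE)_'
            Aead           = $name -match '_(GCM|CCM)(_|$)|CHACHA20_POLY1305'
            Duplicate      = $seen.ContainsKey($name)
        }
        $seen[$name] = $true
    }

    # Protocols in file order (lowest index first).
    $ordered = @($protocols.Keys | Sort-Object | ForEach-Object { $protocols[$_] })
    [pscustomobject]@{
        Protocols         = $ordered
        PreferredIsFirst  = ($ordered.Count -gt 0 -and $preferred -eq $ordered[0])
        OffersTls10       = ($ordered -contains 'TLSv1')
        AnyForwardSecrecy = [bool]($rows | Where-Object ForwardSecrecy)
        AnyAead           = [bool]($rows | Where-Object Aead)
        Suites            = $rows
    }
}

# Sample input: the TLSv1-compatible configuration from this post.
$sample = @'
secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1
secureProtocols.3=TLSv1
preferredSecureProtocol=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
enabledCipherSuite.4=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.5=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.6=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.7=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.8=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
'@

$report = Test-LockedProperties -Text $sample
$report | Format-List Protocols, PreferredIsFirst, OffersTls10, AnyForwardSecrecy, AnyAead
$report.Suites | Format-Table -AutoSize
```

In the TLSv1 configuration above, enabledCipherSuite.6 repeats enabledCipherSuite.2, which the Duplicate column marks. To check a live server, pass the file contents with `Get-Content -Raw` on the locked.properties path.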

Why isn’t the score A+?

The reason why the score isn’t an A+ is because of this line item:

Downgrade attack prevention

No, TLS_FALLBACK_SCSV not supported

image

I have yet to determine what changes to the configuration are required and will update this blog post when I do, but the following is an interesting forum post about this topic that is worth reading:

https://security.stackexchange.com/questions/112531/is-tls-fallback-scsv-useless-if-only-tls-1-0-1-1-1-2-is-supported/112539#112539

To sum up: not supporting TLS_FALLBACK_SCSV is not necessarily a serious issue, depending on how well the client and server implement TLS 1.0 (by not supporting SSL 3.0 you already avoid the most glaring problems). However, good implementations cannot be guaranteed, and not supporting TLS_FALLBACK_SCSV is formally a weakness, even if it is not necessarily a vulnerability. That the weakness cannot be turned into a full exploit by attackers does not mean it does not exist.

In any case, you won't implement TLS_FALLBACK_SCSV because you want security; you will implement TLS_FALLBACK_SCSV because you want an A+. If you do not, then you will spend inordinate amounts of time explaining to many people that the "A+" grade is meaningless in that respect and that you can afford not to take it. In the long term, not howling with the wolves is too expensive.

Tuesday, June 19, 2018

Azure AD synchronization fails with: "user_realm_discovery_failed: User realm discovery failed" and "The remote server returned an error: (407) Proxy Authentication Required."

Problem

You’ve noticed that your Azure AD synchronization has stopped synchronizing for a period of time:

image

Launching the Synchronization Service Manager indicates the export job is failing with stopped-extension-dll-exception:


image

Reviewing the event logs shows the following three events consistently logged:

  • Event ID: 6900
  • Event ID: 659
  • Event ID: 906

image

Log Name: Application
Source: ADSync

Event ID: 6900

Level: Error

The server encountered an unexpected error while processing a password change notification:

"user_realm_discovery_failed: User realm discovery failed

at InitializeAndGetTargetExtension(Object lockObject, TargetTaskScheduler taskScheduler, Dictionary`2 targetExtensions, ECMAInformation* ecmaInformation)

at TargetExtensionManager.ExportPasswords(TargetExtensionManager* , ECMAInformation* ecmaInformation, DynamicArray<ActiveDirectoryPasswordChange *>* targetPasswordChanges, Char* forestInfo)

InnerException=>

The remote server returned an error: (407) Proxy Authentication Required.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.IdentityModel.Clients.ActiveDirectory.UserRealmDiscoveryResponse.<CreateByDiscoveryAsync>d__0.MoveNext()

InnerException=>

none

"

image

Log Name: Application
Source: Directory Synchronization

Event ID: 659

Level: Error

Error while retrieving password policy sync configuration. Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: user_realm_discovery_failed: User realm discovery failed ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.IdentityModel.Clients.ActiveDirectory.UserRealmDiscoveryResponse.<CreateByDiscoveryAsync>d__0.MoveNext()

--- End of inner exception stack trace ---

at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)

at Microsoft.Online.Coexistence.ProvisionHelper.GetADALToken(String userName, String userPassword, MSOInstance adalServiceResource)

at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken(String userName, String userPassword, MSOInstance adalServiceResource)

at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.InitializeProvisionHelper()

at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.Initialize()

at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.GetCompanyConfiguration()

at Microsoft.Azure.ActiveDirectory.Connector.PasswordPolicy.RefreshPasswordPolicySyncSettings()

ErrorCode: user_realm_discovery_failed

StatusCode: 0

image

Log Name: Application
Source: Directory Synchronization

Event ID: 906

Level: Error

GetADALToken [user_realm_discovery_failed]: unexpected authentication failure. STS endpoint (https://login.windows.net), userName (Sync_DIRSYNC01_d5b89680b957@contoso.onmicrosoft.com), tenantName (contoso.onmicrosoft.com), adalAuthority(https://login.windows.net/contoso.onmicrosoft.com) user_realm_discovery_failed: User realm discovery failed | The remote server returned an error: (407) Proxy Authentication Required..

image

Solution

One possible cause of this error is that the DirSync service is attempting to reach Azure via a proxy server and is unable to authenticate. In this example, the DirSync server was able to synchronize directly via the internet but had inadvertently inherited proxy settings due to a network misconfiguration. Changing the proxy settings did not correct the problem as DirSync continued to connect to the proxy. To correct this problem, you’ll need to edit a configuration file for the synchronization service manager to stop it from using a proxy. Navigate to the following directory:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config

… and locate the machine.config file:

image

Duplicate the file to create a backup:

image

Open the file and navigate to the end of the configuration:

image

Add the following under the </system.web> tag:

<system.net>

<defaultProxy enabled="false"></defaultProxy>

</system.net>

image

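Save the file, restart the Azure synchronization services and rerun the synchronization. Note that machine.config applies to every 64-bit .NET Framework 4.x application on the server, so this setting turns off the default proxy for all of them, not only the synchronization service.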

Friday, June 15, 2018

Update June 2018: Securing Citrix NetScaler VPX to score A+ rating on SSL Labs

This post serves as an update to my previous blog post:

Update: Securing Citrix NetScaler VPX to score A+ rating on SSL Labs

http://terenceluk.blogspot.com/2017/09/update-securing-citrix-netscaler-vpx-to.html

… which will no longer score an A+ rating because the ciphers are now out of date.

In order to score an A+ rating:

image

… we’ll need to update the ciphers to the following:

TLS1-ECDHE-RSA-AES256-SHA

TLS1-ECDHE-RSA-AES128-SHA

TLS1-DHE-RSA-AES-256-CBC-SHA

TLS1-DHE-RSA-AES-128-CBC-SHA

TLS1-AES-256-CBC-SHA

TLS1-AES-128-CBC-SHA

TLS1.2-ECDHE-RSA-AES-256-SHA384

TLS1.2-ECDHE-RSA-AES-128-SHA256

TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

TLS1.2-DHE-RSA-AES256-GCM-SHA384

TLS1.2-DHE-RSA-AES128-GCM-SHA256

TLS1-ECDHE-ECDSA-AES256-SHA

TLS1-ECDHE-ECDSA-AES128-SHA

image

The commands to execute on the NetScaler are as follows:

add ssl cipher Custom-VPX-Cipher

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES256-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-RSA-AES128-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-256-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-DHE-RSA-AES-128-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-256-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-AES-128-CBC-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-256-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES-128-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1.2-DHE-RSA-AES128-GCM-SHA256

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-ECDSA-AES256-SHA

bind ssl cipher Custom-VPX-Cipher -cipherName TLS1-ECDHE-ECDSA-AES128-SHA

The ciphers above were tested on a NetScaler NS12.1 48.13.nc and verified to score an A+.

image