How to make sure CodeTwo Exchange Rules supports TLS 1.2 in hybrid environments

Problem:

Starting 31 October 2018, Microsoft makes TLS 1.2 the default security protocol in Office 365. TLS 1.0 and 1.1 still work, but Microsoft does not provide support in case of connection or compatibility issues.

This article explains how to ensure that the software from the CodeTwo Exchange Rules family supports TLS 1.2 for communication with Office 365 in hybrid environments, where mailboxes are stored both in Exchange on-premises and in Office 365. If you run a hybrid environment, we recommend following the guidelines below because TLS 1.2 provides better security and allows you to avoid any possible Office 365 connection issues in the future (when Microsoft disables the older TLS versions).

Warning

If you plan to disable TLS 1.0 and 1.1 in your hybrid environment and switch entirely to TLS 1.2, you need to update your version of CodeTwo Exchange Rules to the version that supports TLS 1.2. Otherwise, the Sent Items Update service will not work in hybrid environments. For more information, see Troubleshooting.

Solution:

To ensure that software from the CodeTwo Exchange Rules family supports TLS 1.2 in your environment, you need to:

How to update CodeTwo Exchange Rules

To enable support for TLS 1.2 in CodeTwo Exchange Rules / Exchange Rules Pro, you need to update the software to the latest version by following these steps:

  1. Download the installer from the CodeTwo download page onto the machine where CodeTwo software is installed.
  2. Before you proceed, close the Administration Panel of your CodeTwo Exchange Rules software on this machine.
  3. Launch the downloaded installer and install the program.
  4. If you have more instances of the program in your environment, perform the update on each machine (both clients and servers) where CodeTwo Exchange Rules / Exchange Rules Pro is installed.
  5. After the update process is complete, you can launch the Administration Panel again. All of your settings and rules are retained.
  6. The program now supports Transport Layer Security 1.2.

(Optional) Enable TLS 1.2 for the .NET framework on your machine

If you cannot update your CodeTwo software to the latest version right away (which is our recommended solution), you can work around the problem manually by making the machine where the program is installed use TLS 1.2 for Secure Channel (Schannel) and .NET framework:

  • first, you need to manually set TLS 1.2 as the default security protocol in your system by modifying the Windows registry (Schannel);
  • then you need to set the .NET framework(s) on the machine to use your system's default TLS protocol. Learn how to check your .NET version

For more information and step-by-step guidelines, see this Microsoft blog article (the instructions provided in the article apply not only to the server versions of Windows, but also to the client versions of Windows, e.g. Windows 10).

Troubleshooting

This section describes problems that occur if your hybrid environment has TLS 1.0 and 1.1 disabled (TLS 1.2 is your only security protocol), and you're still using a version of CodeTwo Exchange Rules / Exchange Rules Pro that does not support TLS 1.2.

The Sent Items Update service stops working and you are not able to (re)configure it

If you have a hybrid environment and you have not updated your CodeTwo Exchange Rules software to the latest version, then you might experience the following problems with the Sent Items Update feature:

  • emails in the Sent Items folder are not updated with signatures (depending on your mail flow configuration, this issue might affect all of your users, not only those who have mailboxes in Office 365),
  • you are not able to configure the Sent Items Update service.

In the second case, when you configure the SIU service for the first time or when you edit an existing configuration, you get errors such as:

Impersonation rights are not working correctly on Office 365 servers.
The request failed. The underlying connection was closed: An unexpected error occurred on a receive.

Therefore, you are not able to successfully complete the SIU configuration wizard (Fig. 1.).

Fig. 1. SIU configuration shows errors related to lack of connection to Office 365.

You experience these problems because the software version that you have does not support TLS 1.2 and is therefore not able to connect to Office 365 to update emails in the users' Sent Items folders.

To fix these issues, you need to update the program to the latest version.

If these errors still occur after the update, you should make sure your environment supports TLS 1.2.

How do I check if TLS 1.2 is supported in my environment?

If you updated CodeTwo software to support TLS 1.2 but you still experience errors related to lack of TLS 1.2 connectivity, you should make sure your environment supports TLS 1.2 and has it enabled.

  • See this MSDN article to learn about TLS 1.2 availability in Windows.
  • If you're working in a server environment, see this Microsoft blog article for additional information. Some older systems (such as Windows Server 2008) have TLS 1.2 disabled or do not support it at all. The article shows how to ensure your Windows Server and Exchange Server version supports TLS 1.2.
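
The Schannel and .NET Framework registry settings mentioned in the optional section above, and the check described in this section, can be audited with a read-only script. This is an added example, not code from CodeTwo or Microsoft; the key paths and expected values are the ones Microsoft commonly documents for TLS 1.2, so verify them against the linked articles before changing anything.

```powershell
# Added example: read-only audit of TLS 1.2 settings for Schannel and .NET Framework.
# It changes nothing; run it in an elevated PowerShell session on the CodeTwo machine.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$netRoots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'   # 32-bit view on 64-bit Windows

# Schannel: TLS 1.2 enabled and not disabled by default, for both roles.
$checks = @(foreach ($role in 'Client', 'Server') {
    [pscustomobject]@{ Path = "$schannel\$role"; Name = 'Enabled';           Want = 1 }
    [pscustomobject]@{ Path = "$schannel\$role"; Name = 'DisabledByDefault'; Want = 0 }
})

# .NET: follow the system default TLS version and use strong cryptography.
$checks += @(foreach ($root in $netRoots) {
    foreach ($ver in 'v4.0.30319', 'v2.0.50727') {
        [pscustomobject]@{ Path = "$root\$ver"; Name = 'SystemDefaultTlsVersions'; Want = 1 }
        [pscustomobject]@{ Path = "$root\$ver"; Name = 'SchUseStrongCrypto';       Want = 1 }
    }
})

$report = foreach ($c in $checks) {
    $value = $null
    if (Test-Path -LiteralPath $c.Path) {
        $item  = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = $item.($c.Name)
    }

    # These values are on/off switches: any non-zero DWORD (including 0xFFFFFFFF) counts as "on".
    $status = if ($null -eq $value) { 'NotSet (OS default applies)' }
              elseif (($value -ne 0) -eq ($c.Want -ne 0)) { 'OK' }
              else { 'Mismatch' }

    [pscustomobject]@{
        Key      = $c.Path
        Value    = $c.Name
        Found    = $value
        Expected = $c.Want
        Status   = $status
    }
}

$report | Format-Table -AutoSize -Wrap

# Protocols the current .NET process would offer for outgoing connections.
"Current process SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

A `Mismatch` row means the value is explicitly set against TLS 1.2; a `NotSet` row means the behaviour depends on the Windows and .NET version, which is what the linked Microsoft articles cover.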