TLS cipher TLS_DH_anon_WITH_RC4_128_MD5 is being blocked in firewall
We have configured federation access (screen-sharing access) via Microsoft Office Communicator R2 from our organization to the customer. The federation access is allowed from my company's OCS Edge server to the customer's Edge server. My company's Edge servers are located in the main office. Users from the main office are able to perform screen sharing with external customers. The problem comes when users from the branch office try to perform screen sharing: it is not working.
Microsoft has been involved in this case and they have shared their observations on this:
"Initial three-way handshake is happening fine from OCS client to server over 443, but something is failing after this.
+ Client is sending the Client Hello packets and the cipher suite being used is TLSCipherSuites: TLS_DH_anon_WITH_RC4_128_MD5
+ However, we are not getting the response from the Edge Server at all (Server Hello is missing)
This could happen if we have the requests that are getting blocked on the firewall.
Please ensure that the TLS protocol suite TLSCipherSuites: TLS_DH_anon_WITH_RC4_128_MD5 is allowed on the firewalls between the Branch office client network and the Main office Edge Server network and vice versa."
From the OCS client to the server it is a straight connection, like: Access switch -> Distribution switch -> Core switch -> Firewall -> WAN router at branch --------- WAN router at main office -> Main firewall -> Core switch -> DMZ firewall -> OCS server.
We are not doing any application inspection in any firewall, and there is no IPS in between.
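To confirm whether the ClientHello really reaches the Edge side unchanged, the practical check is to capture the first 443 packet after the handshake at each hop and compare the offered cipher suites. The parser below is an added example (not from the post or from Microsoft); it decodes the cipher suite list from a raw TLS ClientHello record and flags the anonymous-DH suite from the post (ID 0x0018 in the IANA registry). The sample record is constructed inline, not taken from a capture.

```python
import struct

# Cipher suite IDs from the TLS registry (RFC 5246 A.5). Only a few are named here.
CIPHER_NAMES = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Anonymous (unauthenticated) DH suites; many firewalls treat these as suspicious.
ANON_SUITES = {0x0018}


def parse_client_hello(record: bytes) -> dict:
    """Return version and offered cipher suite IDs from a raw TLS ClientHello record."""
    # TLS record header: content type (1), version (2), length (2); 0x16 == handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg type (1), length (3); type 1 == ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                       # client_version, then 32-byte random
    pos += 1 + hello[pos]               # session_id length byte plus session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def anonymous_suites(suites):
    """Subset of the offered suites that are anonymous DH (no server authentication)."""
    return [s for s in suites if s in ANON_SUITES]


def build_client_hello(suites) -> bytes:
    """Construct a minimal ClientHello record (sample input, assumed format per RFC 5246)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", 0x0301) + bytes(32) + b"\x00"   # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + b"\x00\x00")                        # null compression, no extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    sample = build_client_hello([0x0018, 0x002F])   # constructed, mirrors the post's suite
    offered = parse_client_hello(sample)["cipher_suites"]
    for s in offered:
        print(hex(s), CIPHER_NAMES.get(s, "unknown"), "ANON" if s in ANON_SUITES else "")
```

Run the same parser over the ClientHello captured at the branch firewall and at the DMZ firewall; if the anonymous suite appears at one hop and not the other, or the record never arrives, the drop point is between them.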