exchange 2019 CU 14

Alex Ch 40 Reputation points
2024-06-26T14:33:02.0833333+00:00

Hello

I have a task to update Exchange CU14.

Extended protection will be enabled, I found information about preliminary preparation.

Please suggest an article to prepare the client environment for enabling extended protection.


1 answer

  1. Jake Zhang-MSFT 2,635 Reputation points Microsoft Vendor
    2024-06-27T02:29:04.8733333+00:00

    Hi @Alex Ch,

    Welcome to the Microsoft Technical Support Forum.

     

    According to your description, you are currently preparing the client environment to enable Extended Protection in Exchange Server. I recommend that you follow these steps:

     

    1. Check the prerequisites:

    · Before installing Exchange 2019 CU14 (or later), or before enabling EP on Exchange 2016 or Exchange 2013, run the Microsoft Healthchecker.ps1 script.

    · Ensure that TLS 1.2 is enabled on all Exchange servers.

    2. Configure Extended Protection:

    · Extended Protection is enabled by default when you install Exchange Server 2019 CU14 (or later).

    · For older versions of Exchange Server (such as Exchange Server 2016), you can enable EP on some or all Exchange servers using the ExchangeExtendedProtectionManagement.ps1 script.

    · The "Extended Protection" setting controls the behavior of checking the Channel Binding Token (CBT). Possible values are:

    • None: IIS does not perform CBT checks.
    • Allow: CBT check is enabled but not required, allowing secure communication with EP-capable clients, and still supporting clients without EP.
    • Require: CBT check is required, blocking clients that do not support EP.

    · Ensure that the SSL flag is configured with SSL and SSL128 to enable EP.

    3. Certificate considerations:

    If using SSL bridging, ensure that the same SSL certificate is used on Exchange and the load balancer. Using different certificates may cause the EP channel binding token check to fail and prevent clients from connecting to the Exchange server.

     

    Refer to: Exchange Server support for Windows Extended Protection | Microsoft Learn

     

    Please feel free to contact me if you have any queries.

    Best,

    Jake Zhang
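
The following is an added example, not part of the answer above and not Microsoft code: a simplified Python model of the channel binding check, showing how the None/Allow/Require settings and the SSL bridging certificate point interact. It assumes the `tls-server-end-point` binding from RFC 5929 (a hash of the server certificate); the real Windows token wraps that hash in further structure, and all function names and certificate bytes here are constructed for illustration.

```python
import hashlib
import hmac
from itertools import product

MODES = ("None", "Allow", "Require")  # the three settings listed in the answer

def end_point_binding(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """tls-server-end-point binding (RFC 5929): hash of the server certificate.

    The hash is the one used in the certificate's signature, except that
    MD5 and SHA-1 are replaced by SHA-256.
    """
    name = sig_hash.lower()
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()

def server_accepts(mode: str, server_cert: bytes, client_cbt) -> bool:
    """Simplified model of the server-side check for one authentication."""
    if mode == "None":
        return True                      # token is never checked
    if client_cbt is None:
        return mode == "Allow"           # client without EP: only Allow lets it in
    # Client sent a token: it must match the certificate this server holds.
    return hmac.compare_digest(client_cbt, end_point_binding(server_cert))

def client_connects(mode, cert_seen_by_client, exchange_cert, client_has_ep):
    """Client derives its token from the certificate it saw on the wire."""
    cbt = end_point_binding(cert_seen_by_client) if client_has_ep else None
    return server_accepts(mode, exchange_cert, cbt)

def outcome_matrix(lb_cert: bytes, exchange_cert: bytes) -> dict:
    """Result for every mode and client type behind an SSL-bridging load balancer."""
    return {
        (mode, has_ep): client_connects(mode, lb_cert, exchange_cert, has_ep)
        for mode, has_ep in product(MODES, (True, False))
    }

# Constructed stand-ins for DER-encoded certificates (not real certificates).
EXCHANGE_CERT = b"constructed-cert-A"
OTHER_LB_CERT = b"constructed-cert-B"

if __name__ == "__main__":
    for label, lb in (("same cert", EXCHANGE_CERT), ("different cert", OTHER_LB_CERT)):
        for (mode, has_ep), ok in outcome_matrix(lb, EXCHANGE_CERT).items():
            print(f"{label:14} {mode:8} EP client={has_ep!s:5} -> {'ok' if ok else 'blocked'}")
```

In this model, a load balancer presenting a different certificate blocks EP-capable clients under both Allow and Require, because the token they send is derived from the certificate they saw rather than the one Exchange holds.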