Cisco Cisco Email Security Appliance C650 Guía Del Usuario

LDAPS. TLS transactions between the Email Security appliance and LDAP 
servers, including using an LDAP server for external authentication, use TLS 
version 1 and FIPS cipher suites. If the LDAP server uses MD5 hashes to 
store passwords, the SMTP authentication query will fail because MD5 is not 
FIPS-compliant.

Logs. SSH2 is the only allowed protocol for pushing logs via SCP. For error 
messages related to FIPS management, read the FIPS Logs at the INFO level.

Console serial port. If you are accessing an Email Security appliance via a 
serial connection, the session times out 30 minutes after the connection to the 
Serial Console port is terminated.

Centralized Management. For clustered appliances, FIPS mode can only be 
turned on at the cluster level.

AsyncOS for Email includes the 

fipsconfig

 CLI command to switch the 

appliance over to FIPS mode. You also use the 

fipsconfig

 CLI command to 

switch the appliance back to non-FIPS mode. Only administrators can use this 
command.

The appliance displays a warning if there are any non-FIPS compliant certificates 
or DKIM keys in use. You cannot switch the appliance to FIPS mode until you 
remove these keys and certificates.

A reboot is required after switching the appliance from non-FIPS mode to FIPS 
mode or from FIPS mode to non-FIPS mode.

AsyncOS restricts the sslconfig command to only printing tis configured settings 
when the appliance is in FIPS mode.

AsyncOS allows you to encrypt communications between the appliance and 
external machines by using a certificate and private key pair. You can upload an 
existing certificate and key pair, generate a self-signed certificate, or generate a