Mandating level of port encryption

Starting in 14.5, NRPC port encryption is enabled when clients or servers are set up, raising the baseline security level of NRPC connections. Administrators can additionally mandate it, so that encryption is enforced rather than merely available.

Mandated port encryption works in the following ways:

  • Enables and enforces NRPC port encryption on both the client and the server. When an administrator configures enforcement, encryption is required even if the other side of the connection does not request it.
  • Allows the administrator to manage whether NRPC port encryption is enabled.
  • Enforces the mandated NRPC port encryption level for all authenticated NRPC sessions.

Prerequisites

To enable and use this feature, the primary administration server must run 14.5. Note that NRPC encryption is mandated only on clients and servers running 14.5 or later.

Configuring server ports

For the new mandated port encryption feature, the following existing and new configurations are available:
  • An administrator can update the TCPIP port setting in the server's ini. The last field of the port definition selects encryption and compression:

    Setting                        Description
    TCPIP=TCP,0,15,0,,45056        encryption
    TCPIP=TCP,0,15,0,,12320        compression
    TCPIP=TCP,0,15,0,,45088        encryption + compression
    TCPIP=TCP,0,15,0,,12288        no encryption, no compression


The "Port_ENC_ADV" ini setting is used to configure the newer port encryption options; there is no user interface for it. Refer to Table 1 in Configuring the level of port encryption and authentication.

  • Client port settings can be controlled through policy under Preferences > Network Ports. Currently, the policy offers no option to enable or disable port encryption.
  • A Notes client user can change port settings from User Preferences > Ports.

Configuring ini settings

The following ini settings are available for the new mandated port encryption:

Setting                                        Description
DEBUG_MANDATED_ENCRYPTION=1                    Enables debug logging for mandated encryption, useful for troubleshooting.
ENABLE_MANDATED_ENCRYPTION=1                   Enables mandated port encryption checking for inbound NRPC connections.
ENABLE_OUTBOUND_MANDATED_ENCRYPTION=1          Enables mandated port encryption checking for outbound NRPC connections.
MANDATEDENC_ACTIVE_REFRESH_TIME=<seconds>      Defines how often the mandated port encryption configuration is refreshed on the server. By default the configuration is refreshed every 24 hours; the server poll thread checks every 60 minutes.
DEBUG_PORT_ENC_ADV=1                           Enables port encryption debug logging, useful for troubleshooting.
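The two tables above (the TCPIP port definitions and the mandated encryption ini settings) are easy to check programmatically before the mandate is enforced. The following audit script is an added example and is not HCL code. It decodes the last field of a TCPIP port definition using bit values inferred from the four documented values (45056 - 12288 = 0x8000 for encryption, 12320 - 12288 = 0x0020 for compression, with 12288 as the "no encryption, no compression" base); treat that decoding as an assumption rather than documented behaviour. The notes.ini fragment it reads is constructed for the example.

```python
"""Audit a Domino notes.ini fragment for NRPC port encryption settings.

Added example, not HCL code. The port flag bits are inferred from the four
TCPIP values in the table above: 45056 - 12288 = 0x8000 (encryption) and
12320 - 12288 = 0x0020 (compression); 12288 is the "no encryption, no
compression" base. Treat that decoding as an assumption, not documented API.
"""

PORT_FLAG_BASE = 12288       # table value for "no encryption, no compression"
PORT_FLAG_ENCRYPT = 0x8000   # 45056 - 12288 (inferred from the table)
PORT_FLAG_COMPRESS = 0x0020  # 12320 - 12288 (inferred from the table)

# Settings from the "Configuring ini settings" table that enable mandated
# encryption checking for inbound and outbound NRPC connections.
MANDATED_KEYS = ("ENABLE_MANDATED_ENCRYPTION", "ENABLE_OUTBOUND_MANDATED_ENCRYPTION")


def parse_ini(text):
    """Return {KEY: value} for a notes.ini fragment; keys are upper-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def decode_port(value):
    """Decode a TCP port definition such as 'TCP,0,15,0,,45056'."""
    fields = value.split(",")
    if len(fields) < 6 or fields[0].upper() != "TCP":
        raise ValueError(f"not a TCP port definition: {value!r}")
    flags = int(fields[5])
    return {
        "flags": flags,
        "encryption": bool(flags & PORT_FLAG_ENCRYPT),
        "compression": bool(flags & PORT_FLAG_COMPRESS),
    }


def harden_port(value):
    """Return the same port definition with the encryption bit set.

    Compression and every other field are preserved, so 12320 becomes
    45088 (encryption + compression) and 12288 becomes 45056.
    """
    fields = value.split(",")
    if len(fields) < 6:
        raise ValueError(f"not a TCP port definition: {value!r}")
    fields[5] = str(int(fields[5]) | PORT_FLAG_ENCRYPT)
    return ",".join(fields)


def audit(ini_text, ports=("TCPIP",)):
    """Return a list of findings; an empty list means the fragment is compliant."""
    settings = parse_ini(ini_text)
    findings = []
    for port in ports:
        value = settings.get(port.upper())
        if value is None:
            findings.append(f"{port}: port is not defined")
            continue
        info = decode_port(value)
        if not info["encryption"]:
            findings.append(
                f"{port}: encryption off (flags={info['flags']}); "
                f"set {port}={harden_port(value)}"
            )
    for key in MANDATED_KEYS:
        if settings.get(key) != "1":
            findings.append(f"{key}: not set to 1")
    return findings


# Constructed sample fragment (not captured from a real server): compression
# is on, encryption is off, and only the inbound mandate is enabled.
SAMPLE_INI = """\
; constructed notes.ini fragment
ServerName=CN=mail01/O=Example
TCPIP=TCP,0,15,0,,12320
ENABLE_MANDATED_ENCRYPTION=1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

Run as a script it reports the two gaps in the constructed fragment: the TCPIP port lacks the encryption bit (and the suggested replacement keeps compression, giving 45088), and ENABLE_OUTBOUND_MANDATED_ENCRYPTION is not set. To check a real server, pass the contents of its notes.ini to audit(); verify the inferred flag bits against the Port_ENC_ADV documentation before relying on them for anything beyond a pre-enforcement review.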

Configuring mandated NRPC port encryption settings

New Directory Profile option
For servers, a new setting for mandated NRPC port encryption is added to the directory profile. An administrator can edit the current setting in Actions > Edit Directory Profile.

Mandated port encryption settings

The DirectoryProfile form in the server address book lets Domino administrators manage the mandated NRPC port encryption settings. The original page shows a screenshot of the form with its default values at this point; the image is not reproduced here.

Administrators can enable logging through the Mandated port encryption logging level setting to find and fix any configuration issues before enforcing the port encryption mandate.

Modifying any of these mandated encryption settings sets the configuration state to "Pending".

New scheduled agent
A new scheduled agent, "CheckPortEncryption", is included in the server address book. The administrator must sign and enable this agent to automate configuration updates on servers earlier than 14.5.

The agent runs on all servers in the domain and sets the encryption ini settings, where needed, on all pre-14.5 servers.

Administrators can instead apply the configuration manually to all servers by running the server command mndenc refreshconfig on the primary admin server, or simply wait for the next configuration refresh: the server poll thread refreshes the configuration every 24 hours.