If you are using a Palo Alto firewall to do inbound SSL decryption, you might have run in to issues with decryption on Windows Server 2016 running IIS.

For us, this was due to the server using a key exchange not supported for SSL decryption in PANOS 8.1.

You probably don’t want to disable all ECDH key exchanges, so this one will just disable x25519 and will allow your Palo Alto firewall to do decryption.

Open up Powershell, type the following command:

Disable-TlsEccCurve -Name curve25519

If you run Get-TlsEccCurve before and after running the command you should be able to see if it’s been disabled or not.

After a reboot, IIS should not use x25519 for encryption.

For a complete list of supported ciphers in PANOS 8.1, see Palo Alto’s documentation.