The latest security recommendations promote the use of the more secure TLS 1.1 and TLS 1.2 protocols for all web traffic. Protocols older than TLS 1.1 should be disabled on IIS web servers (including Triofox), as the security community no longer considers them secure. More info is available here: https://blogs.technet.microsoft.com/askpfeplat/2017/11/13/demystifying-schannel/
IIS Crypto Utility
The IIS Crypto tool from Nartac Software is designed to make it easy for the Windows Web Server administrator to change the SCHANNEL registry settings in order to use the most secure protocols according to the current best practices. The software is available here: https://www.nartac.com/Products/IISCrypto/Download
IIS Crypto supports a handful of "best practice" templates, the most stringent of which is PCI 3.1. If a template is loaded and applied, the web server must be rebooted for the changes to take effect. If the PCI 3.1 template is used, the server will ignore all SSL protocol versions earlier than TLS 1.1. A screenshot of the PCI 3.1 template settings in IIS Crypto is attached to this document.
Triofox Client Support for TLS 1.1 and TLS 1.2
If TLS 1.1 and TLS 1.2 are enforced, the following Microsoft KB article must be followed for Windows 7 clients (if still in use); otherwise the Windows 7 clients will be unable to connect to the IIS web server: https://support.microsoft.com/en-za/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
It is important to note that the Windows 7 clients (if still in use) require a hotfix and a registry change in order to support TLS 1.1 and TLS 1.2.
Some Triofox customers have disabled the "SHA" (SHA-1) hash using IIS Crypto. If SHA-1 is disabled, this effectively disables TLS 1.1 and only TLS 1.2 will be available between the client and IIS web server. The Triofox client running on Windows 8 will be unable to connect and is not supported in this use case. Windows 7 (with the hotfix and registry change), Windows 8.1, and Windows 10 will be able to negotiate the TLS 1.2 handshake and are supported Triofox clients in the TLS 1.2 use-case.
Triofox Server Agent Support
Windows Server 2008
Windows Server 2008 requires an update to support TLS 1.1 and TLS 1.2: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276
By default, TLS 1.1 and TLS 1.2 are disabled, similar to Windows 7. See this article to enable TLS 1.1 and TLS 1.2 on Windows Server 2008: https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows
Windows Server 2008 R2
Windows Server 2008 R2 requires an update to support TLS 1.1 and TLS 1.2: http://www.catalog.update.microsoft.com/search.aspx?q=kb3140245
This article is also applicable: https://support.microsoft.com/en-za/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
New Server Agent >= 12.10.504.53083
The new server agent management console uses the .NET Framework to connect to the CentreStack server. The new server agent supports only TLS 1.2 when connecting to the server, so the latest .NET Framework runtime must be installed. Right now, that is .NET Framework 4.8.
After that, download the registry file here: https://gladinet.sync4share.com/portal/s/208542589201717091633.reg
Double-click the file to import it on the server where the server agent will be installed.
See the article here for details: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client
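An added example, not part of the original article or Triofox's own tooling: a read-only PowerShell audit of the registry settings the sections above depend on (SCHANNEL protocol switches, the KB3140245 WinHTTP value, and the .NET Framework version and strong-crypto switches). The value names are the ones Microsoft documents; the contents of the .reg file linked above are not shown on this page, so the script does not assume them. It assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit; nothing is written to the registry.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1. SCHANNEL protocol switches (the settings IIS Crypto edits).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$report = @(foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $key = "$schannel\$proto\$role"
        $enabled = Get-RegValue $key 'Enabled'
        $offByDefault = Get-RegValue $key 'DisabledByDefault'
        $state = 'enabled'
        if ($offByDefault -eq 1) { $state = 'off by default' }
        if ($enabled -eq 0) { $state = 'disabled' }
        if ($null -eq $enabled -and $null -eq $offByDefault) { $state = 'not set (OS default)' }
        [pscustomobject]@{ Setting = "SCHANNEL $proto $role"; State = $state }
    }
})

# 2. WinHTTP default protocols (the registry change from KB3140245).
#    Bit 0x200 = TLS 1.1, bit 0x800 = TLS 1.2.
$winHttp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DefaultSecureProtocols'
$report += [pscustomobject]@{
    Setting = 'WinHTTP DefaultSecureProtocols includes TLS 1.2'
    State   = ($null -ne $winHttp) -and (($winHttp -band 0x800) -ne 0)
}

# 3. .NET Framework: installed release and the strong-crypto switches.
#    Release 528040 or higher means .NET Framework 4.8 or later.
$release = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' 'Release'
$report += [pscustomobject]@{ Setting = '.NET Framework 4.8 or later'; State = ($release -ge 528040) }
foreach ($hive in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft') {
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        $value = Get-RegValue "$hive\.NETFramework\v4.0.30319" $name
        $report += [pscustomobject]@{ Setting = "$hive\.NETFramework $name"; State = ($value -eq 1) }
    }
}

$report | Format-Table -AutoSize
```

Running it before and after applying an IIS Crypto template or importing a registry file (and rebooting) shows whether the change actually landed on that machine.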