Unable to make outbound connections to SQL or LDAP where Transport Layer Security 1.0 is disabled
Last Modified: 2023-07-24 04:33:28 Etc/GMT
Technical Articles ID:
KB90222
Environment
ePolicy Orchestrator (ePO) 5.10
Summary
Starting with ePO 5.10, the Transport Layer Security (TLS) 1.0 protocol is disabled by default. Any outbound connection from ePO to an external system requires that system to support TLS 1.1 or higher. Examples of such outbound connections include, but aren't limited to, the following:
Problem
An upgrade to ePO 5.10 fails with the following error:
A test connection on a registered server that uses TLS fails after an upgrade to ePO 5.10.
Solution
Enable support for TLS 1.1 or higher on the server that's on the other end of the TLS handshake from ePO. For Microsoft SQL instructions, see this Microsoft Support Document.
NOTE: The link above applies only to an SQL Server, and is offered as the most common example of this issue. However, this issue can occur in any registered server that uses TLS. For example, a registered LDAP server.
Workaround 1
As a temporary workaround, if you can't change the configuration on the other server, you can upgrade to ePO 5.10 with TLS 1.0 enabled.
CAUTION: We strongly discourage enabling TLS 1.0 in ePO 5.10, because doing so reduces the security posture of your ePO server. This workaround is intended for temporary use. Use it only as a last resort until you can upgrade other servers in the environment to versions that work with a TLS 1.1 or 1.2 connection.
Start the ePO 5.10 install or upgrade with the
NOTE: The system property
Workaround 2
If you've already installed or upgraded to ePO 5.10 and you need to enable TLS 1.0, perform the steps below:
CAUTION: We strongly discourage enabling TLS 1.0 in ePO 5.10, because doing so reduces the security posture of your ePO server. This workaround is intended for temporary use, and only as a last resort until you can upgrade other servers in the environment to versions that work with a TLS 1.1 or 1.2 connection.
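To confirm whether a registered server is the TLS 1.0-only case described under Problem, and to verify the Solution afterwards, you can probe which protocol versions the remote endpoint accepts. The following is an added example, not Trellix code; the function names and result labels are illustrative, and it assumes an endpoint that starts TLS immediately on connect (for example LDAPS).

```python
import socket
import ssl
import sys
import warnings

# Versions probed. The article names TLS 1.1 and 1.2 as acceptable to ePO 5.10.
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}
ACCEPTED_BY_EPO = ("TLSv1.1", "TLSv1.2")

def probe(host, port, name, timeout=5.0):
    """True/False: server completed/refused a handshake pinned to `name`.
    None: the local OpenSSL build cannot offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only, no trust decision
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
        # OpenSSL 3 refuses TLS 1.0/1.1 above security level 0.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except OSError:                  # refused, reset, timeout, handshake alert
        return False

def classify(results):
    """Map probe results to the outcome the article describes."""
    if any(results.get(v) for v in ACCEPTED_BY_EPO):
        return "ok"                  # ePO 5.10 defaults can connect
    if results.get("TLSv1"):
        return "tls1.0-only"         # the failure case in this article
    return "unreachable-or-untestable"

if __name__ == "__main__":
    # Usage: python probe.py <host> <port>, e.g. an LDAPS listener on 636.
    host, port = sys.argv[1], int(sys.argv[2])
    results = {name: probe(host, port, name) for name in VERSIONS}
    print(results, "->", classify(results))
```

A direct probe like this does not work against a SQL Server port that negotiates TLS inside the TDS pre-login exchange; for those, check the server's protocol configuration per the Microsoft document instead.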