TLS protocol, cipher suite, and SChannel requirements for ePolicy Orchestrator 5.10
Technical Articles ID: KB91519
Last Modified: 2023-02-03 05:08:41 Etc/GMT
Environment
ePolicy Orchestrator (ePO) 5.10.x
Summary
ePO 5.10 has several components that interact with each other using TLS-encrypted communications. The primary components are:
ePO Application Server service (also known as Tomcat)
ePO Server service (also known as Apache)
ePO Agent Handler service on a remote agent handler (Apache)
ePO Event Parser service (Eventparser)
SQL Server instance that hosts the ePO databases
Some of these components only act as servers (they accept only incoming connections). The SQL Server is an example.
Some components act as both servers and clients (they both accept incoming connections and make outgoing connections). The ePO Server service or Agent Handler service is an example. Both accept incoming connections from McAfee Agents on client systems, and also make outbound connections to the ePO application server service and the SQL Server.
A TLS communication has several configurable parameters, such as protocol, cipher, hash function, key digest, and cipher suite. For the communication to succeed, the client that initiates the connection and the server that receives it must be able to agree on a set of parameters that they both support.
Windows systems use a Security Support Provider (SSP) called SChannel to implement TLS connections. Several of the components of ePO use this SSP for some of their connections. Thus, their TLS connections are controlled via the SChannel Settings of the system that they're present on. These connections are as follows:
SQL Server for inbound connections
ePO Server service for outbound connections
ePO Agent Handler service for outbound connections
ePO Event Parser service for outbound connections
The ePO Application Server service for some outbound connections to epo.trellix.com and s-download.trellix.com.
For ePO to function correctly, all components must be able to successfully negotiate a TLS connection, which in turn means that the SChannel settings of all computers involved must be correct.
The SChannel settings are configured in one of two ways: by registry settings, which is the most common method, or by Group Policy. Group Policy settings take precedence over registry settings, so examining the registry can't determine the effective SChannel settings. For a definitive answer, scan the relevant computer and port using the nmap tool. For details, see KB91115 - How to use the 'nmap' tool to determine which protocols and cipher suites are in use in an ePolicy Orchestrator environment.
To configure the SChannel settings using the registry, you can edit the registry directly. A more convenient method is to use the IIS Crypto tool from Nartac Software. This tool is an advanced registry editor that focuses on the SChannel registry entries.
The ePO Application Server service supports only a limited number of TLS cipher suites. Because TLS connections require the same cipher suites to be supported on both the client and server, the SChannel settings are limited to the same cipher suites. These settings are as follows:
For ePO 5.10 Update 10 and earlier
For outbound connections to the SQL Server, Tomcat supports the following three cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
On the SQL Server hosting the ePO database, at least one of these suites must be enabled in the SChannel settings. This includes installations where SQL is on the same computer as ePO.
For inbound connections from the ePO Server service and ePO Agent Handler service, Tomcat supports the four cipher suites listed below:
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
On the computer where ePO is installed and on any remote agent handlers, at least one of these cipher suites must be enabled in the SChannel settings.
For ePO 5.10 CU 11 and later
For outbound connections to the SQL Server, Tomcat supports the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
On the SQL Server hosting the ePO database, at least one of these suites must be enabled in the SChannel settings. This includes installations where SQL is on the same computer as ePO.
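The check described above for the SQL Server link, as an added example that is not part of the original article: it parses the output of nmap's ssl-enum-ciphers script and lists the suites that the scanned SQL Server shares with Tomcat's outbound list for each ePO release. The sample scan is constructed, port 1433 and the function names are assumptions, and only TLS 1.2 is compared by default because that is the protocol in the article's settings.

```python
import re

# Suites Tomcat supports for outbound connections to SQL Server (lists from this article).
TOMCAT_TO_SQL = {
    "Update 10 and earlier": set("""
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA""".split()),
    "Update 11 and later": set("""
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA""".split()),
}
PROTO_RE = re.compile(r"^\|[ _]+((?:TLSv|SSLv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[ _]+(TLS_[A-Z0-9_]+)")

# Constructed sample: a SQL Server whose SChannel settings allow only GCM suites.
SAMPLE_SCAN = """\
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

def parse_ssl_enum_ciphers(text):
    """Return {protocol: [suite, ...]} in the order the server reported them."""
    offered, proto = {}, None
    for line in text.splitlines():
        if (m := PROTO_RE.match(line)):
            proto = m.group(1)
            offered[proto] = []
        elif proto and (m := SUITE_RE.match(line)):
            offered[proto].append(m.group(1))
    return offered

def shared_suites(nmap_text, protocol="TLSv1.2"):
    """Per ePO release, the suites both Tomcat and the scanned server support."""
    offered = parse_ssl_enum_ciphers(nmap_text).get(protocol, [])
    return {rel: [s for s in offered if s in ok] for rel, ok in TOMCAT_TO_SQL.items()}

if __name__ == "__main__":
    for release, suites in shared_suites(SAMPLE_SCAN).items():
        print(f"{release}: {', '.join(suites) if suites else 'NO COMMON SUITE'}")
```

With the constructed scan, Update 10 and earlier has no suite in common with the SQL Server, while Update 11 and later shares both GCM suites.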
For inbound connections from the ePO Server service and ePO Agent Handler service, Tomcat supports the four cipher suites listed below:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
On the computer where ePO is installed and on any remote agent handlers, at least one of these cipher suites must be enabled in the SChannel settings.
Finally, Tomcat needs to be able to access the epo.trellix.com and s-download.trellix.com sites that provide the Software Catalog functionality. Currently, these sites offer the following suites:
For the epo.trellix.com site:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
For the s-download.trellix.com site:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Tomcat uses the SChannel settings on the computer where ePO is installed to make connections to these sites, so at least one suite for each site must be enabled in the SChannel settings.
With this information, you can now specify the SChannel Settings needed to enable ePO to function correctly. These settings are classified into three groups:
Absolute bare minimum settings
Minimum recommended settings
Best compatibility settings
The settings below are the absolute minimum needed for ePO to function.
WARNING: These settings are for a default installation of ePO only. There's no guarantee that these settings are compatible with any additional managed product extensions, such as:
Threat Intelligence Exchange
Data Exchange Layer
Content Security Reporter
Any third-party extensions
These settings are categorically not recommended for a production ePO environment.
For ePO 5.10 Update 10 and earlier
On the ePO server
Protocols
TLS 1.2
Ciphers
AES128/128
AES256/256
Hashes
SHA
SHA256
Key Exchanges
PKCS - see PKCS Key Length entry in the "Notes" section below
ECDH
Cipher suites
One of the following three suites:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
And one of the following four suites:
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
And one of the following four suites:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
On the SQL Server hosting the ePO database
NOTE: Also applies if the SQL Server is on the same computer as ePO:
The same two suites that are enabled on the ePO server
On any additional Agent Handlers (AH)
Protocols
TLS 1.2
Ciphers
AES128/128
AES256/256
Hashes
SHA
SHA256
Key Exchanges
PKCS - see PKCS Key Length entry in the "Notes" section below
ECDH
Cipher suites
The same two suites that are enabled on the ePO server
For ePO 5.10 Update 11 and later
The revised cipher suite support provided in ePO 5.10 Update 11 means that it's possible to have just a single suite enabled on the ePO server, SQL Server, and Agent Handlers, and one additional suite enabled on the ePO server for Software Catalog functionality. The actual cipher suite chosen depends on the operating system in use.
On the ePO server, the SQL Server hosting the ePO database, and any additional Agent Handlers (AHs)
NOTE: Also applies if the SQL Server is on the same computer as ePO.
NOTE: If you have any Agent Handlers installed on Windows 2012 or 2012 R2, enable the suite below on the Agent Handlers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Below are the recommended settings for the best compatibility with other applications.
The Nartac IIS Crypto tool provides several templates that allow different SChannel configurations to be easily applied. The Best Practices template follows industry standards and works well in ePO environments. If you don't need the specific settings detailed above, we recommend applying the Best Practices template to the ePO server, SQL Server, and any additional Agent Handlers.
NOTE: If you're running Update 11 or later, and have any Agent Handler installed on Windows 2012 or 2012 R2, enable the suite provided below on these Agent Handlers:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
If the SQL Server is on the same system where ePO is being installed, you must enable TLS 1.0 in the SChannel Settings, but only during the installation.
IMPORTANT: When the installation is complete, TLS 1.0 can be disabled.
NOTE: PKCS key length: ePO 5.10 Update 10 and earlier supports a maximum size of 2048 bits. So, don't set this value higher than 2048 decimal on the ePO server and Agent Handlers. If you need to set this value higher, apply 5.10 Update 11.
Related Information
NOTE: Content from KB91296 has been integrated into this article, so KB91296 is no longer available.