Standalone SPS server side
Please refer to the following article to disable TLSv1.0 on Smart Protection Server: Enabling TLS 1.2 support in Smart Protection Server 3.1.
Integrated SPS server side
The setup is completed from the OfficeScan server side.
OfficeScan server side
To disable SSL and TLSv1.0 and enable TLSv1.1 and TLSv1.2 on the OfficeScan IIS server:
- On the OfficeScan server, save the following registry script into PCI.reg:
```
Windows Registry Editor Version 5.00

; Disable SSLv2.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

; Disable SSLv3.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

; Disable TLSv1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

; Enable TLSv1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

; Enable TLSv1.2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

; Disable weak ciphers RC4 and Triple DES
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000
```
- Execute PCI.reg.
- Reboot the OfficeScan server.
- Make sure that the OfficeScan IIS server has only TLSv1.1 and TLSv1.2 enabled.
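
One way to carry out the check in the last step from the registry side, as an added example (not Trend Micro's code): this PowerShell script reads back the SCHANNEL values that PCI.reg sets and flags any that are missing or differ. It reads through the .NET registry API because the key name RC4 128/128 contains a "/", which the PowerShell registry provider treats as a path separator.

```powershell
# Added example: read back the SCHANNEL values that PCI.reg sets.
# Run in an elevated PowerShell session on the OfficeScan server after the reboot.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected state, taken from PCI.reg: $true = enabled, $false = disabled.
$protocols = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false
    'TLS 1.1' = $true;  'TLS 1.2' = $true
}
$ciphers = 'RC4 128/128', 'Triple DES 168'   # both disabled by PCI.reg

function Get-SchannelDword([string]$SubKey, [string]$Name) {
    # .NET API instead of the HKLM: drive, which splits 'RC4 128/128' at the '/'.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }          # key absent: OS default applies
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

$results = @()
foreach ($proto in $protocols.Keys) {
    foreach ($role in 'Server', 'Client') {
        $want    = $protocols[$proto]
        $enabled = Get-SchannelDword "Protocols\$proto\$role" 'Enabled'
        $dbd     = Get-SchannelDword "Protocols\$proto\$role" 'DisabledByDefault'
        # A missing value never counts as a match, even if the OS default is safe.
        $ok = $false
        if ($null -ne $enabled -and $null -ne $dbd) {
            $ok = (($enabled -ne 0) -eq $want) -and (($dbd -eq 0) -eq $want)
        }
        $results += [pscustomobject]@{
            Key = "Protocols\$proto\$role"; Enabled = $enabled
            DisabledByDefault = $dbd; MatchesPciReg = $ok
        }
    }
}
foreach ($cipher in $ciphers) {
    $enabled = Get-SchannelDword "Ciphers\$cipher" 'Enabled'
    $results += [pscustomobject]@{
        Key = "Ciphers\$cipher"; Enabled = $enabled
        DisabledByDefault = $null; MatchesPciReg = ($null -ne $enabled -and $enabled -eq 0)
    }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object { -not $_.MatchesPciReg })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) SCHANNEL setting(s) differ from PCI.reg" }
```

This confirms the configured values only; a TLS handshake test against the IIS port from another host shows what the server actually negotiates.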
To make the Windows Native Library support TLSv1.1 and TLSv1.2, some Windows updates have to be installed. Please follow the procedures below:
- Update Windows Server 2008 R2 to SP1.
- Make sure that the following updates are installed. If not, manually install them:
- Download Easy fix from this page and launch it.
- Reboot the OfficeScan server.
- Use Testing Connection to make sure that the OfficeScan server can connect to SPS.
- Make sure that the following updates are installed. If not, manually install them:
- Download Easy fix from this page and launch it.
- Reboot the OfficeScan server.
- Use Testing Connection to make sure that the OfficeScan server can connect to SPS.
For Windows Server 2012 R2 or newer, there is no need to install the Windows updates for TLSv1.2 support.
If the connection issue persists, please contact Trend Micro Technical Support for assistance.