TLS issue detected by Troubleshooting Assistant for Server (TA-Server) and Troubleshooting Assistant for Agent (TA-Agent)

    • Updated:
    • 24 Jun 2020
    • Product/Version:
    • Apex One All
    • OfficeScan XG
    • Platform:
    • Windows Server 2008 R2
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
Summary

TLS

The Troubleshooting Assistant for Server (TA-Server) and Troubleshooting Assistant for Agent (TA-Agent) detected that agents are having HTTPS communication issues with the Apex One server/agent. As a result, the agent may show as offline, the Apex One server/agent may fail to send notifications, and so on.

Details

This issue may be caused by the TLS protocol mismatch.

It is caused by a mismatch between the client and server TLS versions. This problem usually occurs on Windows 7 SP1/Windows Server 2008 R2 or earlier platforms.

Windows 7 SP1/Windows Server 2008 R2 only support TLS 1.0 or below by default.

If the customer sets the agents to use TLS 1.2 to communicate with the server, refer to the Windows Server 2008 R2 section of KB 1117987 to install Windows Update.

To resolve the issue:

  1. After Windows Update and the EasyFix have been installed on the agent, the following registry value is added: "DefaultSecureProtocols"=dword:00000a00

    [X64 platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    [X86 platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

    Refer to the Windows KB, Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

    The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.

    DefaultSecureProtocols value   Protocol enabled
    0x00000008                     Enable SSL 2.0 by default
    0x00000020                     Enable SSL 3.0 by default
    0x00000080                     Enable TLS 1.0 by default
    0x00000200                     Enable TLS 1.1 by default
    0x00000800                     Enable TLS 1.2 by default

    • 0xA80 (0x80 + 0x200 + 0x800) enables TLS 1.0, TLS 1.1 and TLS 1.2.
    • 0xA00 (0x200 + 0x800) enables TLS 1.1 and TLS 1.2.
    • 0x800 enables TLS 1.2 only.
  2. The user needs to run the Cipher Suites.reg file on the agent to enable TLS1.0, TLS1.1 and TLS1.2.

    Example:

    When the server uses HTTPS to communicate with the agent, it uses the following TLS settings (TLS 1.2, for example).

    TA-Server

    • On the Apex One/OSCE server-side, it uses the TLS client setting:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

    • On the Apex/OSCE agent side, it uses the TLS server setting:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

    • On a Windows 7 SP1/Windows Server 2008 R2 or earlier endpoint, the protocol the agent uses is determined by the "DefaultSecureProtocols" value and the "\SCHANNEL\Protocols\TLS 1.x" settings.

    TA-Agent

    When the agent uses HTTPS to communicate with the server, it uses the following TLS settings (TLS 1.2, for example).

    • On the Apex One/OSCE agent-side, it uses the TLS client setting:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

    • On the Apex/OSCE server side, it uses the TLS server setting:

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

    On a Windows 7 SP1/Windows Server 2008 R2 or earlier endpoint, the protocol the agent uses is determined by the "DefaultSecureProtocols" value and the "\SCHANNEL\Protocols\TLS 1.x" settings.
     
  3. After installing the Windows Update, the EasyFix package and Cipher Suites.reg, restart the machine for the changes to take effect.
  4. After finishing the above 3 steps, if the issue still persists, this may be caused by a certificate mismatch of the agent and the Apex One server. To fix it, refer to the KB article: Ofcsslagent certificate issue detected by the Troubleshooting Assistant for Server tool.
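As an added diagnostic that is not part of this article (assumed to be run in an elevated PowerShell prompt on the endpoint), the script below decodes the DefaultSecureProtocols bitmap in both WinHTTP keys using the bit values from the table above, and lists the SCHANNEL TLS 1.x Client/Server settings the example refers to, so an administrator can confirm what steps 1 and 2 actually left in the registry before rebooting.

```powershell
# Added diagnostic, not Trend Micro code. Bit values are those from the article's table.
$ProtocolBits = @(
    @{ Bit = 0x008; Name = 'SSL 2.0' },
    @{ Bit = 0x020; Name = 'SSL 3.0' },
    @{ Bit = 0x080; Name = 'TLS 1.0' },
    @{ Bit = 0x200; Name = 'TLS 1.1' },
    @{ Bit = 0x800; Name = 'TLS 1.2' }
)

function Get-DefaultSecureProtocolNames {
    param([int]$Value)
    # Return the names of every protocol whose bit is set in the DWORD bitmap.
    $ProtocolBits | Where-Object { ($Value -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

# Both WinHTTP keys from the article: native key and the Wow6432Node key used by 32-bit processes on x64.
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $WinHttpKeys) {
    $v = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
    if ($null -eq $v) {
        # No value means the OS default applies: TLS 1.0 or below on Windows 7 SP1 / Server 2008 R2.
        Write-Output "$key : DefaultSecureProtocols not set (OS default applies)"
    } else {
        $names = (Get-DefaultSecureProtocolNames -Value $v) -join ', '
        Write-Output ("{0} : 0x{1:X} -> {2}" -f $key, $v, $names)
    }
}

# SCHANNEL per-protocol keys: Enabled=0 disables the protocol for that role,
# DisabledByDefault=1 keeps it off unless the application asks for it explicitly.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$Schannel\$proto\$role" -ErrorAction SilentlyContinue
        if ($null -eq $p) {
            Write-Output "$proto $role : key absent (OS default applies)"
            continue
        }
        Write-Output ("{0} {1} : Enabled={2} DisabledByDefault={3}" -f $proto, $role, $p.Enabled, $p.DisabledByDefault)
    }
}
```

Run it on both the agent and the server and compare: the TA-Server case needs a protocol that is both in the server's SCHANNEL Client settings and allowed on the agent side, and the TA-Agent case needs the reverse.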
 
If the issue cannot be fixed after applying the above steps, proceed to Additional Steps for further analysis.
 

Additional Steps

  • Use the Wireshark tool to capture the traffic on the server and agent to analyze the TLS issue.

    The filter is "tcp.port == 'LocalServerPort on the agent' and ip.addr == 'agent IP address'" (field names are case sensitive).

    For example: “tcp.port == 21112 and ip.addr == 192.168.100.100”

  • Refer to the KB article: Potential issues with HTTPS communication in OfficeScan XG Service Pack 1 and Apex One, which introduces how the server and the agent negotiate the TLS version.
Category: Configure; Troubleshoot
Solution Id: 000250617