Enforcing TLS 1.2 on Safe Lock Intelligent Manager (SLIM) Server

    • Updated: 18 Feb 2021
    • Product/Version: Safe Lock TXOne Edition

Summary

Many banking customers request that SLIM support only TLS 1.2 with strong ciphers to meet PCI DSS compliance.

When TLS 1.2 communication is enforced on the SLIM server, both the database and the agent are disconnected, and the Dashboard display also encounters an issue. This article describes the steps to enforce TLS 1.2 on the SLIM server.

Details

Follow these steps:

  1. Ensure that TLS 1.2 is enabled on the Windows client.
    • Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016, and later versions of Windows natively support TLS 1.2 for client-server communications over WinHTTP.
    • Earlier versions of Windows, such as Windows 7 or Windows Server 2012, don't enable TLS 1.1 or TLS 1.2 by default for secure communications using WinHTTP. For these earlier versions of Windows, install Update 3140245 to manually enable the registry value, which can be set to add TLS 1.1 and TLS 1.2 to the default secure protocols list for WinHTTP.
  2. For the database: by default, the SLIM installer includes SQL Express 2008 R2 SP2 (version 10.50.4000), which doesn't support TLS 1.2. Follow these steps:
    1. Upgrade the SQL Express database to SP3 to support TLS 1.2. You may download SP3 here.
    2. Apply the TLS 1.2 SQL support patch.
    3. For a remote database, make sure to apply the instructions in this Microsoft KB.
  3. The SLIM installer also includes PHP CGI version 5.3.29, which also doesn't support TLS 1.2. Upgrade PHP to version 5.5 or 5.6 to support TLS 1.2. Follow the procedures in Upgrading PHP on Windows.

  4. Enable TLS 1.2 and disable TLS 1.0/1.1 on the SLIM server.
    1. Enable TLS 1.2 by following this Microsoft best practices guide to disable TLS 1.0, in the section Configuring Schannel protocols in the Windows Registry.
    2. Enable strong crypto by following this Microsoft best practices guide to enable Strong Crypto, in the section Configuring security via the Windows Registry.
    3. Disable the 3DES and RC4 ciphers by following this Microsoft best practices guide to disable 3DES and RC4, in the section SCHANNEL\Ciphers subkey.
    4. Restart the SLIM Server.
  5. Verify the following after SLIM enforces TLS 1.2 only:
    1. Registration of the Safe Lock Agent to SLIM with TLS 1.2 is successful, and a command sent from IM to the Agent is completed.

    2. The web console and dashboard are both working as well.

    3. Test the TLS connection to the SLIM server on ports 443, 8000, and 8001 using Nmap.
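
A read-only check of the registry state that step 4 should leave behind, useful before and after the restart. This is an added example, not part of the Trend Micro article. It assumes the standard Microsoft Schannel and .NET Framework key and value names (including a TLS 1.2 Client key) and 64-bit PowerShell running on the SLIM server.

```powershell
# Added example: read-only audit of the Schannel/.NET registry values from step 4.
# Key and value names are Microsoft's standard ones, not SLIM-specific settings.
# Assumption: run from 64-bit PowerShell on the SLIM server.
$sch = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-Dword([string]$SubKey, [string]$Name) {
    # .NET API on purpose: the registry provider splits 'RC4 128/128' at the '/'.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }      # key absent: OS default applies
    try { $key.GetValue($Name) } finally { $key.Close() }
}

# Expectation list: sub-key, value name, and whether the value must be non-zero.
$expect = @()
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $expect += ,@("$sch\Protocols\$proto\Server", 'Enabled', $false)
    $expect += ,@("$sch\Protocols\$proto\Server", 'DisabledByDefault', $true)
}
foreach ($role in 'Server', 'Client') {
    $expect += ,@("$sch\Protocols\TLS 1.2\$role", 'Enabled', $true)
    $expect += ,@("$sch\Protocols\TLS 1.2\$role", 'DisabledByDefault', $false)
}
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168') {
    $expect += ,@("$sch\Ciphers\$cipher", 'Enabled', $false)
}
foreach ($hive in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
    $expect += ,@("$hive\Microsoft\.NETFramework\v4.0.30319", 'SchUseStrongCrypto', $true)
}

# Compare each value with its expectation; a missing value is reported, not guessed.
$report = foreach ($e in $expect) {
    $value = Get-Dword $e[0] $e[1]
    $state = if ($null -eq $value) { 'NotSet' } elseif (($value -ne 0) -eq $e[2]) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ State = $state; Value = $value; Name = $e[1]; Key = $e[0] }
}
$report | Format-Table -AutoSize

# NotSet means the Windows default for that OS version applies; treat it as unverified.
if ($report.State -contains 'Mismatch') { Write-Warning 'Step 4 is not fully applied.' }
```

Schannel reads these values at startup, so a clean report only reflects live behaviour after the restart in step 4; the Nmap test in step 5 remains the check of what the listeners actually negotiate.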


Solution Id: 000285690