Communication between OfficeScan (OSCE) and Smart Protection Server (SPS) using TLSv1.2

    • Updated: 17 Aug 2017
    • Product/Version: OfficeScan 11.0, OfficeScan XG.All, Smart Protection Server 3.1, Smart Protection Server 3.2
    • Platform: Windows 2008 R2
Summary

PCI DSS 3.1 states that SSL and early versions of TLS (TLSv1.0) are no longer considered secure as an encryption channel. When applying TLSv1.1 and TLSv1.2 settings, the administrator may face a connection issue between OfficeScan and SPS, as shown in the following error message:

"Unable to connect to the Smart Protection Server File Reputation Service"

This article illustrates the detailed settings of TLSv1.2.

Details

Standalone SPS server side

Please refer to the following article to disable TLSv1.0 on Smart Protection Server: Enabling TLS 1.2 support in Smart Protection Server 3.1.

Integrated SPS server side

The setup is completed from the OfficeScan server side.

OfficeScan server side

 
There is no update from Microsoft to support TLSv1.1 and TLSv1.2 for older Windows servers. Please use at least Windows Server 2008 R2.

To disable SSL and TLSv1.0 and enable TLSv1.1 and TLSv1.2 on the OfficeScan IIS server:

  1. On the OfficeScan server, save the following registry script into PCI.reg:
    Windows Registry Editor Version 5.00

    ; Disable SSLv2.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    ; Disable SSLv3.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    ; Disable TLSv1.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    ; Enable TLSv1.1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    ; Enable TLSv1.2
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    ; Disable weak ciphers RC4 and Triple DES
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
    "Enabled"=dword:00000000
  2. Execute PCI.reg.
  3. Reboot the OfficeScan server.
  4. Make sure that only TLSv1.1 and TLSv1.2 are enabled on the OfficeScan IIS server.
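
One way to check step 4 after the reboot is to read the SCHANNEL values back and compare them with what PCI.reg sets. The PowerShell script below is an added example, not part of the original Trend Micro article; the function and variable names are illustrative, and it reports the configured registry state only, not the protocol a live connection negotiates.

```powershell
# Added example: audit the SCHANNEL values that PCI.reg is expected to set.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected state taken from the registry script above: 1 = enabled, 0 = disabled.
$protocols = @(
    @{ Name = 'SSL 2.0'; Enabled = 0 }, @{ Name = 'SSL 3.0'; Enabled = 0 },
    @{ Name = 'TLS 1.0'; Enabled = 0 }, @{ Name = 'TLS 1.1'; Enabled = 1 },
    @{ Name = 'TLS 1.2'; Enabled = 1 }
)
$ciphers = @('RC4 128/128', 'Triple DES 168')

function Get-SchannelDword([string]$SubKey, [string]$Name) {
    # Uses the .NET registry API because the PowerShell registry provider
    # treats the "/" in "RC4 128/128" as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: the OS default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

$report = @()
foreach ($p in $protocols) {
    foreach ($role in 'Server', 'Client') {
        $sub = "Protocols\$($p.Name)\$role"
        $en  = Get-SchannelDword $sub 'Enabled'
        $dbd = Get-SchannelDword $sub 'DisabledByDefault'
        # Compliant only when both values exist and match the expected state.
        $ok = ($null -ne $en) -and ($null -ne $dbd) -and
              ([bool]$en -eq [bool]$p.Enabled) -and ([bool]$dbd -ne [bool]$p.Enabled)
        $report += New-Object PSObject -Property @{
            Key = $sub; Enabled = $en; DisabledByDefault = $dbd; Compliant = $ok }
    }
}
foreach ($c in $ciphers) {
    $en = Get-SchannelDword "Ciphers\$c" 'Enabled'
    $report += New-Object PSObject -Property @{
        Key = "Ciphers\$c"; Enabled = $en; DisabledByDefault = $null
        Compliant = ($null -ne $en) -and ($en -eq 0) }
}

$report | Select-Object Key, Enabled, DisabledByDefault, Compliant | Format-Table -AutoSize

# A non-zero exit code lets a scheduled compliance check flag drift.
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) SCHANNEL setting(s) differ from PCI.reg"
    exit 1
}
```

A missing key or value is reported as non-compliant, because the operating system default then applies instead of the setting from PCI.reg.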

To enable TLSv1.1 and TLSv1.2 in the browser:

  1. Launch Internet Explorer.
  2. Go to Internet Options > Advanced.
  3. Tick the "Use TLS 1.1" and "Use TLS 1.2" options.

    The browser should now be able to use TLSv1.1 and TLSv1.2.

To make the Windows Native Library support TLSv1.1 and TLSv1.2, some Windows updates have to be installed. Please follow the procedures below:

  1. Update Windows Server 2008 R2 to SP1.
  2. Make sure that the following updates are installed. If not, manually install them:
  3. Download Easy fix from this page and launch it.

  4. Reboot the OfficeScan server.
  5. Use Testing Connection to make sure that the OfficeScan server can connect to SPS.
  1. Make sure that the following updates are installed. If not, manually install them:
  2. Download Easy fix from this page and launch it.

  3. Reboot the OfficeScan server.
  4. Use Testing Connection to make sure that the OfficeScan server can connect to SPS.

For Windows Server 2012 R2 or newer, there is no need to install the Windows updates for TLSv1.2 support.

If the connection issue persists, please contact Trend Micro Technical Support for assistance.

Category: Configure; Troubleshoot
Solution Id: 1117987