PCI DSS 3.1 no longer considers SSL and early TLS (TLSv1.0) strong cryptography for protecting data in transit. After the administrator enforces TLSv1.1 and TLSv1.2, the OfficeScan server may no longer be able to reach the Smart Protection Server (SPS), and the following error appears:
"Unable to connect to the Smart Protection Server File Reputation Service"
This article describes the settings needed for the OfficeScan server and SPS to communicate over TLSv1.2.
Standalone SPS server side
To disable TLSv1.0 on a standalone Smart Protection Server, refer to the following article: Enabling TLS 1.2 support in Smart Protection Server 3.1.
Integrated SPS server side
No separate configuration is needed; the integrated SPS is covered by the OfficeScan server-side settings below.
OfficeScan server side
To disable SSL and TLSv1.0 and enable TLSv1.1 and TLSv1.2 on the OfficeScan IIS server:
- On the OfficeScan server, save the following registry script as PCI.reg (comment lines in a .reg file start with ";"):
Windows Registry Editor Version 5.00

; Disable SSLv2.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

; Disable SSLv3.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

; Disable TLSv1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

; Enable TLSv1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

; Enable TLSv1.2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

; Disable the weak ciphers RC4 and Triple DES
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000
- Run PCI.reg (double-click it, or import it from an elevated command prompt with "reg import PCI.reg").
- Reboot the OfficeScan server.
- Confirm that the OfficeScan IIS server now accepts only TLSv1.1 and TLSv1.2. Note that PCI.reg disables SSL and TLSv1.0 on the Client side as well, so the OfficeScan server's own outbound HTTPS connections (for example to SPS) must also be able to use TLSv1.1 or TLSv1.2.
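The following PowerShell script is an added example for checking the result of the procedure above; it is not part of the original Trend Micro article. It audits the SCHANNEL keys that PCI.reg writes against the intended end state, and then probes a TLS listener from the network to see which protocol versions it still accepts. The hostname and HTTPS port of the OfficeScan IIS server are not given in this article, so the values in the usage lines are placeholders to replace with your own.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell
# prompt. Hostname/port in the usage lines are placeholders, not values the
# article states.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Intended end state after PCI.reg: $true = enabled, $false = disabled.
$ExpectedProtocolState = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    # One row per protocol and side. AsExpected is $true only when both values are
    # present and match PCI.reg; a missing key means the OS default applies, which
    # is exactly what we do not want to rely on.
    foreach ($proto in $ExpectedProtocolState.Keys) {
        $wantEnabled = [int]$ExpectedProtocolState[$proto]
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                AsExpected        = ($enabled -eq $wantEnabled) -and ($disabledByDefault -eq (1 - $wantEnabled))
            }
        }
    }
}

function Test-TlsProtocol {
    # Offers each protocol version on its own to the listener and reports whether
    # the handshake completed. Uses .NET SslStream, so it relies on the probing
    # host's own SCHANNEL client settings (see the note after the block).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    # Accept any certificate: the protocol version is under test, not the chain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $true }
    foreach ($proto in $Protocols) {
        $client = $null
        $ssl = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            $negotiated = $ssl.SslProtocol
            $result = 'accepted'
        } catch {
            $negotiated = $null
            $result = "rejected: $($_.Exception.GetBaseException().Message)"
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($client) { $client.Close() }
        }
        [pscustomobject]@{ Offered = $proto; Negotiated = $negotiated; Result = $result }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
# Placeholder hostname and port; replace with the OfficeScan IIS server's values.
Test-TlsProtocol -ComputerName 'officescan.example.local' -Port 4343 | Format-Table -AutoSize
```

Run the probe from a second machine whose client-side SSL 3.0 and TLSv1.0 are still enabled: PCI.reg turns those off on the Client side of the OfficeScan server itself, so a probe run locally would report them as rejected even if the listener still accepted them. After the reboot, only the Tls11 and Tls12 rows should show "accepted".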
Because the OfficeScan server's outbound connection to SPS uses the Windows native library (WinHTTP), that library must support TLSv1.1 and TLSv1.2, which on Windows Server 2008 R2 requires Windows updates. Follow the procedure below:
- Update Windows Server 2008 R2 to SP1.
- Make sure that the following updates are installed. If not, install them manually:
- Download the Easy fix from this page and run it.
- Reboot the OfficeScan server.
- Use Testing Connection to confirm that the OfficeScan server can connect to SPS.
- Make sure that the following updates are installed. If not, install them manually:
- Download the Easy fix from this page and run it.
- Reboot the OfficeScan server.
- Use Testing Connection to confirm that the OfficeScan server can connect to SPS.
For Windows Server 2012 R2 or newer, there is no need to install the Windows updates for TLSv1.2 support.
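The following PowerShell script is an added example, not part of the original article, for checking from the OfficeScan server whether WinHTTP (the Windows native library the updates above patch) will negotiate TLSv1.2 with its default protocol set. It reads the DefaultSecureProtocols value under Internet Settings\WinHttp, which is the value the Microsoft Easy fix writes (the article itself does not name it; the path and bit layout are Microsoft's), and then makes a WinHTTP request to the SPS twice: once with the defaults and once forcing TLSv1.2. The SPS URL is not given in the article, so the one in the usage lines is a placeholder.

```powershell
# Added example (not from the original article). Run on the OfficeScan server.
# The SPS URL in the usage lines is a placeholder, not a value the article states.

function Get-WinHttpDefaultSecureProtocols {
    # Decodes the DefaultSecureProtocols DWORD (bit flags per protocol) in both the
    # native and the Wow6432Node hive. A missing value means WinHTTP's built-in
    # default applies, which on 2008 R2 without the updates excludes TLS 1.1/1.2.
    $flags = @{ 0x08 = 'SSL 2.0'; 0x20 = 'SSL 3.0'; 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    )
    foreach ($path in $paths) {
        $value = (Get-ItemProperty -Path $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        $enabled = if ($null -eq $value) {
            @('(not set: WinHTTP built-in default)')
        } else {
            $flags.Keys | Sort-Object | Where-Object { $value -band $_ } | ForEach-Object { $flags[$_] }
        }
        [pscustomobject]@{ Path = $path; Value = $value; Protocols = ($enabled -join ', ') }
    }
}

function Test-WinHttpTls {
    # Sends a GET through WinHttp.WinHttpRequest.5.1, the same stack WinHTTP-based
    # applications use. Without -ForceTls12 the request uses the default protocol
    # set, which is what the Windows updates and the Easy fix change.
    param(
        [Parameter(Mandatory)][string]$Url,
        [switch]$ForceTls12
    )
    $req = New-Object -ComObject WinHttp.WinHttpRequest.5.1
    function Set-WinHttpOption($id, $value) {
        # 'Option' is a parameterized COM property, so it is set through IDispatch.
        [System.__ComObject].InvokeMember('Option', [System.Reflection.BindingFlags]::SetProperty, $null, $req, @($id, $value))
    }
    # Option 4 (SslErrorIgnoreFlags) = 0x3300 ignores CA, CN, date and usage errors so
    # that only protocol negotiation is under test. Never do this in production code.
    Set-WinHttpOption 4 0x3300
    if ($ForceTls12) {
        # Option 9 (SecureProtocols): 0x800 = TLS 1.2 only, overriding DefaultSecureProtocols.
        Set-WinHttpOption 9 0x800
    }
    try {
        $req.Open('GET', $Url, $false)
        $req.Send()
        [pscustomobject]@{ Url = $Url; ForcedTls12 = [bool]$ForceTls12; Result = 'connected'; HttpStatus = $req.Status }
    } catch {
        [pscustomobject]@{ Url = $Url; ForcedTls12 = [bool]$ForceTls12; Result = "failed: $($_.Exception.GetBaseException().Message)"; HttpStatus = $null }
    }
}

Get-WinHttpDefaultSecureProtocols | Format-Table -AutoSize
# Placeholder SPS address; replace with your SPS File Reputation Service URL.
Test-WinHttpTls -Url 'https://sps.example.local/'
Test-WinHttpTls -Url 'https://sps.example.local/' -ForceTls12
```

Read the two results together: any HTTP status (even an error page) counts as "connected", because the TLS handshake completed. If the forced run connects but the default run fails, SCHANNEL on the server can speak TLSv1.2 but WinHTTP's default protocol set does not include it, which is the condition the updates and the Easy fix above correct. If both fail while the SslStream probe from the earlier section succeeds against SPS, look at the SPS side (see Standalone SPS server side).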
If the connection issue persists, please contact Trend Micro Technical Support for assistance.