Using TLSv1.1 / TLSv1.2 to communicate with OfficeScan Edge Relay server

    • Updated: 17 Oct 2017
    • Product/Version: OfficeScan XG.All
    • Platform: Windows 10; Windows 2003 32-Bit; Windows 2003 64-Bit; Windows 2008 32-Bit; Windows 2008 64-Bit; Windows 2012; Windows 2012 Server R2; Windows 2016; Windows 7 32-Bit; Windows 7 64-Bit; Windows 8 32-Bit; Windows 8 64-Bit; Windows 8.1 32-Bit; Windows 8.1 64-Bit
Summary

Since Payment Card Industry Data Security Standard (PCI DSS) 3.1, Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) versions (i.e. TLSv1.0) are no longer allowed as a security channel; only TLSv1.1 and TLSv1.2 satisfy the standard.

This article describes the TLSv1.1 / TLSv1.2 requirements of the OfficeScan Edge Relay Server and what to do when you encounter the message "An internal error has occurred. Restart the Edge Relay service (OfcEdgeSvc) and Microsoft Internet Information Services (IIS). Check the Edge Relay server logs for more information (Error code: 4)." on the Edge Relay Settings page:

[Screenshot: Edge Relay Settings]

Details

Several Windows Updates and settings updates are required for the OfficeScan server, agent, and Edge Relay server to support TLSv1.1 / TLSv1.2.

OfficeScan server side

There is no update from Microsoft to support TLSv1.1 and TLSv1.2 for older Windows servers. Please use at least Windows Server 2008 R2.

To set up the OfficeScan server:

  1. Upgrade the OfficeScan server to at least Build 1736. Please contact Trend Micro Technical Support for assistance.
  2. Follow the OfficeScan server side procedure in this article to apply necessary settings updates and Windows Updates.

Edge Relay server side

  1. After upgrading the OfficeScan server to Build 1736, copy the <Server installation folder>\PCCSRV\Admin\Utility\EdgeServer\ folder to the Edge Relay server.
  2. Upgrade or install the Edge Relay server to Build 1736.
  3. Disable SSL and TLSv1.0 and enable TLSv1.1 and TLSv1.2 on the IIS server:
    1. On the OfficeScan server, save the following registry script into PCI.reg:
      Windows Registry Editor Version 5.00

      ; Disable SSLv2.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      ; Disable SSLv3.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      ; Disable TLSv1.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
      "DisabledByDefault"=dword:00000001
      "Enabled"=dword:00000000

      ; Enable TLSv1.1
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      ; Enable TLSv1.2
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
      "DisabledByDefault"=dword:00000000
      "Enabled"=dword:00000001

      ; Disable weak ciphers RC4 and Triple DES
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
      "Enabled"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
      "Enabled"=dword:00000000
    2. Execute PCI.reg.
    3. Reboot the Edge Relay server.
    4. Make sure that only TLSv1.1 and TLSv1.2 are enabled on the IIS server.
  4. Go to the OfficeScan server's web console and verify that the OfficeScan server can register with the Edge Relay server.

    [Screenshot: Edge Relay Settings page, connection status "Disconnect"]
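The following PowerShell script is an added example, not part of this article or of OfficeScan, for checking step 3.4: it reads back the SCHANNEL values that PCI.reg sets and reports any protocol or cipher that does not match the intended state. It assumes the same registry paths and value names as PCI.reg and is run in an elevated PowerShell on the Edge Relay server after the reboot.

```powershell
# Added example (not from the Trend Micro article): read back the SCHANNEL values
# that PCI.reg sets and report whether only TLS 1.1 and TLS 1.2 remain enabled.
# Run in an elevated PowerShell on the Edge Relay server after the reboot.
# It only reads the registry; SCHANNEL applies these values at boot.
$schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$allowed   = 'TLS 1.1', 'TLS 1.2'               # protocols PCI.reg leaves on
$ciphers   = 'RC4 128/128', 'Triple DES 168'    # ciphers PCI.reg turns off

function Get-RegDword([string]$SubKey, [string]$Name) {
    # .NET is used instead of the HKLM: drive because the provider treats the
    # '/' in 'RC4 128/128' as a path separator. Returns $null when absent.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

$problems = @()
$report = foreach ($proto in $protocols) {
    foreach ($side in 'Server', 'Client') {
        $sub      = "$schannel\Protocols\$proto\$side"
        $enabled  = Get-RegDword $sub 'Enabled'
        $disabled = Get-RegDword $sub 'DisabledByDefault'
        # SCHANNEL semantics: a missing Enabled counts as enabled and a missing
        # DisabledByDefault counts as 0; a fully absent key is the OS default.
        $state = if ($null -eq $enabled -and $null -eq $disabled) { 'OS default' }
                 elseif (($null -eq $enabled -or $enabled -ne 0) -and
                         ($null -eq $disabled -or $disabled -eq 0)) { 'Enabled' }
                 else { 'Disabled' }
        $expected = if ($allowed -contains $proto) { 'Enabled' } else { 'Disabled' }
        if ($state -ne $expected) { $problems += "$proto/$side is '$state', expected '$expected'" }
        [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled
                           DisabledByDefault = $disabled; State = $state; Expected = $expected }
    }
}
$report | Format-Table -AutoSize

foreach ($cipher in $ciphers) {
    $enabled = Get-RegDword "$schannel\Ciphers\$cipher" 'Enabled'
    if ($null -eq $enabled -or $enabled -ne 0) { $problems += "cipher '$cipher' is not disabled" }
}

if ($problems) {
    Write-Warning ("SCHANNEL does not match PCI.reg:`n - " + ($problems -join "`n - "))
    exit 1
}
Write-Host 'SCHANNEL matches PCI.reg: only TLS 1.1 and TLS 1.2 are enabled.'
```

A non-zero exit code means PCI.reg was not fully applied or has been overridden, which is worth checking before restarting OfcEdgeSvc and IIS.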

OfficeScan agent side

There is no update from Microsoft to support TLSv1.1 and TLSv1.2 for older Windows. Please use at least Windows 7.

To make the Windows native libraries support TLSv1.1 and TLSv1.2, some Windows updates have to be installed on Windows 7:

  1. Update Windows 7 to SP1.
  2. Make sure that the following updates are installed. If not, manually install them:
  3. Download the Easy fix from this page and launch it.
  4. Reboot the endpoint. Off-premises management should then work on the endpoint.

For Windows 8.1 or newer, there is no need to install the Windows updates for TLSv1.2 support.

Category: Configure; SPEC
Solution Id: 1118506