Windows negotiates the highest version of SSL/TLS that both the server and the client support. For example:
- If the server and client both support TLS 1.2, they will negotiate and use TLS 1.2.
- If the server supports TLS 1.1 and 1.2, but the client only supports TLS 1.0 and 1.1, they will negotiate and use TLS 1.1.
- If the server supports TLS 1.2, but the client only supports TLS 1.0, they will fail to negotiate and a connection will not be established.
You can use the following article as an example: Windows 7/2008/2008R2 agents shown as offline after upgrading to Apex One.
Older operating systems may require specific patches to support newer protocols. Please refer to our PCI Data Security Standard Compatibility with OfficeScan article for advice on TLS 1.1 and 1.2.
The following are Network Traces showing TLS connections from Agent to Server, both successful and failed.
TCP 3-way handshake
    18:19:56.533860 711 40.643720 10.0.3.50 10.0.2.105 TCP 66 50420 → 4343 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    18:19:56.546115 712 40.655975 10.0.2.105 10.0.3.50 TCP 66 4343 → 50420 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1400 WS=256 SACK_PERM=1
    18:19:56.546195 713 40.656055 10.0.3.50 10.0.2.105 TCP 54 50420 → 4343 [ACK] Seq=1 Ack=1 Win=263168 Len=0
Then the Client Hello – Client informs the server what it would like to use (TLS 1.2) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.
    18:19:56.601626 714 40.711486 10.0.3.50 10.0.2.105 TLSv1.2 243 Client Hello
    Frame 714: 243 bytes on wire (1944 bits), 243 bytes captured (1944 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
    Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
    Transmission Control Protocol, Src Port: 50420, Dst Port: 4343, Seq: 1, Ack: 1, Len: 189
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 184
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 180
                Version: TLS 1.2 (0x0303)
                Random: 5aea014c62e61f9d0e8749f2a52a8533890b9e6be56cad78...
                Session ID Length: 0
                Cipher Suites Length: 42
                Cipher Suites (21 suites)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 97
                Extension: server_name (len=11)
                Extension: status_request (len=5)
                Extension: supported_groups (len=8)
                Extension: ec_point_formats (len=2)
                Extension: signature_algorithms (len=20)
                Extension: SessionTicket TLS (len=0)
                Extension: application_layer_protocol_negotiation (len=14)
                Extension: extended_master_secret (len=0)
                Extension: renegotiation_info (len=1)
Once successful, the server sends the Server Hello. This includes the same protocol as the agent (TLS 1.2), the chosen cipher, and the server’s certificate.
    18:19:56.613664 716 40.723524 10.0.2.105 10.0.3.50 TLSv1.2 679 Server Hello, Certificate, Server Key Exchange, Server Hello Done
    Frame 716: 679 bytes on wire (5432 bits), 679 bytes captured (5432 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
    Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
    Transmission Control Protocol, Src Port: 4343, Dst Port: 50420, Seq: 1401, Ack: 190, Len: 625
    [2 Reassembled TCP Segments (2025 bytes): #715(1400), #716(625)]
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 2020
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 90
                Version: TLS 1.2 (0x0303)
                Random: 5aea014c61794843f79d0c71490f191bea899c92229a00ad...
                Session ID Length: 32
                Session ID: f71900007caa18c93b400632a898f775aa5b0a959cefca22...
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Compression Method: null (0)
                Extensions Length: 18
                Extension: application_layer_protocol_negotiation (len=5)
                Extension: extended_master_secret (len=0)
                Extension: renegotiation_info (len=1)
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1618
                Certificates Length: 1615
                Certificates (1615 bytes)
            Handshake Protocol: Server Key Exchange
                Handshake Type: Server Key Exchange (12)
                Length: 296
                EC Diffie-Hellman Server Params
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0
After the Server Hello and receipt of the server’s certificate, the client will use that certificate to begin the encryption handshake using the negotiated protocol and cipher.
    18:19:56.615223 718 40.725083 10.0.3.50 10.0.2.105 TLSv1.2 147 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    Frame 718: 147 bytes on wire (1176 bits), 147 bytes captured (1176 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
    Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
    Transmission Control Protocol, Src Port: 50420, Dst Port: 4343, Seq: 190, Ack: 2026, Len: 93
    Secure Sockets Layer
        TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 37
            Handshake Protocol: Client Key Exchange
                Handshake Type: Client Key Exchange (16)
                Length: 33
                EC Diffie-Hellman Client Params
        TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
            Content Type: Change Cipher Spec (20)
            Version: TLS 1.2 (0x0303)
            Length: 1
            Change Cipher Spec Message
        TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 40
            Handshake Protocol: Encrypted Handshake Message
The server will use this information and follow with its portion of the handshake.
    18:19:56.631367 719 40.741227 10.0.2.105 10.0.3.50 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
    Frame 719: 105 bytes on wire (840 bits), 105 bytes captured (840 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
    Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
    Transmission Control Protocol, Src Port: 4343, Dst Port: 50420, Seq: 2026, Ack: 283, Len: 51
    Secure Sockets Layer
        TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
            Content Type: Change Cipher Spec (20)
            Version: TLS 1.2 (0x0303)
            Length: 1
            Change Cipher Spec Message
        TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 40
            Handshake Protocol: Encrypted Handshake Message
Communication will now proceed successfully with encryption.
TLS 1.1 Negotiation (Client only supports TLS 1.1 – Server Supports TLS 1.1 and 1.2) – Network Trace
TCP 3-way handshake
    16:09:20.590777 346 37.286887 10.0.3.50 10.0.2.105 TCP 66 49840 → 4343 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    16:09:20.592941 347 37.289051 10.0.2.105 10.0.3.50 TCP 66 4343 → 49840 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1400 WS=256 SACK_PERM=1
    16:09:20.593575 348 37.289685 10.0.3.50 10.0.2.105 TCP 54 49840 → 4343 [ACK] Seq=1 Ack=1 Win=263168 Len=0
Then the Client Hello – Client informs the server what it would like to use (TLS 1.1) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.
    16:09:20.673698 349 37.369808 10.0.3.50 10.0.2.105 TLSv1.1 191 Client Hello
    Frame 349: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
    Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
    Transmission Control Protocol, Src Port: 49840, Dst Port: 4343, Seq: 1, Ack: 1, Len: 137
    Secure Sockets Layer
        TLSv1.1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 132
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 128
                Version: TLS 1.1 (0x0302)
                Random: 5afda9303ee62dad4c67806844112542e8746c73e46e56ea...
                Session ID Length: 0
                Cipher Suites Length: 14
                Cipher Suites (7 suites)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 73
                Extension: server_name (len=11)
                Extension: status_request (len=5)
                Extension: supported_groups (len=8)
                Extension: ec_point_formats (len=2)
                Extension: SessionTicket TLS (len=0)
                Extension: application_layer_protocol_negotiation (len=14)
                Extension: extended_master_secret (len=0)
                Extension: renegotiation_info (len=1)
Once successful, the server sends the Server Hello. This includes the same protocol as the agent (TLS 1.1), the chosen cipher, and the server’s certificate.
    16:09:20.678780 351 37.374890 10.0.2.105 10.0.3.50 TLSv1.1 677 Server Hello, Certificate, Server Key Exchange, Server Hello Done
    Frame 351: 677 bytes on wire (5416 bits), 677 bytes captured (5416 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
    Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
    Transmission Control Protocol, Src Port: 4343, Dst Port: 49840, Seq: 1401, Ack: 138, Len: 623
    [2 Reassembled TCP Segments (2023 bytes): #350(1400), #351(623)]
    Secure Sockets Layer
        TLSv1.1 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 2018
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 90
                Version: TLS 1.1 (0x0302)
                Random: 5afda930739cc7dc97c4e53d4d4e189e4bc26cfee1517337...
                Session ID Length: 32
                Session ID: b61a000002965c0ab15f31c1cefdf906555772354b27dd76...
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Compression Method: null (0)
                Extensions Length: 18
                Extension: application_layer_protocol_negotiation (len=5)
                Extension: extended_master_secret (len=0)
                Extension: renegotiation_info (len=1)
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1618
                Certificates Length: 1615
                Certificates (1615 bytes)
            Handshake Protocol: Server Key Exchange
                Handshake Type: Server Key Exchange (12)
                Length: 294
                EC Diffie-Hellman Server Params
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0
After the Server Hello and receipt of the server’s certificate, the client will use that certificate to begin the encryption handshake using the negotiated protocol and cipher.
    16:09:20.684151 353 37.380261 10.0.3.50 10.0.2.105 TLSv1.1 171 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    Frame 353: 171 bytes on wire (1368 bits), 171 bytes captured (1368 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:07 (00:15:5d:68:54:07), Dst: Microsof_68:54:06 (00:15:5d:68:54:06)
    Internet Protocol Version 4, Src: 10.0.3.50, Dst: 10.0.2.105
    Transmission Control Protocol, Src Port: 49840, Dst Port: 4343, Seq: 138, Ack: 2024, Len: 117
    Secure Sockets Layer
        TLSv1.1 Record Layer: Handshake Protocol: Client Key Exchange
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 37
            Handshake Protocol: Client Key Exchange
                Handshake Type: Client Key Exchange (16)
                Length: 33
                EC Diffie-Hellman Client Params
        TLSv1.1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
            Content Type: Change Cipher Spec (20)
            Version: TLS 1.1 (0x0302)
            Length: 1
            Change Cipher Spec Message
        TLSv1.1 Record Layer: Handshake Protocol: Encrypted Handshake Message
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 64
            Handshake Protocol: Encrypted Handshake Message
The server will use this information and follow with its portion of the handshake.
    16:09:20.686772 354 37.382882 10.0.2.105 10.0.3.50 TLSv1.1 129 Change Cipher Spec, Encrypted Handshake Message
    Frame 354: 129 bytes on wire (1032 bits), 129 bytes captured (1032 bits) on interface 0
    Ethernet II, Src: Microsof_68:54:06 (00:15:5d:68:54:06), Dst: Microsof_68:54:07 (00:15:5d:68:54:07)
    Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.3.50
    Transmission Control Protocol, Src Port: 4343, Dst Port: 49840, Seq: 2024, Ack: 255, Len: 75
    Secure Sockets Layer
        TLSv1.1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
            Content Type: Change Cipher Spec (20)
            Version: TLS 1.1 (0x0302)
            Length: 1
            Change Cipher Spec Message
        TLSv1.1 Record Layer: Handshake Protocol: Encrypted Handshake Message
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 64
            Handshake Protocol: Encrypted Handshake Message
Communication will now proceed successfully with encryption.
TCP 3-way handshake
    16:28:58.861976 61 3.211254 10.0.2.104 10.0.2.105 TCP 66 50440 → 4343 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
    16:28:58.862262 62 3.211540 10.0.2.105 10.0.2.104 TCP 66 4343 → 50440 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
    16:28:58.862567 63 3.211845 10.0.2.104 10.0.2.105 TCP 54 50440 → 4343 [ACK] Seq=1 Ack=1 Win=262144 Len=0
Then the Client Hello – Client informs the server what it would like to use (TLS 1.2) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.
    16:28:58.865301 64 3.214579 10.0.2.104 10.0.2.105 TLSv1.1 261 Client Hello
    Frame 64: 261 bytes on wire (2088 bits), 261 bytes captured (2088 bits) on interface 0
    Ethernet II, Src: Microsof_2c:1e:23 (00:15:5d:2c:1e:23), Dst: Microsof_2c:1e:38 (00:15:5d:2c:1e:38)
    Internet Protocol Version 4, Src: 10.0.2.104, Dst: 10.0.2.105
    Transmission Control Protocol, Src Port: 50440, Dst Port: 4343, Seq: 1, Ack: 1, Len: 207
    Secure Sockets Layer
        TLSv1.1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 202
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 198
                Version: TLS 1.2 (0x0303)
                Random: 5afdadca810d2ca16a5ea1c9dec9aadd5e3399c46869a418...
                Session ID Length: 0
                Cipher Suites Length: 38
                Cipher Suites (19 suites)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 119
                Extension: server_name (len=23)
                Extension: status_request (len=5)
                Extension: supported_groups (len=8)
                Extension: ec_point_formats (len=2)
                Extension: signature_algorithms (len=20)
                Extension: SessionTicket TLS (len=0)
                Extension: application_layer_protocol_negotiation (len=14)
                Extension: extended_master_secret (len=0)
                Extension: token_binding (len=6)
                Extension: renegotiation_info (len=1)
This time, since the server doesn’t support TLS 1.2, it counters with the highest that it does support – TLS 1.1.
    16:28:58.867066 66 3.216344 10.0.2.105 10.0.2.104 TLSv1.1 617 Server Hello, Certificate, Server Key Exchange, Server Hello Done
    Frame 66: 617 bytes on wire (4936 bits), 617 bytes captured (4936 bits) on interface 0
    Ethernet II, Src: Microsof_2c:1e:38 (00:15:5d:2c:1e:38), Dst: Microsof_2c:1e:23 (00:15:5d:2c:1e:23)
    Internet Protocol Version 4, Src: 10.0.2.105, Dst: 10.0.2.104
    Transmission Control Protocol, Src Port: 4343, Dst Port: 50440, Seq: 1461, Ack: 208, Len: 563
    [2 Reassembled TCP Segments (2023 bytes): #65(1460), #66(563)]
    Secure Sockets Layer
        TLSv1.1 Record Layer: Handshake Protocol: Multiple Handshake Messages
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 2018
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 90
                Version: TLS 1.1 (0x0302)
                Random: 5afdadca99776c037d5174f25839dd8a9f464bcc5b2cc19b...
                Session ID Length: 32
                Session ID: ed1e00007de53e9b61c9ff044f564834a2c8e33b08b51f18...
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Compression Method: null (0)
                Extensions Length: 18
                Extension: application_layer_protocol_negotiation (len=5)
                Extension: extended_master_secret (len=0)
                Extension: renegotiation_info (len=1)
            Handshake Protocol: Certificate
                Handshake Type: Certificate (11)
                Length: 1618
                Certificates Length: 1615
                Certificates (1615 bytes)
            Handshake Protocol: Server Key Exchange
                Handshake Type: Server Key Exchange (12)
                Length: 294
                EC Diffie-Hellman Server Params
            Handshake Protocol: Server Hello Done
                Handshake Type: Server Hello Done (14)
                Length: 0
If the agent accepts TLS 1.1, the handshake continues as it would if the agent had initially offered TLS 1.1.
TCP 3-way handshake
    16:44:22.880115 4241 8.801447 10.0.2.104 10.0.2.105 TCP 66 50200 → 4343 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
    16:44:22.884801 4246 8.806133 10.0.2.105 10.0.2.104 TCP 66 4343 → 50200 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
    16:44:22.885278 4247 8.806610 10.0.2.104 10.0.2.105 TCP 54 50200 → 4343 [ACK] Seq=1 Ack=1 Win=262656 Len=0
Then the Client Hello – Client informs the server what it would like to use (TLS 1.1) and what ciphers it supports. The server must agree to the same protocol and cipher suite to continue with communication.
    16:44:22.887075 4248 8.808407 10.0.2.104 10.0.2.105 TLSv1.1 191 Client Hello
    Frame 4248: 191 bytes on wire (1528 bits), 191 bytes captured (1528 bits) on interface 0
    Ethernet II, Src: Microsof_2c:1e:23 (00:15:5d:2c:1e:23), Dst: Microsof_2c:1e:38 (00:15:5d:2c:1e:38)
    Internet Protocol Version 4, Src: 10.0.2.104, Dst: 10.0.2.105
    Transmission Control Protocol, Src Port: 50200, Dst Port: 4343, Seq: 1, Ack: 1, Len: 137
    Secure Sockets Layer
        TLSv1.1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.1 (0x0302)
            Length: 132
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 128
                Version: TLS 1.1 (0x0302)
                Random: 5afdb1662620bc243a189e5aa5b002f2367e8e6cedf00a90...
                Session ID Length: 0
                Cipher Suites Length: 14
                Cipher Suites (7 suites)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 73
                Extension: server_name (len=11)
                Extension: status_request (len=5)
                Extension: supported_groups (len=8)
                Extension: ec_point_formats (len=2)
                Extension: SessionTicket TLS (len=0)
                Extension: application_layer_protocol_negotiation (len=14)
                Extension: extended_master_secret (len=0)
                Extension: renegotiation_info (len=1)
As the TLS version offered by the agent is lower than the lowest supported by the server, the server rejects the connection with a TCP Reset.
16:44:22.891009 4249 8.812341 10.0.2.105 10.0.2.104 TCP 54 4343 → 50200 [RST, ACK] Seq=1 Ack=138 Win=0 Len=0
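The outcomes shown in the traces above can be read directly from the hello records. The following is an added example, not part of the original article: a Python parser that pulls the version and cipher-suite fields out of Client Hello and Server Hello records and classifies the negotiation. The function names are assumptions of this example, and the records are constructed samples built by the hypothetical helper `build_hello` (zeroed random, no extensions) using the version and suite values from the traces.

```python
import struct
from typing import Optional

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_hello(record: bytes) -> dict:
    """Parse a TLS record whose first handshake message is a Client/Server Hello."""
    try:
        ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 22:                          # 22 = Handshake
            raise ValueError("not a handshake record")
        body = record[5:5 + rec_len]
        hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
        msg = body[4:4 + hs_len]
        if hs_type not in (1, 2) or len(msg) != hs_len:
            raise ValueError("not a complete Client/Server Hello")
        (version,) = struct.unpack_from("!H", msg, 0)
        pos = 2 + 32                             # version + 32-byte random
        pos += 1 + msg[pos]                      # session ID length + session ID
        if hs_type == 1:                         # Client Hello: every offered suite
            (cs_len,) = struct.unpack_from("!H", msg, pos)
            suites = list(struct.unpack_from(f"!{cs_len // 2}H", msg, pos + 2))
        else:                                    # Server Hello: the one chosen suite
            suites = list(struct.unpack_from("!H", msg, pos))
    except (struct.error, IndexError) as exc:
        raise ValueError(f"truncated hello: {exc}") from None
    return {"client": hs_type == 1, "version": version, "suites": suites}

def classify(client_record: bytes, server_record: Optional[bytes]) -> str:
    """Describe the outcome; server_record is None when no Server Hello was seen."""
    ch = parse_hello(client_record)
    if not ch["client"]:
        raise ValueError("first record is not a Client Hello")
    offered = VERSIONS.get(ch["version"], hex(ch["version"]))
    if server_record is None:                    # e.g. the [RST, ACK] in the failed trace
        return f"FAILED: client offered {offered}, no Server Hello received"
    sh = parse_hello(server_record)
    if sh["client"]:
        raise ValueError("second record is not a Server Hello")
    chosen = VERSIONS.get(sh["version"], hex(sh["version"]))
    if sh["version"] > ch["version"] or sh["suites"][0] not in ch["suites"]:
        return f"INVALID: server answered {chosen} with parameters the client never offered"
    if sh["version"] < ch["version"]:
        return f"OK: {chosen} (server negotiated down from {offered})"
    return f"OK: {chosen}"

def build_hello(hs_type: int, version: int, suites: list) -> bytes:
    """Constructed sample record: zeroed random, empty session ID, no extensions."""
    msg = struct.pack("!H", version) + bytes(32) + b"\x00"
    if hs_type == 1:
        msg += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    else:
        msg += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return struct.pack("!BHH", 22, version, len(hs)) + hs

# Constructed samples; versions and suite IDs are the ones shown in the traces above.
CBC_SUITES = [0xC00A, 0xC009, 0xC014, 0xC013, 0x0035, 0x002F, 0x000A]
CH_12 = build_hello(1, 0x0303, [0xC030] + CBC_SUITES)
CH_11 = build_hello(1, 0x0302, CBC_SUITES)
SH_12 = build_hello(2, 0x0303, [0xC030])
SH_11 = build_hello(2, 0x0302, [0xC014])

if __name__ == "__main__":
    print(classify(CH_12, SH_12))   # both sides TLS 1.2
    print(classify(CH_12, SH_11))   # server limited to TLS 1.1
    print(classify(CH_11, None))    # server reset instead of answering
```

The parser reads the version from the hello body, which is where TLS 1.2 and earlier carry it, matching the traces on this page.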
Using HTTPS also creates the need for certificates and certificate validation.
All Apex One agents have their own self-signed certificate they use for communication and verification with the Apex One server. This can be a problem in environments that deploy HTTPS Inspection gateways. With HTTPS Inspection, the Security Gateway can inspect the traffic that is encrypted by HTTPS.
The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure website. This causes a problem as Apex One will not trust the Security Gateway’s certificate.
Thus, agent traffic must be excluded from HTTPS Inspection on Security Gateway products.
If you are still having difficulty resolving this issue, please have the following information ready for support when opening a case if possible:
- Go to the Trend Micro Download Center and download the Case Diagnostic Tool.
- Run this on a problem endpoint and the Apex One server.
- Put a check-mark next to OSCE_12Agent for the endpoint and OSCE_12Server on the server, and check Basic Information and Connectivity Issue.
- Click Next, then click the Start Debug Mode button and wait until it is indicated as ON on both.
- Start a network trace using Wireshark or the built-in Windows tracing:
Windows 7/Server 2008 R2 and later can run in-depth traces natively. At an administrator command prompt, run the following command:
Netsh trace start capture=yes maxsize=2048 persistent=yes tracefile=C:\%computername%.etl
- Capture tells it to capture the network traffic.
- Scenario allows us to capture more Windows internal provider information during the trace.
- MaxSize limits the file size (in MB) so that it doesn’t fill up the disk. It may need to be increased (please do not go above 4 GB per trace).
- Persistent allows it to pick right back up after a machine restart. This is not always needed but useful if we need a trace of what happens during a restart or when a machine is coming back up.
- Tracefile tells it where to save the trace. Folder must already exist on the machine.
Ideally, if possible, we would want a simultaneous trace from both ends of the communication. If this is not possible, please still collect from one of the machines.
- On the Apex One Agent on the problem endpoint, choose Update Now.
- Once complete, click Stop Debug Mode.
- Stop Wireshark, or run netsh trace stop to stop the Windows trace.
- If using Windows trace, it will then save and correlate the information. Once complete, you will have a .cab and .etl file that you can upload. Please zip them together for upload.
- If using Wireshark, zip the pcapng file for upload.
- Click Next in the CDT.
- Select Today's Logs and click Next.
- Note the name of the zip created and click the Open Folder button.
- Upload that zip file, as well as the zipped PCAPNG or ETL/CAB from the network trace to your support case when provided with an upload link.