search cancel

Configure TLS 1.2 communications between Endpoint Protection Manager 14 and clients

book

Article ID: 163754

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

To meet the standards of regulatory compliance or to increase security in your environment, you want to restrict communication to use TLS 1.2 between Symantec Endpoint Protection Manager (SEPM) 14, and the clients that it manages. However, you do not want to orphan your clients in the process.

Resolution

Perform the following tasks to configure client and server communication to only use TLS v1.2.

  1. For all supported operating systems, such as Windows 7, you must do one of the following:
    • Ensure the computer has Internet Explorer 11 installed, and that TLS 1.2 is enabled under Internet Options > Advanced > Security.
    • Ensure that TLS 1.2 is enabled under the System account settings. See Technical Information for details how to accomplish this task.
       
  2. For all unsupported operating systems that run SEP 12.1.x, such as Windows XP / Server 2003, that do not support TLS 1.2, do the following:
    1. Under Policies > Policy Components > Management Server Lists, create a new management server list that uses HTTP, which communicates over port 8014. Add this server’s address, and click OK to save.
    2. Create a new group.
      See Adding a Group.
    3. Assign this management server list to this group.
      See Assigning a management server list to a group and location.
    4. Move the clients that run an unsupported operating system into this group.
      See Moving a client computer to another group.
    5. Allow the clients time to check in with the management server and move to the new group. The time that is needed varies depends on the mode and the length of the heartbeat.
       
  3. After you log on to the SEPM, navigate to SEPMInstall\apache\conf\ssl.
  4. In the files ssl.conf (for port 8445) and sslforclients.conf (for port 443), locate the following line in each:

    SSLProtocol all -SSLv2 -SSLv3
     
  5. Using a text editor, edit the lines in ssl.conf and sslforclients.conf above and add the text indicated in bold below to both files, so that it reads as follows:

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    NOTE: In SEPM 14.3 RU2 and later ssl.conf is configured to use TLS 1.2 by default and does not require editing. The line will be:
    #:Overridden_by_14.3.2.2000_upgrade_wizard <Date and time>#
    #SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol TLSv1.2
     
  6. Restart the following management server services:
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager API Service
    • Symantec Endpoint Protection Manager Webserver

The client computers should now check in and begin to communicate with TLS 1.2 only.

Note: Windows XP / Server 2003 does not support TLS 1.1 or higher and must use TLS 1.0.

Configure Windows XP / Server 2003 to use TLS 1.0

  1. Navigate to SEPMInstall\apache\conf\ssl.
  2. In the files ssl.conf (for port 8445) and sslforclients.conf (for port 443), locate the following line in each:

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
     
  3. Using a text editor, remove the text indicated in bold to both files, so that it reads as follows:

    SSLProtocol all -SSLv2 -SSLv3
     
  4. See changes that may be necessary in SSLCipherSuite at HTTPS communications fail to SEP clients installed XP / Server 2003.
  5. Restart the following management server services:
    • Symantec Endpoint Protection Manager
    • Symantec Endpoint Protection Manager API Service
    • Symantec Endpoint Protection Manager Webserver

Technical information

To enable TLS 1.2 under the System account settings for Internet Explorer versions earlier than 11, follow these steps:

  1. Download PsExec. PsExec is a Windows Sysinternals utility provided and supported by Microsoft.
  2. Open a command window, and enter the following command to launch Internet Explorer as the System account:

    psexec –s –i Path_to_IE\iexplorer.exe
     
  3. Click Tools > Internet Options > Advanced, and under Security, check TLS 1.2.
    If it is already checked, then you can skip Step 5.
  4. Click OK to save the settings, and then close Internet Explorer.
  5. Restart the Symantec Management Client service with the following commands in the command window:
    1. smc -stop
    2. smc -start