cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TLS Issues in windows 7 and Windows 2008

Dear All,

I was getting the below 2 errors in Windows 7 and Windows 8 Server respectively.

 

  1. The following network error occurred while retrieving the application: An existing connection was forcibly closed by the remote host. ( Windows 7)
  2. Download failure: The client and server cannot communicate, because they do not possess a common algorithm. ( Windows 😎

I could find from various articles and discussions that the above issues are occurring due to TLS Compatibility.

I have noticed that the registry entry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp  is added in the systems 

But the Entries for TLS 1.1 and TLS 1.2 are missing under , 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
 
My doubt here is , the TLS entries are required to be added in the Inventory device side as well ?

Also, is here any way we can turn off TLS enforcement for FNMS agent communication (at agent side) 
 
Regards,
Junaid Vengadan 
(3) Replies

Hi @emtmeta ,

Yes we have to add the TLS 1.1 and 1.2 entries at the client end.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

For FNMS cloud instances the beacon will accept the communication over the above and later protocols only. 

 

Regards

thanks a lot @winvarma

What about one premise ?

I guess adding TLS entries in Registry is highly recommended there as well .

But in worst case scenario (May be system which we can restart to reflect the registry changes)  , is there any option to disable this TLS enforcement in any of our registry (managesoft) or in configuration ?

 

Many thanks is advance,

Junaid Vengadan

 

TLS enforcement requirements are on the Beacon for where agents report in. In the registry, that would be the entries under "Server". If you disable strong cypher requirements then agents can connect with TLS 1.0. 

You can always fall back to HTTP unencrypted for agent -> Beacon communication and keep the Beacon to Application Server communication encrypted via SSL and TLS 1.2.