topic Disabling TLS 1.1 on Windows Client in Network Security

Disabling TLS 1.1 on Windows Client

tankenghua — Tue, 13 Sep 2022 08:02:10 GMT

Hi Gurus,

I'm a software engineer by trade. I've been assigned the task to verify our applications able to work after disabling TLS 1.1 on Windows 10 Enterprise Edition client machines. Customer will be moving on to TLS 1.2.

Some details
AnyConnect client 4.10.01075
Cisco FTD 1120
Cisco FMC for VMWare. Software Version 6.4.0.12 (Build 112)

My understanding on the requirements for DTLS v1.2 support
1. AnyConnect client version 4.7 and above
2. Cisco FMC version 6.6 and above

Will disabling TLS 1.1 on Windows 10 machine affect our setup? Will it prevents AnyConnect client 4.10.0175 from connecting and establishing the VPN connection?

TIA for any response.

Re: Disabling TLS 1.1 on Windows Client

Rob Ingram — Tue, 13 Sep 2022 08:12:05 GMT

@tankenghua you should be ok in just disabling TLS/DTLS 1.0 and 1.1 from the windows side, assuming you've upgraded the FMC and FTD to version 6.6 or higher (7.0.4 is the current Cisco gold star recommended version). You should consider configuring the FMC/FTD to not only require TLS/DTLS 1.2 but also to use the most secure ciphers, example here.

Re: Disabling TLS 1.1 on Windows Client

tankenghua — Tue, 13 Sep 2022 08:27:36 GMT

@Rob Ingram Thank you for the prompt response and advise. Much appreciated.

My understanding from a former colleague the newer version of FMC is not supported on our ESXi version.

Our FMC is hosted on a legacy ESXi VMWare 5.1.

Re: Disabling TLS 1.1 on Windows Client

Rob Ingram — Tue, 13 Sep 2022 08:32:37 GMT

@tankenghua yes that is accurate, for FMC 6.6 the minimum supported ESX version is 6.0.....in short you would need to upgrade your ESX environment to 6.X in order to use DTLS 1.2 which was released in 6.6.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html