516 Views | 10 Helpful | 3 Replies

Disabling TLS 1.1 on Windows Client

tankenghua
Level 1

Hi Gurus,

I'm a software engineer by trade. I've been assigned the task of verifying that our applications are able to work after disabling TLS 1.1 on Windows 10 Enterprise Edition client machines. The customer will be moving on to TLS 1.2.

Some details
AnyConnect client 4.10.01075
Cisco FTD 1120
Cisco FMC for VMWare. Software Version 6.4.0.12 (Build 112)

My understanding on the requirements for DTLS v1.2 support
1. AnyConnect client version 4.7 and above
2. Cisco FMC version 6.6 and above

Will disabling TLS 1.1 on Windows 10 machines affect our setup? Will it prevent AnyConnect client 4.10.0175 from connecting and establishing the VPN connection?

TIA for any response.


3 Replies

@tankenghua you should be ok in just disabling TLS/DTLS 1.0 and 1.1 from the windows side, assuming you've upgraded the FMC and FTD to version 6.6 or higher (7.0.4 is the current Cisco gold star recommended version). You should consider configuring the FMC/FTD to not only require TLS/DTLS 1.2 but also to use the most secure ciphers, example here.
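The "disable it from the Windows side" step in the reply above maps to the SCHANNEL protocol keys in the registry. The script below is an added example written for this thread, not code from Cisco or from either poster: it disables the client side of TLS 1.0 and 1.1, explicitly enables TLS 1.2, tells .NET Framework applications (the original poster's concern) to follow the system defaults rather than a hard-coded version, and provides a small handshake probe for checking the result against the VPN headend. The hostname `vpn.example.invalid` is a placeholder. It tests the TCP/TLS handshake only, not DTLS.

```powershell
# Added example for this thread (not Cisco's or the posters' code).
# Assumes Windows 10 with Windows PowerShell 5.1, run from an elevated prompt.
# SCHANNEL changes only take effect after a reboot; run the probe afterwards.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelClientProtocol {
    param([string]$Protocol, [bool]$Enable)
    $key = Join-Path $SchannelBase "$Protocol\Client"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 plus DisabledByDefault=1 is the documented way to turn a version off;
    # the inverse pair turns it on regardless of the OS build's default.
    $enabled = if ($Enable) { 1 } else { 0 }
    $disabledByDefault = if ($Enable) { 0 } else { 1 }
    New-ItemProperty -Path $key -Name 'Enabled' -Value $enabled -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $disabledByDefault -PropertyType DWord -Force | Out-Null
}

function Disable-LegacyTlsClient {
    # Legacy versions off, TLS 1.2 explicitly on (so nothing depends on the build default)
    Set-SchannelClientProtocol -Protocol 'TLS 1.0' -Enable $false
    Set-SchannelClientProtocol -Protocol 'TLS 1.1' -Enable $false
    Set-SchannelClientProtocol -Protocol 'TLS 1.2' -Enable $true

    # .NET Framework 4.x apps: follow SCHANNEL instead of their own compiled-in default.
    # Both views are set so 32-bit and 64-bit applications behave the same way.
    foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $fw) {
            New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-TlsVersion {
    # Attempts a handshake restricted to one protocol version and reports what happened.
    # Certificate validation is left at the .NET default on purpose: a failure at every
    # version points at certificate trust, a failure only at Tls10/Tls11 is the intended result.
    param(
        [string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream())
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return "$Protocol : negotiated $($ssl.SslProtocol)"
    } catch {
        return "$Protocol : handshake failed ($($_.Exception.Message))"
    } finally {
        $client.Dispose()
    }
}

# Step 1 (before reboot): apply the registry changes
Disable-LegacyTlsClient

# Step 2 (after reboot): probe the headend; placeholder hostname
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -HostName 'vpn.example.invalid' -Port 443 -Protocol $p
}
```

After the reboot the probe should print "handshake failed" for Tls and Tls11 and "negotiated Tls12" for Tls12. The same keys exist under a `Server` subkey for inbound connections, which a client workstation normally does not need to touch; the `.NETFramework` values only matter for applications built on .NET Framework 4.x, so other runtimes (Java, OpenSSL-based tools) need to be checked with their own settings.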

tankenghua
Level 1

@Rob Ingram  Thank you for the prompt response and advice. Much appreciated.

My understanding from a former colleague is that the newer version of FMC is not supported on our ESXi version.

Our FMC is hosted on a legacy ESXi VMWare 5.1. 

@tankenghua yes that is accurate, for FMC 6.6 the minimum supported ESX version is 6.0.....in short you would need to upgrade your ESX environment to 6.X in order to use DTLS 1.2 which was released in 6.6.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html

 
